--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: package dnsdist/1.1.0-2+deb9u1
- From: Christian Hofstaedtler <zeha@debian.org>
- Date: Tue, 22 Aug 2017 15:11:33 +0000
- Message-id: <150341469348.10248.1078852194521448483.reportbug@debbuild.in.namespace.at>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
this update fixes the low-severity CVEs CVE-2016-7069 and CVE-2017-7557,
purely based on version-targeted patches from upstream.
Thanks,
Chris
diff -Nru dnsdist-1.1.0/debian/changelog dnsdist-1.1.0/debian/changelog
--- dnsdist-1.1.0/debian/changelog 2016-12-31 15:50:47.000000000 +0000
+++ dnsdist-1.1.0/debian/changelog 2017-08-22 13:58:05.000000000 +0000
@@ -1,3 +1,10 @@
+dnsdist (1.1.0-2+deb9u1) stretch; urgency=medium
+
+ * Fix CVE-2016-7069, CVE-2017-7557 using patches from upstream
+ (Closes: #872854)
+
+ -- Christian Hofstaedtler <zeha@debian.org> Tue, 22 Aug 2017 13:58:05 +0000
+
dnsdist (1.1.0-2) unstable; urgency=medium
* Bump debhelper compat to 10 for systemd support.
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch
--- dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch 1970-01-01 00:00:00.000000000 +0000
+++ dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch 2017-08-22 13:58:05.000000000 +0000
@@ -0,0 +1,37 @@
+--- a/dnsdist-ecs.cc
++++ b/dnsdist-ecs.cc
+@@ -392,26 +392,29 @@ void handleEDNSClientSubnet(char* const packet, const size_t packetSize, const u
+ static int removeEDNSOptionFromOptions(unsigned char* optionsStart, const uint16_t optionsLen, const uint16_t optionCodeToRemove, uint16_t* newOptionsLen)
+ {
+ unsigned char* p = optionsStart;
+- const unsigned char* end = p + optionsLen;
+- while ((p + 4) <= end) {
++ size_t pos = 0;
++ while ((pos + 4) <= optionsLen) {
+ unsigned char* optionBegin = p;
+ const uint16_t optionCode = 0x100*p[0] + p[1];
+ p += sizeof(optionCode);
++ pos += sizeof(optionCode);
+ const uint16_t optionLen = 0x100*p[0] + p[1];
+ p += sizeof(optionLen);
+- if ((p + optionLen) > end) {
++ pos += sizeof(optionLen);
++ if ((pos + optionLen) > optionsLen) {
+ return EINVAL;
+ }
+ if (optionCode == optionCodeToRemove) {
+- if (p + optionLen < end) {
++ if (pos + optionLen < optionsLen) {
+ /* move remaining options over the removed one,
+ if any */
+- memmove(optionBegin, p + optionLen, end - (p + optionLen));
++ memmove(optionBegin, p + optionLen, optionsLen - (pos + optionLen));
+ }
+ *newOptionsLen = optionsLen - (sizeof(optionCode) + sizeof(optionLen) + optionLen);
+ return 0;
+ }
+ p += optionLen;
++ pos += optionLen;
+ }
+ return ENOENT;
+ }
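Review bot: In removeEDNSOptionFromOptions the cursor is now tracked twice, as the pointer `p` and the offset `pos`, and the two are advanced by hand in three places, so a later edit that moves one without the other would silently reintroduce an out-of-bounds access. I would add a comment above `size_t pos = 0;` such as `/* pos always equals p - optionsStart; every bounds check is done on pos so that no pointer beyond the buffer is ever computed */`, or drop `p` and index from `optionsStart + pos`. The function also deserves a header comment saying that it returns 0, EINVAL or ENOENT and that `*newOptionsLen` is written only on the `return 0` path, so callers must test the return value before reading it.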
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc
--- dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc 1970-01-01 00:00:00.000000000 +0000
+++ dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc 2017-08-22 13:58:05.000000000 +0000
@@ -0,0 +1,12 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAlmcNN0aHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEZjugf9FqmZzPzql6A8yvqix4lj
+/dXYIuuoIqt2NKIZlKkf4QsMO9fhF+AC6WkPessodAExkyB4IdxrmneumWvVNRpO
+beXT+2l6COKjvDkmYvc+5qKDUPEYHxvh6G1dBFDSGvn5AH5uZI2xXko7R3NdA2m+
+hThY37mkDSsiHrqWGNjj6/DoWIJFeU7gRg2aHkos68JiNdIhai6LMYerwecu4v1b
+6Y5xG6hI85Ofn25xKbXNBjAlj1vYJS8/nMYqqWdxD+eIFKX9FkClwE9IkOdqmyRv
+K0vceChANzLvnIzIcYm81AgKTKqPAoQMQP/0L+IG4hSwVTytHLeajsbQ/XRFDUUW
+Gg==
+=+FBw
+-----END PGP SIGNATURE-----
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch
--- dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch 1970-01-01 00:00:00.000000000 +0000
+++ dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch 2017-08-22 13:58:05.000000000 +0000
@@ -0,0 +1,123 @@
+--- a/dnsdist-web.cc
++++ b/dnsdist-web.cc
+@@ -79,13 +79,28 @@ static void apiSaveACL(const NetmaskGroup& nmg)
+ apiWriteConfigFile("acl", content);
+ }
+
+-static bool compareAuthorization(YaHTTP::Request& req, const string &expected_password, const string& expectedApiKey)
++static bool checkAPIKey(const YaHTTP::Request& req, const string& expectedApiKey)
+ {
+- // validate password
+- YaHTTP::strstr_map_t::iterator header = req.headers.find("authorization");
+- bool auth_ok = false;
+- if (header != req.headers.end() && toLower(header->second).find("basic ") == 0) {
+- string cookie = header->second.substr(6);
++ if (expectedApiKey.empty()) {
++ return false;
++ }
++
++ const auto header = req.headers.find("x-api-key");
++ if (header != req.headers.end()) {
++ return (header->second == expectedApiKey);
++ }
++
++ return false;
++}
++
++static bool checkWebPassword(const YaHTTP::Request& req, const string &expected_password)
++{
++ static const char basicStr[] = "basic ";
++
++ const auto header = req.headers.find("authorization");
++
++ if (header != req.headers.end() && toLower(header->second).find(basicStr) == 0) {
++ string cookie = header->second.substr(sizeof(basicStr) - 1);
+
+ string plain;
+ B64Decode(cookie, plain);
+@@ -93,24 +108,46 @@ static bool compareAuthorization(YaHTTP::Request& req, const string &expected_pa
+ vector<string> cparts;
+ stringtok(cparts, plain, ":");
+
+- // this gets rid of terminating zeros
+- auth_ok = (cparts.size()==2 && (0==strcmp(cparts[1].c_str(), expected_password.c_str())));
++ if (cparts.size() == 2) {
++ return cparts[1] == expected_password;
++ }
+ }
+- if (!auth_ok && !expectedApiKey.empty()) {
+- /* if this is a request for the API,
+- check if the API key is correct */
+- if (req.url.path=="/jsonstat" ||
+- req.url.path=="/api/v1/servers/localhost" ||
+- req.url.path=="/api/v1/servers/localhost/config" ||
+- req.url.path=="/api/v1/servers/localhost/config/allow-from" ||
+- req.url.path=="/api/v1/servers/localhost/statistics") {
+- header = req.headers.find("x-api-key");
+- if (header != req.headers.end()) {
+- auth_ok = (0==strcmp(header->second.c_str(), expectedApiKey.c_str()));
+- }
++
++ return false;
++}
++
++static bool isAnAPIRequest(const YaHTTP::Request& req)
++{
++ return req.url.path.find("/api/") == 0;
++}
++
++static bool isAnAPIRequestAllowedWithWebAuth(const YaHTTP::Request& req)
++{
++ return req.url.path == "/api/v1/servers/localhost";
++}
++
++static bool isAStatsRequest(const YaHTTP::Request& req)
++{
++ return req.url.path == "/jsonstat";
++}
++
++static bool compareAuthorization(const YaHTTP::Request& req, const string &expected_password, const string& expectedApiKey)
++{
++ if (isAnAPIRequest(req)) {
++ /* Access to the API requires a valid API key */
++ if (checkAPIKey(req, expectedApiKey)) {
++ return true;
+ }
++
++ return isAnAPIRequestAllowedWithWebAuth(req) && checkWebPassword(req, expected_password);
++ }
++
++ if (isAStatsRequest(req)) {
++ /* Access to the stats is allowed for both API and Web users */
++ return checkAPIKey(req, expectedApiKey) || checkWebPassword(req, expected_password);
+ }
+- return auth_ok;
++
++ return checkWebPassword(req, expected_password);
+ }
+
+ static bool isMethodAllowed(const YaHTTP::Request& req)
+@@ -126,9 +163,9 @@ static bool isMethodAllowed(const YaHTTP::Request& req)
+ return false;
+ }
+
+-static void handleCORS(YaHTTP::Request& req, YaHTTP::Response& resp)
++static void handleCORS(const YaHTTP::Request& req, YaHTTP::Response& resp)
+ {
+- YaHTTP::strstr_map_t::iterator origin = req.headers.find("Origin");
++ const auto origin = req.headers.find("Origin");
+ if (origin != req.headers.end()) {
+ if (req.method == "OPTIONS") {
+ /* Pre-flight request */
+@@ -142,7 +179,10 @@ static void handleCORS(YaHTTP::Request& req, YaHTTP::Response& resp)
+ }
+
+ resp.headers["Access-Control-Allow-Origin"] = origin->second;
+- resp.headers["Access-Control-Allow-Credentials"] = "true";
++
++ if (isAStatsRequest(req) || isAnAPIRequestAllowedWithWebAuth(req)) {
++ resp.headers["Access-Control-Allow-Credentials"] = "true";
++ }
+ }
+ }
+
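Review bot: The two secret checks on the new side, `return (header->second == expectedApiKey);` in checkAPIKey and `return cparts[1] == expected_password;` in checkWebPassword, use std::string equality, which may stop at the first differing byte, so the time taken to reject a request can vary with how much of the supplied value is correct. A comparison whose running time does not depend on where the mismatch sits would be the safer choice for both; a sketch follows (it still reveals the length, and an optimising compiler gives no hard guarantee). Separately, handleCORS still copies any `Origin` into `Access-Control-Allow-Origin` while sending `Access-Control-Allow-Credentials` for /jsonstat and /api/v1/servers/localhost, so those two responses presumably stay readable from any site when the browser holds the Basic credentials. An origin allow-list, or at least a comment stating that this is intended, would help. The body of handleCORS is only partly visible across the last two patch hunks.

```cpp
/* compares every byte of the shorter operand; a length mismatch is folded
   into the result instead of causing an early return */
static bool fixedTimeEquals(const string& supplied, const string& expected)
{
  unsigned char diff = (supplied.size() == expected.size()) ? 0 : 1;
  const size_t len = (supplied.size() < expected.size()) ? supplied.size() : expected.size();
  for (size_t idx = 0; idx < len; idx++) {
    diff |= static_cast<unsigned char>(supplied[idx] ^ expected[idx]);
  }
  return diff == 0;
}

/* … unchanged: checkAPIKey empty-key guard and header lookup … */
    return fixedTimeEquals(header->second, expectedApiKey);

/* … unchanged: checkWebPassword header lookup, B64Decode, stringtok … */
    if (cparts.size() == 2) {
      return fixedTimeEquals(cparts[1], expected_password);
    }
/* … unchanged: path helpers, compareAuthorization, handleCORS … */
```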
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch.asc dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch.asc
--- dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch.asc 1970-01-01 00:00:00.000000000 +0000
+++ dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch.asc 2017-08-22 13:58:05.000000000 +0000
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQFNBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAlmcNNYaHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEYw+Qf3eZKM2q3WXjmX1up/63Nr
+BqjWHCasVxEG30NA+yGMVumuTol84AuO2t7mpZROxIu0SHlcnYNn0ehoSLI7KdJG
+8ZDzJVWKMCW1hScdIPjIu4PEHyjHB+ws5ty8Z92Oz6k/vp4t/LVTwrMDXzBbpfET
+TxujIcIGPJGjZFZoH64TQ5wSM+t4LzvjxdoUCmCMghfa9lPr9pqPoG6hnpU59Xn0
+7dIOYzECDLe/xNTp0dEe+pncAhEprsKPeqSVMwpZWYq7Zk0IK1I/uAiUp7t48EJU
+NsWLovH98eL+dTLKd/j/Zc+sfiG/0sKlQsLygqHy54zc9e2FR2Kz5BKNaYcttbwq
+=B1Fh
+-----END PGP SIGNATURE-----
diff -Nru dnsdist-1.1.0/debian/patches/series dnsdist-1.1.0/debian/patches/series
--- dnsdist-1.1.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ dnsdist-1.1.0/debian/patches/series 2017-08-22 13:58:05.000000000 +0000
@@ -0,0 +1,2 @@
+CVE-2016-7069.patch
+CVE-2017-7557-1.1.0.patch
--- End Message ---