Bug#882960: jessie-pu: package pdns-recursor/3.6.2-2+deb8u4
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Security update using upstream patch for CVE-2017-15093.
DSA has marked this non-DSA but suggested fixing this
through an (old)stable update.
debdiff attached.
Thanks,
Chris
diff -Nru pdns-recursor-3.6.2/debian/changelog pdns-recursor-3.6.2/debian/changelog
--- pdns-recursor-3.6.2/debian/changelog 2017-01-07 00:45:53.000000000 +0000
+++ pdns-recursor-3.6.2/debian/changelog 2017-11-27 21:26:46.000000000 +0000
@@ -1,3 +1,10 @@
+pdns-recursor (3.6.2-2+deb8u4) jessie; urgency=medium
+
+ * Add upstream patch fixing security issue:
+ * Configuration file injection in the API. CVE-2017-15093
+
+ -- Christian Hofstaedtler <zeha@debian.org> Mon, 27 Nov 2017 21:26:46 +0000
+
pdns-recursor (3.6.2-2+deb8u3) jessie-security; urgency=high
* Security upload.
diff -Nru pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch
--- pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch 1970-01-01 00:00:00.000000000 +0000
+++ pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch 2017-11-27 21:26:46.000000000 +0000
@@ -0,0 +1,48 @@
+diff -ru pdns-recursor-3.7.4.orig/ws-recursor.cc pdns-recursor-3.7.4/ws-recursor.cc
+--- pdns-recursor-3.7.4.orig/ws-recursor.cc 2017-01-13 12:03:03.000000000 +0100
++++ pdns-recursor-3.7.4/ws-recursor.cc 2017-11-02 18:10:54.764426426 +0100
+@@ -79,10 +79,11 @@
+ throw ApiException("'value' must be an array");
+ }
+
++ NetmaskGroup nmg;
+ for (SizeType i = 0; i < jlist.Size(); ++i) {
+ try {
+- Netmask(jlist[i].GetString());
+- } catch (NetmaskException &e) {
++ nmg.addMask(jlist[i].GetString());
++ } catch (const NetmaskException &e) {
+ throw ApiException(e.reason);
+ }
+ }
+@@ -94,9 +95,7 @@
+
+ // Clear allow-from, and provide a "parent" value
+ ss << "allow-from=" << endl;
+- for (SizeType i = 0; i < jlist.Size(); ++i) {
+- ss << "allow-from+=" << jlist[i].GetString() << endl;
+- }
++ ss << "allow-from+=" << nmg.toString() << endl;
+
+ apiWriteConfigFile("allow-from", ss.str());
+
+@@ -233,10 +232,16 @@
+ string serverlist;
+ if (servers.IsArray()) {
+ for (SizeType i = 0; i < servers.Size(); ++i) {
+- if (!serverlist.empty()) {
+- serverlist += ";";
++ string server = servers[i].GetString();
++ try {
++ ComboAddress ca = parseIPAndPort(server, 53);
++ if (!serverlist.empty()) {
++ serverlist += ";";
++ }
++ serverlist += ca.toStringWithPort();
++ } catch (const PDNSException &e) {
++ throw ApiException(e.reason);
+ }
+- serverlist += servers[i].GetString();
+ }
+ }
+
diff -Nru pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch.asc pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch.asc
--- pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch.asc 1970-01-01 00:00:00.000000000 +0000
+++ pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch.asc 2017-11-27 21:26:46.000000000 +0000
@@ -0,0 +1,12 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAloStJ8aHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEaoHgf/dAebO/MSvtvymt0pz0Kb
+lMvmkv6INpsh7bssVyY8v9HAMtkVRBSNAEiGjAJbLaDxsfgr0a+vGCd0C2v7sDXl
+8rZHuMlNpvxU0/i6O9k4AY9T7/G+Go567xbIK1PcZhZ+ixNaP7sms9a9ooISb4/R
++1wBz3D8TXUbWQsHkxX2GE6oihhqRdhvbOWpQ7aPNglE/wI4Eb5V2bIapM3M/o8N
+jFPm2kDZvNrcEMIW60vHdujrJMY85KiMGO9LMV9LCDj0nSO6jRTGI+2CteT2jnUq
+7w4L22ODxT1g5sIH/60swoHbIJ5zXWXDcxM3jPgh5kYIa7gvZoC6v1udsMyOYFu6
+Lw==
+=Y7Eg
+-----END PGP SIGNATURE-----
diff -Nru pdns-recursor-3.6.2/debian/patches/series pdns-recursor-3.6.2/debian/patches/series
--- pdns-recursor-3.6.2/debian/patches/series 2017-01-07 00:45:53.000000000 +0000
+++ pdns-recursor-3.6.2/debian/patches/series 2017-11-27 21:26:46.000000000 +0000
@@ -1,3 +1,4 @@
CVE-2015-1868.patch
CVE-2015-1868-2.patch
CVE-2016-7068.patch
+CVE-2017-15093-3.7.4.patch
Reply to: