[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#872928: marked as done (stretch-pu: package dnsdist/1.1.0-2+deb9u1)

Your message dated Sat, 07 Oct 2017 11:33:55 +0100
with message-id <1507372435.18586.64.camel@adam-barratt.org.uk>
and subject line Closing bugs for 9.2 point release
has caused the Debian Bug report #872928,
regarding stretch-pu: package dnsdist/1.1.0-2+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
872928: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872928
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

this update fixes low-severity CVEs CVE-2016-7069, CVE-2017-7557,
purely based on version-targetted patches from upstream.

Thanks,
Chris

diff -Nru dnsdist-1.1.0/debian/changelog dnsdist-1.1.0/debian/changelog
--- dnsdist-1.1.0/debian/changelog	2016-12-31 15:50:47.000000000 +0000
+++ dnsdist-1.1.0/debian/changelog	2017-08-22 13:58:05.000000000 +0000
@@ -1,3 +1,10 @@
+dnsdist (1.1.0-2+deb9u1) stretch; urgency=medium
+
+  * Fix CVE-2016-7069, CVE-2017-7557 using patches from upstream
+    (Closes: #872854)
+
+ -- Christian Hofstaedtler <zeha@debian.org>  Tue, 22 Aug 2017 13:58:05 +0000
+
 dnsdist (1.1.0-2) unstable; urgency=medium
 
   * Bump debhelper compat to 10 for systemd support.
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch
--- dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch	1970-01-01 00:00:00.000000000 +0000
+++ dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch	2017-08-22 13:58:05.000000000 +0000
@@ -0,0 +1,37 @@
+--- a/dnsdist-ecs.cc
++++ b/dnsdist-ecs.cc
+@@ -392,26 +392,29 @@ void handleEDNSClientSubnet(char* const packet, const size_t packetSize, const u
+ static int removeEDNSOptionFromOptions(unsigned char* optionsStart, const uint16_t optionsLen, const uint16_t optionCodeToRemove, uint16_t* newOptionsLen)
+ {
+   unsigned char* p = optionsStart;
+-  const unsigned char* end = p + optionsLen;
+-  while ((p + 4) <= end) {
++  size_t pos = 0;
++  while ((pos + 4) <= optionsLen) {
+     unsigned char* optionBegin = p;
+     const uint16_t optionCode = 0x100*p[0] + p[1];
+     p += sizeof(optionCode);
++    pos += sizeof(optionCode);
+     const uint16_t optionLen = 0x100*p[0] + p[1];
+     p += sizeof(optionLen);
+-    if ((p + optionLen) > end) {
++    pos += sizeof(optionLen);
++    if ((pos + optionLen) > optionsLen) {
+       return EINVAL;
+     }
+     if (optionCode == optionCodeToRemove) {
+-      if (p + optionLen < end) {
++      if (pos + optionLen < optionsLen) {
+         /* move remaining options over the removed one,
+            if any */
+-        memmove(optionBegin, p + optionLen, end - (p + optionLen));
++        memmove(optionBegin, p + optionLen, optionsLen - (pos + optionLen));
+       }
+       *newOptionsLen = optionsLen - (sizeof(optionCode) + sizeof(optionLen) + optionLen);
+       return 0;
+     }
+     p += optionLen;
++    pos += optionLen;
+   }
+   return ENOENT;
+ }
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc
--- dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc	1970-01-01 00:00:00.000000000 +0000
+++ dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc	2017-08-22 13:58:05.000000000 +0000
@@ -0,0 +1,12 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAlmcNN0aHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEZjugf9FqmZzPzql6A8yvqix4lj
+/dXYIuuoIqt2NKIZlKkf4QsMO9fhF+AC6WkPessodAExkyB4IdxrmneumWvVNRpO
+beXT+2l6COKjvDkmYvc+5qKDUPEYHxvh6G1dBFDSGvn5AH5uZI2xXko7R3NdA2m+
+hThY37mkDSsiHrqWGNjj6/DoWIJFeU7gRg2aHkos68JiNdIhai6LMYerwecu4v1b
+6Y5xG6hI85Ofn25xKbXNBjAlj1vYJS8/nMYqqWdxD+eIFKX9FkClwE9IkOdqmyRv
+K0vceChANzLvnIzIcYm81AgKTKqPAoQMQP/0L+IG4hSwVTytHLeajsbQ/XRFDUUW
+Gg==
+=+FBw
+-----END PGP SIGNATURE-----
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch
--- dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch	1970-01-01 00:00:00.000000000 +0000
+++ dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch	2017-08-22 13:58:05.000000000 +0000
@@ -0,0 +1,123 @@
+--- a/dnsdist-web.cc
++++ b/dnsdist-web.cc
+@@ -79,13 +79,28 @@ static void apiSaveACL(const NetmaskGroup& nmg)
+   apiWriteConfigFile("acl", content);
+ }
+ 
+-static bool compareAuthorization(YaHTTP::Request& req, const string &expected_password, const string& expectedApiKey)
++static bool checkAPIKey(const YaHTTP::Request& req, const string& expectedApiKey)
+ {
+-  // validate password
+-  YaHTTP::strstr_map_t::iterator header = req.headers.find("authorization");
+-  bool auth_ok = false;
+-  if (header != req.headers.end() && toLower(header->second).find("basic ") == 0) {
+-    string cookie = header->second.substr(6);
++  if (expectedApiKey.empty()) {
++    return false;
++  }
++
++  const auto header = req.headers.find("x-api-key");
++  if (header != req.headers.end()) {
++    return (header->second == expectedApiKey);
++  }
++
++  return false;
++}
++
++static bool checkWebPassword(const YaHTTP::Request& req, const string &expected_password)
++{
++  static const char basicStr[] = "basic ";
++
++  const auto header = req.headers.find("authorization");
++
++  if (header != req.headers.end() && toLower(header->second).find(basicStr) == 0) {
++    string cookie = header->second.substr(sizeof(basicStr) - 1);
+ 
+     string plain;
+     B64Decode(cookie, plain);
+@@ -93,24 +108,46 @@ static bool compareAuthorization(YaHTTP::Request& req, const string &expected_pa
+     vector<string> cparts;
+     stringtok(cparts, plain, ":");
+ 
+-    // this gets rid of terminating zeros
+-    auth_ok = (cparts.size()==2 && (0==strcmp(cparts[1].c_str(), expected_password.c_str())));
++    if (cparts.size() == 2) {
++      return cparts[1] == expected_password;
++    }
+   }
+-  if (!auth_ok && !expectedApiKey.empty()) {
+-    /* if this is a request for the API,
+-       check if the API key is correct */
+-    if (req.url.path=="/jsonstat" ||
+-        req.url.path=="/api/v1/servers/localhost" ||
+-        req.url.path=="/api/v1/servers/localhost/config" ||
+-        req.url.path=="/api/v1/servers/localhost/config/allow-from" ||
+-        req.url.path=="/api/v1/servers/localhost/statistics") {
+-      header = req.headers.find("x-api-key");
+-      if (header != req.headers.end()) {
+-        auth_ok = (0==strcmp(header->second.c_str(), expectedApiKey.c_str()));
+-      }
++
++  return false;
++}
++
++static bool isAnAPIRequest(const YaHTTP::Request& req)
++{
++  return req.url.path.find("/api/") == 0;
++}
++
++static bool isAnAPIRequestAllowedWithWebAuth(const YaHTTP::Request& req)
++{
++  return req.url.path == "/api/v1/servers/localhost";
++}
++
++static bool isAStatsRequest(const YaHTTP::Request& req)
++{
++  return req.url.path == "/jsonstat";
++}
++
++static bool compareAuthorization(const YaHTTP::Request& req, const string &expected_password, const string& expectedApiKey)
++{
++  if (isAnAPIRequest(req)) {
++    /* Access to the API requires a valid API key */
++    if (checkAPIKey(req, expectedApiKey)) {
++      return true;
+     }
++
++    return isAnAPIRequestAllowedWithWebAuth(req) && checkWebPassword(req, expected_password);
++  }
++
++  if (isAStatsRequest(req)) {
++    /* Access to the stats is allowed for both API and Web users */
++    return checkAPIKey(req, expectedApiKey) || checkWebPassword(req, expected_password);
+   }
+-  return auth_ok;
++
++  return checkWebPassword(req, expected_password);
+ }
+ 
+ static bool isMethodAllowed(const YaHTTP::Request& req)
+@@ -126,9 +163,9 @@ static bool isMethodAllowed(const YaHTTP::Request& req)
+   return false;
+ }
+ 
+-static void handleCORS(YaHTTP::Request& req, YaHTTP::Response& resp)
++static void handleCORS(const YaHTTP::Request& req, YaHTTP::Response& resp)
+ {
+-  YaHTTP::strstr_map_t::iterator origin = req.headers.find("Origin");
++  const auto origin = req.headers.find("Origin");
+   if (origin != req.headers.end()) {
+     if (req.method == "OPTIONS") {
+       /* Pre-flight request */
+@@ -142,7 +179,10 @@ static void handleCORS(YaHTTP::Request& req, YaHTTP::Response& resp)
+     }
+ 
+     resp.headers["Access-Control-Allow-Origin"] = origin->second;
+-    resp.headers["Access-Control-Allow-Credentials"] = "true";
++
++    if (isAStatsRequest(req) || isAnAPIRequestAllowedWithWebAuth(req)) {
++      resp.headers["Access-Control-Allow-Credentials"] = "true";
++    }
+   }
+ }
+ 
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch.asc dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch.asc
--- dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch.asc	1970-01-01 00:00:00.000000000 +0000
+++ dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch.asc	2017-08-22 13:58:05.000000000 +0000
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQFNBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAlmcNNYaHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEYw+Qf3eZKM2q3WXjmX1up/63Nr
+BqjWHCasVxEG30NA+yGMVumuTol84AuO2t7mpZROxIu0SHlcnYNn0ehoSLI7KdJG
+8ZDzJVWKMCW1hScdIPjIu4PEHyjHB+ws5ty8Z92Oz6k/vp4t/LVTwrMDXzBbpfET
+TxujIcIGPJGjZFZoH64TQ5wSM+t4LzvjxdoUCmCMghfa9lPr9pqPoG6hnpU59Xn0
+7dIOYzECDLe/xNTp0dEe+pncAhEprsKPeqSVMwpZWYq7Zk0IK1I/uAiUp7t48EJU
+NsWLovH98eL+dTLKd/j/Zc+sfiG/0sKlQsLygqHy54zc9e2FR2Kz5BKNaYcttbwq
+=B1Fh
+-----END PGP SIGNATURE-----
diff -Nru dnsdist-1.1.0/debian/patches/series dnsdist-1.1.0/debian/patches/series
--- dnsdist-1.1.0/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
+++ dnsdist-1.1.0/debian/patches/series	2017-08-22 13:58:05.000000000 +0000
@@ -0,0 +1,2 @@
+CVE-2016-7069.patch
+CVE-2017-7557-1.1.0.patch

--- End Message ---
--- Begin Message --- 
Version: 9.2

Hi.

The updates referenced by each of these bugs was included in today's
point release of stretch.

Regards,

Adam

--- End Message ---
Reply to: