Bug#930875: marked as done (unblock: pdns/4.1.6-3)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 22 Jun 2019 20:39:49 +0200
with message-id <a4fce076-47cd-55d8-8ed8-afd267a0dbc7@debian.org>
and subject line Re: Bug#930875: unblock: pdns/4.1.6-3
has caused the Debian Bug report #930875,
regarding unblock: pdns/4.1.6-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
930875: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930875
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: pdns/4.1.6-3
• From: Chris Hofstaedtler <zeha@debian.org>
• Date: Fri, 21 Jun 2019 21:48:30 +0200
• Message-id: <[🔎] 156114651024.5502.4114498686541612528.reportbug@percival.namespace.at>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team,

Please unblock package pdns 4.1.6-3 which contains fixes for two CVEs:

CVE-2019-10162: Denial of service via crafted zone records
CVE-2019-10163: Denial of service via NOTIFY packets

Please find the debdiff from -2 below.

Thanks,
Chris

unblock pdns/4.1.6-3


diff -Nru pdns-4.1.6/debian/changelog pdns-4.1.6/debian/changelog
--- pdns-4.1.6/debian/changelog	2019-03-31 12:48:59.000000000 +0000
+++ pdns-4.1.6/debian/changelog	2019-06-21 19:07:07.000000000 +0000
@@ -1,3 +1,12 @@
+pdns (4.1.6-3) unstable; urgency=medium
+
+  * Fix Denial of service via crafted zone records (CVE-2019-10162)
+    using patch from upstream.
+  * Fix Denial of service via NOTIFY packets (CVE-2019-10163)
+    using patch from upstream.
+
+ -- Chris Hofstaedtler <zeha@debian.org>  Fri, 21 Jun 2019 19:07:07 +0000
+
 pdns (4.1.6-2) unstable; urgency=high
 
   [ Salvatore Bonaccorso ]
diff -Nru pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch
--- pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch	1970-01-01 00:00:00.000000000 +0000
+++ pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch	2019-06-21 19:07:07.000000000 +0000
@@ -0,0 +1,29 @@
+diff --git pdns-4.1.8/pdns/mastercommunicator.cc pdns-4.1.8-invalidrecords/pdns/mastercommunicator.cc
+index 456957a..ce0355c 100644
+--- pdns-4.1.8/pdns/mastercommunicator.cc
++++ pdns-4.1.8-invalidrecords/pdns/mastercommunicator.cc
+@@ -50,6 +50,7 @@ void CommunicatorClass::queueNotifyDomain(const DomainInfo& di, UeberBackend* B)
+   FindNS fns;
+ 
+ 
++  try {
+   if (d_onlyNotify.size()) {
+     B->lookup(QType(QType::NS), di.zone);
+     while(B->get(rr))
+@@ -77,6 +78,16 @@ void CommunicatorClass::queueNotifyDomain(const DomainInfo& di, UeberBackend* B)
+       hasQueuedItem=true;
+     }
+   }
++  }
++  catch (PDNSException &ae) {
++    L << Logger::Error << "Error looking up name servers for " << di.zone << ", cannot notify: " << ae.reason << endl;
++    return;
++  }
++  catch (std::exception &e) {
++    L << Logger::Error << "Error looking up name servers for " << di.zone << ", cannot notify: " << e.what() << endl;
++    return;
++  }
++
+ 
+   set<string> alsoNotify(d_alsoNotify);
+   B->alsoNotifies(di.zone, &alsoNotify);
diff -Nru pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch.asc pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch.asc
--- pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch.asc	1970-01-01 00:00:00.000000000 +0000
+++ pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch.asc	2019-06-21 19:07:07.000000000 +0000
@@ -0,0 +1,12 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAl0I6mcaHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEZxXgf9G4rXQ3xmE6pPTnwkN+9P
+nrqhjIrbhIS8t2KNVqLjUADhxHOli8lLj84f/fLnJgRabA5mz7iFVhpcHmocJADI
+lldJsjke6qbG+oduP90TsOD0wTWvibdxpoyrQlE0KvZua7geI5nSudEAVFW/SdhQ
+ynWGCgEodG35QkLOYlF19iSkd7x52Hx8MvMUF3YDZU/IjAVIIVmS4ZdaYz32T3ih
+OfpMFcOsu7Lsk8RkecK9Hegkv9ohqXGGcfz8rGsyF0gBGqTOhZ2rPqEj66jG4x++
+wLNPOkFpJYKLW+tkPzj0ra56/zjmOPrWbZWlEORnlmrU9ZS9nYG5gfYJuPNAveCq
+Mw==
+=SR9f
+-----END PGP SIGNATURE-----
diff -Nru pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch
--- pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch	1970-01-01 00:00:00.000000000 +0000
+++ pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch	2019-06-21 19:07:07.000000000 +0000
@@ -0,0 +1,16 @@
+diff --git pdns-4.1.8/pdns/communicator.cc pdns-4.1.8-busyloop/pdns/communicator.cc
+index 7db5a3e..7fd59e4 100644
+--- pdns-4.1.8/pdns/communicator.cc
++++ pdns-4.1.8-busyloop/pdns/communicator.cc
+@@ -136,7 +136,10 @@ void CommunicatorClass::mainloop(void)
+           if (extraSlaveRefresh)
+             slaveRefresh(&P);
+         }
+-        else { 
++        else {
++          // eat up extra posts to avoid busy looping if many posts were done
++          while (d_any_sem.tryWait() == 0) {
++          }
+           break; // something happened
+         }
+         // this gets executed at least once every second
diff -Nru pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch.asc pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch.asc
--- pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch.asc	1970-01-01 00:00:00.000000000 +0000
+++ pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch.asc	2019-06-21 19:07:07.000000000 +0000
@@ -0,0 +1,12 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAl0I6mcaHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEZbcQf/XTC6bDxmwt4tEXXN6hXQ
++ArS6zRED2pbxCAipxvHtbj9xqhk343aNfrG4Y8kl32AmJuP76yGfNrFeiNtPWgA
+3zcuLxuyaCs/M7zMOtuYxcz6IhHBfZPZ+MixWSeJqsD5zV9kQT7LjvJR7ZeO87R5
+CBTz6vX4WzH0FW7aQnt3paYc0Rxn8H1LJQ8ytQCIch1kc2Xbn+qcW9velwP/hTPu
+iCgEHx4ntaQj4ohS2Ntd0CQa3NMKUyI17FybLfebUyNywWnh8NVU4hevgGOG3pCu
+oE7qe8+kms49hQiQPEGf5rst+MjVOrGwkiX7ydsT4udfHsH+F2Xb/qU1Tn20UjV4
+Bg==
+=bJOa
+-----END PGP SIGNATURE-----
diff -Nru pdns-4.1.6/debian/patches/series pdns-4.1.6/debian/patches/series
--- pdns-4.1.6/debian/patches/series	2019-03-31 12:48:59.000000000 +0000
+++ pdns-4.1.6/debian/patches/series	2019-06-21 19:07:07.000000000 +0000
@@ -1 +1,3 @@
 CVE-2019-3871-auth-4.1.6.patch
+CVE-2019-10162-4.1.8-invalidrecords.patch
+CVE-2019-10163-4.1.8-busyloop.patch

--- End Message ---

--- Begin Message ---

• To: Chris Hofstaedtler <zeha@debian.org>, 930875-done@bugs.debian.org
• Subject: Re: Bug#930875: unblock: pdns/4.1.6-3
• From: Paul Gevers <elbrus@debian.org>
• Date: Sat, 22 Jun 2019 20:39:49 +0200
• Message-id: <a4fce076-47cd-55d8-8ed8-afd267a0dbc7@debian.org>
• In-reply-to: <[🔎] 156114651024.5502.4114498686541612528.reportbug@percival.namespace.at>
• References: <[🔎] 156114651024.5502.4114498686541612528.reportbug@percival.namespace.at>

Hi Chris,

On 21-06-2019 21:48, Chris Hofstaedtler wrote:
> unblock pdns/4.1.6-3

Unblocked, thanks.

Paul

Attachment: signature.asc
Description: OpenPGP digital signature

--- End Message ---