From 45f416a78297e2ec5effdb2a3d056c5065b7c5ab Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 28 2020 08:50:17 +0000 Subject: import unbound-1.7.3-10.el8 --- diff --git a/SOURCES/unbound-1.7.3-ipsec-hook.patch b/SOURCES/unbound-1.7.3-ipsec-hook.patch new file mode 100644 index 0000000..30fea5d --- /dev/null +++ b/SOURCES/unbound-1.7.3-ipsec-hook.patch @@ -0,0 +1,218 @@ +diff --git a/ipsecmod/ipsecmod.c b/ipsecmod/ipsecmod.c +index c8400c6..9e916d6 100644 +--- a/ipsecmod/ipsecmod.c ++++ b/ipsecmod/ipsecmod.c +@@ -162,6 +162,71 @@ generate_request(struct module_qstate* qstate, int id, uint8_t* name, + } + + /** ++ * Check if the string passed is a valid domain name with safe characters to ++ * pass to a shell. ++ * This will only allow: ++ * - digits ++ * - alphas ++ * - hyphen (not at the start) ++ * - dot (not at the start, or the only character) ++ * - underscore ++ * @param s: pointer to the string. ++ * @param slen: string's length. ++ * @return true if s only contains safe characters; false otherwise. ++ */ ++static int ++domainname_has_safe_characters(char* s, size_t slen) { ++ size_t i; ++ for(i = 0; i < slen; i++) { ++ if(s[i] == '\0') return 1; ++ if((s[i] == '-' && i != 0) ++ || (s[i] == '.' && (i != 0 || s[1] == '\0')) ++ || (s[i] == '_') || (s[i] >= '0' && s[i] <= '9') ++ || (s[i] >= 'A' && s[i] <= 'Z') ++ || (s[i] >= 'a' && s[i] <= 'z')) { ++ continue; ++ } ++ return 0; ++ } ++ return 1; ++} ++ ++/** ++ * Check if the stringified IPSECKEY RDATA contains safe characters to pass to ++ * a shell. ++ * This is only relevant for checking the gateway when the gateway type is 3 ++ * (domainname). ++ * @param s: pointer to the string. ++ * @param slen: string's length. ++ * @return true if s contains only safe characters; false otherwise. ++ */ ++static int ++ipseckey_has_safe_characters(char* s, size_t slen) { ++ int precedence, gateway_type, algorithm; ++ char* gateway; ++ gateway = (char*)calloc(slen, sizeof(char)); ++ if(!gateway) { ++ log_err("ipsecmod: out of memory when calling the hook"); ++ return 0; ++ } ++ if(sscanf(s, "%d %d %d %s ", ++ &precedence, &gateway_type, &algorithm, gateway) != 4) { ++ free(gateway); ++ return 0; ++ } ++ if(gateway_type != 3) { ++ free(gateway); ++ return 1; ++ } ++ if(domainname_has_safe_characters(gateway, slen)) { ++ free(gateway); ++ return 1; ++ } ++ free(gateway); ++ return 0; ++} ++ ++/** + * Prepare the data and call the hook. + * + * @param qstate: query state. +@@ -175,7 +240,7 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq, + { + size_t slen, tempdata_len, tempstring_len, i; + char str[65535], *s, *tempstring; +- int w; ++ int w = 0, w_temp, qtype; + struct ub_packed_rrset_key* rrset_key; + struct packed_rrset_data* rrset_data; + uint8_t *tempdata; +@@ -192,9 +257,9 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq, + memset(s, 0, slen); + + /* Copy the hook into the buffer. */ +- sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook); ++ w += sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook); + /* Put space into the buffer. */ +- sldns_str_print(&s, &slen, " "); ++ w += sldns_str_print(&s, &slen, " "); + /* Copy the qname into the buffer. */ + tempstring = sldns_wire2str_dname(qstate->qinfo.qname, + qstate->qinfo.qname_len); +@@ -202,68 +267,96 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq, + log_err("ipsecmod: out of memory when calling the hook"); + return 0; + } +- sldns_str_print(&s, &slen, "\"%s\"", tempstring); ++ if(!domainname_has_safe_characters(tempstring, strlen(tempstring))) { ++ log_err("ipsecmod: qname has unsafe characters"); ++ free(tempstring); ++ return 0; ++ } ++ w += sldns_str_print(&s, &slen, "\"%s\"", tempstring); + free(tempstring); + /* Put space into the buffer. */ +- sldns_str_print(&s, &slen, " "); ++ w += sldns_str_print(&s, &slen, " "); + /* Copy the IPSECKEY TTL into the buffer. */ + rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data; +- sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl); ++ w += sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl); + /* Put space into the buffer. */ +- sldns_str_print(&s, &slen, " "); +- /* Copy the A/AAAA record(s) into the buffer. Start and end this section +- * with a double quote. */ ++ w += sldns_str_print(&s, &slen, " "); + rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo, + qstate->return_msg->rep); ++ /* Double check that the records are indeed A/AAAA. ++ * This should never happen as this function is only executed for A/AAAA ++ * queries but make sure we don't pass anything other than A/AAAA to the ++ * shell. */ ++ qtype = ntohs(rrset_key->rk.type); ++ if(qtype != LDNS_RR_TYPE_AAAA && qtype != LDNS_RR_TYPE_A) { ++ log_err("ipsecmod: Answer is not of A or AAAA type"); ++ return 0; ++ } + rrset_data = (struct packed_rrset_data*)rrset_key->entry.data; +- sldns_str_print(&s, &slen, "\""); ++ /* Copy the A/AAAA record(s) into the buffer. Start and end this section ++ * with a double quote. */ ++ w += sldns_str_print(&s, &slen, "\""); + for(i=0; icount; i++) { + if(i > 0) { + /* Put space into the buffer. */ +- sldns_str_print(&s, &slen, " "); ++ w += sldns_str_print(&s, &slen, " "); + } + /* Ignore the first two bytes, they are the rr_data len. */ +- w = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2, ++ w_temp = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2, + rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype); +- if(w < 0) { ++ if(w_temp < 0) { + /* Error in printout. */ +- return -1; +- } else if((size_t)w >= slen) { ++ log_err("ipsecmod: Error in printing IP address"); ++ return 0; ++ } else if((size_t)w_temp >= slen) { + s = NULL; /* We do not want str to point outside of buffer. */ + slen = 0; +- return -1; ++ log_err("ipsecmod: shell command too long"); ++ return 0; + } else { +- s += w; +- slen -= w; ++ s += w_temp; ++ slen -= w_temp; ++ w += w_temp; + } + } +- sldns_str_print(&s, &slen, "\""); ++ w += sldns_str_print(&s, &slen, "\""); + /* Put space into the buffer. */ +- sldns_str_print(&s, &slen, " "); ++ w += sldns_str_print(&s, &slen, " "); + /* Copy the IPSECKEY record(s) into the buffer. Start and end this section + * with a double quote. */ +- sldns_str_print(&s, &slen, "\""); ++ w += sldns_str_print(&s, &slen, "\""); + rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data; + for(i=0; icount; i++) { + if(i > 0) { + /* Put space into the buffer. */ +- sldns_str_print(&s, &slen, " "); ++ w += sldns_str_print(&s, &slen, " "); + } + /* Ignore the first two bytes, they are the rr_data len. */ + tempdata = rrset_data->rr_data[i] + 2; + tempdata_len = rrset_data->rr_len[i] - 2; + /* Save the buffer pointers. */ + tempstring = s; tempstring_len = slen; +- w = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, &slen, +- NULL, 0); ++ w_temp = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, ++ &slen, NULL, 0); + /* There was an error when parsing the IPSECKEY; reset the buffer + * pointers to their previous values. */ +- if(w == -1){ ++ if(w_temp == -1) { + s = tempstring; slen = tempstring_len; ++ } else if(w_temp > 0) { ++ if(!ipseckey_has_safe_characters( ++ tempstring, tempstring_len - slen)) { ++ log_err("ipsecmod: ipseckey has unsafe characters"); ++ return 0; ++ } ++ w += w_temp; + } + } +- sldns_str_print(&s, &slen, "\""); +- verbose(VERB_ALGO, "ipsecmod: hook command: '%s'", str); ++ w += sldns_str_print(&s, &slen, "\""); ++ if(w >= (int)sizeof(str)) { ++ log_err("ipsecmod: shell command too long"); ++ return 0; ++ } ++ verbose(VERB_ALGO, "ipsecmod: shell command: '%s'", str); + /* ipsecmod-hook should return 0 on success. */ + if(system(str) != 0) + return 0; diff --git a/SOURCES/unbound-1.7.3-use-basic-lock.patch b/SOURCES/unbound-1.7.3-use-basic-lock.patch new file mode 100644 index 0000000..d933bec --- /dev/null +++ b/SOURCES/unbound-1.7.3-use-basic-lock.patch @@ -0,0 +1,109 @@ +diff --git a/util/log.c b/util/log.c +index 75a58f9..43dd572 100644 +--- a/util/log.c ++++ b/util/log.c +@@ -70,7 +70,7 @@ static int key_created = 0; + static ub_thread_key_type logkey; + #ifndef THREADS_DISABLED + /** pthread mutex to protect FILE* */ +-static lock_quick_type log_lock; ++static lock_basic_type log_lock; + #endif + /** the identity of this executable/process */ + static const char* ident="unbound"; +@@ -90,18 +90,18 @@ log_init(const char* filename, int use_syslog, const char* chrootdir) + if(!key_created) { + key_created = 1; + ub_thread_key_create(&logkey, NULL); +- lock_quick_init(&log_lock); ++ lock_basic_init(&log_lock); + } +- lock_quick_lock(&log_lock); ++ lock_basic_lock(&log_lock); + if(logfile + #if defined(HAVE_SYSLOG_H) || defined(UB_ON_WINDOWS) + || logging_to_syslog + #endif + ) { +- lock_quick_unlock(&log_lock); /* verbose() needs the lock */ ++ lock_basic_unlock(&log_lock); /* verbose() needs the lock */ + verbose(VERB_QUERY, "switching log to %s", + use_syslog?"syslog":(filename&&filename[0]?filename:"stderr")); +- lock_quick_lock(&log_lock); ++ lock_basic_lock(&log_lock); + } + if(logfile && logfile != stderr) { + FILE* cl = logfile; +@@ -119,7 +119,7 @@ log_init(const char* filename, int use_syslog, const char* chrootdir) + * chroot and no longer be able to access dev/log and so on */ + openlog(ident, LOG_NDELAY, LOG_DAEMON); + logging_to_syslog = 1; +- lock_quick_unlock(&log_lock); ++ lock_basic_unlock(&log_lock); + return; + } + #elif defined(UB_ON_WINDOWS) +@@ -128,13 +128,13 @@ log_init(const char* filename, int use_syslog, const char* chrootdir) + } + if(use_syslog) { + logging_to_syslog = 1; +- lock_quick_unlock(&log_lock); ++ lock_basic_unlock(&log_lock); + return; + } + #endif /* HAVE_SYSLOG_H */ + if(!filename || !filename[0]) { + logfile = stderr; +- lock_quick_unlock(&log_lock); ++ lock_basic_unlock(&log_lock); + return; + } + /* open the file for logging */ +@@ -143,7 +143,7 @@ log_init(const char* filename, int use_syslog, const char* chrootdir) + filename += strlen(chrootdir); + f = fopen(filename, "a"); + if(!f) { +- lock_quick_unlock(&log_lock); ++ lock_basic_unlock(&log_lock); + log_err("Could not open logfile %s: %s", filename, + strerror(errno)); + return; +@@ -153,14 +153,14 @@ log_init(const char* filename, int use_syslog, const char* chrootdir) + setvbuf(f, NULL, (int)_IOLBF, 0); + #endif + logfile = f; +- lock_quick_unlock(&log_lock); ++ lock_basic_unlock(&log_lock); + } + + void log_file(FILE *f) + { +- lock_quick_lock(&log_lock); ++ lock_basic_lock(&log_lock); + logfile = f; +- lock_quick_unlock(&log_lock); ++ lock_basic_unlock(&log_lock); + } + + void log_thread_set(int* num) +@@ -250,9 +250,9 @@ log_vmsg(int pri, const char* type, + return; + } + #endif /* HAVE_SYSLOG_H */ +- lock_quick_lock(&log_lock); ++ lock_basic_lock(&log_lock); + if(!logfile) { +- lock_quick_unlock(&log_lock); ++ lock_basic_unlock(&log_lock); + return; + } + if(log_now) +@@ -279,7 +279,7 @@ log_vmsg(int pri, const char* type, + /* line buffering does not work on windows */ + fflush(logfile); + #endif +- lock_quick_unlock(&log_lock); ++ lock_basic_unlock(&log_lock); + } + + /** diff --git a/SPECS/unbound.spec b/SPECS/unbound.spec index df2b743..351185a 100644 --- a/SPECS/unbound.spec +++ b/SPECS/unbound.spec @@ -34,7 +34,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.7.3 -Release: 8%{?extra_version:.%{extra_version}}%{?dist} +Release: 10%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://www.unbound.net/ Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz @@ -59,6 +59,8 @@ Patch2: unbound-1.7.2-python3-devel.patch Patch3: unbound-1.7.2-python3-pkgconfig.patch Patch4: unbound-1.7.3-anchor-fallback.patch Patch5: unbound-1.7.3-host-any.patch +Patch6: unbound-1.7.3-use-basic-lock.patch +Patch7: unbound-1.7.3-ipsec-hook.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel @@ -158,6 +160,8 @@ pushd %{pkgname} %patch3 -p1 -b .python3 %patch4 -p1 -b .anchor-fallback %patch5 -p1 -b .host-any +%patch6 -p1 -b .use-basic-lock +%patch7 -p1 -b .ipsec-hook # only for snapshots # autoreconf -iv @@ -429,6 +433,13 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Tue Dec 10 2019 Tomas Korbar - 1.7.3-10 +- Secure ipsec mode (#1772061) +- CVE-2019-18934 + +* Tue Dec 10 2019 Tomas Korbar - 1.7.3-9 +- Use pthread_mutex_t locks when dealing with I/O operations (#1775708) + * Tue Jul 31 2018 Petr Menšík - 1.7.3-8 - Release memory in unbound-host