Date: Sunday, April 12, 2020 @ 07:56:44 Author: eworm Revision: 380219
upgpkg: dnsmasq 2.81-1 new upstream release Modified: dnsmasq/trunk/PKGBUILD Deleted: dnsmasq/trunk/0001-DNSSEC-fix-for-wildcard-NSEC-records.patch dnsmasq/trunk/nettle-3.5.patch -------------------------------------------------+ 0001-DNSSEC-fix-for-wildcard-NSEC-records.patch | 203 ---------------------- PKGBUILD | 21 -- nettle-3.5.patch | 20 -- 3 files changed, 6 insertions(+), 238 deletions(-) Deleted: 0001-DNSSEC-fix-for-wildcard-NSEC-records.patch =================================================================== --- 0001-DNSSEC-fix-for-wildcard-NSEC-records.patch 2020-04-11 21:59:44 UTC (rev 380218) +++ 0001-DNSSEC-fix-for-wildcard-NSEC-records.patch 2020-04-12 07:56:44 UTC (rev 380219) @@ -1,203 +0,0 @@ -From 4fe6744a220eddd3f1749b40cac3dfc510787de6 Mon Sep 17 00:00:00 2001 -From: Simon Kelley <[email protected]> -Date: Fri, 19 Jan 2018 12:26:08 +0000 -Subject: DNSSEC fix for wildcard NSEC records. CVE-2017-15107 applies. - -It's OK for NSEC records to be expanded from wildcards, -but in that case, the proof of non-existence is only valid -starting at the wildcard name, *.<domain> NOT the name expanded -from the wildcard. Without this check it's possible for an -attacker to craft an NSEC which wrongly proves non-existence -in a domain which includes a wildcard for NSEC. ---- - src/dnssec.c | 117 ++++++++++++++++++++++++++++++++++++++++++++++++++++------- - 2 files changed, 114 insertions(+), 15 deletions(-) - -diff --git a/src/dnssec.c b/src/dnssec.c -index eb6c11c..a54a0b4 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -103,15 +103,17 @@ static void from_wire(char *name) - static int count_labels(char *name) - { - int i; -- -+ char *p; -+ - if (*name == 0) - return 0; - -- for (i = 0; *name; name++) -- if (*name == '.') -+ for (p = name, i = 0; *p; p++) -+ if (*p == '.') - i++; - -- return i+1; -+ /* Don't count empty first label. */ -+ return *name == '.' ? i : i+1; - } - - /* Implement RFC1982 wrapped compare for 32-bit numbers */ -@@ -1094,8 +1096,8 @@ static int hostname_cmp(const char *a, const char *b) - } - } - --static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count, -- char *workspace1, char *workspace2, char *name, int type, int *nons) -+static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, unsigned char **labels, int nsec_count, -+ char *workspace1_in, char *workspace2, char *name, int type, int *nons) - { - int i, rc, rdlen; - unsigned char *p, *psave; -@@ -1108,6 +1110,9 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi - /* Find NSEC record that proves name doesn't exist */ - for (i = 0; i < nsec_count; i++) - { -+ char *workspace1 = workspace1_in; -+ int sig_labels, name_labels; -+ - p = nsecs[i]; - if (!extract_name(header, plen, &p, workspace1, 1, 10)) - return 0; -@@ -1116,7 +1121,27 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi - psave = p; - if (!extract_name(header, plen, &p, workspace2, 1, 10)) - return 0; -- -+ -+ /* If NSEC comes from wildcard expansion, use original wildcard -+ as name for computation. */ -+ sig_labels = *labels[i]; -+ name_labels = count_labels(workspace1); -+ -+ if (sig_labels < name_labels) -+ { -+ int k; -+ for (k = name_labels - sig_labels; k != 0; k--) -+ { -+ while (*workspace1 != '.' && *workspace1 != 0) -+ workspace1++; -+ if (k != 1 && *workspace1 == '.') -+ workspace1++; -+ } -+ -+ workspace1--; -+ *workspace1 = '*'; -+ } -+ - rc = hostname_cmp(workspace1, name); - - if (rc == 0) -@@ -1514,24 +1539,26 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns - - static int prove_non_existence(struct dns_header *header, size_t plen, char *keyname, char *name, int qtype, int qclass, char *wildname, int *nons) - { -- static unsigned char **nsecset = NULL; -- static int nsecset_sz = 0; -+ static unsigned char **nsecset = NULL, **rrsig_labels = NULL; -+ static int nsecset_sz = 0, rrsig_labels_sz = 0; - - int type_found = 0; -- unsigned char *p = skip_questions(header, plen); -+ unsigned char *auth_start, *p = skip_questions(header, plen); - int type, class, rdlen, i, nsecs_found; - - /* Move to NS section */ - if (!p || !(p = skip_section(p, ntohs(header->ancount), header, plen))) - return 0; -+ -+ auth_start = p; - - for (nsecs_found = 0, i = ntohs(header->nscount); i != 0; i--) - { - unsigned char *pstart = p; - -- if (!(p = skip_name(p, header, plen, 10))) -+ if (!extract_name(header, plen, &p, daemon->workspacename, 1, 10)) - return 0; -- -+ - GETSHORT(type, p); - GETSHORT(class, p); - p += 4; /* TTL */ -@@ -1548,7 +1575,69 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key - if (!expand_workspace(&nsecset, &nsecset_sz, nsecs_found)) - return 0; - -- nsecset[nsecs_found++] = pstart; -+ if (type == T_NSEC) -+ { -+ /* If we're looking for NSECs, find the corresponding SIGs, to -+ extract the labels value, which we need in case the NSECs -+ are the result of wildcard expansion. -+ Note that the NSEC may not have been validated yet -+ so if there are multiple SIGs, make sure the label value -+ is the same in all, to avoid be duped by a rogue one. -+ If there are no SIGs, that's an error */ -+ unsigned char *p1 = auth_start; -+ int res, j, rdlen1, type1, class1; -+ -+ if (!expand_workspace(&rrsig_labels, &rrsig_labels_sz, nsecs_found)) -+ return 0; -+ -+ rrsig_labels[nsecs_found] = NULL; -+ -+ for (j = ntohs(header->nscount); j != 0; j--) -+ { -+ if (!(res = extract_name(header, plen, &p1, daemon->workspacename, 0, 10))) -+ return 0; -+ -+ GETSHORT(type1, p1); -+ GETSHORT(class1, p1); -+ p1 += 4; /* TTL */ -+ GETSHORT(rdlen1, p1); -+ -+ if (!CHECK_LEN(header, p1, plen, rdlen1)) -+ return 0; -+ -+ if (res == 1 && class1 == qclass && type1 == T_RRSIG) -+ { -+ int type_covered; -+ unsigned char *psav = p1; -+ -+ if (rdlen < 18) -+ return 0; /* bad packet */ -+ -+ GETSHORT(type_covered, p1); -+ -+ if (type_covered == T_NSEC) -+ { -+ p1++; /* algo */ -+ -+ /* labels field must be the same in every SIG we find. */ -+ if (!rrsig_labels[nsecs_found]) -+ rrsig_labels[nsecs_found] = p1; -+ else if (*rrsig_labels[nsecs_found] != *p1) /* algo */ -+ return 0; -+ } -+ p1 = psav; -+ } -+ -+ if (!ADD_RDLEN(header, p1, plen, rdlen1)) -+ return 0; -+ } -+ -+ /* Must have found at least one sig. */ -+ if (!rrsig_labels[nsecs_found]) -+ return 0; -+ } -+ -+ nsecset[nsecs_found++] = pstart; - } - - if (!ADD_RDLEN(header, p, plen, rdlen)) -@@ -1556,7 +1645,7 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key - } - - if (type_found == T_NSEC) -- return prove_non_existence_nsec(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, nons); -+ return prove_non_existence_nsec(header, plen, nsecset, rrsig_labels, nsecs_found, daemon->workspacename, keyname, name, qtype, nons); - else if (type_found == T_NSEC3) - return prove_non_existence_nsec3(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, wildname, nons); - else Modified: PKGBUILD =================================================================== --- PKGBUILD 2020-04-11 21:59:44 UTC (rev 380218) +++ PKGBUILD 2020-04-12 07:56:44 UTC (rev 380219) @@ -4,10 +4,10 @@ # Contributor: Tom Newsom <[email protected]> pkgname=dnsmasq -pkgver=2.80 -pkgrel=4 -pkgdesc="Lightweight, easy to configure DNS forwarder and DHCP server" -url="http://www.thekelleys.org.uk/dnsmasq/doc.html"; +pkgver=2.81 +pkgrel=1 +pkgdesc='Lightweight, easy to configure DNS forwarder and DHCP server' +url='http://www.thekelleys.org.uk/dnsmasq/doc.html' arch=('x86_64') license=('GPL') depends=('glibc' 'gmp' 'libidn2' 'libdbus' 'libnetfilter_conntrack' 'nettle') @@ -14,24 +14,15 @@ backup=('etc/dnsmasq.conf') validpgpkeys=('D6EACBD6EE46B834248D111215CDDA6AE19135A2') # Simon Kelley <[email protected]> source=("http://www.thekelleys.org.uk/$pkgname/$pkgname-$pkgver.tar.xz"{,.asc} - 'nettle-3.5.patch' 'dnsmasq-sysusers.conf' 'dnsmasq.service') -sha256sums=('cdaba2785e92665cf090646cba6f94812760b9d7d8c8d0cfb07ac819377a63bb' +sha256sums=('749ca903537c5197c26444ac24b0dce242cf42595fdfe6b9a5b9e4c7ad32f8fb' 'SKIP' - 'd9e54439eb20ccd99c263d9c80013002fecb60b387fb8fefd787c7958fdb96c6' '7f6ff6a709038ae580758f4b6a754451d7f7ce22957b88a36b97f7b643d3c2ab' '983a3c7a68ce114cf7b44f0d9c59b74c266647a9e5ac34c1d1d5161610bc57fe') -_build_copts="-DHAVE_DNSSEC -DHAVE_DBUS -DHAVE_LIBIDN2 -DHAVE_CONNTRACK" +_build_copts='-DHAVE_DNSSEC -DHAVE_DBUS -DHAVE_LIBIDN2 -DHAVE_CONNTRACK' -prepare() { - cd "$pkgname-$pkgver" - - # fix build with nettle 3.5 (patch from PLD Linux) - patch -Np1 -i ../nettle-3.5.patch -} - build() { cd "$pkgname-$pkgver" Deleted: nettle-3.5.patch =================================================================== --- nettle-3.5.patch 2020-04-11 21:59:44 UTC (rev 380218) +++ nettle-3.5.patch 2020-04-12 07:56:44 UTC (rev 380219) @@ -1,20 +0,0 @@ ---- dnsmasq-2.80/src/crypto.c~ 2018-10-18 20:21:55.000000000 +0200 -+++ dnsmasq-2.80/src/crypto.c 2019-06-27 09:32:24.587948846 +0200 -@@ -294,7 +294,7 @@ - if (!(key_256 = whine_malloc(sizeof(struct ecc_point)))) - return 0; - -- nettle_ecc_point_init(key_256, &nettle_secp_256r1); -+ nettle_ecc_point_init(key_256, nettle_get_secp_256r1()); - } - - key = key_256; -@@ -307,7 +307,7 @@ - if (!(key_384 = whine_malloc(sizeof(struct ecc_point)))) - return 0; - -- nettle_ecc_point_init(key_384, &nettle_secp_384r1); -+ nettle_ecc_point_init(key_384, nettle_get_secp_384r1()); - } - - key = key_384;
