Hello community, here is the log from the commit of package adns for openSUSE:Leap:15.2 checked in at 2020-06-14 04:44:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/adns (Old) and /work/SRC/openSUSE:Leap:15.2/.adns.new.3606 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "adns" Sun Jun 14 04:44:37 2020 rev:14 rq:814143 version:1.5.1 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/adns/adns.changes 2020-01-15 14:46:29.121255291 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.adns.new.3606/adns.changes 2020-06-14 04:44:38.378703233 +0200 @@ -1,0 +2,12 @@ +Mon Jun 8 12:04:21 UTC 2020 - Kristyna Streitova <[email protected]> + +- add the following patches to fix multiple vulnerabilities [bsc#1172265] + * adns-1.5.1-CVE-2017-9103.patch [CVE-2017-9103] + * adns-1.5.1-CVE-2017-9104.patch [CVE-2017-9104] + * adns-1.5.1-CVE-2017-9105.patch [CVE-2017-9105] + * adns-1.5.1-CVE-2017-9106.patch [CVE-2017-9106] + * adns-1.5.1-CVE-2017-9107.patch [CVE-2017-9107] + * adns-1.5.1-CVE-2017-9108.patch [CVE-2017-9108] + * adns-1.5.1-CVE-2017-9109.patch [CVE-2017-9109] + +------------------------------------------------------------------- New: ---- adns-1.5.1-CVE-2017-9103.patch adns-1.5.1-CVE-2017-9104.patch adns-1.5.1-CVE-2017-9105.patch adns-1.5.1-CVE-2017-9106.patch adns-1.5.1-CVE-2017-9107.patch adns-1.5.1-CVE-2017-9108.patch adns-1.5.1-CVE-2017-9109.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ adns.spec ++++++ --- /var/tmp/diff_new_pack.eXJQ5V/_old 2020-06-14 04:44:38.790704572 +0200 +++ /var/tmp/diff_new_pack.eXJQ5V/_new 2020-06-14 04:44:38.790704572 +0200 @@ -32,6 +32,13 @@ Patch0: adns-1.4-destdir.patch Patch1: adns-1.4-configure.patch Patch2: adns-visibility.patch +Patch3: adns-1.5.1-CVE-2017-9103.patch +Patch4: adns-1.5.1-CVE-2017-9104.patch +Patch5: adns-1.5.1-CVE-2017-9105.patch +Patch6: adns-1.5.1-CVE-2017-9106.patch +Patch7: adns-1.5.1-CVE-2017-9107.patch +Patch8: adns-1.5.1-CVE-2017-9108.patch +Patch9: adns-1.5.1-CVE-2017-9109.patch BuildRequires: autoconf %description @@ -63,6 +70,13 @@ %patch0 %patch1 %patch2 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 cp %{SOURCE3} . %build ++++++ adns-1.5.1-CVE-2017-9103.patch ++++++ >From 020d86e2eccc2dbdfa9dcca08ddb327cc7ca3ae2 Mon Sep 17 00:00:00 2001 From: Ian Jackson <[email protected]> Date: Wed, 23 Nov 2016 21:03:40 +0000 Subject: [PATCH 02/32] SECURITY: pap_mailbox822: Properly check st from adns__findlabel_next Without this, an uninitialised stack value can be used as the first label length. Depending on the circumstances, an attacker might be able to trick adns into crashing the calling program, leaking aspects of the contents of some of its memory, causing it to allocate lots of memory, or perhaps overrunning a buffer. This is only possible with applications which make non-raw queries for SOA or RP records. Found by AFL 2.35b. CVE-2017-9103. Signed-off-by: Ian Jackson <[email protected]> --- src/types.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/types.c b/src/types.c index a4478fa..5e2bd14 100644 --- a/src/types.c +++ b/src/types.c @@ -1278,6 +1278,7 @@ static adns_status pap_mailbox822(const parseinfo *pai, pai->dgram, pai->dglen, max, *cbyte_io, cbyte_io); st= adns__findlabel_next(&fls,&lablen,&labstart); + if (st) return st; if (!lablen) { adns__vbuf_appendstr(vb,"."); goto x_ok; -- 2.20.1 ++++++ adns-1.5.1-CVE-2017-9104.patch ++++++ >From 7ba7a232de0516d2cce934bdc91627b33b46ef47 Mon Sep 17 00:00:00 2001 From: Ian Jackson <[email protected]> Date: Thu, 1 Dec 2016 01:42:56 +0000 Subject: [PATCH 03/32] SECURITY: Do not hang, eating CPU, if we encounter a compression pointer loop Found by AFL 2.35b. CVE-2017-9104. Signed-off-by: Ian Jackson <[email protected]> --- src/parse.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/parse.c b/src/parse.c index 07d0614..790c8ce 100644 --- a/src/parse.c +++ b/src/parse.c @@ -71,6 +71,7 @@ adns_status adns__findlabel_next(findlabel_state *fls, int *lablen_r, int *labstart_r) { int lablen, jumpto; const char *dgram; + int had_pointer= 0; dgram= fls->dgram; for (;;) { @@ -81,6 +82,7 @@ adns_status adns__findlabel_next(findlabel_state *fls, if ((lablen & 0x0c0) != 0x0c0) return adns_s_unknownformat; if (fls->cbyte >= fls->dglen) goto x_truncated; if (fls->cbyte >= fls->max) goto x_badresponse; + if (had_pointer++ >= 2) goto x_loop; GET_B(fls->cbyte,jumpto); jumpto |= (lablen&0x3f)<<8; if (fls->dmend_r) *(fls->dmend_r)= fls->cbyte; @@ -109,6 +111,11 @@ adns_status adns__findlabel_next(findlabel_state *fls, adns__diag(fls->ads,fls->serv,fls->qu, "label in domain runs beyond end of domain"); return adns_s_invalidresponse; + + x_loop: + adns__diag(fls->ads,fls->serv,fls->qu, + "compressed label pointer chain"); + return adns_s_invalidresponse; } adns_status adns__parse_domain(adns_state ads, int serv, adns_query qu, -- 2.20.1 ++++++ adns-1.5.1-CVE-2017-9105.patch ++++++ >From 17afb298d90c5aafed76bd3855a5fe7dcd58594c Mon Sep 17 00:00:00 2001 From: Ian Jackson <[email protected]> Date: Thu, 1 Dec 2016 02:48:09 +0000 Subject: [PATCH 04/32] SECURITY: adns: Do not corrupt pointer when nameserver speaks first Wrong number of pointer dereferences. This bug may well be exploitable as a remote code execution. Found by AFL 2.35b. CVE-2017-9105. Signed-off-by: Ian Jackson <[email protected]> --- src/event.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/event.c b/src/event.c index dcc49e9..b36288d 100644 --- a/src/event.c +++ b/src/event.c @@ -461,7 +461,7 @@ int adns_processwriteable(adns_state ads, int fd, const struct timeval *now) { } assert(FD_ISSET(ads->tcpsocket,&writeable)); if (!adns__vbuf_ensure(&ads->tcprecv,1)) { r= ENOMEM; goto xit; } - r= read(ads->tcpsocket,&ads->tcprecv.buf,1); + r= read(ads->tcpsocket,ads->tcprecv.buf,1); if (r==0 || (r<0 && (errno==EAGAIN || errno==EWOULDBLOCK))) { tcp_connected(ads,*now); r= 0; goto xit; -- 2.20.1 ++++++ adns-1.5.1-CVE-2017-9106.patch ++++++ A merger of these 2 patches: ----- >From 54d811a530e9cf16148998cd9fdd168dbf8e14d5 Mon Sep 17 00:00:00 2001 From: Ian Jackson <[email protected]> Date: Sat, 3 Dec 2016 14:51:18 +0000 Subject: [PATCH 06/32] cs_inthost*: Break out csp_intofinthost No functional change. This removes some duplication, enabling the following security patch to fix just the one copy. Signed-off-by: Ian Jackson <[email protected]> --- src/types.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) ----- >From 37792aacaf7abbcdac6a02715a5ef794b5147f13 Mon Sep 17 00:00:00 2001 From: Ian Jackson <[email protected]> Date: Sat, 3 Dec 2016 14:51:54 +0000 Subject: [PATCH 07/32] SECURITY: Defend adns_rr_info (somewhat) from bogus *datap The general pattern for formatting integers is to sprintf into a fixed-size buffer. This is correct if the input is in the right range; if it isn't, the buffer may be overrun (depending on the sizes of the types on the current platform). Of course the inputs ought to be right. And there are pointers in there too, so perhaps we could say that the caller ought to check these things. I think it's better to require the caller to make the pointer structure right, but to have the code here be defensive about (and tolerate with an erro but without crashing) out-of-range integer values. So: defend each of these integer conversion sites with a check for the actual permitted range, and return adns_s_invaliddata if not. The lack of this check causes the SOA sign extension bug to be a serious security problem: the sign extended SOA value is out of range, and will overrun the buffer when reconverted. Found by AFL 2.35b. CVE-2017-9106. Signed-off-by: Ian Jackson <[email protected]> --- src/types.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) Index: adns-1.5.1/src/types.c =================================================================== --- adns-1.5.1.orig/src/types.c +++ adns-1.5.1/src/types.c @@ -1108,13 +1108,23 @@ static void mf_inthostaddr(adns_query qu mfp_hostaddr(qu,&rrp->ha); } -static adns_status cs_inthostaddr(vbuf *vb, const void *datap) { - const adns_rr_inthostaddr *rrp= datap; +static adns_status csp_intofinthost(vbuf *vb, int i) { char buf[10]; - sprintf(buf,"%u ",rrp->i); + if (i < 0 || i > 0xffff) + /* currently only used for MX whose priorities are 16-bit */ + return adns_s_invaliddata; + + sprintf(buf,"%u ",i); CSP_ADDSTR(buf); + return adns_s_ok; +} +static adns_status cs_inthostaddr(vbuf *vb, const void *datap) { + const adns_rr_inthostaddr *rrp= datap; + adns_status st; + + st = csp_intofinthost(vb,rrp->i); if (st) return st; return csp_hostaddr(vb,&rrp->ha); } @@ -1124,10 +1134,9 @@ static adns_status cs_inthostaddr(vbuf * static adns_status cs_inthost(vbuf *vb, const void *datap) { const adns_rr_intstr *rrp= datap; - char buf[10]; + adns_status st; - sprintf(buf,"%u ",rrp->i); - CSP_ADDSTR(buf); + st = csp_intofinthost(vb,rrp->i); if (st) return st; return csp_domain(vb,rrp->str); } @@ -1409,6 +1418,8 @@ static adns_status cs_soa(vbuf *vb, cons st= csp_mailbox(vb,rrp->rname); if (st) return st; for (i=0; i<5; i++) { + if (rrp->serial > 0xffffffffUL) + return adns_s_invaliddata; sprintf(buf," %lu",(&rrp->serial)[i]); CSP_ADDSTR(buf); } @@ -1497,6 +1508,10 @@ static int di_srv(adns_state ads, const static adns_status csp_srv_begin(vbuf *vb, const adns_rr_srvha *rrp /* might be adns_rr_srvraw* */) { char buf[30]; + if (rrp->priority < 0 || rrp->priority > 0xffff || + rrp->weight < 0 || rrp->weight > 0xffff || + rrp->port < 0 || rrp->port > 0xffff) + return adns_s_invaliddata; sprintf(buf,"%u %u %u ", rrp->priority, rrp->weight, rrp->port); CSP_ADDSTR(buf); return adns_s_ok; @@ -1612,6 +1627,9 @@ static adns_status cs_opaque(vbuf *vb, c int l; unsigned char *p; + if (rrp->len < 0 || rrp->len > 0xffff) + return adns_s_invaliddata; + sprintf(buf,"\\# %d",rrp->len); CSP_ADDSTR(buf); ++++++ adns-1.5.1-CVE-2017-9107.patch ++++++ >From 278f8eee581c4c4a0ddd0f98c4dc8c2974cf6b90 Mon Sep 17 00:00:00 2001 From: Ian Jackson <[email protected]> Date: Mon, 5 Dec 2016 22:47:34 +0000 Subject: [PATCH 09/32] SECURITY: Do not overrun reading buffer if domain ends with backslash If the query domain ended with \, and adns_qf_quoteok_query was specified, qdparselabel would read additional bytes from the buffer and try to treat them as the escape sequence. It would depart the input buffer and start processing many bytes of arbitrary heap data as if it were the query domain. Eventually it would run out of input or find some other kind of error, and declare the query domain invalid. But before then it might outrun available memory and crash. In principle this could be a denial of service attack. Found by AFL 2.35b. CVE-2017-9107. Signed-off-by: Ian Jackson <[email protected]> --- src/transmit.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/transmit.c b/src/transmit.c index 33c3329..4984986 100644 --- a/src/transmit.c +++ b/src/transmit.c @@ -87,6 +87,7 @@ static adns_status qdparselabel(adns_state ads, while (p!=pe && (c= *p++)!='.') { if (c=='\\') { if (!(flags & adns_qf_quoteok_query)) return adns_s_querydomaininvalid; + if (p==pe) return adns_s_querydomaininvalid; if (ctype_digit(p[0])) { if (p+1==pe || p+2==pe) return adns_s_querydomaininvalid; if (ctype_digit(p[1]) && ctype_digit(p[2])) { -- 2.20.1 ++++++ adns-1.5.1-CVE-2017-9108.patch ++++++ >From 72c6bfd77dfdb34457a792874fd1c3030fca90ac Mon Sep 17 00:00:00 2001 From: Ian Jackson <[email protected]> Date: Tue, 6 Dec 2016 12:51:44 +0000 Subject: [PATCH 10/32] SECURITY: adnshost: Fix missing-final-newline handling on stdin read It is wrong to increment used as well as setting r, since used is incremented according to r, later. Rather we should be doing what read() would have done. Without this fix, adnshost may read and process one byte beyond the buffer, perhaps crashing or perhaps somehow leaking the value of that byte. Found by AFL 2.35b. CVE-2017-9108. Signed-off-by: Ian Jackson <[email protected]> --- client/adh-main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/adh-main.c b/client/adh-main.c index 9709be2..31335b7 100644 --- a/client/adh-main.c +++ b/client/adh-main.c @@ -206,7 +206,7 @@ static void read_stdin(void) { if (r == 0) { if (used) { /* fake up final newline */ - buf[used++]= '\n'; + buf[used]= '\n'; r= 1; } else { ov_pipe= 0; -- 2.20.1 ++++++ adns-1.5.1-CVE-2017-9109.patch ++++++ >From fcf2b4e1faf22accb6184cca595aaee602839868 Mon Sep 17 00:00:00 2001 From: Ian Jackson <[email protected]> Date: Sat, 10 Dec 2016 23:32:49 +0000 Subject: [PATCH 11/32] SECURITY: Ignore apparent answers before first RR we found the first time This way the second answer scan finds the same RRs at the first. Otherwise, adns can be confused by interleaving answers for the CNAME target, with the CNAME itself. In that case the answer data structure (on the heap) can be overrun. With this change, we prefer to look only at the answer RRs which come after the CNAME, which is at least arguably correct. Found by AFL 2.35b. CVE-2017-9109. Signed-off-by: Ian Jackson <[email protected]> --- src/reply.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/reply.c b/src/reply.c index bd2d0e8..0379ca4 100644 --- a/src/reply.c +++ b/src/reply.c @@ -35,7 +35,7 @@ void adns__procdgram(adns_state ads, const byte *dgram, int dglen, int flg_ra, flg_rd, flg_tc, flg_qr, opcode; int rrtype, rrclass, rdlength, rdstart; int anstart, nsstart; - int ownermatched, l, nrrs; + int ownermatched, l, nrrs, restartfrom; unsigned long ttl, soattl; const typeinfo *typei; adns_query qu, nqu; @@ -162,6 +162,7 @@ void adns__procdgram(adns_state ads, const byte *dgram, int dglen, * If it has any CNAMEs we stuff them in the answer. */ wantedrrs= 0; + restartfrom= -1; cbyte= anstart; for (rri= 0; rri<ancount; rri++) { rrstart= cbyte; @@ -229,6 +230,7 @@ void adns__procdgram(adns_state ads, const byte *dgram, int dglen, */ } } else if (rrtype == (qu->answer->type & adns_rrt_typemask)) { + if (restartfrom==-1) restartfrom= rri; wantedrrs++; } else { adns__debug(ads,serv,qu,"ignoring answer RR" @@ -331,12 +333,14 @@ void adns__procdgram(adns_state ads, const byte *dgram, int dglen, pai.arcount= arcount; pai.now= now; + assert(restartfrom>=0); for (rri=0, nrrs=0; rri<ancount; rri++) { st= adns__findrr(qu,serv, dgram,dglen,&cbyte, &rrtype,&rrclass,&ttl, &rdlength,&rdstart, &ownermatched); assert(!st); assert(rrtype != -1); - if (rrclass != DNS_CLASS_IN || + if (rri < restartfrom || + rrclass != DNS_CLASS_IN || rrtype != (qu->answer->type & adns_rrt_typemask) || !ownermatched) continue; -- 2.20.1
