Bug#872928: stretch-pu: package dnsdist/1.1.0-2+deb9u1

2017-08-23 Thread Adam D. Barratt 
Control: tags -1 + pending

On Tue, 2017-08-22 at 21:17 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Tue, 2017-08-22 at 15:11 +, Christian Hofstaedtler wrote:
> > this update fixes low-severity CVEs CVE-2016-7069, CVE-2017-7557,
> > purely based on version-targetted patches from upstream.
> 
> Please go ahead.

Uploaded and flagged for acceptance.

Regards,

Adam

Bug#872928: stretch-pu: package dnsdist/1.1.0-2+deb9u1

2017-08-22 Thread Adam D. Barratt 
Control: tags -1 + confirmed

On Tue, 2017-08-22 at 15:11 +, Christian Hofstaedtler wrote:
> this update fixes low-severity CVEs CVE-2016-7069, CVE-2017-7557,
> purely based on version-targetted patches from upstream.

Please go ahead.

Regards,

Adam

Bug#872928: stretch-pu: package dnsdist/1.1.0-2+deb9u1

2017-08-22 Thread Martin Zobel-Helas 
Hi, 

On Tue Aug 22, 2017 at 15:11:33 +, Christian Hofstaedtler wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Hi,
> 
> this update fixes low-severity CVEs CVE-2016-7069, CVE-2017-7557,
> purely based on version-targetted patches from upstream.

these patches look good and are pretty small, a fixed version is already
also in unstable.

A stable release manager will most probably ACK that.

Cheers,
Martin
-- 
 Martin Zobel-Helas Debian System Administrator
 Debian & GNU/Linux Developer   Debian Listmaster
 http://about.me/zobel   Debian Webmaster
 GPG Fingerprint:  6B18 5642 8E41 EC89 3D5D  BDBB 53B1 AC6D B11B 627B

Bug#872928: stretch-pu: package dnsdist/1.1.0-2+deb9u1

2017-08-22 Thread Christian Hofstaedtler 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

this update fixes low-severity CVEs CVE-2016-7069, CVE-2017-7557,
purely based on version-targetted patches from upstream.

Thanks,
Chris
diff -Nru dnsdist-1.1.0/debian/changelog dnsdist-1.1.0/debian/changelog
--- dnsdist-1.1.0/debian/changelog  2016-12-31 15:50:47.0 +
+++ dnsdist-1.1.0/debian/changelog  2017-08-22 13:58:05.0 +
@@ -1,3 +1,10 @@
+dnsdist (1.1.0-2+deb9u1) stretch; urgency=medium
+
+  * Fix CVE-2016-7069, CVE-2017-7557 using patches from upstream
+(Closes: #872854)
+
+ -- Christian Hofstaedtler   Tue, 22 Aug 2017 13:58:05 +
+
 dnsdist (1.1.0-2) unstable; urgency=medium
 
   * Bump debhelper compat to 10 for systemd support.
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch 
dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch
--- dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch1970-01-01 
00:00:00.0 +
+++ dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch2017-08-22 
13:58:05.0 +
@@ -0,0 +1,37 @@
+--- a/dnsdist-ecs.cc
 b/dnsdist-ecs.cc
+@@ -392,26 +392,29 @@ void handleEDNSClientSubnet(char* const packet, const 
size_t packetSize, const u
+ static int removeEDNSOptionFromOptions(unsigned char* optionsStart, const 
uint16_t optionsLen, const uint16_t optionCodeToRemove, uint16_t* newOptionsLen)
+ {
+   unsigned char* p = optionsStart;
+-  const unsigned char* end = p + optionsLen;
+-  while ((p + 4) <= end) {
++  size_t pos = 0;
++  while ((pos + 4) <= optionsLen) {
+ unsigned char* optionBegin = p;
+ const uint16_t optionCode = 0x100*p[0] + p[1];
+ p += sizeof(optionCode);
++pos += sizeof(optionCode);
+ const uint16_t optionLen = 0x100*p[0] + p[1];
+ p += sizeof(optionLen);
+-if ((p + optionLen) > end) {
++pos += sizeof(optionLen);
++if ((pos + optionLen) > optionsLen) {
+   return EINVAL;
+ }
+ if (optionCode == optionCodeToRemove) {
+-  if (p + optionLen < end) {
++  if (pos + optionLen < optionsLen) {
+ /* move remaining options over the removed one,
+if any */
+-memmove(optionBegin, p + optionLen, end - (p + optionLen));
++memmove(optionBegin, p + optionLen, optionsLen - (pos + optionLen));
+   }
+   *newOptionsLen = optionsLen - (sizeof(optionCode) + sizeof(optionLen) + 
optionLen);
+   return 0;
+ }
+ p += optionLen;
++pos += optionLen;
+   }
+   return ENOENT;
+ }
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc 
dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc
--- dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc1970-01-01 
00:00:00.0 +
+++ dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc2017-08-22 
13:58:05.0 +
@@ -0,0 +1,12 @@
+-BEGIN PGP SIGNATURE-
+
+iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAlmcNN0aHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEZjugf9FqmZzPzql6A8yvqix4lj
+/dXYIuuoIqt2NKIZlKkf4QsMO9fhF+AC6WkPessodAExkyB4IdxrmneumWvVNRpO
+beXT+2l6COKjvDkmYvc+5qKDUPEYHxvh6G1dBFDSGvn5AH5uZI2xXko7R3NdA2m+
+hThY37mkDSsiHrqWGNjj6/DoWIJFeU7gRg2aHkos68JiNdIhai6LMYerwecu4v1b
+6Y5xG6hI85Ofn25xKbXNBjAlj1vYJS8/nMYqqWdxD+eIFKX9FkClwE9IkOdqmyRv
+K0vceChANzLvnIzIcYm81AgKTKqPAoQMQP/0L+IG4hSwVTytHLeajsbQ/XRFDUUW
+Gg==
+=+FBw
+-END PGP SIGNATURE-
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch 
dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch
--- dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch  1970-01-01 
00:00:00.0 +
+++ dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch  2017-08-22 
13:58:05.0 +
@@ -0,0 +1,123 @@
+--- a/dnsdist-web.cc
 b/dnsdist-web.cc
+@@ -79,13 +79,28 @@ static void apiSaveACL(const NetmaskGroup& nmg)
+   apiWriteConfigFile("acl", content);
+ }
+ 
+-static bool compareAuthorization(YaHTTP::Request& req, const string 
_password, const string& expectedApiKey)
++static bool checkAPIKey(const YaHTTP::Request& req, const string& 
expectedApiKey)
+ {
+-  // validate password
+-  YaHTTP::strstr_map_t::iterator header = req.headers.find("authorization");
+-  bool auth_ok = false;
+-  if (header != req.headers.end() && toLower(header->second).find("basic ") 
== 0) {
+-string cookie = header->second.substr(6);
++  if (expectedApiKey.empty()) {
++return false;
++  }
++
++  const auto header = req.headers.find("x-api-key");
++  if (header != req.headers.end()) {
++return (header->second == expectedApiKey);
++  }
++
++  return false;
++}
++
++static bool checkWebPassword(const YaHTTP::Request& req, const string 
_password)
++{
++  static const char basicStr[] = "basic ";
++
++  const auto header = req.headers.find("authorization");
++
++  if (header != req.headers.end() && toLower(header->second).find(basicStr) 
== 0) {
++string cookie = header->second.substr(sizeof(basicStr) - 1);
+ 
+