Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Hi,
this update fixes low-severity CVEs CVE-2016-7069, CVE-2017-7557,
purely based on version-targetted patches from upstream.
Thanks,
Chris
diff -Nru dnsdist-1.1.0/debian/changelog dnsdist-1.1.0/debian/changelog
--- dnsdist-1.1.0/debian/changelog 2016-12-31 15:50:47.0 +
+++ dnsdist-1.1.0/debian/changelog 2017-08-22 13:58:05.0 +
@@ -1,3 +1,10 @@
+dnsdist (1.1.0-2+deb9u1) stretch; urgency=medium
+
+ * Fix CVE-2016-7069, CVE-2017-7557 using patches from upstream
+(Closes: #872854)
+
+ -- Christian Hofstaedtler Tue, 22 Aug 2017 13:58:05 +
+
dnsdist (1.1.0-2) unstable; urgency=medium
* Bump debhelper compat to 10 for systemd support.
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch
dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch
--- dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch1970-01-01
00:00:00.0 +
+++ dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch2017-08-22
13:58:05.0 +
@@ -0,0 +1,37 @@
+--- a/dnsdist-ecs.cc
b/dnsdist-ecs.cc
+@@ -392,26 +392,29 @@ void handleEDNSClientSubnet(char* const packet, const
size_t packetSize, const u
+ static int removeEDNSOptionFromOptions(unsigned char* optionsStart, const
uint16_t optionsLen, const uint16_t optionCodeToRemove, uint16_t* newOptionsLen)
+ {
+ unsigned char* p = optionsStart;
+- const unsigned char* end = p + optionsLen;
+- while ((p + 4) <= end) {
++ size_t pos = 0;
++ while ((pos + 4) <= optionsLen) {
+ unsigned char* optionBegin = p;
+ const uint16_t optionCode = 0x100*p[0] + p[1];
+ p += sizeof(optionCode);
++pos += sizeof(optionCode);
+ const uint16_t optionLen = 0x100*p[0] + p[1];
+ p += sizeof(optionLen);
+-if ((p + optionLen) > end) {
++pos += sizeof(optionLen);
++if ((pos + optionLen) > optionsLen) {
+ return EINVAL;
+ }
+ if (optionCode == optionCodeToRemove) {
+- if (p + optionLen < end) {
++ if (pos + optionLen < optionsLen) {
+ /* move remaining options over the removed one,
+if any */
+-memmove(optionBegin, p + optionLen, end - (p + optionLen));
++memmove(optionBegin, p + optionLen, optionsLen - (pos + optionLen));
+ }
+ *newOptionsLen = optionsLen - (sizeof(optionCode) + sizeof(optionLen) +
optionLen);
+ return 0;
+ }
+ p += optionLen;
++pos += optionLen;
+ }
+ return ENOENT;
+ }
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc
dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc
--- dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc1970-01-01
00:00:00.0 +
+++ dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc2017-08-22
13:58:05.0 +
@@ -0,0 +1,12 @@
+-BEGIN PGP SIGNATURE-
+
+iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAlmcNN0aHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEZjugf9FqmZzPzql6A8yvqix4lj
+/dXYIuuoIqt2NKIZlKkf4QsMO9fhF+AC6WkPessodAExkyB4IdxrmneumWvVNRpO
+beXT+2l6COKjvDkmYvc+5qKDUPEYHxvh6G1dBFDSGvn5AH5uZI2xXko7R3NdA2m+
+hThY37mkDSsiHrqWGNjj6/DoWIJFeU7gRg2aHkos68JiNdIhai6LMYerwecu4v1b
+6Y5xG6hI85Ofn25xKbXNBjAlj1vYJS8/nMYqqWdxD+eIFKX9FkClwE9IkOdqmyRv
+K0vceChANzLvnIzIcYm81AgKTKqPAoQMQP/0L+IG4hSwVTytHLeajsbQ/XRFDUUW
+Gg==
+=+FBw
+-END PGP SIGNATURE-
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch
dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch
--- dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch 1970-01-01
00:00:00.0 +
+++ dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch 2017-08-22
13:58:05.0 +
@@ -0,0 +1,123 @@
+--- a/dnsdist-web.cc
b/dnsdist-web.cc
+@@ -79,13 +79,28 @@ static void apiSaveACL(const NetmaskGroup& nmg)
+ apiWriteConfigFile("acl", content);
+ }
+
+-static bool compareAuthorization(YaHTTP::Request& req, const string
_password, const string& expectedApiKey)
++static bool checkAPIKey(const YaHTTP::Request& req, const string&
expectedApiKey)
+ {
+- // validate password
+- YaHTTP::strstr_map_t::iterator header = req.headers.find("authorization");
+- bool auth_ok = false;
+- if (header != req.headers.end() && toLower(header->second).find("basic ")
== 0) {
+-string cookie = header->second.substr(6);
++ if (expectedApiKey.empty()) {
++return false;
++ }
++
++ const auto header = req.headers.find("x-api-key");
++ if (header != req.headers.end()) {
++return (header->second == expectedApiKey);
++ }
++
++ return false;
++}
++
++static bool checkWebPassword(const YaHTTP::Request& req, const string
_password)
++{
++ static const char basicStr[] = "basic ";
++
++ const auto header = req.headers.find("authorization");
++
++ if (header != req.headers.end() && toLower(header->second).find(basicStr)
== 0) {
++string cookie = header->second.substr(sizeof(basicStr) - 1);
+
+