Bug#924966: pdns: diff for NMU version 4.1.6-1.1

2019-03-31 Thread Chris Hofstaedtler
* Salvatore Bonaccorso  [190329 17:39]:
> Control: tags 924966 + patch
> Control: tags 924966 + pending
> 
> 
> Dear maintainer,
> 
> I've prepared an NMU for pdns (versioned as 4.1.6-1.1) and
> uploaded it to DELAYED/5. Please feel free to tell me if I
> should delay it longer.
> 
> There is a corresponding merge request at
> https://salsa.debian.org/dns-team/pdns/merge_requests/1 .

I'll try to have a look at it this weekend, but if you don't hear
anything else please go ahead :-)

Thanks,
Chris



Bug#924966: pdns: diff for NMU version 4.1.6-1.1

2019-03-29 Thread Salvatore Bonaccorso
Control: tags 924966 + patch
Control: tags 924966 + pending


Dear maintainer,

I've prepared an NMU for pdns (versioned as 4.1.6-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

There is a corresponding merge request at
https://salsa.debian.org/dns-team/pdns/merge_requests/1 .

Regards,
Salvatore
diff -Nru pdns-4.1.6/debian/changelog pdns-4.1.6/debian/changelog
--- pdns-4.1.6/debian/changelog	2019-02-03 15:20:23.0 +0100
+++ pdns-4.1.6/debian/changelog	2019-03-29 15:28:50.0 +0100
@@ -1,3 +1,11 @@
+pdns (4.1.6-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Insufficient validation in the HTTP remote backend (CVE-2019-3871)
+(Closes: #924966)
+
+ -- Salvatore Bonaccorso   Fri, 29 Mar 2019 15:28:50 +0100
+
 pdns (4.1.6-1) unstable; urgency=medium
 
   * New upstream version 4.1.6
diff -Nru pdns-4.1.6/debian/patches/CVE-2019-3871-auth-4.1.6.patch pdns-4.1.6/debian/patches/CVE-2019-3871-auth-4.1.6.patch
--- pdns-4.1.6/debian/patches/CVE-2019-3871-auth-4.1.6.patch	1970-01-01 01:00:00.0 +0100
+++ pdns-4.1.6/debian/patches/CVE-2019-3871-auth-4.1.6.patch	2019-03-29 15:28:50.0 +0100
@@ -0,0 +1,147 @@
+Description: Insufficient validation in the HTTP remote backend
+Origin: upstream, https://downloads.powerdns.com/patches/2019-03/CVE-2019-3871-auth-4.1.6.patch
+Bug: https://github.com/PowerDNS/pdns/issues/7573
+Bug-Debian: https://bugs.debian.org/924966
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3871
+Forwarded: not-needed
+Reviewed-by: Salvatore Bonaccorso 
+Last-Update: 2019-03-29
+Applied-Upstream: 4.1.7
+
+diff -ru pdns-4.1.6.orig/modules/remotebackend/httpconnector.cc pdns-4.1.6/modules/remotebackend/httpconnector.cc
+--- pdns-4.1.6.orig/modules/remotebackend/httpconnector.cc	2019-01-31 10:17:33.0 +0100
 pdns-4.1.6/modules/remotebackend/httpconnector.cc	2019-03-15 13:29:51.102891481 +0100
+@@ -35,7 +35,22 @@
+ #endif
+ 
+ HTTPConnector::HTTPConnector(std::map options) {
++
++if (options.find("url") == options.end()) {
++  throw PDNSException("Cannot find 'url' option in the remote backend HTTP connector's parameters");
++}
++
+ this->d_url = options.find("url")->second;
++
++try {
++  YaHTTP::URL url(d_url);
++  d_host = url.host;
++  d_port = url.port;
++}
++catch(const std::exception& e) {
++  throw PDNSException("Error parsing the 'url' option provided to the remote backend HTTP connector: " + std::string(e.what()));
++}
++
+ if (options.find("url-suffix") != options.end()) {
+   this->d_url_suffix = options.find("url-suffix")->second;
+ } else {
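Review bot: The parsed URL is stored without checking that it actually produced a host, so a `url` such as `http:///dnsapi`, or a scheme that `YaHTTP::URL` accepts but this connector cannot use, passes the constructor and only fails later, per request, when `d_host` is handed empty to getaddrinfo. After `d_port = url.port;` I would add `if (d_host.empty()) throw PDNSException("The 'url' option of the remote backend HTTP connector has no host");` so a misconfiguration is reported once at load time, the same way the missing-option case just above it is. Whether `YaHTTP::URL` rejects such inputs on its own is not visible here, so confirm against its parser before relying on that. Note also that this rendering has dropped angle-bracket and ampersand text in the patch, e.g. `std::map options` and, further down, `memset(,0,sizeof hints)`; the real lines presumably read `std::map<std::string, std::string>` and `memset(&hints, ...)`.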
+@@ -71,7 +86,7 @@
+ void HTTPConnector::addUrlComponent(const Json , const string& element, std::stringstream& ss) {
+ std::string sparam;
+ if (parameters[element] != Json())
+-   ss << "/" << asString(parameters[element]);
++   ss << "/" << YaHTTP::Utility::encodeURL(asString(parameters[element]), false);
+ }
+ 
+ std::string HTTPConnector::buildMemberListArgs(std::string prefix, const Json& args) {
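Review bot: The second argument `false` to `YaHTTP::Utility::encodeURL` on the replaced line is the security-relevant choice in this hunk and carries no explanation; if, as the name suggests, it selects strict component encoding so that `/`, `?`, `#` and `&` in a DNS-derived value are all escaped, that is what stops a record value from appending path segments or a query string to the backend request, and the next reader should not have to guess. I would put a one-line comment above it: `// encode as a single path component (not as a whole URL) so qname/rdata cannot inject extra path segments or a query string`. Confirm the flag's meaning against the yahttp implementation before committing to that wording. addUrlComponent is fully visible here and only this one line changes.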
+@@ -81,9 +96,9 @@
+ if (pair.second.is_bool()) {
+   stream << (pair.second.bool_value()?"1":"0");
+ } else if (pair.second.is_null()) {
+-  stream << prefix << "[" << pair.first << "]=";
++  stream << prefix << "[" << YaHTTP::Utility::encodeURL(pair.first, false) << "]=";
+ } else {
+-  stream << prefix << "[" << pair.first << "]=" << this->asString(pair.second);
++  stream << prefix << "[" << YaHTTP::Utility::encodeURL(pair.first, false) << "]=" << YaHTTP::Utility::encodeURL(this->asString(pair.second), false);
+ }
+ stream << "&";
+ }
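Review bot: `prefix` is still written unencoded on the two changed lines while the key and value beside it are now percent-encoded; the callers that supply `prefix` are outside this hunk, so if it is always a fixed literal this is fine, but if any caller derives it from request data the same `&`/`=` injection the patch closes for keys and values remains open through it. I would either encode it the same way, `stream << YaHTTP::Utility::encodeURL(prefix, false) << "[" << ...`, or state the invariant at the top of buildMemberListArgs with `// prefix must be a fixed literal; only keys and values are attacker-influenced and are encoded`. Separately, the `is_bool` branch at the top of the hunk emits only `1`/`0` with no `prefix[key]=`, which looks inconsistent with the other two branches; it is pre-existing and untouched by the patch, so it is worth a separate check rather than a change here. buildMemberListArgs starts before this hunk.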
+@@ -334,45 +349,41 @@
+ delete this->d_socket;
+ this->d_socket = NULL;
+ 
+-if (req.url.protocol == "unix") {
+-  // connect using unix socket
+-} else {
+-  // connect using tcp
+-  struct addrinfo *gAddr, *gAddrPtr, hints;
+-  std::string sPort = std::to_string(req.url.port);
+-  memset(,0,sizeof hints);
+-  hints.ai_family = AF_UNSPEC;
+-  hints.ai_flags = AI_ADDRCONFIG; 
+-  hints.ai_socktype = SOCK_STREAM;
+-  hints.ai_protocol = 6; // tcp
+-  if ((ec = getaddrinfo(req.url.host.c_str(), sPort.c_str(), , )) == 0) {
+-// try to connect to each address. 
+-gAddrPtr = gAddr;
++// connect using tcp
++struct addrinfo *gAddr, *gAddrPtr, hints;
++std::string sPort = std::to_string(d_port);
++memset(,0,sizeof hints);
++hints.ai_family = AF_UNSPEC;
++hints.ai_flags = AI_ADDRCONFIG; 
++hints.ai_socktype = SOCK_STREAM;
++hints.ai_protocol = 6; // tcp
++if ((ec = getaddrinfo(d_host.c_str(), sPort.c_str(), , )) == 0) {
++  // try to connect to each address. 
++  gAddrPtr = gAddr;
+   
+-while(gAddrPtr) {
+-  try {
+-d_socket = new Socket(gAddrPtr->ai_family, gAddrPtr->ai_socktype, gAddrPtr->ai_protocol);