Re: [UPDATE] net/gdnsd to 2.4.3 (Fixes CVE-2019-13952)
> On 8. Nov 2019, at 12:43, Stuart Henderson wrote:
> 
> On 2019/11/08 11:46, Frederic Cambus wrote:
>> 
>> Here is a diff to update gdnsd to 2.4.3. This fixes CVE-2019-13952.
>> 
>> While there, switch MASTER_SITES to HTTPS.
> 
> OK.
> 
> I looked at updating to 3.x earlier but then I read "The TL;DR here is
> that gdnsd doesn't manage its own OS security or privileges anymore. It
> just runs and assumes the environment was already secured by the init
> system or script, and assumes it can bind port 53" and put it in the
> "too-hard basket".

Actually, I found some time to look into this and I got recent version 3.x
compiling and working with a few patches. But the removed privileges are
indeed an issue…

How are we supposed to handle such ports in general? I guess with the rise
of systemd there will be more such types of "daemons" coming.

For the user environment, I believe rc script can already start things as
daemon_user="_gdnsd". But since we have no authbind, CAP_NET_BIND_SERVICE
(Linux), or mac_portacl (FreeBSD) the actual port binding will be a problem.

What are our options here?

Maybe just suggest in pkg README to add a "transparent" PF rule to redirect
port 53 -> 5353 (with an example)?

Use some other kind of user-space tcp proxy in front, e.g. net/balance?

Any other ideas?

Thanks,
Regards,
Joerg

ps: the author seems upset about his own choices here and even apologises,
see (last paragraph): https://github.com/gdnsd/gdnsd/blob/master/VERSION3.md
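One concrete shape the suggested README hint could take is the PF redirect itself: gdnsd binds an unprivileged port as _gdnsd, and PF rewrites the destination of inbound port 53 traffic before it reaches the socket. This pf.conf fragment is an added example, not from the thread, the port or the gdnsd project. It assumes gdnsd has been configured to listen on 127.0.0.1 port 5353 and ::1 port 5353 (via gdnsd's listen option; the exact config syntax is not shown on this page) and that the rc script starts it as daemon_user=_gdnsd; the macro names ext_if and gdnsd_port are invented for the example.

```pf
# Added example pf.conf fragment (not from the port, the thread or gdnsd).
# Assumption: gdnsd runs as _gdnsd and listens on 127.0.0.1:5353 / [::1]:5353,
# so it never has to bind a port below 1024 and needs no root at startup.
#
# rdr-to rewrites only the destination address and port. The source address
# of the query is left untouched, so a geo-aware server still sees the real
# client and can answer accordingly; a user-space proxy in front would not
# preserve that.

ext_if     = "egress"   # interface group holding the default route
gdnsd_port = "5353"     # unprivileged listener port (assumed)

# Inbound DNS on port 53, both UDP and TCP (TCP is needed for answers that
# do not fit in a UDP response), is redirected to the unprivileged listener.
pass in on $ext_if inet  proto { tcp, udp } from any to ($ext_if) port 53 \
    rdr-to 127.0.0.1 port $gdnsd_port
pass in on $ext_if inet6 proto { tcp, udp } from any to ($ext_if) port 53 \
    rdr-to ::1 port $gdnsd_port

# Note: these rules only act on packets entering via $ext_if. Local clients
# on the same host should query 127.0.0.1:5353 directly, or get a matching
# rdr-to rule on lo0.
```

Check the fragment with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then confirm with `pfctl -sr` that the rules are present and with `pfctl -ss` that states appear when a query from another host arrives on port 53. Compared with putting net/balance in front, the PF route has two advantages for this particular daemon: it covers UDP, which carries most DNS traffic, whereas a TCP proxy only covers TCP; and it keeps the client's source address, which a proxy replaces with its own and which gdnsd's geographic answers depend on.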
Re: [UPDATE] net/gdnsd to 2.4.3 (Fixes CVE-2019-13952)
On Fri, Nov 08, 2019 at 04:10:58PM +, Stuart Henderson wrote:
> > > RUN_DEPENDS should be updated from GeoIP -> libmaxminddb
> > 
> > As-is, it doesn't pick up libmaxminddb so it probably can't use the
> > new db. But here's a new diff that enables it.
> 
> Regenerated against -current. (The configure.ac change isn't required
> for this but it's better practice to modify the input file rather than
> generated configure script).

I came up with a similar diff for the libmaxminddb changes, so this looks
good to me.

Agreed for the configure.ac change, makes things cleaner.

OK fcambus@
Re: [UPDATE] net/gdnsd to 2.4.3 (Fixes CVE-2019-13952)
On 2019/11/08 16:04, Stuart Henderson wrote:
> On 2019/11/08 16:07, Joerg Jung wrote:
> > 
> > > On 8. Nov 2019, at 11:46, Frederic Cambus wrote:
> > > 
> > > Hi ports@,
> > > 
> > > Here is a diff to update gdnsd to 2.4.3. This fixes CVE-2019-13952.
> > > 
> > > While there, switch MASTER_SITES to HTTPS.
> > > 
> > > Comments? OK?
> > 
> > ok jung@
> > 
> > RUN_DEPENDS should be updated from GeoIP -> libmaxminddb
> 
> As-is, it doesn't pick up libmaxminddb so it probably can't use the
> new db. But here's a new diff that enables it.

Regenerated against -current. (The configure.ac change isn't required
for this but it's better practice to modify the input file rather than
generated configure script).

Index: Makefile === RCS file: /cvs/ports/net/gdnsd/Makefile,v retrieving revision 1.23 diff -u -p -r1.23 Makefile --- Makefile8 Nov 2019 15:48:27 - 1.23 +++ Makefile8 Nov 2019 16:10:16 - @@ -3,6 +3,7 @@ COMMENT= geographically-aware, authoritative-only DNS server V= 2.4.3 +REVISION= 0 DISTNAME= gdnsd-$V EXTRACT_SUFX= .tar.xz @@ -15,7 +16,7 @@ MAINTAINER= Joerg Jung https://github.com/gdnsd/gdnsd/releases/download/v$V/ @@ -28,9 +29,10 @@ BUILD_DEPENDS= devel/ragel # used for tests BUILD_DEPENDS+=archivers/xz \ net/curl -LIB_DEPENDS= devel/libev -RUN_DEPENDS= net/GeoIP,-city \ - net/GeoIP,-db +LIB_DEPENDS= devel/libev \ + net/libmaxminddb +RUN_DEPENDS= net/libmaxminddb,-city \ + net/libmaxminddb,-db TEST_DEPENDS= ${BUILD_DEPENDS} \ www/p5-libwww \ net/p5-Socket6 \ 
@@ -39,11 +41,12 @@ TEST_DEPENDS= ${BUILD_DEPENDS} \ LIBTOOL_FLAGS= --tag=disable-static -CONFIGURE_STYLE= gnu +CONFIGURE_STYLE= autoconf +AUTOCONF_VERSION= 2.69 CONFIGURE_ARGS+= --with-rundir=${VARBASE}/run/ \ --with-rootdir=${VARBASE}/gdnsd -CONFIGURE_ENV= LIBEV_LIBS="-L${LOCALBASE}/lib -lev" \ - LIBEV_CFLAGS="-I${LOCALBASE}/include" +CONFIGURE_ENV= LDFLAGS="-L${LOCALBASE}/lib" \ + CPPFLAGS="-I${LOCALBASE}/include" SUBST_VARS+= VARBASE Index: patches/patch-configure === RCS file: patches/patch-configure diff -N patches/patch-configure --- patches/patch-configure 9 Jan 2018 19:56:56 - 1.3 +++ /dev/null 1 Jan 1970 00:00:00 - @@ -1,24 +0,0 @@ -$OpenBSD: patch-configure,v 1.3 2018/01/09 19:56:56 jung Exp $ - -Silence warnings about base headers, drowning real warnings. - -Index: configure configure.orig -+++ configure -@@ -14630,7 +14630,6 @@ for flag in \ - -Wnull-dereference \ - -Wold-style-definition \ - -Wpointer-arith \ ---Wredundant-decls \ - -Wshadow \ - -Wsign-conversion \ - -Wshift-overflow=2 \ -@@ -16283,7 +16282,7 @@ else - fi - - GDNSD_DEFPATH_CONFIG="${sysconfdir}/${PACKAGE_NAME}" --GDNSD_DEFPATH_STATE="${localstatedir}/lib/${PACKAGE_NAME}" -+GDNSD_DEFPATH_STATE="${localstatedir}/${PACKAGE_NAME}" - GDNSD_DEFPATH_LIB="${libdir}/${PACKAGE_NAME}" - GDNSD_DEFPATH_LIBEXEC="${libexecdir}/${PACKAGE_NAME}" - Index: patches/patch-configure_ac === RCS file: patches/patch-configure_ac diff -N patches/patch-configure_ac --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-configure_ac 8 Nov 2019 16:10:16 - 
@@ -0,0 +1,24 @@ +$OpenBSD$ + +Silence warnings about base headers, drowning real warnings. + +Index: configure.ac +--- configure.ac.orig configure.ac +@@ -167,7 +167,6 @@ AX_APPEND_COMPILE_FLAGS([\ + -Wnull-dereference \ + -Wold-style-definition \ + -Wpointer-arith \ +--Wredundant-decls \ + -Wshadow \ + -Wsign-conversion \ + -Wshift-overflow=2 \ +@@ -445,7 +444,7 @@ AC_ARG_WITH([rundir],[AS_HELP_STRING([--with-rundir=LO + GDNSD_DEFPATH_RUN="${localstatedir}/run/${PACKAGE_NAME}" + ]) + GDNSD_DEFPATH_CONFIG="${sysconfdir}/${PACKAGE_NAME}" +-GDNSD_DEFPATH_STATE="${localstatedir}/lib/${PACKAGE_NAME}" ++GDNSD_DEFPATH_STATE="${localstatedir}/${PACKAGE_NAME}" + GDNSD_DEFPATH_LIB="${libdir}/${PACKAGE_NAME}" + GDNSD_DEFPATH_LIBEXEC="${libexecdir}/${PACKAGE_NAME}" + AC_SUBST([GDNSD_DEFPATH_RUN])
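Review bot: in the RUN_DEPENDS hunk, `net/libmaxminddb,-city` and `net/libmaxminddb,-db` keep the `-city`/`-db` subpackage suffixes exactly as they were for net/GeoIP; please confirm those subpackages exist under that name in net/libmaxminddb and that they are the databases gdnsd's geoip plugin reads, since this hunk is what is meant to let the build "pick up libmaxminddb" and use the new db. With RUN_DEPENDS changing for a 2.4.3 that is already in the tree (the diff is against Makefile revision 1.23 with `V= 2.4.3` as context), the `+REVISION= 0` in the first hunk is the right bump. The CONFIGURE_ENV hunk replaces the explicit `LIBEV_LIBS="-L${LOCALBASE}/lib -lev"` / `LIBEV_CFLAGS` pair with generic `LDFLAGS`/`CPPFLAGS` so configure can find both libev and libmaxminddb under ${LOCALBASE}; the trade-off is that `-lev` is no longer forced onto the link line, so the libev check in the configure output is worth a glance when testing.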
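Review bot: the new patches/patch-configure_ac shows `+--- configure.ac.orig` followed by `configure.ac` on the same line, where update-patches would emit a separate `+++ configure.ac` header; this looks like the mail rendering swallowing the `+++` (the removed patch-configure shows the same damage on its `--- configure.orig` line), but please check the file on disk has both headers, since patch(1) needs them. Otherwise patch-configure_ac is a line-for-line port of the removed patch-configure (drop `-Wredundant-decls`, set `GDNSD_DEFPATH_STATE="${localstatedir}/${PACKAGE_NAME}"`), which is the right place for it now that `CONFIGURE_STYLE= autoconf` with `AUTOCONF_VERSION= 2.69` regenerates configure from configure.ac at build time.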
Re: [UPDATE] net/gdnsd to 2.4.3 (Fixes CVE-2019-13952)
On 2019/11/08 16:07, Joerg Jung wrote:
> 
> > On 8. Nov 2019, at 11:46, Frederic Cambus wrote:
> > 
> > Hi ports@,
> > 
> > Here is a diff to update gdnsd to 2.4.3. This fixes CVE-2019-13952.
> > 
> > While there, switch MASTER_SITES to HTTPS.
> > 
> > Comments? OK?
> 
> ok jung@
> 
> RUN_DEPENDS should be updated from GeoIP -> libmaxminddb

As-is, it doesn't pick up libmaxminddb so it probably can't use the
new db. But here's a new diff that enables it.

Index: Makefile === RCS file: /cvs/ports/net/gdnsd/Makefile,v retrieving revision 1.22 diff -u -p -r1.22 Makefile --- Makefile12 Jul 2019 20:48:26 - 1.22 +++ Makefile8 Nov 2019 16:02:28 - @@ -2,7 +2,7 @@ COMMENT= geographically-aware, authoritative-only DNS server -V= 2.4.0 +V= 2.4.3 DISTNAME= gdnsd-$V EXTRACT_SUFX= .tar.xz @@ -15,7 +15,7 @@ MAINTAINER= Joerg Jung https://github.com/gdnsd/gdnsd/releases/download/v$V/ @@ -28,9 +28,10 @@ BUILD_DEPENDS= devel/ragel # used for tests BUILD_DEPENDS+=archivers/xz \ net/curl -LIB_DEPENDS= devel/libev -RUN_DEPENDS= net/GeoIP,-city \ - net/GeoIP,-db +LIB_DEPENDS= devel/libev \ + net/libmaxminddb +RUN_DEPENDS= net/libmaxminddb,-city \ + net/libmaxminddb,-db TEST_DEPENDS= ${BUILD_DEPENDS} \ www/p5-libwww \ net/p5-Socket6 \ @@ -39,11 +40,12 @@ TEST_DEPENDS= ${BUILD_DEPENDS} \ LIBTOOL_FLAGS= --tag=disable-static -CONFIGURE_STYLE= gnu +CONFIGURE_STYLE= autoconf +AUTOCONF_VERSION= 2.69 CONFIGURE_ARGS+= --with-rundir=${VARBASE}/run/ \ --with-rootdir=${VARBASE}/gdnsd -CONFIGURE_ENV= LIBEV_LIBS="-L${LOCALBASE}/lib -lev" \ - LIBEV_CFLAGS="-I${LOCALBASE}/include" +CONFIGURE_ENV= LDFLAGS="-L${LOCALBASE}/lib" \ + CPPFLAGS="-I${LOCALBASE}/include" SUBST_VARS+= VARBASE Index: distinfo === RCS file: /cvs/ports/net/gdnsd/distinfo,v retrieving revision 1.4 diff -u -p -r1.4 distinfo --- distinfo12 Jul 2018 16:31:10 - 1.4 +++ distinfo8 Nov 2019 16:02:28 - 
@@ -1,2 +1,2 @@ -SHA256 (gdnsd-2.4.0.tar.xz) = PVbMuycFTcFVg52U3xNtdgrDYavoaKpqjD2/yeRku5k= -SIZE (gdnsd-2.4.0.tar.xz) = 641820 +SHA256 (gdnsd-2.4.3.tar.xz) = I318pId2027zSaFd2kpYEGze8uvgRzqwXfmW31NueBc= +SIZE (gdnsd-2.4.3.tar.xz) = 641580 Index: patches/patch-configure === RCS file: patches/patch-configure diff -N patches/patch-configure --- patches/patch-configure 9 Jan 2018 19:56:56 - 1.3 +++ /dev/null 1 Jan 1970 00:00:00 - @@ -1,24 +0,0 @@ -$OpenBSD: patch-configure,v 1.3 2018/01/09 19:56:56 jung Exp $ - -Silence warnings about base headers, drowning real warnings. - -Index: configure configure.orig -+++ configure -@@ -14630,7 +14630,6 @@ for flag in \ - -Wnull-dereference \ - -Wold-style-definition \ - -Wpointer-arith \ ---Wredundant-decls \ - -Wshadow \ - -Wsign-conversion \ - -Wshift-overflow=2 \ -@@ -16283,7 +16282,7 @@ else - fi - - GDNSD_DEFPATH_CONFIG="${sysconfdir}/${PACKAGE_NAME}" --GDNSD_DEFPATH_STATE="${localstatedir}/lib/${PACKAGE_NAME}" -+GDNSD_DEFPATH_STATE="${localstatedir}/${PACKAGE_NAME}" - GDNSD_DEFPATH_LIB="${libdir}/${PACKAGE_NAME}" - GDNSD_DEFPATH_LIBEXEC="${libexecdir}/${PACKAGE_NAME}" - Index: patches/patch-configure_ac === RCS file: patches/patch-configure_ac diff -N patches/patch-configure_ac --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-configure_ac 8 Nov 2019 16:02:28 - 
@@ -0,0 +1,24 @@ +$OpenBSD$ + +Silence warnings about base headers, drowning real warnings. + +Index: configure.ac +--- configure.ac.orig configure.ac +@@ -167,7 +167,6 @@ AX_APPEND_COMPILE_FLAGS([\ + -Wnull-dereference \ + -Wold-style-definition \ + -Wpointer-arith \ +--Wredundant-decls \ + -Wshadow \ + -Wsign-conversion \ + -Wshift-overflow=2 \ +@@ -445,7 +444,7 @@ AC_ARG_WITH([rundir],[AS_HELP_STRING([--with-rundir=LO + GDNSD_DEFPATH_RUN="${localstatedir}/run/${PACKAGE_NAME}" + ]) + GDNSD_DEFPATH_CONFIG="${sysconfdir}/${PACKAGE_NAME}" +-GDNSD_DEFPATH_STATE="${localstatedir}/lib/${PACKAGE_NAME}" ++GDNSD_DEFPATH_STATE="${localstatedir}/${PACKAGE_NAME}" + GDNSD_DEFPATH_LIB="${libdir}/${PACKAGE_NAME}" + GDNSD_DEFPATH_LIBEXEC="${libexecdir}/${PACKAGE_NAME}" + AC_SUBST([GDNSD_DEFPATH_RUN]) Index: pkg/PLIST === RCS file: /cvs/ports/net/gdnsd/pkg/PLIST,v retrieving
Re: [UPDATE] net/gdnsd to 2.4.3 (Fixes CVE-2019-13952)
> On 8. Nov 2019, at 11:46, Frederic Cambus wrote:
> 
> Hi ports@,
> 
> Here is a diff to update gdnsd to 2.4.3. This fixes CVE-2019-13952.
> 
> While there, switch MASTER_SITES to HTTPS.
> 
> Comments? OK?

ok jung@

RUN_DEPENDS should be updated from GeoIP -> libmaxminddb

> Index: Makefile > === > RCS file: /cvs/ports/net/gdnsd/Makefile,v > retrieving revision 1.22 > diff -u -p -r1.22 Makefile > --- Makefile 12 Jul 2019 20:48:26 - 1.22 > +++ Makefile 7 Nov 2019 22:04:09 - > @@ -2,13 +2,13 @@ > > COMMENT= geographically-aware, authoritative-only DNS server > > -V= 2.4.0 > +V= 2.4.3 > DISTNAME= gdnsd-$V > EXTRACT_SUFX= .tar.xz > > CATEGORIES= net > > -HOMEPAGE=http://gdnsd.org/ > +HOMEPAGE=https://gdnsd.org/ > > MAINTAINER= Joerg Jung > > Index: distinfo > === > RCS file: /cvs/ports/net/gdnsd/distinfo,v > retrieving revision 1.4 > diff -u -p -r1.4 distinfo > --- distinfo 12 Jul 2018 16:31:10 - 1.4 > +++ distinfo 7 Nov 2019 22:04:09 - > @@ -1,2 +1,2 @@ > -SHA256 (gdnsd-2.4.0.tar.xz) = PVbMuycFTcFVg52U3xNtdgrDYavoaKpqjD2/yeRku5k= > -SIZE (gdnsd-2.4.0.tar.xz) = 641820 > +SHA256 (gdnsd-2.4.3.tar.xz) = I318pId2027zSaFd2kpYEGze8uvgRzqwXfmW31NueBc= > +SIZE (gdnsd-2.4.3.tar.xz) = 641580 > Index: pkg/PLIST > === > RCS file: /cvs/ports/net/gdnsd/pkg/PLIST,v > retrieving revision 1.3 > diff -u -p -r1.3 PLIST > --- pkg/PLIST 23 Jun 2016 16:15:58 - 1.3 > +++ pkg/PLIST 7 Nov 2019 22:04:09 - > @@ -2,6 +2,9 @@ > @newgroup _gdnsd:743 > @newuser _gdnsd:743:_gdnsd:daemon:gdns user:/var/empty:/sbin/nologin > @extraunexec rm -f ${SYSCONFDIR}/gdnsd/* ${SYSCONFDIR}/gdnsd/zones/* > +@sample ${SYSCONFDIR}/gdnsd/ > +@sample ${SYSCONFDIR}/gdnsd/zones/ > +@rcscript ${RCDIR}/gdnsd > @bin bin/gdnsd_geoip_test > include/gdnsd/ > include/gdnsd/alloc.h > @@ -63,6 +66,3 @@ share/doc/gdnsd/NEWS > share/doc/gdnsd/README.md > share/doc/gdnsd/gdnsd_manual.txt > @sample ${VARBASE}/gdnsd/ > -@sample ${SYSCONFDIR}/gdnsd/ > -@sample ${SYSCONFDIR}/gdnsd/zones/ > -@rcscript ${RCDIR}/gdnsd
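Review bot: the visible part of the quoted Makefile hunk only changes `-HOMEPAGE=http://gdnsd.org/` to `+HOMEPAGE=https://gdnsd.org/`, while the message describes switching MASTER_SITES to HTTPS; the `@@ -2,13 +2,13 @@` header covers more lines than are shown, so the MASTER_SITES change was most likely lost in the mail rendering right after `MAINTAINER= Joerg Jung`, but it is worth confirming that both HOMEPAGE and MASTER_SITES end up on HTTPS in the committed diff.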
Re: [UPDATE] net/gdnsd to 2.4.3 (Fixes CVE-2019-13952)
On 2019/11/08 11:46, Frederic Cambus wrote:
> Hi ports@,
> 
> Here is a diff to update gdnsd to 2.4.3. This fixes CVE-2019-13952.
> 
> While there, switch MASTER_SITES to HTTPS.

OK.

I looked at updating to 3.x earlier but then I read "The TL;DR here is
that gdnsd doesn't manage its own OS security or privileges anymore. It
just runs and assumes the environment was already secured by the init
system or script, and assumes it can bind port 53" and put it in the
"too-hard basket".

> Comments? OK?
> 
> Index: Makefile > === > RCS file: /cvs/ports/net/gdnsd/Makefile,v > retrieving revision 1.22 > diff -u -p -r1.22 Makefile > --- Makefile 12 Jul 2019 20:48:26 - 1.22 > +++ Makefile 7 Nov 2019 22:04:09 - > @@ -2,13 +2,13 @@ > > COMMENT= geographically-aware, authoritative-only DNS server > > -V= 2.4.0 > +V= 2.4.3 > DISTNAME=gdnsd-$V > EXTRACT_SUFX=.tar.xz > > CATEGORIES= net > > -HOMEPAGE=http://gdnsd.org/ > +HOMEPAGE=https://gdnsd.org/ > > MAINTAINER= Joerg Jung > > Index: distinfo > === > RCS file: /cvs/ports/net/gdnsd/distinfo,v > retrieving revision 1.4 > diff -u -p -r1.4 distinfo > --- distinfo 12 Jul 2018 16:31:10 - 1.4 > +++ distinfo 7 Nov 2019 22:04:09 - > @@ -1,2 +1,2 @@ > -SHA256 (gdnsd-2.4.0.tar.xz) = PVbMuycFTcFVg52U3xNtdgrDYavoaKpqjD2/yeRku5k= > -SIZE (gdnsd-2.4.0.tar.xz) = 641820 > +SHA256 (gdnsd-2.4.3.tar.xz) = I318pId2027zSaFd2kpYEGze8uvgRzqwXfmW31NueBc= > +SIZE (gdnsd-2.4.3.tar.xz) = 641580 > Index: pkg/PLIST > === > RCS file: /cvs/ports/net/gdnsd/pkg/PLIST,v > retrieving revision 1.3 > diff -u -p -r1.3 PLIST > --- pkg/PLIST 23 Jun 2016 16:15:58 - 1.3 > +++ pkg/PLIST 7 Nov 2019 22:04:09 - > @@ -2,6 +2,9 @@ > @newgroup _gdnsd:743 > @newuser _gdnsd:743:_gdnsd:daemon:gdns user:/var/empty:/sbin/nologin > @extraunexec rm -f ${SYSCONFDIR}/gdnsd/* ${SYSCONFDIR}/gdnsd/zones/* > +@sample ${SYSCONFDIR}/gdnsd/ > +@sample ${SYSCONFDIR}/gdnsd/zones/ > +@rcscript ${RCDIR}/gdnsd > @bin bin/gdnsd_geoip_test > include/gdnsd/ > include/gdnsd/alloc.h 
> @@ -63,6 +66,3 @@ share/doc/gdnsd/NEWS > share/doc/gdnsd/README.md > share/doc/gdnsd/gdnsd_manual.txt > @sample ${VARBASE}/gdnsd/ > -@sample ${SYSCONFDIR}/gdnsd/ > -@sample ${SYSCONFDIR}/gdnsd/zones/ > -@rcscript ${RCDIR}/gdnsd >
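Review bot: the two pkg/PLIST hunks move `@sample ${SYSCONFDIR}/gdnsd/`, `@sample ${SYSCONFDIR}/gdnsd/zones/` and `@rcscript ${RCDIR}/gdnsd` from the end of the file to directly after the `@extraunexec` line without changing them; since this is a pure reordering (presumably what make update-plist produced for 2.4.3), a short note in the commit message saying so would save readers from hunting for a functional change. The `@extraunexec rm -f ${SYSCONFDIR}/gdnsd/* ${SYSCONFDIR}/gdnsd/zones/*` line still precedes the @sample directories it cleans up, as it did before.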