Re: patch libcares on -stable (was: Re: Update to libcares-1.12.0)
On Tue, 11 Oct 2016 22:26:51 +0200, Daniel Jakots wrote:

> On Mon, 10 Oct 2016 21:46:54 +0200, Daniel Jakots wrote:
>
> > Hi,
> >
> > This fixes CVE-2016-5180.

ping

> I had a look for -stable. The patch uses a function that doesn't exist
> in 1.10.0:
>
> > + buf = ares_malloc(len);
>
> I guess it appears in 1.11.0 because in the ChangeLog there is
>
> > Allow library-wide override of malloc/free
>
> So just backporting the diff doesn't work. Debian just
> uses malloc in their backport (thanks olasd!):
> https://sources.debian.net/src/c-ares/1.10.0-2%2Bdeb8u1/debian/patches/CVE-2016-5180.diff/
>
> Doing the same thing and make package works.
>
> Comments? OK?
>
> Cheers,
> Daniel
>
> Index: Makefile > === > RCS file: /cvs/ports/net/libcares/Makefile,v > retrieving revision 1.16 > diff -u -p -r1.16 Makefile > --- Makefile 11 Mar 2016 19:59:15 - 1.16 > +++ Makefile 11 Oct 2016 20:26:07 - > @@ -7,7 +7,7 @@ DISTNAME= c-ares-${V} > PKGNAME= libcares-${V} > CATEGORIES= net devel > MASTER_SITES=${HOMEPAGE}download/ > -REVISION=0 > +REVISION=1 > > SHARED_LIBS= cares 2.5 > > Index: patches/patch-ares_create_query_c > === > RCS file: patches/patch-ares_create_query_c > diff -N patches/patch-ares_create_query_c > --- /dev/null 1 Jan 1970 00:00:00 - > +++ patches/patch-ares_create_query_c 11 Oct 2016 20:26:07 > - 
@@ -0,0 +1,136 @@ > +$OpenBSD$ > + > +Patch for CVE-2016-5180 https://c-ares.haxx.se/adv_20160929.html > + > +--- ares_create_query.c.orig Wed Feb 13 11:01:50 2013 > ares_create_query.c Tue Oct 11 22:15:41 2016 > +@@ -85,57 +85,31 @@ > + */ > + > + int ares_create_query(const char *name, int dnsclass, int type, > +- unsigned short id, int rd, unsigned char > **buf, +- int *buflen, int max_udp_size) > ++ unsigned short id, int rd, unsigned char > **bufp, ++ int *buflenp, int max_udp_size) > + { > +- int len; > ++ size_t len; > + unsigned char *q; > + const char *p; > ++ size_t buflen; > ++ unsigned char *buf; > + > + /* Set our results early, in case we bail out early with an > error. */ +- *buflen = 0; > +- *buf = NULL; > ++ *buflenp = 0; > ++ *bufp = NULL; > + > +- /* Compute the length of the encoded name so we can check buflen. > +- * Start counting at 1 for the zero-length label at the end. */ > +- len = 1; > +- for (p = name; *p; p++) > +-{ > +- if (*p == '\\' && *(p + 1) != 0) > +-p++; > +- len++; > +-} > +- /* If there are n periods in the name, there are n + 1 labels, and > +- * thus n + 1 length fields, unless the name is empty or ends > with a +- * period. So add 1 unless name is empty or ends with a > period. ++ /* Allocate a memory area for the maximum size this > packet might need. +2 ++ * is for the length byte and zero > termination if no dots or ecscaping is ++ * used. > +*/ > +- if (*name && *(p - 1) != '.') > +-len++; > ++ len = strlen(name) + 2 + HFIXEDSZ + QFIXEDSZ + > ++(max_udp_size ? EDNSFIXEDSZ : 0); > ++ buf = malloc(len); > ++ if (!buf) > ++return ARES_ENOMEM; > + > +- /* Immediately reject names that are longer than the maximum of > 255 +- * bytes that's specified in RFC 1035 ("To simplify > implementations, +- * the total length of a domain name (i.e., > label octets and label +- * length octets) is restricted to 255 > octets or less."). We aren't +- * doing this just to be a stickler > about RFCs. 
For names that are +- * too long, 'dnscache' closes its > TCP connection to us immediately +- * (when using TCP) and ignores > the request when using UDP, and +- * BIND's named returns ServFail > (TCP or UDP). Sending a request +- * that we know will cause > 'dnscache' to close the TCP connection is +- * painful, since that > makes any other outstanding requests on that +- * connection fail. > And sending a UDP request that we know +- * 'dnscache' will ignore > is bad because resources will be tied up +- * until we time-out the > request. +- */ > +- if (len > MAXCDNAME) > +-return ARES_EBADNAME; > +- > +- *buflen = len + HFIXEDSZ + QFIXEDSZ + (max_udp_size ? > EDNSFIXEDSZ : 0); +- *buf = malloc(*buflen); > +- if (!*buf) > +- return ARES_ENOMEM; > +- > + /* Set up the header. */ > +- q = *buf; > ++ q = buf; > + memset(q, 0, HFIXEDSZ); > + DNS_HEADER_SET_QID(q, id); > + DNS_HEADER_SET_OPCODE(q, QUERY); > +@@ -159,8 +133,10 @@ int ares_create_query(const char *name, int > dnsclass, > + q += HFIXEDSZ; > + while (*name) > + { > +- if (*name == '.') > ++ if (*name == '.') { > ++free (buf); > + return ARES_EBADNAME; > ++ } > + > + /* Count the number of bytes in this label. */ > +
patch libcares on -stable (was: Re: Update to libcares-1.12.0)
On Mon, 10 Oct 2016 21:46:54 +0200, Daniel Jakots wrote:

> Hi,
>
> This fixes CVE-2016-5180.

I had a look for -stable. The patch uses a function that doesn't exist in 1.10.0:

> + buf = ares_malloc(len);

I guess it appears in 1.11.0 because in the ChangeLog there is

> Allow library-wide override of malloc/free

So just backporting the diff doesn't work. Debian just uses malloc in their backport (thanks olasd!):
https://sources.debian.net/src/c-ares/1.10.0-2%2Bdeb8u1/debian/patches/CVE-2016-5180.diff/

Doing the same thing and make package works.

Comments? OK?

Cheers,
Daniel

Index: Makefile === RCS file: /cvs/ports/net/libcares/Makefile,v retrieving revision 1.16 diff -u -p -r1.16 Makefile --- Makefile11 Mar 2016 19:59:15 - 1.16 +++ Makefile11 Oct 2016 20:26:07 - @@ -7,7 +7,7 @@ DISTNAME= c-ares-${V} PKGNAME= libcares-${V} CATEGORIES=net devel MASTER_SITES= ${HOMEPAGE}download/ -REVISION= 0 +REVISION= 1 SHARED_LIBS= cares 2.5 Index: patches/patch-ares_create_query_c === RCS file: patches/patch-ares_create_query_c diff -N patches/patch-ares_create_query_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-ares_create_query_c 11 Oct 2016 20:26:07 - 
@@ -0,0 +1,136 @@ +$OpenBSD$ + +Patch for CVE-2016-5180 https://c-ares.haxx.se/adv_20160929.html + +--- ares_create_query.c.orig Wed Feb 13 11:01:50 2013 ares_create_query.cTue Oct 11 22:15:41 2016 +@@ -85,57 +85,31 @@ + */ + + int ares_create_query(const char *name, int dnsclass, int type, +- unsigned short id, int rd, unsigned char **buf, +- int *buflen, int max_udp_size) ++ unsigned short id, int rd, unsigned char **bufp, ++ int *buflenp, int max_udp_size) + { +- int len; ++ size_t len; + unsigned char *q; + const char *p; ++ size_t buflen; ++ unsigned char *buf; + + /* Set our results early, in case we bail out early with an error. */ +- *buflen = 0; +- *buf = NULL; ++ *buflenp = 0; ++ *bufp = NULL; + +- /* Compute the length of the encoded name so we can check buflen. +- * Start counting at 1 for the zero-length label at the end. */ +- len = 1; +- for (p = name; *p; p++) +-{ +- if (*p == '\\' && *(p + 1) != 0) +-p++; +- len++; +-} +- /* If there are n periods in the name, there are n + 1 labels, and +- * thus n + 1 length fields, unless the name is empty or ends with a +- * period. So add 1 unless name is empty or ends with a period. ++ /* Allocate a memory area for the maximum size this packet might need. +2 ++ * is for the length byte and zero termination if no dots or ecscaping is ++ * used. +*/ +- if (*name && *(p - 1) != '.') +-len++; ++ len = strlen(name) + 2 + HFIXEDSZ + QFIXEDSZ + ++(max_udp_size ? EDNSFIXEDSZ : 0); ++ buf = malloc(len); ++ if (!buf) ++return ARES_ENOMEM; + +- /* Immediately reject names that are longer than the maximum of 255 +- * bytes that's specified in RFC 1035 ("To simplify implementations, +- * the total length of a domain name (i.e., label octets and label +- * length octets) is restricted to 255 octets or less."). We aren't +- * doing this just to be a stickler about RFCs. 
For names that are +- * too long, 'dnscache' closes its TCP connection to us immediately +- * (when using TCP) and ignores the request when using UDP, and +- * BIND's named returns ServFail (TCP or UDP). Sending a request +- * that we know will cause 'dnscache' to close the TCP connection is +- * painful, since that makes any other outstanding requests on that +- * connection fail. And sending a UDP request that we know +- * 'dnscache' will ignore is bad because resources will be tied up +- * until we time-out the request. +- */ +- if (len > MAXCDNAME) +-return ARES_EBADNAME; +- +- *buflen = len + HFIXEDSZ + QFIXEDSZ + (max_udp_size ? EDNSFIXEDSZ : 0); +- *buf = malloc(*buflen); +- if (!*buf) +- return ARES_ENOMEM; +- + /* Set up the header. */ +- q = *buf; ++ q = buf; + memset(q, 0, HFIXEDSZ); + DNS_HEADER_SET_QID(q, id); + DNS_HEADER_SET_OPCODE(q, QUERY); +@@ -159,8 +133,10 @@ int ares_create_query(const char *name, int dnsclass, + q += HFIXEDSZ; + while (*name) + { +- if (*name == '.') ++ if (*name == '.') { ++free (buf); + return ARES_EBADNAME; ++ } + + /* Count the number of bytes in this label. */ + len = 0; +@@ -170,8 +146,10 @@ int ares_create_query(const char *name, int dnsclass, + p++; + len++; + } +- if (len > MAXLABEL) ++ if (len > MAXLABEL) { ++free (buf); + return ARES_EBADNAME; ++ } + + /* Encode the length and copy the data. */ + *q++ = (unsigned char)len; +@@
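Review bot: the first hunk of patch-ares_create_query_c deletes the `if (len > MAXCDNAME) return ARES_EBADNAME;` check together with the length pre-computation, and nothing in the part of the patch visible here reinstates a bound on the total encoded name (the file header announces 136 added lines, but the text stops at the third `@@`); before committing, confirm that the tail of the backport checks the encoded length against MAXCDNAME, because the new `strlen(name) + 2 + HFIXEDSZ + QFIXEDSZ + (max_udp_size ? EDNSFIXEDSZ : 0)` allocation bounds the buffer but not the RFC 1035 name length. In the same hunk `len` becomes `size_t` while the out-parameter stays `int *buflenp`, so the final store into `*buflenp` (also outside the visible lines) needs an explicit cast.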
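Review bot: in the `*name == '.'` and `len > MAXLABEL` hunks the early returns now `free (buf)` before `return ARES_EBADNAME`, which is required once allocation precedes validation; pairing plain `free` with the plain `malloc(len)` from the first hunk is the right choice for 1.10.0, which has no `ares_malloc`/`ares_free` override, but every other early return in the truncated remainder of the patch must do the same or the error path leaks the buffer. Minor style point: `free (buf)` carries a space before the parenthesis while `malloc(len)` in the same patch does not.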
Re: Update to libcares-1.12.0
Daniel Jakots writes:

> On Tue, 11 Oct 2016 15:50:22 +0200, Jeremie Courreges-Anglas wrote:
>
>> > So I just bumped the minor.
>>
>> Upstream bumped the major. Looking at the headers, some structs have
>> additional members, so it might be a true ABI break.
>
> Indeed, new patch now bumping the major to take no chance.

ok jca@

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
Re: Update to libcares-1.12.0
On Tue, 11 Oct 2016 15:50:22 +0200, Jeremie Courreges-Anglas wrote:

> > So I just bumped the minor.
>
> Upstream bumped the major. Looking at the headers, some structs have
> additional members, so it might be a true ABI break.

Indeed, new patch now bumping the major to take no chance.

Index: Makefile === RCS file: /cvs/ports/net/libcares/Makefile,v retrieving revision 1.17 diff -u -p -r1.17 Makefile --- Makefile10 Sep 2016 13:03:40 - 1.17 +++ Makefile11 Oct 2016 18:25:57 - @@ -2,14 +2,13 @@ COMMENT= asynchronous resolver library -V= 1.10.0 +V= 1.12.0 DISTNAME= c-ares-${V} PKGNAME= libcares-${V} CATEGORIES=net devel MASTER_SITES= ${HOMEPAGE}download/ -REVISION= 1 -SHARED_LIBS= cares 2.5 +SHARED_LIBS += cares3.0 # 4.0 HOMEPAGE= http://c-ares.haxx.se/ Index: distinfo === RCS file: /cvs/ports/net/libcares/distinfo,v retrieving revision 1.8 diff -u -p -r1.8 distinfo --- distinfo11 Sep 2013 18:05:34 - 1.8 +++ distinfo11 Oct 2016 18:25:57 - @@ -1,2 +1,2 @@ -SHA256 (c-ares-1.10.0.tar.gz) = PXAWdGFdEVjlalmq7eeJHy3ePaD0am08aE4K5w9S09s= -SIZE (c-ares-1.10.0.tar.gz) = 809073 +SHA256 (c-ares-1.12.0.tar.gz) = hpL5QDzc35NhMOBFyEAhZlEY7pv+qQXRp28E1ObzZfs= +SIZE (c-ares-1.12.0.tar.gz) = 1769879 Index: pkg/PLIST === RCS file: /cvs/ports/net/libcares/pkg/PLIST,v retrieving revision 1.8 diff -u -p -r1.8 PLIST --- pkg/PLIST 22 May 2015 11:31:17 - 1.8 +++ pkg/PLIST 11 Oct 2016 18:25:57 - @@ -20,6 +20,7 @@ lib/pkgconfig/libcares.pc @man man/man3/ares_free_hostent.3 @man man/man3/ares_free_string.3 @man man/man3/ares_get_servers.3 +@man man/man3/ares_get_servers_ports.3 @man man/man3/ares_gethostbyaddr.3 @man man/man3/ares_gethostbyname.3 @man man/man3/ares_gethostbyname_file.3 
@@ -46,8 +47,16 @@ lib/pkgconfig/libcares.pc @man man/man3/ares_save_options.3 @man man/man3/ares_search.3 @man man/man3/ares_send.3 +@man man/man3/ares_set_local_dev.3 +@man man/man3/ares_set_local_ip4.3 +@man man/man3/ares_set_local_ip6.3 @man man/man3/ares_set_servers.3 +@man man/man3/ares_set_servers_csv.3 +@man man/man3/ares_set_servers_ports.3 +@man man/man3/ares_set_servers_ports_csv.3 @man man/man3/ares_set_socket_callback.3 +@man man/man3/ares_set_socket_configure_callback.3 +@man man/man3/ares_set_sortlist.3 @man man/man3/ares_strerror.3 @man man/man3/ares_timeout.3 @man man/man3/ares_version.3
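Review bot: the major bump in the Makefile hunk (`-SHARED_LIBS= cares 2.5` to `+SHARED_LIBS += cares3.0 # 4.0`) is the safe reading of the struct member additions discussed above, since a changed layout in a public header breaks the ABI even when the symbol list only grows; dropping `REVISION= 1` in the same hunk is correct because `V` moves from 1.10.0 to 1.12.0. The distinfo and PLIST hunks are mechanical and match the man pages added for the new entry points.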
Re: Update to libcares-1.12.0
Daniel Jakots writes:

> Hi,
>
> This fixes CVE-2016-5180.
>
> ChangeLog is available: https://c-ares.haxx.se/changelog.html
>
> $ diff -up libcares-10 libcares-12 > --- libcares-10 Mon Oct 10 21:07:50 2016 > +++ libcares-12 Mon Oct 10 21:07:58 2016 > @@ -12,6 +12,7 @@ T ares_free_data > T ares_free_hostent > T ares_free_string > T ares_get_servers > +T ares_get_servers_ports > T ares_gethostbyaddr > T ares_gethostbyname > T ares_gethostbyname_file > @@ -23,6 +24,8 @@ T ares_init > T ares_init_options > T ares_library_cleanup > T ares_library_init > +T ares_library_init_mem > +T ares_library_initialized > T ares_mkquery > T ares_parse_a_reply > T ares_parse__reply > @@ -33,6 +36,7 @@ T ares_parse_ptr_reply > T ares_parse_soa_reply > T ares_parse_srv_reply > T ares_parse_txt_reply > +T ares_parse_txt_reply_ext > T ares_process > T ares_process_fd > T ares_query > @@ -44,7 +48,11 @@ T ares_set_local_ip4 > T ares_set_local_ip6 > T ares_set_servers > T ares_set_servers_csv > +T ares_set_servers_ports > +T ares_set_servers_ports_csv > T ares_set_socket_callback > +T ares_set_socket_configure_callback > +T ares_set_sortlist > T ares_strerror > T ares_timeout > T ares_version
>
> So I just bumped the minor.

Upstream bumped the major. Looking at the headers, some structs have additional members, so it might be a true ABI break.

> LIB_DEPENDS are:
> /usr/ports/devel/py-gevent
> /usr/ports/games/bzflag
> /usr/ports/net/sipsak
> /usr/ports/net/wireshark,-text
> /usr/ports/www/aria2
> /usr/ports/x11/e17/ecore
>
> I did make package for py-gevent, sipsak and aria2, no problem.

The others build fine here, except for wireshark but it looks like an unrelated error.

> Comments? OK?
>
> Cheers,
> Daniel
>
> Index: Makefile > === > RCS file: /cvs/ports/net/libcares/Makefile,v > retrieving revision 1.17 > diff -u -p -r1.17 Makefile > --- Makefile 10 Sep 2016 13:03:40 - 1.17 > +++ Makefile 10 Oct 2016 19:36:29 - 
> @@ -2,14 +2,13 @@ > > COMMENT= asynchronous resolver library > > -V= 1.10.0 > +V= 1.12.0 > DISTNAME=c-ares-${V} > PKGNAME= libcares-${V} > CATEGORIES= net devel > MASTER_SITES=${HOMEPAGE}download/ > -REVISION=1 > > -SHARED_LIBS= cares 2.5 > +SHARED_LIBS += cares2.6 # 4.0 > > HOMEPAGE=http://c-ares.haxx.se/ > > Index: distinfo > === > RCS file: /cvs/ports/net/libcares/distinfo,v > retrieving revision 1.8 > diff -u -p -r1.8 distinfo > --- distinfo 11 Sep 2013 18:05:34 - 1.8 > +++ distinfo 10 Oct 2016 19:36:29 - > @@ -1,2 +1,2 @@ > -SHA256 (c-ares-1.10.0.tar.gz) = PXAWdGFdEVjlalmq7eeJHy3ePaD0am08aE4K5w9S09s= > -SIZE (c-ares-1.10.0.tar.gz) = 809073 > +SHA256 (c-ares-1.12.0.tar.gz) = hpL5QDzc35NhMOBFyEAhZlEY7pv+qQXRp28E1ObzZfs= > +SIZE (c-ares-1.12.0.tar.gz) = 1769879 > Index: pkg/PLIST > === > RCS file: /cvs/ports/net/libcares/pkg/PLIST,v > retrieving revision 1.8 > diff -u -p -r1.8 PLIST > --- pkg/PLIST 22 May 2015 11:31:17 - 1.8 > +++ pkg/PLIST 10 Oct 2016 19:36:29 - > @@ -20,6 +20,7 @@ lib/pkgconfig/libcares.pc > @man man/man3/ares_free_hostent.3 > @man man/man3/ares_free_string.3 > @man man/man3/ares_get_servers.3 > +@man man/man3/ares_get_servers_ports.3 > @man man/man3/ares_gethostbyaddr.3 > @man man/man3/ares_gethostbyname.3 > @man man/man3/ares_gethostbyname_file.3 
> @@ -46,8 +47,16 @@ lib/pkgconfig/libcares.pc > @man man/man3/ares_save_options.3 > @man man/man3/ares_search.3 > @man man/man3/ares_send.3 > +@man man/man3/ares_set_local_dev.3 > +@man man/man3/ares_set_local_ip4.3 > +@man man/man3/ares_set_local_ip6.3 > @man man/man3/ares_set_servers.3 > +@man man/man3/ares_set_servers_csv.3 > +@man man/man3/ares_set_servers_ports.3 > +@man man/man3/ares_set_servers_ports_csv.3 > @man man/man3/ares_set_socket_callback.3 > +@man man/man3/ares_set_socket_configure_callback.3 > +@man man/man3/ares_set_sortlist.3 > @man man/man3/ares_strerror.3 > @man man/man3/ares_timeout.3 > @man man/man3/ares_version.3 > -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
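The decision being argued over above (minor bump because the `nm` diff only shows additions, versus major bump because public structs gained members) can be scripted for the part that a symbol listing can actually answer. The POSIX sh helper below is an added example, not code from this thread or from the OpenBSD ports tree: it diffs two exported-symbol listings in the `T symbol` form shown in Daniel's mail and reports the SHARED_LIBS bump the symbol diff alone justifies. The bump rule it encodes (additions only means minor, removals or retyped symbols mean major) is my assumption of the usual shared-library convention, and the sample listings are constructed, not real `nm` output from the libcares packages. By design it can only ever say "at least minor": a changed struct layout in a header, jca's concern, leaves the symbol list untouched and must be checked against the headers separately.

```shell
#!/bin/sh
# Added example (not from the thread or the ports tree).  Compares two
# exported-symbol listings, one "T symbol" per line as produced by e.g.
# `nm -g --defined-only libcares.so | awk '{print $2, $3}'`, and prints
# the SHARED_LIBS bump that the symbol diff by itself justifies.
#
# Assumed rule (shared-library convention as I understand it):
#   only symbols added          -> minor
#   symbols removed or retyped  -> major
#   no change                   -> none
# A symbol diff cannot see changed struct layouts in public headers, which
# also break the ABI, so "minor" means "at least minor", never "not major".

# abi_bump_hint OLD NEW: print none, minor or major on stdout.
abi_bump_hint() {
    t_old=$(mktemp) || return 1
    t_new=$(mktemp) || return 1
    # comm(1) needs sorted input; sort -u also folds duplicate lines.
    sort -u "$1" > "$t_old"
    sort -u "$2" > "$t_new"
    removed=$(comm -23 "$t_old" "$t_new" | wc -l | tr -d ' ')
    added=$(comm -13 "$t_old" "$t_new" | wc -l | tr -d ' ')
    rm -f "$t_old" "$t_new"
    # A symbol whose type letter changed (T -> D, say) shows up as one
    # removal plus one addition, so it correctly lands in the major case.
    if [ "$removed" -gt 0 ]; then
        echo major
    elif [ "$added" -gt 0 ]; then
        echo minor
    else
        echo none
    fi
}

# Constructed sample listings written into directory $1.  The names mirror
# the thread's nm diff, but these are not real output from the packages.
write_fixtures() {
    printf 'T ares_free_string\nT ares_get_servers\nT ares_init\n' \
        > "$1/old.syms"
    # New entry point, nothing removed: what the 1.10.0 -> 1.12.0 diff shows.
    printf 'T ares_free_string\nT ares_get_servers\nT ares_get_servers_ports\nT ares_init\n' \
        > "$1/added.syms"
    # Hypothetical: ares_get_servers disappeared, ares_mkquery appeared.
    printf 'T ares_free_string\nT ares_init\nT ares_mkquery\n' \
        > "$1/removed.syms"
}

# demo NAME: compare old.syms against NAME.syms (added, removed or old).
demo() {
    dir=$(mktemp -d) || return 1
    write_fixtures "$dir"
    abi_bump_hint "$dir/old.syms" "$dir/$1.syms"
    rm -rf "$dir"
}

demo added    # prints: minor
```

In practice you would feed `abi_bump_hint` the two listings saved from the old and new builds (the thread's `libcares-10` and `libcares-12` files) and then, whatever it prints, still open the public headers and compare any struct that callers allocate or index themselves; that second step is what turned 2.6 into 3.0 here.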
Update to libcares-1.12.0
Hi,

This fixes CVE-2016-5180.

ChangeLog is available: https://c-ares.haxx.se/changelog.html

$ diff -up libcares-10 libcares-12 --- libcares-10 Mon Oct 10 21:07:50 2016 +++ libcares-12 Mon Oct 10 21:07:58 2016 @@ -12,6 +12,7 @@ T ares_free_data T ares_free_hostent T ares_free_string T ares_get_servers +T ares_get_servers_ports T ares_gethostbyaddr T ares_gethostbyname T ares_gethostbyname_file @@ -23,6 +24,8 @@ T ares_init T ares_init_options T ares_library_cleanup T ares_library_init +T ares_library_init_mem +T ares_library_initialized T ares_mkquery T ares_parse_a_reply T ares_parse__reply @@ -33,6 +36,7 @@ T ares_parse_ptr_reply T ares_parse_soa_reply T ares_parse_srv_reply T ares_parse_txt_reply +T ares_parse_txt_reply_ext T ares_process T ares_process_fd T ares_query @@ -44,7 +48,11 @@ T ares_set_local_ip4 T ares_set_local_ip6 T ares_set_servers T ares_set_servers_csv +T ares_set_servers_ports +T ares_set_servers_ports_csv T ares_set_socket_callback +T ares_set_socket_configure_callback +T ares_set_sortlist T ares_strerror T ares_timeout T ares_version

So I just bumped the minor.

LIB_DEPENDS are:
/usr/ports/devel/py-gevent
/usr/ports/games/bzflag
/usr/ports/net/sipsak
/usr/ports/net/wireshark,-text
/usr/ports/www/aria2
/usr/ports/x11/e17/ecore

I did make package for py-gevent, sipsak and aria2, no problem.

Comments? OK?

Cheers,
Daniel

Index: Makefile === RCS file: /cvs/ports/net/libcares/Makefile,v retrieving revision 1.17 diff -u -p -r1.17 Makefile --- Makefile10 Sep 2016 13:03:40 - 1.17 +++ Makefile10 Oct 2016 19:36:29 - 
@@ -2,14 +2,13 @@ COMMENT= asynchronous resolver library -V= 1.10.0 +V= 1.12.0 DISTNAME= c-ares-${V} PKGNAME= libcares-${V} CATEGORIES=net devel MASTER_SITES= ${HOMEPAGE}download/ -REVISION= 1 -SHARED_LIBS= cares 2.5 +SHARED_LIBS += cares2.6 # 4.0 HOMEPAGE= http://c-ares.haxx.se/ Index: distinfo === RCS file: /cvs/ports/net/libcares/distinfo,v retrieving revision 1.8 diff -u -p -r1.8 distinfo --- distinfo11 Sep 2013 18:05:34 - 1.8 +++ distinfo10 Oct 2016 19:36:29 - @@ -1,2 +1,2 @@ -SHA256 (c-ares-1.10.0.tar.gz) = PXAWdGFdEVjlalmq7eeJHy3ePaD0am08aE4K5w9S09s= -SIZE (c-ares-1.10.0.tar.gz) = 809073 +SHA256 (c-ares-1.12.0.tar.gz) = hpL5QDzc35NhMOBFyEAhZlEY7pv+qQXRp28E1ObzZfs= +SIZE (c-ares-1.12.0.tar.gz) = 1769879 Index: pkg/PLIST === RCS file: /cvs/ports/net/libcares/pkg/PLIST,v retrieving revision 1.8 diff -u -p -r1.8 PLIST --- pkg/PLIST 22 May 2015 11:31:17 - 1.8 +++ pkg/PLIST 10 Oct 2016 19:36:29 - @@ -20,6 +20,7 @@ lib/pkgconfig/libcares.pc @man man/man3/ares_free_hostent.3 @man man/man3/ares_free_string.3 @man man/man3/ares_get_servers.3 +@man man/man3/ares_get_servers_ports.3 @man man/man3/ares_gethostbyaddr.3 @man man/man3/ares_gethostbyname.3 @man man/man3/ares_gethostbyname_file.3 @@ -46,8 +47,16 @@ lib/pkgconfig/libcares.pc @man man/man3/ares_save_options.3 @man man/man3/ares_search.3 @man man/man3/ares_send.3 +@man man/man3/ares_set_local_dev.3 +@man man/man3/ares_set_local_ip4.3 +@man man/man3/ares_set_local_ip6.3 @man man/man3/ares_set_servers.3 +@man man/man3/ares_set_servers_csv.3 +@man man/man3/ares_set_servers_ports.3 +@man man/man3/ares_set_servers_ports_csv.3 @man man/man3/ares_set_socket_callback.3 +@man man/man3/ares_set_socket_configure_callback.3 +@man man/man3/ares_set_sortlist.3 @man man/man3/ares_strerror.3 @man man/man3/ares_timeout.3 @man man/man3/ares_version.3
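Review bot: the Makefile hunk's `+SHARED_LIBS += cares2.6 # 4.0` bumps only the minor, which is justified only when the ABI is purely extended; the `nm` diff in this message shows additions alone (`+T ares_get_servers_ports`, `+T ares_set_sortlist` and the others), which is necessary but not sufficient, because a member added to a struct in the public headers breaks the ABI without touching the symbol list, so compare the 1.10.0 and 1.12.0 headers before settling on 2.6 instead of 3.0. The rest of the hunk (dropping `REVISION= 1` as `V` moves to 1.12.0) and the distinfo and PLIST hunks look fine.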