mstevens pushed to pdns (el6). "Patch for CVE-2015-1868"

notifications at fedoraproject.org notifications at fedoraproject.org
Mon Apr 27 12:21:53 UTC 2015


>From 20ffbcb71577ba5d004587b5aff16069cdc919f6 Mon Sep 17 00:00:00 2001
From: Morten Stevens <mstevens at imt-systems.com>
Date: Mon, 27 Apr 2015 14:21:46 +0200
Subject: Patch for CVE-2015-1868


diff --git a/CVE-2015-1868.patch b/CVE-2015-1868.patch
new file mode 100644
index 0000000..5c695de
--- /dev/null
+++ b/CVE-2015-1868.patch
@@ -0,0 +1,26 @@
+diff --git a/pdns/dnsparser.cc b/pdns/dnsparser.cc
+index 595a4af..b89d840 100644
+--- a/pdns/dnsparser.cc
++++ b/pdns/dnsparser.cc
+@@ -455,9 +455,10 @@ string PacketReader::getText(bool multi)
+ 
+ void PacketReader::getLabelFromContent(const vector<uint8_t>& content, uint16_t& frompos, string& ret, int recurs) 
+ {
+-  if(recurs > 1000) // the forward reference-check below should make this test 100% obsolete
++  if(recurs > 100) // the forward reference-check below should make this test 100% obsolete
+     throw MOADNSException("Loop");
+ 
++  int pos = frompos;
+   for(;;) {
+     unsigned char labellen=content.at(frompos++);
+ 
+@@ -470,7 +471,7 @@ void PacketReader::getLabelFromContent(const vector<uint8_t>& content, uint16_t&
+       uint16_t offset=256*(labellen & ~0xc0) + (unsigned int)content.at(frompos++) - sizeof(dnsheader);
+       //        cout<<"This is an offset, need to go to: "<<offset<<endl;
+ 
+-      if(offset >= frompos-2)
++      if(offset >= pos)
+         throw MOADNSException("forward reference during label decompression");
+       return getLabelFromContent(content, offset, ret, ++recurs);
+     }
+
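Review bot: The added `int pos = frompos;` in getLabelFromContent carries no comment explaining why the forward-reference check is now anchored to the start of the name instead of `frompos-2`, and the comment kept on the `recurs > 100` line still calls that test "100% obsolete" even though this fix tightens it. I would add `// start of this name: a compression pointer must target data strictly before it (CVE-2015-1868)` above `pos` and reword the recursion comment to `// defence in depth: bounds pointer chains independently of the check below`. `offset` is computed by subtracting `sizeof(dnsheader)` in unsigned arithmetic, so a pointer into the header presumably wraps to a large uint16_t and is rejected by `offset >= pos`; a one-line comment should say that this is relied on. The nested patch adds no regression test even though the spec now enables `--enable-unit-tests` and `%check`, so a malformed-name case that must throw MOADNSException would pin the fix. The function body continues outside the hunk.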
diff --git a/pdns.spec b/pdns.spec
index 3a186f3..db36065 100644
--- a/pdns.spec
+++ b/pdns.spec
@@ -2,7 +2,7 @@
 
 Name: pdns
 Version: 3.3.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: A modern, advanced and high performance authoritative-only nameserver
 Group: System Environment/Daemons
 License: GPLv2
@@ -10,6 +10,7 @@ URL: http://powerdns.com
 Source0: http://downloads.powerdns.com/releases/%{name}-%{version}.tar.gz
 Patch0: pdns-default-config.patch
 Patch1: pdns-fixinit.patch
+Patch2: CVE-2015-1868.patch
 
 Requires(pre): shadow-utils
 Requires(post): /sbin/chkconfig
@@ -20,7 +21,6 @@ BuildRequires: boost-devel
 BuildRequires: lua-devel
 BuildRequires: cryptopp-devel
 BuildRequires: bison
-BuildRequires: polarssl-devel
 Provides: powerdns = %{version}-%{release}
 
 %description
@@ -119,9 +119,7 @@ This package contains the SQLite backend for %{name}
 %setup -q
 %patch0 -p1 -b .default-config-patch
 %patch1 -p1 -b .fixinit
-
-# No inclusion of pre-built binaries or libraries
-rm -rf pdns/ext/polarssl-*
+%patch2 -p1 -b .CVE-2015-1868
 
 %build
 export CPPFLAGS="-DLDAP_DEPRECATED"
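Review bot: Removing `rm -rf pdns/ext/polarssl-*` here, together with `--with-system-polarssl` in the following %build hunk and `BuildRequires: polarssl-devel` in the hunk above, suggests the package now builds against the PolarSSL copy bundled in the tarball. That is unrelated to the CVE fix, and the changelog explains it only as "Remove polarssl-devel as build dependency". A bundled crypto library no longer picks up the distribution's security updates, so if that is the intent it should be stated next to `%patch2`, e.g. `# building bundled pdns/ext/polarssl-* because <reason>`, and the bundled version tracked for its own advisories. If the bundled copy is not meant to be used, keeping the `rm -rf pdns/ext/polarssl-*` line would make the build fail loudly rather than link it silently.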
@@ -130,13 +128,16 @@ export CPPFLAGS="-DLDAP_DEPRECATED"
 	--sysconfdir=%{_sysconfdir}/%{name} \
 	--libdir=%{_libdir}/%{name} \
 	--disable-static \
+	--disable-dependency-tracking \
+	--disable-silent-rules \
 	--with-modules='' \
-        --with-system-polarssl \
 	--with-lua \
 	--with-dynmodules='%{backends}' \
 	--enable-cryptopp \
 	--enable-tools \
-	--enable-remotebackend-http
+	--enable-remotebackend-http \
+	--enable-unit-tests
+
 
 sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
 sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
@@ -152,6 +153,9 @@ make install DESTDIR=%{buildroot}
 
 chmod 600 %{buildroot}%{_sysconfdir}/%{name}/pdns.conf
 
+%check
+make %{?_smp_mflags} -C pdns check
+
 %pre
 getent group pdns >/dev/null || groupadd -r pdns
 getent passwd pdns >/dev/null || \
@@ -238,6 +242,11 @@ fi
 %{_libdir}/%{name}/libgsqlite3backend.so
 
 %changelog
+* Mon Apr 27 2015 Morten Stevens <mstevens at imt-systems.com> - 3.3.1-2
+- CVE-2015-1868
+- Run the unit tests during check
+- Remove polarssl-devel as build dependency
+
 * Tue Dec 17 2013 Morten Stevens <mstevens at imt-systems.com> - 3.3.1-1
 - Update to latest upstream release 3.3.1
 - Some more DNSSEC improvements
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/pdns.git/commit/?h=el6&id=20ffbcb71577ba5d004587b5aff16069cdc919f6

