Commit 407d97af authored by Leo's avatar Leo
Browse files

main/unbound: fix CVE-2019-18934

ref #10965
parent d7d7d0f8
......@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=unbound
pkgver=1.9.1
pkgrel=3
pkgrel=4
pkgdesc="Unbound is a validating, recursive, and caching DNS resolver"
url="http://unbound.net/"
arch="all"
......@@ -21,6 +21,7 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-libs $pkgname-dbg
source="https://unbound.net/downloads/$pkgname-$pkgver.tar.gz
conf.patch
CVE-2019-16866.patch
CVE-2019-18934.patch
migrate-dnscache-to-unbound
$pkgname.initd
$pkgname.confd
......@@ -28,6 +29,8 @@ source="https://unbound.net/downloads/$pkgname-$pkgver.tar.gz
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
# 1.9.1-r4:
# - CVE-2019-18934
# 1.9.1-r3:
# - CVE-2019-16866
......@@ -114,6 +117,7 @@ migrate() {
sha512sums="5dfac7ce3892f73109fdfe0f81863643b1f4c10cee2d4e2d1a28132f1b9ea4d4f89242e4e6348fdadf998f1c75d53577cbf4f719e98faa1342fc3c5de2e8903d unbound-1.9.1.tar.gz
f9b90c6e717f99f3927a20320c5ec9e666af9eb4ad732520cd6de12c9ea98375c44dbbc598bef955a7c0243fbce0b29d9015ccc85b909b62509967cd8976a3c8 conf.patch
da578f620bc1abca4a53bb3448c023c59ccd33c0d560603ab5e6caf7eebd8e4d8a2401f2e4ebbcf1124f168699be02a489ae27d7b723f9b67678592ecea30529 CVE-2019-16866.patch
b2ae6363d89c4effa9e926210c4b876eb8fefa79bf459047107e6fb8eb8aca2b9844a4a8bdabe361248be2eeb36519aac7bbc4fe7b805447958088bcc18a83d2 CVE-2019-18934.patch
0a5c7b8f2b8c79c5384bce05962c8f8f5f31ce3aeb967b0e897361a24ea7065eb4e7c28ff3acfb0fb0d46be966d4e526e64b231f49b589ec63f576c25433bb59 migrate-dnscache-to-unbound
a2b39cb00d342c3bae70ae714dc2bd7c15d0475b35f7afff11fb0bd4c1786f83dd5425a5900a7b4d6c17915a6c546e37f82404bceb44f79c054629e999f23152 unbound.initd
40c660f275a78f93677761f52bdf7ef151941e8469dd17767a947dbe575880e0d113c320d15c7ea7e12ef636d8ec9453eeae804619678293fa35e3d4c7e75a71 unbound.confd"
diff --git a/ipsecmod/ipsecmod.c b/ipsecmod/ipsecmod.c
index c8400c6..9e916d6 100644
--- a/ipsecmod/ipsecmod.c
+++ b/ipsecmod/ipsecmod.c
@@ -161,6 +161,71 @@ generate_request(struct module_qstate* qstate, int id, uint8_t* name,
return 1;
}
+/**
+ * Check if the string passed is a valid domain name with safe characters to
+ * pass to a shell.
+ * This will only allow:
+ * - digits
+ * - alphas
+ * - hyphen (not at the start)
+ * - dot (not at the start, or the only character)
+ * - underscore
+ * @param s: pointer to the string.
+ * @param slen: string's length.
+ * @return true if s only contains safe characters; false otherwise.
+ */
+static int
+domainname_has_safe_characters(char* s, size_t slen) {
+ size_t i;
+ for(i = 0; i < slen; i++) {
+ if(s[i] == '\0') return 1;
+ if((s[i] == '-' && i != 0)
+ || (s[i] == '.' && (i != 0 || s[1] == '\0'))
+ || (s[i] == '_') || (s[i] >= '0' && s[i] <= '9')
+ || (s[i] >= 'A' && s[i] <= 'Z')
+ || (s[i] >= 'a' && s[i] <= 'z')) {
+ continue;
+ }
+ return 0;
+ }
+ return 1;
+}
+
+/**
+ * Check if the stringified IPSECKEY RDATA contains safe characters to pass to
+ * a shell.
+ * This is only relevant for checking the gateway when the gateway type is 3
+ * (domainname).
+ * @param s: pointer to the string.
+ * @param slen: string's length.
+ * @return true if s contains only safe characters; false otherwise.
+ */
+static int
+ipseckey_has_safe_characters(char* s, size_t slen) {
+ int precedence, gateway_type, algorithm;
+ char* gateway;
+ gateway = (char*)calloc(slen, sizeof(char));
+ if(!gateway) {
+ log_err("ipsecmod: out of memory when calling the hook");
+ return 0;
+ }
+ if(sscanf(s, "%d %d %d %s ",
+ &precedence, &gateway_type, &algorithm, gateway) != 4) {
+ free(gateway);
+ return 0;
+ }
+ if(gateway_type != 3) {
+ free(gateway);
+ return 1;
+ }
+ if(domainname_has_safe_characters(gateway, slen)) {
+ free(gateway);
+ return 1;
+ }
+ free(gateway);
+ return 0;
+}
+
/**
* Prepare the data and call the hook.
*
@@ -175,7 +240,7 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
{
size_t slen, tempdata_len, tempstring_len, i;
char str[65535], *s, *tempstring;
- int w;
+ int w = 0, w_temp, qtype;
struct ub_packed_rrset_key* rrset_key;
struct packed_rrset_data* rrset_data;
uint8_t *tempdata;
@@ -192,9 +257,9 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
memset(s, 0, slen);
/* Copy the hook into the buffer. */
- sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
+ w += sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
/* Put space into the buffer. */
- sldns_str_print(&s, &slen, " ");
+ w += sldns_str_print(&s, &slen, " ");
/* Copy the qname into the buffer. */
tempstring = sldns_wire2str_dname(qstate->qinfo.qname,
qstate->qinfo.qname_len);
@@ -202,68 +267,96 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
log_err("ipsecmod: out of memory when calling the hook");
return 0;
}
- sldns_str_print(&s, &slen, "\"%s\"", tempstring);
+ if(!domainname_has_safe_characters(tempstring, strlen(tempstring))) {
+ log_err("ipsecmod: qname has unsafe characters");
+ free(tempstring);
+ return 0;
+ }
+ w += sldns_str_print(&s, &slen, "\"%s\"", tempstring);
free(tempstring);
/* Put space into the buffer. */
- sldns_str_print(&s, &slen, " ");
+ w += sldns_str_print(&s, &slen, " ");
/* Copy the IPSECKEY TTL into the buffer. */
rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
- sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
+ w += sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
/* Put space into the buffer. */
- sldns_str_print(&s, &slen, " ");
- /* Copy the A/AAAA record(s) into the buffer. Start and end this section
- * with a double quote. */
+ w += sldns_str_print(&s, &slen, " ");
rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
qstate->return_msg->rep);
+ /* Double check that the records are indeed A/AAAA.
+ * This should never happen as this function is only executed for A/AAAA
+ * queries but make sure we don't pass anything other than A/AAAA to the
+ * shell. */
+ qtype = ntohs(rrset_key->rk.type);
+ if(qtype != LDNS_RR_TYPE_AAAA && qtype != LDNS_RR_TYPE_A) {
+ log_err("ipsecmod: Answer is not of A or AAAA type");
+ return 0;
+ }
rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
- sldns_str_print(&s, &slen, "\"");
+ /* Copy the A/AAAA record(s) into the buffer. Start and end this section
+ * with a double quote. */
+ w += sldns_str_print(&s, &slen, "\"");
for(i=0; i<rrset_data->count; i++) {
if(i > 0) {
/* Put space into the buffer. */
- sldns_str_print(&s, &slen, " ");
+ w += sldns_str_print(&s, &slen, " ");
}
/* Ignore the first two bytes, they are the rr_data len. */
- w = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
+ w_temp = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype);
- if(w < 0) {
+ if(w_temp < 0) {
/* Error in printout. */
- return -1;
- } else if((size_t)w >= slen) {
+ log_err("ipsecmod: Error in printing IP address");
+ return 0;
+ } else if((size_t)w_temp >= slen) {
s = NULL; /* We do not want str to point outside of buffer. */
slen = 0;
- return -1;
+ log_err("ipsecmod: shell command too long");
+ return 0;
} else {
- s += w;
- slen -= w;
+ s += w_temp;
+ slen -= w_temp;
+ w += w_temp;
}
}
- sldns_str_print(&s, &slen, "\"");
+ w += sldns_str_print(&s, &slen, "\"");
/* Put space into the buffer. */
- sldns_str_print(&s, &slen, " ");
+ w += sldns_str_print(&s, &slen, " ");
/* Copy the IPSECKEY record(s) into the buffer. Start and end this section
* with a double quote. */
- sldns_str_print(&s, &slen, "\"");
+ w += sldns_str_print(&s, &slen, "\"");
rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
for(i=0; i<rrset_data->count; i++) {
if(i > 0) {
/* Put space into the buffer. */
- sldns_str_print(&s, &slen, " ");
+ w += sldns_str_print(&s, &slen, " ");
}
/* Ignore the first two bytes, they are the rr_data len. */
tempdata = rrset_data->rr_data[i] + 2;
tempdata_len = rrset_data->rr_len[i] - 2;
/* Save the buffer pointers. */
tempstring = s; tempstring_len = slen;
- w = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, &slen,
- NULL, 0);
+ w_temp = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s,
+ &slen, NULL, 0);
/* There was an error when parsing the IPSECKEY; reset the buffer
* pointers to their previous values. */
- if(w == -1){
+ if(w_temp == -1) {
s = tempstring; slen = tempstring_len;
+ } else if(w_temp > 0) {
+ if(!ipseckey_has_safe_characters(
+ tempstring, tempstring_len - slen)) {
+ log_err("ipsecmod: ipseckey has unsafe characters");
+ return 0;
+ }
+ w += w_temp;
}
}
- sldns_str_print(&s, &slen, "\"");
- verbose(VERB_ALGO, "ipsecmod: hook command: '%s'", str);
+ w += sldns_str_print(&s, &slen, "\"");
+ if(w >= (int)sizeof(str)) {
+ log_err("ipsecmod: shell command too long");
+ return 0;
+ }
+ verbose(VERB_ALGO, "ipsecmod: shell command: '%s'", str);
/* ipsecmod-hook should return 0 on success. */
if(system(str) != 0)
return 0;
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment