diff --git a/CVE-2015-1868.patch b/CVE-2015-1868.patch new file mode 100644 index 0000000..5c695de --- /dev/null +++ b/CVE-2015-1868.patch @@ -0,0 +1,26 @@ +diff --git a/pdns/dnsparser.cc b/pdns/dnsparser.cc +index 595a4af..b89d840 100644 +--- a/pdns/dnsparser.cc ++++ b/pdns/dnsparser.cc +@@ -455,9 +455,10 @@ string PacketReader::getText(bool multi) + + void PacketReader::getLabelFromContent(const vector& content, uint16_t& frompos, string& ret, int recurs) + { +- if(recurs > 1000) // the forward reference-check below should make this test 100% obsolete ++ if(recurs > 100) // the forward reference-check below should make this test 100% obsolete + throw MOADNSException("Loop"); + ++ int pos = frompos; + for(;;) { + unsigned char labellen=content.at(frompos++); + +@@ -470,7 +471,7 @@ void PacketReader::getLabelFromContent(const vector& content, uint16_t& + uint16_t offset=256*(labellen & ~0xc0) + (unsigned int)content.at(frompos++) - sizeof(dnsheader); + // cout<<"This is an offset, need to go to: "<= frompos-2) ++ if(offset >= pos) + throw MOADNSException("forward reference during label decompression"); + return getLabelFromContent(content, offset, ret, ++recurs); + } + diff --git a/pdns.spec b/pdns.spec index 3a186f3..db36065 100644 --- a/pdns.spec +++ b/pdns.spec @@ -2,7 +2,7 @@ Name: pdns Version: 3.3.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A modern, advanced and high performance authoritative-only nameserver Group: System Environment/Daemons License: GPLv2 @@ -10,6 +10,7 @@ URL: http://powerdns.com Source0: http://downloads.powerdns.com/releases/%{name}-%{version}.tar.gz Patch0: pdns-default-config.patch Patch1: pdns-fixinit.patch +Patch2: CVE-2015-1868.patch Requires(pre): shadow-utils Requires(post): /sbin/chkconfig @@ -20,7 +21,6 @@ BuildRequires: boost-devel BuildRequires: lua-devel BuildRequires: cryptopp-devel BuildRequires: bison -BuildRequires: polarssl-devel Provides: powerdns = %{version}-%{release} %description @@ -119,9 +119,7 @@ This package contains the SQLite backend for %{name} %setup -q %patch0 -p1 -b .default-config-patch %patch1 -p1 -b .fixinit - -# No inclusion of pre-built binaries or libraries -rm -rf pdns/ext/polarssl-* +%patch2 -p1 -b .CVE-2015-1868 %build export CPPFLAGS="-DLDAP_DEPRECATED" @@ -130,13 +128,16 @@ export CPPFLAGS="-DLDAP_DEPRECATED" --sysconfdir=%{_sysconfdir}/%{name} \ --libdir=%{_libdir}/%{name} \ --disable-static \ + --disable-dependency-tracking \ + --disable-silent-rules \ --with-modules='' \ - --with-system-polarssl \ --with-lua \ --with-dynmodules='%{backends}' \ --enable-cryptopp \ --enable-tools \ - --enable-remotebackend-http + --enable-remotebackend-http \ + --enable-unit-tests + sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool @@ -152,6 +153,9 @@ make install DESTDIR=%{buildroot} chmod 600 %{buildroot}%{_sysconfdir}/%{name}/pdns.conf +%check +make %{?_smp_mflags} -C pdns check + %pre getent group pdns >/dev/null || groupadd -r pdns getent passwd pdns >/dev/null || \ @@ -238,6 +242,11 @@ fi %{_libdir}/%{name}/libgsqlite3backend.so %changelog +* Mon Apr 27 2015 Morten Stevens - 3.3.1-2 +- CVE-2015-1868 +- Run the unit tests during check +- Remove polarssl-devel as build dependency + * Tue Dec 17 2013 Morten Stevens - 3.3.1-1 - Update to latest upstream release 3.3.1 - Some more DNSSEC improvements