From 8af3d73b9bc98a78f1d1758cb23b5ac4b504e611 Mon Sep 17 00:00:00 2001 From: George Thessalonikefs Date: Thu, 21 May 2020 22:48:57 +0200 Subject: [PATCH 1/7] - Fix for integer overflow when printing RDF_TYPE_TIME. --- doc/Changelog | 3 +++ sldns/parseutil.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/doc/Changelog b/doc/Changelog index ec84296f8..75b3822d3 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +21 May 2020: George + - Fix for integer overflow when printing RDF_TYPE_TIME. + 19 May 2020: Wouter - CVE-2020-12662 Unbound can be tricked into amplifying an incoming query into a large number of queries directed to a target. diff --git a/sldns/parseutil.c b/sldns/parseutil.c index 82dbc0fe1..3515d64c5 100644 --- a/sldns/parseutil.c +++ b/sldns/parseutil.c @@ -167,7 +167,7 @@ sldns_gmtime64_r(int64_t clock, struct tm *result) static int64_t sldns_serial_arithmetics_time(int32_t time, time_t now) { - int32_t offset = time - (int32_t) now; + int32_t offset = (int32_t)((uint32_t) time - (uint32_t) now); return (int64_t) now + offset; } From 21cd836e82dd3dd03079096eea338901b637164b Mon Sep 17 00:00:00 2001 From: George Thessalonikefs Date: Mon, 25 May 2020 11:47:51 +0200 Subject: [PATCH 2/7] - Update contrib/aaaa-filter-iterator.patch for the recent generate_sub_request() change and to apply cleanly. --- contrib/aaaa-filter-iterator.patch | 14 +++++++------- doc/Changelog | 4 ++++ 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/contrib/aaaa-filter-iterator.patch b/contrib/aaaa-filter-iterator.patch index b5c526822..9881bde89 100644 --- a/contrib/aaaa-filter-iterator.patch +++ b/contrib/aaaa-filter-iterator.patch 
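Review bot: The new `(int32_t)` cast in sldns_serial_arithmetics_time() narrows a uint32_t difference that can exceed INT32_MAX, and C11 leaves that conversion implementation-defined (6.3.1.3p3) rather than guaranteeing two's-complement wrap, so the hunk trades undefined signed overflow for behaviour every mainstream compiler honours but the standard does not promise. A comment on that line would stop the next reader from "simplifying" it back: `/* serial-number style (RFC 1982) distance: do the subtraction unsigned so it cannot overflow; the narrowing cast relies on two's complement */`. If a fully portable form is wanted it is two lines, `uint32_t d = (uint32_t)time - (uint32_t)now;` followed by `int64_t offset = d <= INT32_MAX ? (int64_t)d : (int64_t)d - INT64_C(0x100000000);`, with `return (int64_t) now + offset;` unchanged. The function is complete within the hunk.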
@@ -13,9 +13,9 @@ Index: trunk/doc/unbound.conf.5.in +This also causes an additional A query to be sent for each AAAA query. +This breaks DNSSEC! +.TP - .B private\-address: \fI - Give IPv4 of IPv6 addresses or classless subnets. These are addresses - on your private network, and are not allowed to be returned for + .B aggressive\-nsec: \fI + Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN + and other denials, using information from previous NXDOMAINs answers. Index: trunk/iterator/iter_scrub.c =================================================================== --- trunk/iterator/iter_scrub.c (revision 4357) @@ -125,7 +125,7 @@ Index: trunk/iterator/iterator.c + * ASN: This event state was added as an intermediary step between + * QUERYTARGETS_STATE and the next step, in order to cast a subquery for the + * purpose of caching A records for the queried name. -+ * ++ * + * @param qstate: query state. + * @param iq: iterator query state. + * @param ie: iterator shared global environment. @@ -147,9 +147,9 @@ Index: trunk/iterator/iterator.c + + /* re-throw same query, but with a different type */ + if(!generate_sub_request(iq->qchase.qname, -+ iq->qchase.qname_len, LDNS_RR_TYPE_A, ++ iq->qchase.qname_len, LDNS_RR_TYPE_A, + iq->qchase.qclass, qstate, id, iq, -+ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) { ++ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1, 0)) { + log_nametypeclass(VERB_ALGO, "ASN-AAAA-filter: failed " + "preloading of A record for", + iq->qchase.qname, LDNS_RR_TYPE_A, @@ -188,7 +188,7 @@ Index: trunk/iterator/iterator.c return 0; } -+/** ++/** + * ASN: Do final processing on responses to A queries originated from AAAA + * queries. Events reach this state after the iterative resolution algorithm + * terminates. diff --git a/doc/Changelog b/doc/Changelog index 75b3822d3..0fa850ed0 100644 --- a/doc/Changelog +++ b/doc/Changelog 
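Review bot: The new trailing `0` handed to generate_sub_request() in the `@@ -147,9 +147,9 @@` hunk is a bare positional flag whose meaning is invisible to anyone applying this contrib patch, and it sits next to an equally unexplained `1`. Because the patch lives outside the tree and tracks the core prototype only by hand, a call-site comment naming what the two trailing arguments select would make the next signature change reviewable, e.g. `/* trailing 1, 0: see the last two parameters of generate_sub_request() in iterator.c */`. I cannot confirm the new parameter's name or semantics from the hunk alone, so the comment should quote whatever the current prototype calls it rather than guess. The enclosing function starts and ends outside the hunk.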
@@ -1,3 +1,7 @@ +25 May 2020: George + - Update contrib/aaaa-filter-iterator.patch for the recent + generate_sub_request() change and to apply cleanly. + 21 May 2020: George - Fix for integer overflow when printing RDF_TYPE_TIME. From c93b4b3158ce451b3dbc4658e3cdf1568f79fc4b Mon Sep 17 00:00:00 2001 
From: Robert Edmonds Date: Mon, 25 May 2020 17:58:37 -0400 Subject: [PATCH 3/7] contrib/libunbound.pc.in: Do not use "Requires:" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit updates contrib/libunbound.pc.in to remove the "Requires:" directive and move its contents to "Requires.private:". The pkg-config manpage documents the Requires/Libs fields as follows: Requires: This is a comma-separated list of packages that are required by your package. Flags from dependent packages will be merged in to the flags reported for your package. Optionally, you can specify the version of the required package (using the operators =, <, >, >=, <=); specifying a version allows pkg-config to perform extra sanity checks. You may only mention the same package one time on the Requires: line. If the version of a package is unspecified, any version will be used with no checking. Requires.private: A list of packages required by this package. The difference from Requires is that the packages listed under Requires.private are not taken into account when a flag list is computed for dynamically linked executable (i.e., when --static was not specified). In the situation where each .pc file corresponds to a library, Requires.private shall be used exclusively to specify the dependencies between the libraries. Libs: This line should give the link flags specific to your package. Don't add any flags for required packages; pkg-config will add those automatically. Libs.private: This line should list any private libraries in use. Private libraries are libraries which are not exposed through your library, but are needed in the case of static linking. This differs from Requires.private in that it references libraries that do not have package files installed. In other words: 1) "Requires:" should specify the name of .pc packages that are required to be installed to compile and dynamically link against libunbound. 
This corresponds to needing the -dev (or -devel) package containing the .pc file to be installed on the system. Since libunbound's header files actually do not have any includes on any other library's headers, the "Requires:" directive should be empty. 2) "Requires.private:" specifies the name of .pc packages that correspond to libraries that are required to be installed to statically link against libunbound. E.g., if libunbound.a has undefined symbols event_* that are in libevent.a, statically linking against libunbound.a requires statically linking libevent.a, and because libevent has a .pc file, this means "libevent" should appear in libunbound.pc's "Requires.private:" directive. 3) "Libs:" specifies the link flags needed to link against libunbound, only, not including any dependencies. 4) "Libs.private:" specifies the link flags needed to statically link against libraries that libunbound depends on that do not have .pc files. I think it's possible for unbound's build system to actually declare link flags under "Libs.private:" for some libraries that do have .pc files (e.g. libcrypto/-lcrypto, libssl/-lssl, for OpenSSL) but in practice this appears to be harmless. Given #1 above that libunbound does not have any header dependencies against any other packages it does not appear that "Requires:" is needed at all. See https://bugs.debian.org/958331 for an example of a bug report that this causes. We should not need to install the nettle-dev package only for building binaries that compile against the libunbound headers and link against the libunbound library. --- contrib/libunbound.pc.in | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/contrib/libunbound.pc.in b/contrib/libunbound.pc.in index 1442ed523..453bf7d4f 100644 --- a/contrib/libunbound.pc.in +++ b/contrib/libunbound.pc.in 
@@ -7,8 +7,7 @@ Name: unbound Description: Library with validating, recursive, and caching DNS resolver URL: http://www.unbound.net Version: @PACKAGE_VERSION@ -Requires: @PC_CRYPTO_DEPENDENCY@ @PC_LIBEVENT_DEPENDENCY@ -Requires.private: @PC_PY_DEPENDENCY@ @PC_LIBBSD_DEPENDENCY@ +Requires.private: @PC_PY_DEPENDENCY@ @PC_LIBBSD_DEPENDENCY@ @PC_CRYPTO_DEPENDENCY@ @PC_LIBEVENT_DEPENDENCY@ Libs: -L${libdir} -lunbound Libs.private: @SSLLIB@ @LIBS@ Cflags: -I${includedir} From 062f7b7ba2f32b6edb59f11ef24afd8cb113c75b Mon Sep 17 00:00:00 2001 From: George Thessalonikefs Date: Wed, 27 May 2020 18:25:29 +0200 Subject: [PATCH 4/7] - Changelog entry for PR #241. --- doc/Changelog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index 0fa850ed0..ef0c7e18f 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +27 May 2020: George + - Merge PR #241 by Robert Edmonds: contrib/libunbound.pc.in: Do not use + "Requires:". + 25 May 2020: George - Update contrib/aaaa-filter-iterator.patch for the recent generate_sub_request() change and to apply cleanly. From c053513cbddb31340a578d4f9a39763c0ce465b0 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Mon, 8 Jun 2020 08:35:10 +0200 Subject: [PATCH 5/7] - Mention tls name possible when tls is enabled for stub-addr in the man page. --- doc/Changelog | 4 ++++ doc/unbound.conf.5.in | 3 +++ 2 files changed, 7 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index ef0c7e18f..4f847da48 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +8 June 2020: Wouter + - Mention tls name possible when tls is enabled for stub-addr in the + man page. + 27 May 2020: George - Merge PR #241 by Robert Edmonds: contrib/libunbound.pc.in: Do not use "Requires:". diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 2f2733773..6bb7ca09f 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in 
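Review bot: Moving @PC_CRYPTO_DEPENDENCY@ and @PC_LIBEVENT_DEPENDENCY@ to Requires.private does not, as far as I know, remove the need for those .pc files to be installed: pkg-config and pkgconf still resolve Requires.private entries when computing --cflags and fail with "Package … was not found" even on a plain --libs query, so the nettle-dev scenario from the description may only be fixed on the dynamic link line, not at lookup time. It would be worth confirming with `pkg-config --libs libunbound` on a host that lacks the crypto .pc file before the Debian report is closed. Separately, @SSLLIB@ in Libs.private now overlaps the crypto entry in Requires.private for OpenSSL builds; the description calls that harmless, and a template comment such as `# Libs.private and Requires.private overlap for OpenSSL; pkg-config de-duplicates the flags` would spare the next reader the same analysis.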
@@ -1614,6 +1614,9 @@ Name of stub zone nameserver. Is itself resolved before it is used. .B stub\-addr: \fI IP address of stub zone nameserver. Can be IP 4 or IP 6. To use a nondefault port for DNS communication append '@' with the port number. +If tls is enabled, then you can append a '#' and a name, then it'll check +the tls authentication certificates with that name. If you combine +the '@' and '#', the '@' comes first. .TP .B stub\-prime: \fI This option is by default no. If enabled it performs NS set priming, From 6e0756e819779d9cc2a14741b501cadffe446c93 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Wed, 17 Jun 2020 08:20:52 +0200 Subject: [PATCH 6/7] - Fix default explanation in man page for qname-minimisation-strict. --- doc/Changelog | 3 +++ doc/unbound.conf.5.in | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/doc/Changelog b/doc/Changelog index 4f847da48..17bbc3bad 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +17 June 2020: Wouter + - Fix default explanation in man page for qname-minimisation-strict. + 8 June 2020: Wouter - Mention tls name possible when tls is enabled for stub-addr in the man page. diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 6bb7ca09f..de5a333bd 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -864,7 +864,7 @@ NXDOMAIN from a DNSSEC signed zone. Default is yes. QNAME minimisation in strict mode. Do not fall-back to sending full QNAME to potentially broken nameservers. A lot of domains will not be resolvable when this option in enabled. Only use if you know what you are doing. -This option only has effect when qname-minimisation is enabled. Default is off. +This option only has effect when qname-minimisation is enabled. Default is no. .TP .B aggressive\-nsec: \fI Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN From 5203954068285d2260a65a6997fd60928b80a581 Mon Sep 17 00:00:00 2001 
From: "W.C.A. Wijngaards" Date: Wed, 17 Jun 2020 14:32:57 +0200 Subject: [PATCH 7/7] - Fix display of event loop method with libev. --- doc/Changelog | 1 + util/ub_event.c | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/Changelog b/doc/Changelog index 17bbc3bad..00d2ecfcf 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,5 +1,6 @@ 17 June 2020: Wouter - Fix default explanation in man page for qname-minimisation-strict. + - Fix display of event loop method with libev. 8 June 2020: Wouter - Mention tls name possible when tls is enabled for stub-addr in the diff --git a/util/ub_event.c b/util/ub_event.c index 9af476ad4..68f633bb0 100644 --- a/util/ub_event.c +++ b/util/ub_event.c @@ -148,7 +148,7 @@ const char* ub_event_get_version(void) return event_get_version(); } -#if (defined(HAVE_EV_LOOP) || defined(HAVE_EV_DEFAULT_LOOP)) && defined(EVBACKEND_SELECT) +#if (defined(HAVE_EV_LOOP) || defined(HAVE_EV_DEFAULT_LOOP)) && defined(EV_FEATURE_BACKENDS) static const char* ub_ev_backend2str(int b) { switch(b) { @@ -184,7 +184,7 @@ ub_get_event_sys(struct ub_event_base* base, const char** n, const char** s, *n = "libev"; if (!b) b = (struct event_base*)ev_default_loop(EVFLAG_AUTO); -# ifdef EVBACKEND_SELECT +# ifdef EV_FEATURE_BACKENDS *m = ub_ev_backend2str(ev_backend((struct ev_loop*)b)); # else *m = "not obtainable";
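Review bot: Both replacements test `defined(EV_FEATURE_BACKENDS)`, i.e. whether the macro exists rather than whether it is non-zero; in libev's ev.h that name is, if I remember correctly, defined unconditionally as a bit test on EV_FEATURES, so a libev built with the backends feature off still takes the ub_ev_backend2str() path (harmless, since ev_backend() and the EVBACKEND_* values remain available), while libev releases predating the EV_FEATURE_* macros keep reporting "not obtainable". Nothing in the hunk records why EVBACKEND_SELECT was the wrong guard — as far as I recall it is an enumerator, invisible to the preprocessor, which is exactly why the old `#ifdef` never fired — so a one-line comment above the `#if` would prevent a well-meaning revert: `/* EVBACKEND_* are enum values, not macros; EV_FEATURE_BACKENDS (libev 4.x ev.h) is what the preprocessor can actually see. */`. The `# ifdef` inside ub_get_event_sys() deserves the same remark, and that function starts and ends outside the hunk.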