Friday, June 30, 2017

Re: [SECURITY] knot-2.4.5

On 2017/06/27 16:24, Jeremie Courreges-Anglas wrote:
> No update for -stable, no idea if the 1.6.x series was affected.

It is - here's a diff.

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/knot/Makefile,v
retrieving revision 1.13
diff -u -p -r1.13 Makefile
--- Makefile 30 Dec 2016 15:47:55 -0000 1.13
+++ Makefile 30 Jun 2017 10:53:29 -0000
@@ -6,6 +6,7 @@ PORTROACH_COMMENT = knot-2.x uses __thre
COMMENT = authoritative DNS server

DISTNAME = knot-1.6.8
+REVISION = 0

SHARED_LIBS += zscanner 0.0 # .0.1
SHARED_LIBS += knot 0.0 # .0.1
Index: patches/patch-src_libknot_tsig-op_c
===================================================================
RCS file: patches/patch-src_libknot_tsig-op_c
diff -N patches/patch-src_libknot_tsig-op_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_libknot_tsig-op_c 30 Jun 2017 10:53:29 -0000
@@ -0,0 +1,48 @@
+$OpenBSD$
+
+From 909d2b8a4d6e6013548f58bf943f8f73a6b783e2 Mon Sep 17 00:00:00 2001
+From: Daniel Salzman <daniel.salzman@nic.cz>
+Date: Tue, 20 Jun 2017 23:20:59 +0200
+Subject: [PATCH] tsig: move signature validity period check after the
+ signature validity check
+
+When the signature validity period check returned KNOT_TSIG_EBADTIME,
+the itself signature validity check was omitted and the response TSIG
+contained a non-empty signature, based on the unverified data.
+
+Index: src/libknot/tsig-op.c
+--- src/libknot/tsig-op.c.orig
++++ src/libknot/tsig-op.c
+@@ -657,16 +657,8 @@ static int knot_tsig_check_digest(const knot_rrset_t *
+ return KNOT_TSIG_EBADKEY;
+ }
+
+- /* Check time signed. */
+- int ret = knot_tsig_check_time_signed(tsig_rr, prev_time_signed);
+- if (ret != KNOT_EOK) {
+- return ret;
+- }
+-
+- dbg_tsig_verb("TSIG: time checked.\n");
+-
+ /* Check that libknot knows the algorithm. */
+- ret = knot_tsig_check_algorithm(tsig_rr);
++ int ret = knot_tsig_check_algorithm(tsig_rr);
+ if (ret != KNOT_EOK) {
+ return ret;
+ }
+@@ -743,6 +735,14 @@ static int knot_tsig_check_digest(const knot_rrset_t *
+ if (memcmp(tsig_mac, digest_tmp, mac_length) != 0) {
+ return KNOT_TSIG_EBADSIG;
+ }
++
++ /* Check time signed. */
++ ret = knot_tsig_check_time_signed(tsig_rr, prev_time_signed);
++ if (ret != KNOT_EOK) {
++ return ret;
++ }
++
++ dbg_tsig_verb("TSIG: time checked.\n");
+
+ return KNOT_EOK;
+ }
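Review bot: the reuse of `ret` in the second inner hunk (`ret = knot_tsig_check_time_signed(tsig_rr, prev_time_signed);`) only compiles because the first inner hunk changes `ret = knot_tsig_check_algorithm(tsig_rr);` to `int ret = knot_tsig_check_algorithm(tsig_rr);`, so the two hunks must always be applied together; since both live in the same port patch file that is satisfied, but a partial backport would fail on an undeclared `ret`. The reorder itself matches the commit message: the time-window check now runs only after `memcmp(tsig_mac, digest_tmp, mac_length)` has passed, so `KNOT_TSIG_EBADTIME` can no longer be returned for a request whose MAC was never verified, and the retained `dbg_tsig_verb("TSIG: time checked.\n");` keeps log output unchanged. Out of scope for this fix but visible in the unchanged context: the MAC comparison uses plain `memcmp`, which is not constant-time; a follow-up could switch it to `timingsafe_memcmp` (available on OpenBSD) to avoid leaking how many leading bytes of the MAC matched.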
