Date: Wed, 17 Dec 2014 08:29:54 +0000 (UTC)
From: Dag-Erling Smørgrav <des@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r46095 - in head/share: security/advisories security/patches/SA-14:30 xml
Message-ID: <201412170829.sBH8TsoF038693@svn.freebsd.org>
Author: des Date: Wed Dec 17 08:29:53 2014 New Revision: 46095 URL: https://svnweb.freebsd.org/changeset/doc/46095 Log: Add SA-14:30 Added: head/share/security/advisories/FreeBSD-SA-14:30.unbound.asc (contents, props changed) head/share/security/patches/SA-14:30/ head/share/security/patches/SA-14:30/unbound.patch (contents, props changed) head/share/security/patches/SA-14:30/unbound.patch.asc (contents, props changed) Modified: head/share/xml/advisories.xml Added: head/share/security/advisories/FreeBSD-SA-14:30.unbound.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-14:30.unbound.asc Wed Dec 17 08:29:53 2014 (r46095) 
@@ -0,0 +1,131 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:30.unbound Security Advisory + The FreeBSD Project + +Topic: unbound remote denial of service vulnerability + +Category: contrib +Module: unbound +Announced: 2014-12-17 +Affects: FreeBSD 10.0-RELEASE and later +Credits: Florian Maury (ANSSI) +Corrected: 2014-12-17 06:58:00 UTC (stable/10, 10.1-STABLE) + 2014-12-17 06:59:47 UTC (releng/10.1, 10.1-RELEASE-p2) + 2014-12-17 06:59:47 UTC (releng/10.0, 10.0-RELEASE-p14) +CVE Name: CVE-2014-8602 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +Unbound is a validating, recursive, and caching DNS resolver. + +II. Problem Description + +By causing queries to be made against a maliciously-constructed zone or +against a malicious DNS server, an attacker who is able to cause +specific queries to be sent to a nameserver can trick unbound(8) resolver +into following an endless series of delegations, which consumes a lot of +resources. + +III. Impact + +Unbound will spend a lot of resources on this query, and this will impact +unbound's CPU and network resources. Unbound may therefore lose some +ability or timelines for the service of customer queries (a denial of +service). Unbound will continue to respond normally for cached queries. + +IV. Workaround + +No workaround is available, but hosts not running unbound(8) are not +vulnerable. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. 
+ +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 10.x] +# fetch https://security.FreeBSD.org/patches/SA-14:30/unbound.patch +# fetch https://security.FreeBSD.org/patches/SA-14:30/unbound.patch.asc +# gpg --verify unbound.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the unbound(8) daemons, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r275853 +releng/10.0/ r275854 +releng/10.1/ r275854 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://unbound.net/downloads/CVE-2014-8602.txt> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8602> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-14:30.unbound.asc> +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJUkTg1AAoJEO1n7NZdz2rn+iUP/3RP0KKn8B2SnSpSLbXws/eY +GEOTYEsZJpGTtCyIg5eKmJ/AU7dKiD34da2uaL41Lt4hWa/Icyk13CtV6cK9TfN4 +oSrrgDCbqErrFh74lhQX3v3bYHNMhZRVnaM9tHXHmpa9NAKhyTP+eyo+Ss7iK/am +lVBW2xPv92OKyjo0Onp5h3o5QT6DHpPgW91f9He4GygYfShMXtOb+VhGpllxwbeM +aS59yPkhGJLVhxQn2QtFpj67QxS5GIhK6iccwrRKo8Okij2mlRfR4fuD5Ol4L9TK +sZKMGtgESPLGmfW1Pj/BRobyCWcs+cYLchZkxbomQBcH7ybpOMW+SqTB0FkZcscU +ODMzvum2VZuSl5fAlu3F6V0/k+8cFiE4B/Xyioqa8aRsfYNfWjoETmfE7ld+zXqX +8cPizwGYdsuO4g6mNS0HFuuexkJem9qviRfnQUQ/EJQPNfXB33GYBoFquE0mvFUO +WN5QiietSnNp4/TF+BjXlaeo/PtO+Q8xIdqgdSzouslx95a4j3N127k8Yoz55Nx+ +3mEeqvZRf5/7ieIgyHti/v/xKZOyGCs6NwlZ6xN+0kanNqMDfjpKnfzTJnnSTbj6 +z6FCzXn986EqL8kpJisKZEJfntvZu4ft/KUo4qzZAtuNgnoUGFYXv5DfQrM75ZJ/ +9PFQzCA+8snPiCyUhAaC +=fkvr +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-14:30/unbound.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:30/unbound.patch Wed Dec 17 08:29:53 2014 (r46095) 
@@ -0,0 +1,149 @@ +Index: contrib/unbound/iterator/iterator.c +=================================================================== +--- contrib/unbound/iterator/iterator.c.orig ++++ contrib/unbound/iterator/iterator.c +@@ -117,6 +117,7 @@ + iq->query_restart_count = 0; + iq->referral_count = 0; + iq->sent_count = 0; ++ iq->target_count = NULL; + iq->wait_priming_stub = 0; + iq->refetch_glue = 0; + iq->dnssec_expected = 0; +@@ -442,6 +443,26 @@ + return 1; + } + ++/** create target count structure for this query */ ++static void ++target_count_create(struct iter_qstate* iq) ++{ ++ if(!iq->target_count) { ++ iq->target_count = (int*)calloc(2, sizeof(int)); ++ /* if calloc fails we simply do not track this number */ ++ if(iq->target_count) ++ iq->target_count[0] = 1; ++ } ++} ++ ++static void ++target_count_increase(struct iter_qstate* iq, int num) ++{ ++ target_count_create(iq); ++ if(iq->target_count) ++ iq->target_count[1] += num; ++} ++ + /** + * Generate a subrequest. + * Generate a local request event. 
Local events are tied to this module, and +@@ -513,6 +534,10 @@ + subiq = (struct iter_qstate*)subq->minfo[id]; + memset(subiq, 0, sizeof(*subiq)); + subiq->num_target_queries = 0; ++ target_count_create(iq); ++ subiq->target_count = iq->target_count; ++ if(iq->target_count) ++ iq->target_count[0] ++; /* extra reference */ + subiq->num_current_queries = 0; + subiq->depth = iq->depth+1; + outbound_list_init(&subiq->outlist); +@@ -1339,6 +1364,12 @@ + + if(iq->depth == ie->max_dependency_depth) + return 0; ++ if(iq->depth > 0 && iq->target_count && ++ iq->target_count[1] > MAX_TARGET_COUNT) { ++ verbose(VERB_QUERY, "request has exceeded the maximum " ++ "number of glue fetches %d", iq->target_count[1]); ++ return 0; ++ } + + iter_mark_cycle_targets(qstate, iq->dp); + missing = (int)delegpt_count_missing_targets(iq->dp); +@@ -1487,6 +1518,7 @@ + return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + } + iq->num_target_queries += qs; ++ target_count_increase(iq, qs); + if(qs != 0) { + qstate->ext_state[id] = module_wait_subquery; + return 0; /* and wait for them */ +@@ -1496,6 +1528,12 @@ + verbose(VERB_QUERY, "maxdepth and need more nameservers, fail"); + return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL); + } ++ if(iq->depth > 0 && iq->target_count && ++ iq->target_count[1] > MAX_TARGET_COUNT) { ++ verbose(VERB_QUERY, "request has exceeded the maximum " ++ "number of glue fetches %d", iq->target_count[1]); ++ return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL); ++ } + /* mark cycle targets for parent-side lookups */ + iter_mark_pside_cycle_targets(qstate, iq->dp); + /* see if we can issue queries to get nameserver addresses */ +@@ -1525,6 +1563,7 @@ + if(query_count != 0) { /* suspend to await results */ + verbose(VERB_ALGO, "try parent-side glue lookup"); + iq->num_target_queries += query_count; ++ target_count_increase(iq, query_count); + qstate->ext_state[id] = module_wait_subquery; + return 0; + } +@@ -1680,6 +1719,7 @@ + return 
error_response(qstate, id, LDNS_RCODE_SERVFAIL); + } + iq->num_target_queries += extra; ++ target_count_increase(iq, extra); + if(iq->num_target_queries > 0) { + /* wait to get all targets, we want to try em */ + verbose(VERB_ALGO, "wait for all targets for fallback"); +@@ -1720,6 +1760,7 @@ + /* errors ignored, these targets are not strictly necessary for + * this result, we do not have to reply with SERVFAIL */ + iq->num_target_queries += extra; ++ target_count_increase(iq, extra); + } + + /* Add the current set of unused targets to our queue. */ +@@ -1765,6 +1806,7 @@ + return 1; + } + iq->num_target_queries += qs; ++ target_count_increase(iq, qs); + } + /* Since a target query might have been made, we + * need to check again. */ +@@ -2847,6 +2889,8 @@ + iq = (struct iter_qstate*)qstate->minfo[id]; + if(iq) { + outbound_list_clear(&iq->outlist); ++ if(iq->target_count && --iq->target_count[0] == 0) ++ free(iq->target_count); + iq->num_current_queries = 0; + } + qstate->minfo[id] = NULL; +Index: contrib/unbound/iterator/iterator.h +=================================================================== +--- contrib/unbound/iterator/iterator.h.orig ++++ contrib/unbound/iterator/iterator.h +@@ -52,6 +52,8 @@ + struct iter_prep_list; + struct iter_priv; + ++/** max number of targets spawned for a query and its subqueries */ ++#define MAX_TARGET_COUNT 32 + /** max number of query restarts. Determines max number of CNAME chain. */ + #define MAX_RESTART_COUNT 8 + /** max number of referrals. Makes sure resolver does not run away */ +@@ -254,6 +256,10 @@ + + /** number of queries fired off */ + int sent_count; ++ ++ /** number of target queries spawned in [1], for this query and its ++ * subqueries, the malloced-array is shared, [0] refcount. 
*/ ++ int* target_count; + + /** + * The query must store NS records from referrals as parentside RRs Added: head/share/security/patches/SA-14:30/unbound.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:30/unbound.patch.asc Wed Dec 17 08:29:53 2014 (r46095) @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJUkTgmAAoJEO1n7NZdz2rn1OUP/1ERY7/RPW53T3mkpm1gFCTt +R7DVRj7QuMkyKqUOnKtN/QahgY+fr5BA/QT5zh60+gXr7GtkwM4TjP5r/CTqPjZS ++sO3/FR6Vg2M2HoTqCVtXUyJybbayXWfBht508NHWc3y8DniVO3138rnydT6T1bJ +vQPhgbmHaxQa7ghW2y9u3w1MR1Y+gnjcqA/o9qsNPypCZp/ZhWRgnSK1Jdp2Zshl +rukFU0hI/1wwRRMznFwlTVGCIzAK73AqLs155BpyjN9ppodJ0NLHvslrBnnuT2ag +/vUx7x+dfL1EVvbzcQ4DLM0c5TPIl9a2tLfEAhqy7g69VfTNiNlGQ7IqHIIoIBMs +P0RMEnoiBXKoXVZ+ccVsCOsOZleiBeKrY3I5sfJ29eeTnRhwWiDYHVpN/wDuLYMb +9KzJDre1eCPZmllT5CQkW2qZWrOTTnFmuHf9OBuCWBrf7RZghnOhegKsBGWofktC +issxVfcT4RlSd2gg6pO/hgC3t4pOCXf7WK8qc5ikTyR9UcvuN0UGsqY3GWP4TfjD +DkDj0TC2WwFNWPa1RjMX3r3njXqjeBNUm65hrtiiQl8MTczysguQjY8C/p86R79A +D+A2D6bhf+uHY0FRtFTOuC+Ttooi928hPOrCC2MuiUXKVCENQNuEWAgTldNvQKx9 +Iu8S3h8qAXzs8cwAWZIB +=fSbR +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Sun Dec 14 22:39:44 2014 (r46094) +++ head/share/xml/advisories.xml Wed Dec 17 08:29:53 2014 (r46095) @@ -11,6 +11,14 @@ <name>12</name> <day> + <name>17</name> + + <advisory> + <name>FreeBSD-SA-14:30.unbound</name> + </advisory> + </day> + + <day> <name>10</name> <advisory>
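Review bot: in the `@@ -442,6 +443,26 @@` hunk of iterator.c, a failed `calloc` in `target_count_create()` silently turns the new glue-fetch limit off for that query tree (`/* if calloc fails we simply do not track this number */`), so under memory pressure the resolver falls back to exactly the unbounded behaviour the advisory describes; consider at least a `verbose(VERB_ALGO, ...)` line there so the loss of the limit is visible in logs. A smaller point in the same hunk: `target_count_create()` carries a `/** ... */` doc comment but `target_count_increase()` does not, which is inconsistent with the rest of the file.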
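Review bot: the `@@ -1496,6 +1528,12 @@` hunk repeats the exact check and log message already added in `@@ -1339,6 +1364,12 @@` (`if(iq->depth > 0 && iq->target_count && iq->target_count[1] > MAX_TARGET_COUNT)` followed by the same `verbose(VERB_QUERY, "request has exceeded the maximum " "number of glue fetches %d", ...)`), differing only in the return path; factoring the condition into a small static predicate such as a `target_count_exceeded(iq)` helper would keep the two call sites from drifting apart if the limit logic is tuned later.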
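Review bot: in the `@@ -52,6 +52,8 @@` hunk of iterator.h the comment on `#define MAX_TARGET_COUNT 32` says "max number of targets spawned for a query and its subqueries", but both checks in iterator.c are guarded by `iq->depth > 0`, so the top-level query itself is never failed by this limit and only its subqueries are cut off; the comment should say so, and the choice of 32 (relative to the existing `MAX_RESTART_COUNT 8` and referral limit next to it) deserves a sentence explaining what legitimate delegation depth it was sized against.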