Add SA-14:30

svn path=/head/; revision=46095

share/security/advisories/FreeBSD-SA-14:30.unbound.asc

@@ -0,0 +1,131 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:30.unbound                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          unbound remote denial of service vulnerability
+
+Category:       contrib
+Module:         unbound
+Announced:      2014-12-17
+Affects:        FreeBSD 10.0-RELEASE and later
+Credits:        Florian Maury (ANSSI)
+Corrected:      2014-12-17 06:58:00 UTC (stable/10, 10.1-STABLE)
+                2014-12-17 06:59:47 UTC (releng/10.1, 10.1-RELEASE-p2)
+                2014-12-17 06:59:47 UTC (releng/10.0, 10.0-RELEASE-p14)
+CVE Name:       CVE-2014-8602
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+Unbound is a validating, recursive, and caching DNS resolver.
+
+II.  Problem Description
+
+By causing queries to be made against a maliciously-constructed zone or
+against a malicious DNS server, an attacker who is able to cause
+specific queries to be sent to a nameserver can trick unbound(8) resolver
+into following an endless series of delegations, which consumes a lot of
+resources.
+
+III. Impact
+
+Unbound will spend a lot of resources on this query, and this will impact
+unbound's CPU and network resources.  Unbound may therefore lose some
+ability or timelines for the service of customer queries (a denial of
+service).  Unbound will continue to respond normally for cached queries.
+
+IV.  Workaround
+
+No workaround is available, but hosts not running unbound(8) are not
+vulnerable.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 10.x]
+# fetch https://security.FreeBSD.org/patches/SA-14:30/unbound.patch
+# fetch https://security.FreeBSD.org/patches/SA-14:30/unbound.patch.asc
+# gpg --verify unbound.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the unbound(8) daemons, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r275853
+releng/10.0/                                                      r275854
+releng/10.1/                                                      r275854
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://unbound.net/downloads/CVE-2014-8602.txt>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8602>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-14:30.unbound.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJUkTg1AAoJEO1n7NZdz2rn+iUP/3RP0KKn8B2SnSpSLbXws/eY
+GEOTYEsZJpGTtCyIg5eKmJ/AU7dKiD34da2uaL41Lt4hWa/Icyk13CtV6cK9TfN4
+oSrrgDCbqErrFh74lhQX3v3bYHNMhZRVnaM9tHXHmpa9NAKhyTP+eyo+Ss7iK/am
+lVBW2xPv92OKyjo0Onp5h3o5QT6DHpPgW91f9He4GygYfShMXtOb+VhGpllxwbeM
+aS59yPkhGJLVhxQn2QtFpj67QxS5GIhK6iccwrRKo8Okij2mlRfR4fuD5Ol4L9TK
+sZKMGtgESPLGmfW1Pj/BRobyCWcs+cYLchZkxbomQBcH7ybpOMW+SqTB0FkZcscU
+ODMzvum2VZuSl5fAlu3F6V0/k+8cFiE4B/Xyioqa8aRsfYNfWjoETmfE7ld+zXqX
+8cPizwGYdsuO4g6mNS0HFuuexkJem9qviRfnQUQ/EJQPNfXB33GYBoFquE0mvFUO
+WN5QiietSnNp4/TF+BjXlaeo/PtO+Q8xIdqgdSzouslx95a4j3N127k8Yoz55Nx+
+3mEeqvZRf5/7ieIgyHti/v/xKZOyGCs6NwlZ6xN+0kanNqMDfjpKnfzTJnnSTbj6
+z6FCzXn986EqL8kpJisKZEJfntvZu4ft/KUo4qzZAtuNgnoUGFYXv5DfQrM75ZJ/
+9PFQzCA+8snPiCyUhAaC
+=fkvr
+-----END PGP SIGNATURE-----

share/security/patches/SA-14:30/unbound.patch

@@ -0,0 +1,149 @@
+Index: contrib/unbound/iterator/iterator.c
+===================================================================
+--- contrib/unbound/iterator/iterator.c.orig
++++ contrib/unbound/iterator/iterator.c
+@@ -117,6 +117,7 @@
+ 	iq->query_restart_count = 0;
+ 	iq->referral_count = 0;
+ 	iq->sent_count = 0;
++	iq->target_count = NULL;
+ 	iq->wait_priming_stub = 0;
+ 	iq->refetch_glue = 0;
+ 	iq->dnssec_expected = 0;
+@@ -442,6 +443,26 @@
+ 	return 1;
+ }
+ 
++/** create target count structure for this query */
++static void
++target_count_create(struct iter_qstate* iq)
++{
++	if(!iq->target_count) {
++		iq->target_count = (int*)calloc(2, sizeof(int));
++		/* if calloc fails we simply do not track this number */
++		if(iq->target_count)
++			iq->target_count[0] = 1;
++	}
++}
++
++static void
++target_count_increase(struct iter_qstate* iq, int num)
++{
++	target_count_create(iq);
++	if(iq->target_count)
++		iq->target_count[1] += num;
++}
++
+ /**
+  * Generate a subrequest.
+  * Generate a local request event. Local events are tied to this module, and
+@@ -513,6 +534,10 @@
+ 		subiq = (struct iter_qstate*)subq->minfo[id];
+ 		memset(subiq, 0, sizeof(*subiq));
+ 		subiq->num_target_queries = 0;
++		target_count_create(iq);
++		subiq->target_count = iq->target_count;
++		if(iq->target_count)
++			iq->target_count[0] ++; /* extra reference */
+ 		subiq->num_current_queries = 0;
+ 		subiq->depth = iq->depth+1;
+ 		outbound_list_init(&subiq->outlist);
+@@ -1339,6 +1364,12 @@
+ 
+ 	if(iq->depth == ie->max_dependency_depth)
+ 		return 0;
++	if(iq->depth > 0 && iq->target_count &&
++		iq->target_count[1] > MAX_TARGET_COUNT) {
++		verbose(VERB_QUERY, "request has exceeded the maximum "
++			"number of glue fetches %d", iq->target_count[1]);
++		return 0;
++	}
+ 
+ 	iter_mark_cycle_targets(qstate, iq->dp);
+ 	missing = (int)delegpt_count_missing_targets(iq->dp);
+@@ -1487,6 +1518,7 @@
+ 			return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+ 		}
+ 		iq->num_target_queries += qs;
++		target_count_increase(iq, qs);
+ 		if(qs != 0) {
+ 			qstate->ext_state[id] = module_wait_subquery;
+ 			return 0; /* and wait for them */
+@@ -1496,6 +1528,12 @@
+ 		verbose(VERB_QUERY, "maxdepth and need more nameservers, fail");
+ 		return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
+ 	}
++	if(iq->depth > 0 && iq->target_count &&
++		iq->target_count[1] > MAX_TARGET_COUNT) {
++		verbose(VERB_QUERY, "request has exceeded the maximum "
++			"number of glue fetches %d", iq->target_count[1]);
++		return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
++	}
+ 	/* mark cycle targets for parent-side lookups */
+ 	iter_mark_pside_cycle_targets(qstate, iq->dp);
+ 	/* see if we can issue queries to get nameserver addresses */
+@@ -1525,6 +1563,7 @@
+ 		if(query_count != 0) { /* suspend to await results */
+ 			verbose(VERB_ALGO, "try parent-side glue lookup");
+ 			iq->num_target_queries += query_count;
++			target_count_increase(iq, query_count);
+ 			qstate->ext_state[id] = module_wait_subquery;
+ 			return 0;
+ 		}
+@@ -1680,6 +1719,7 @@
+ 			return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+ 		}
+ 		iq->num_target_queries += extra;
++		target_count_increase(iq, extra);
+ 		if(iq->num_target_queries > 0) {
+ 			/* wait to get all targets, we want to try em */
+ 			verbose(VERB_ALGO, "wait for all targets for fallback");
+@@ -1720,6 +1760,7 @@
+ 		/* errors ignored, these targets are not strictly necessary for
+ 		 * this result, we do not have to reply with SERVFAIL */
+ 		iq->num_target_queries += extra;
++		target_count_increase(iq, extra);
+ 	}
+ 
+ 	/* Add the current set of unused targets to our queue. */
+@@ -1765,6 +1806,7 @@
+ 					return 1;
+ 				}
+ 				iq->num_target_queries += qs;
++				target_count_increase(iq, qs);
+ 			}
+ 			/* Since a target query might have been made, we 
+ 			 * need to check again. */
+@@ -2847,6 +2889,8 @@
+ 	iq = (struct iter_qstate*)qstate->minfo[id];
+ 	if(iq) {
+ 		outbound_list_clear(&iq->outlist);
++		if(iq->target_count && --iq->target_count[0] == 0)
++			free(iq->target_count);
+ 		iq->num_current_queries = 0;
+ 	}
+ 	qstate->minfo[id] = NULL;
+Index: contrib/unbound/iterator/iterator.h
+===================================================================
+--- contrib/unbound/iterator/iterator.h.orig
++++ contrib/unbound/iterator/iterator.h
+@@ -52,6 +52,8 @@
+ struct iter_prep_list;
+ struct iter_priv;
+ 
++/** max number of targets spawned for a query and its subqueries */
++#define MAX_TARGET_COUNT	32
+ /** max number of query restarts. Determines max number of CNAME chain. */
+ #define MAX_RESTART_COUNT       8
+ /** max number of referrals. Makes sure resolver does not run away */
+@@ -254,6 +256,10 @@
+ 
+ 	/** number of queries fired off */
+ 	int sent_count;
++	
++	/** number of target queries spawned in [1], for this query and its
++	 * subqueries, the malloced-array is shared, [0] refcount. */
++	int* target_count;
+ 
+ 	/**
+ 	 * The query must store NS records from referrals as parentside RRs

share/security/patches/SA-14:30/unbound.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJUkTgmAAoJEO1n7NZdz2rn1OUP/1ERY7/RPW53T3mkpm1gFCTt
+R7DVRj7QuMkyKqUOnKtN/QahgY+fr5BA/QT5zh60+gXr7GtkwM4TjP5r/CTqPjZS
++sO3/FR6Vg2M2HoTqCVtXUyJybbayXWfBht508NHWc3y8DniVO3138rnydT6T1bJ
+vQPhgbmHaxQa7ghW2y9u3w1MR1Y+gnjcqA/o9qsNPypCZp/ZhWRgnSK1Jdp2Zshl
+rukFU0hI/1wwRRMznFwlTVGCIzAK73AqLs155BpyjN9ppodJ0NLHvslrBnnuT2ag
+/vUx7x+dfL1EVvbzcQ4DLM0c5TPIl9a2tLfEAhqy7g69VfTNiNlGQ7IqHIIoIBMs
+P0RMEnoiBXKoXVZ+ccVsCOsOZleiBeKrY3I5sfJ29eeTnRhwWiDYHVpN/wDuLYMb
+9KzJDre1eCPZmllT5CQkW2qZWrOTTnFmuHf9OBuCWBrf7RZghnOhegKsBGWofktC
+issxVfcT4RlSd2gg6pO/hgC3t4pOCXf7WK8qc5ikTyR9UcvuN0UGsqY3GWP4TfjD
+DkDj0TC2WwFNWPa1RjMX3r3njXqjeBNUm65hrtiiQl8MTczysguQjY8C/p86R79A
+D+A2D6bhf+uHY0FRtFTOuC+Ttooi928hPOrCC2MuiUXKVCENQNuEWAgTldNvQKx9
+Iu8S3h8qAXzs8cwAWZIB
+=fSbR
+-----END PGP SIGNATURE-----

share/xml/advisories.xml

@@ -10,6 +10,14 @@
     <month>
       <name>12</name>
 
+      <day>
+        <name>17</name>
+
+        <advisory>
+          <name>FreeBSD-SA-14:30.unbound</name>
+        </advisory>
+      </day>
+
       <day>
 	<name>10</name>