Pullup ticket #4573 - requested by roy

net/powerdns-recursor: security patch

Revisions pulled up:
- net/powerdns-recursor/Makefile                                1.16
- net/powerdns-recursor/distinfo                                1.12
- net/powerdns-recursor/patches/patch-CVE-2014-8601             1.1

---
   Module Name:    pkgsrc
   Committed By:   roy
   Date:           Thu Dec 11 20:18:17 UTC 2014

   Modified Files:
           pkgsrc/net/powerdns-recursor: Makefile distinfo
   Added Files:
           pkgsrc/net/powerdns-recursor/patches: patch-CVE-2014-8601

   Log Message:
   Add upstream patch to fix CVE-2014-8601.
   Remove myself as maintainer.

3 files changed, 65 insertions, 4 deletions

diff --git a/net/powerdns-recursor/Makefile b/net/powerdns-recursor/Makefile
index 5d293b69a7f..bfa1ee61ff9 100644
--- a/net/powerdns-recursor/Makefile
+++ b/net/powerdns-recursor/Makefile
@@ -1,13 +1,13 @@
-# $NetBSD: Makefile,v 1.14 2014/05/03 13:01:24 alnsn Exp $
+# $NetBSD: Makefile,v 1.14.4.1 2014/12/16 23:23:22 tron Exp $
 #
 
 DISTNAME=		pdns-recursor-3.3
-PKGREVISION=		3
+PKGREVISION=		5
 CATEGORIES=		net
 MASTER_SITES=		http://downloads.powerdns.com/releases/
 EXTRACT_SUFX=		.tar.bz2
 
-MAINTAINER=		roy@NetBSD.org
+MAINTAINER=		pkgsrc-users@NetBSD.org
 HOMEPAGE=		http://www.powerdns.com/
 COMMENT=		PowerDNS resolver/recursing nameserver
 LICENSE=		gnu-gpl-v2
diff --git a/net/powerdns-recursor/distinfo b/net/powerdns-recursor/distinfo
index 6e498b052dd..4716191279a 100644
--- a/net/powerdns-recursor/distinfo
+++ b/net/powerdns-recursor/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.11 2013/06/27 10:56:22 wiz Exp $
+$NetBSD: distinfo,v 1.11.12.1 2014/12/16 23:23:22 tron Exp $
 
 SHA1 (pdns-recursor-3.3.tar.bz2) = 2f42955b8b8de355709e9072da2d5dbfadd7ffac
 RMD160 (pdns-recursor-3.3.tar.bz2) = 17bd7ac68892c3fca218c3dc3e70074dd9e748d6
 Size (pdns-recursor-3.3.tar.bz2) = 145785 bytes
+SHA1 (patch-CVE-2014-8601) = dae3dec54e53022183a8889eb1c741b00d08cd0b
 SHA1 (patch-Makefile) = 840d0be6dd7decf4b037efc4f9da05a97815ce8e
 SHA1 (patch-brg_endian.h) = 2fb9d3231e969b2be57d160b0952e11091ae6e26
 SHA1 (patch-cachecleaner.hh) = e9a9ade3fe63160eb897df959f6921b791122499
diff --git a/net/powerdns-recursor/patches/patch-CVE-2014-8601 b/net/powerdns-recursor/patches/patch-CVE-2014-8601
new file mode 100644
index 00000000000..03e70358999
--- /dev/null
+++ b/net/powerdns-recursor/patches/patch-CVE-2014-8601
@@ -0,0 +1,60 @@
+$NetBSD: patch-CVE-2014-8601,v 1.1.2.2 2014/12/16 23:23:22 tron Exp $
+
+Upstream backported fix for CVE-2014-8601
+
+commit 62d189c81359c70821523d7ba9831d0f6e57b012
+Author: Your Name <you@example.com>
+Date:   Tue Dec 2 08:50:41 2014 +0000
+
+    backport query limiter to 3.3
+
+diff --git pdns_recursor.cc pdns_recursor.cc
+index 0f9b08f..3bb71e0 100644
+--- pdns_recursor.cc
++++ pdns_recursor.cc
+@@ -522,7 +522,14 @@ void startDoResolve(void *p)
+     bool variableAnswer = false;
+     // if there is a PowerDNSLua active, and it 'took' the query in preResolve, we don't launch beginResolve
+     if(!t_pdl->get() || !(*t_pdl)->preresolve(dc->d_remote, g_listenSocketsAddresses[dc->d_socket], dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), ret, res, &variableAnswer)) {
+-       res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret);
++      try {
++        res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret);
++      }
++      catch(ImmediateServFailException &e) {
++        L<<Logger::Error<<"Sending SERVFAIL during resolve of '"<<dc->d_mdp.d_qname<<"' because: "<<e.reason<<endl;
++
++        res = RCode::ServFail;
++      }
+ 
+       if(t_pdl->get()) {
+         if(res == RCode::NXDomain)
+diff --git a/syncres.cc b/syncres.cc
+index 4b05acf..08b2930 100644
+--- syncres.cc
++++ syncres.cc
+@@ -874,6 +874,7 @@ int SyncRes::doResolveAt(set<string, CIStringCompare> nameservers, string auth,
+           }
+           else {
+             s_outqueries++; d_outqueries++;
++            if(d_outqueries > 50) throw ImmediateServFailException("more than 50 queries sent while resolving "+qname);
+           TryTCP:
+             if(doTCP) {
+               LOG<<prefix<<qname<<": using TCP with "<< remoteIP->toStringWithPort() <<endl;
+diff --git a/syncres.hh b/syncres.hh
+index e3249d2..6c151e0 100644
+--- syncres.hh
++++ syncres.hh
+@@ -502,6 +502,13 @@ private:
+   static AtomicCounter s_currentConnections; //!< total number of current TCP connections
+ };
+ 
++class ImmediateServFailException
++{
++public:
++  ImmediateServFailException(string r){reason=r;};
++
++  string reason; //! Print this to tell the user what went wrong
++};
+ 
+ struct RemoteKeeper
+ {