[Pkg-dns-devel] Bug#831060: ods-signerd/zonelistparser: XML TextReader API is misused, bleeds data from next zone

equinox at diac24.net
Thu Jul 14 04:17:10 UTC 2016


Package: opendnssec-signer
Version: 1:1.4.6-6
Severity: important

Dear Debian DNS Maintainers,

[upstream bug https://issues.opendnssec.org/browse/SUPPORT-197
discovered on Debian production opendnssec setup.]

ods-signerd fails to correctly process its zonelist.xml configuration file.
This results in zones not being properly signed as they should.

This issue is security (as in availability) critical.  If it fails to sign its
zones, RRSIG records will expire and validating clients will refuse to use
returned records, making all hostnames in affected zones unavailable after some
time.

Posted patch https://issues.opendnssec.org/secure/attachment/11811/0001-zonelist-don-t-read-elements-from-other-zones.patch
tested on Debian amd64 install by rebuilding and installing the package with
the patch listed in debian/patches.  Note the same issue exists in
ods-enforcerd and ods-ksmutil.


Description as posted upstream:

The Zonelist parser (i.e. parse_zonelist_zones()) assumes that
xmlTextReaderRead / xmlTextReaderExpand only load one XML node, which is the
current <Zone> to be processed. This assumption is incorrect, especially if the
XML is very short in its serialised form. (e.g. no extra whitespace, short zone
filenames, etc.)

This, in turn, makes the later XPath lookups match nodes from both the current
and the next <Zone> element, which caused the following two behaviours in our
setup:

- one zone had the next zone's input file applied to it. Resulting error
  (because it was loading the wrong zonefile):
  "[adapter] unable to add rr to zone: soa record has invalid owner name"
  "[adapter] error adding RR at line 11: @ 86400 IN SOA <...>"
- another zone used the empty string as output filename (because the XML node
  for that zone was not fully loaded, the attribute was still empty/in
  processing). Resulting error:
  "[adapter] unable to write file: failed to rename .tmp to (No such file or directory)"

Attached fix is against 1.4.6 and only changes signer code; enforcer and
ksmutil can potentially exhibit the same issue. Signer patch is tested &
confirmed to fix the issues.

Note this bug hard-breaks operation since some zones will fail signing;
signatures will expire and the zone's records will start being rejected by
validating clients.


-- System Information:
Debian Release: 8.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages opendnssec-signer depends on:
ii  dpkg               1.17.26
ii  libc6              2.19-18+deb8u4
ii  libldns1           1.6.17-5+b1
ii  libssl1.0.0        1.0.1t-1+deb8u2
ii  libxml2            2.9.1+dfsg1-5+deb8u2
ii  opendnssec-common  1:1.4.6-6

Versions of packages opendnssec-signer recommends:
ii  opendnssec           1:1.4.6-6
ii  opendnssec-enforcer  1:1.4.6-6
ii  softhsm              1.3.7-2+deb8u1

opendnssec-signer suggests no packages.

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-zonelist-don-t-read-elements-from-other-zones.patch
Type: text/x-diff
Size: 2678 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-dns-devel/attachments/20160714/994b4270/attachment.patch>
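The two behaviours described in the report above (a zone picking up the next zone's input file, and a zone seeing an empty filename), reproduced as an added example on an analogous pull parser, Python's xml.etree XMLPullParser, instead of libxml2's xmlTextReader; this is not OpenDNSSEC's code. ZONELIST is a constructed, whitespace-free zonelist in the style the report describes, and zone_input_files() is a hypothetical stand-in for the zonelist parser whose buggy branch resolves paths with a document-wide search at the zone's start tag, while the fixed branch waits for the zone's end tag and searches relative to that zone only.

```python
import xml.etree.ElementTree as ET

# Constructed zonelist in the style of OpenDNSSEC's zonelist.xml, serialised
# without whitespace (the compact form the report says triggers the issue).
ZONELIST = (
    b'<ZoneList>'
    b'<Zone name="a.example"><Policy>default</Policy><Adapters>'
    b'<Input><File>/var/lib/zones/a.example</File></Input>'
    b'<Output><File>/var/lib/signed/a.example</File></Output></Adapters></Zone>'
    b'<Zone name="b.example"><Policy>default</Policy><Adapters>'
    b'<Input><File>/var/lib/zones/b.example</File></Input>'
    b'<Output><File>/var/lib/signed/b.example</File></Output></Adapters></Zone>'
    b'</ZoneList>'
)

def zone_input_files(data, chunk_size, fixed):
    """Hypothetical stand-in for the zonelist parser: returns {zone name:
    input file}.  chunk_size controls how far the parser has read ahead
    when each event is handed out, which is exactly what the buggy
    variant's answer depends on."""
    parser = ET.XMLPullParser(events=("start", "end"))
    root, result = None, {}
    for i in range(0, len(data), chunk_size):
        parser.feed(data[i:i + chunk_size])
        for event, elem in parser.read_events():
            if root is None:
                root = elem          # the <ZoneList> document root
            if elem.tag != "Zone":
                continue
            if not fixed and event == "start":
                # Misuse: act on the zone as soon as its start tag appears and
                # resolve the path with a document-wide search, taking the
                # last match.  The tree holds whatever has been parsed so far:
                # the next zone's nodes, or none of this zone's yet.
                hits = root.findall(".//Zone/Adapters/Input/File")
                result[elem.get("name")] = hits[-1].text if hits else ""
            elif fixed and event == "end":
                # Fix: wait until this zone's subtree is complete and search
                # relative to this zone only.
                node = elem.find("./Adapters/Input/File")
                result[elem.get("name")] = node.text if node is not None else ""
    parser.close()
    return result
```

Feeding the whole document at once makes zone a.example inherit b.example's input file; feeding one byte at a time makes a.example resolve to the empty string instead, whereas the fixed branch gives the right answer either way.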