[Python-modules-commits] r6056 - in packages/python-dns/trunk/debian (3 files)
kitterma-guest at users.alioth.debian.org
kitterma-guest at users.alioth.debian.org
Sun Jul 27 04:01:54 UTC 2008
Date: Sunday, July 27, 2008 @ 04:01:52
Author: kitterma-guest
Revision: 6056
Update for CVE-2008-1447 fix.
Added:
packages/python-dns/trunk/debian/patches/source-tid-random.patch
Modified:
packages/python-dns/trunk/debian/changelog
Deleted:
packages/python-dns/trunk/debian/patches/tid-random.patch
Modified: packages/python-dns/trunk/debian/changelog
===================================================================
--- packages/python-dns/trunk/debian/changelog 2008-07-26 17:12:59 UTC (rev 6055)
+++ packages/python-dns/trunk/debian/changelog 2008-07-27 04:01:52 UTC (rev 6056)
@@ -1,3 +1,19 @@
+python-dns (2.3.1-6) unstable; urgency=high
+
+ * Fix debian/patches/source-tid-random.patch so it doesn't lose socket
+ errors other than port already in use
+
+ -- Scott Kitterman <scott at kitterman.com> Sat, 26 Jul 2008 22:05:24 -0400
+
+python-dns (2.3.1-5) unstable; urgency=high
+
+ * Replace debian/patches/tid-random.patch with source-tid-random.patch
+ to fully address CVE-2008-1447 (Closes: #490217)
+ - Randomize TID (from previous patch - it works for retries too)
+ - Add source port randomization to cover all cases
+
+ -- Scott Kitterman <scott at kitterman.com> Sat, 26 Jul 2008 00:46:56 -0400
+
python-dns (2.3.1-4) unstable; urgency=low
* Add simple-patchsys.mk to debian/rules
@@ -37,10 +53,6 @@
* Add XS-DM-Upload-Allowed: yes flag for Scott Kitterman.
* Upload.
- [ Carlos Galisteo ]
- * debian/control:
- - Added Homepage field.
-
-- Debian Python Modules Team <python-modules-team at lists.alioth.debian.org> Sun, 30 Mar 2008 00:27:17 +0100
python-dns (2.3.1-2) unstable; urgency=low
Added: packages/python-dns/trunk/debian/patches/source-tid-random.patch
===================================================================
--- packages/python-dns/trunk/debian/patches/source-tid-random.patch (rev 0)
+++ packages/python-dns/trunk/debian/patches/source-tid-random.patch 2008-07-27 04:01:52 UTC (rev 6056)
@@ -0,0 +1,153 @@
+diff -Nur -x '*.orig' -x '*~' python-dns-2.3.1/DNS/Base.py python-dns-2.3.1.new/DNS/Base.py
+--- python-dns-2.3.1/DNS/Base.py 2007-05-22 16:28:31.000000000 -0400
++++ python-dns-2.3.1.new/DNS/Base.py 2008-07-26 22:08:21.000000000 -0400
+@@ -12,6 +12,11 @@
+ import socket, string, types, time
+ import Type,Class,Opcode
+ import asyncore
++try:
++ from random import SystemRandom
++ random = SystemRandom()
++except:
++ import random
+
+ class DNSError(Exception): pass
+
+@@ -58,6 +63,7 @@
+ self.defaults = {}
+ self.argparse(name,args)
+ self.defaults = self.args
++ self.tid = 0
+
+ def argparse(self,name,args):
+ if not name and self.defaults.has_key('name'):
+@@ -87,7 +93,7 @@
+ r,w,e = select.select([self.s],[],[],self.args['timeout'])
+ if not len(r):
+ raise DNSError, 'Timeout'
+- self.reply = self.s.recv(1024)
++ (self.reply, self.from_address) = self.s.recvfrom(65535)
+ self.time_finish=time.time()
+ self.args['server']=self.ns
+ return self.processReply()
+@@ -133,7 +139,21 @@
+ # u = Lib.Munpacker(reply)
+ # Lib.dumpM(u)
+
++ def getSource(self):
++ # Get random source port to avoid DNS cache poisoning attack.
++ try:
++ source = random.randint(1024,65535)
++ self.s.bind(('', source))
++ except socket.error, msg:
++ # Error 98, 'Address already in use'
++ if msg[0] == 98:
++ self.getSource()
++ else:
++ raise
++
+ def conn(self):
++ # Source is source port we'll take a reply from.
++ self.getSource()
+ self.s.connect((self.ns,self.port))
+
+ def req(self,*name,**args):
+@@ -144,6 +164,7 @@
+ # raise DNSError,'reinitialize request before reuse'
+ protocol = self.args['protocol']
+ self.port = self.args['port']
++ self.tid = random.randint(0,65535)
+ opcode = self.args['opcode']
+ rd = self.args['rd']
+ server=self.args['server']
+@@ -164,7 +185,7 @@
+ #print 'QTYPE %d(%s)' % (qtype, Type.typestr(qtype))
+ m = Lib.Mpacker()
+ # jesus. keywords and default args would be good. TODO.
+- m.addHeader(0,
++ m.addHeader(self.tid,
+ 0, opcode, 0, 0, rd, 0, 0, 0,
+ 1, 0, 0, 0)
+ m.addQuestion(qname, qtype, Class.IN)
+@@ -187,20 +208,31 @@
+ self.socketInit(socket.AF_INET, socket.SOCK_DGRAM)
+ for self.ns in server:
+ try:
+- # TODO. Handle timeouts &c correctly (RFC)
+- #self.s.connect((self.ns, self.port))
+- self.conn()
+- self.time_start=time.time()
+- if not self.async:
+- self.s.send(self.request)
+- self.response=self.processUDPReply()
+- #except socket.error:
+- except None:
+- continue
++ try:
++ # TODO. Handle timeouts &c correctly (RFC)
++ #self.s.connect((self.ns, self.port))
++ self.conn()
++ self.s.setblocking(0)
++ self.time_start=time.time()
++ if not self.async:
++ self.s.send(self.request)
++ r=self.processUDPReply()
++ # Since we bind to the source port, we don't need to check that
++ # here, but do make sure it's actually a DNS request that the packet
++ # is in reply to.
++ while r.header['id'] != self.tid or self.from_address[1] != 53:
++ r=self.processUDPReply()
++ self.response = r
++ # FIXME: check waiting async queries
++ #except socket.error:
++ except None:
++ continue
++ finally:
++ self.s.close()
+ break
+ if not self.response:
+ if not self.async:
+- raise DNSError,'no working nameservers found'
++ raise DNSError,('no working nameservers found')
+
+ def sendTCPRequest(self, server):
+ " do the work of sending a TCP request "
+@@ -208,14 +240,21 @@
+ self.response=None
+ for self.ns in server:
+ try:
+- self.socketInit(socket.AF_INET, socket.SOCK_STREAM)
+- self.time_start=time.time()
+- self.conn()
+- self.s.send(Lib.pack16bit(len(self.request))+self.request)
+- self.s.shutdown(1)
+- self.response=self.processTCPReply()
+- except socket.error:
+- continue
++ try:
++ # TODO. Handle timeouts &c correctly (RFC)
++ self.socketInit(socket.AF_INET, socket.SOCK_STREAM)
++ self.time_start=time.time()
++ self.conn()
++ self.s.setblocking(0)
++ self.s.sendall(Lib.pack16bit(len(self.request))+self.request)
++ self.s.shutdown(socket.SHUT_WR)
++ r=self.processTCPReply()
++ if r.header['id'] != self.tid: continue
++ self.response = r
++ except socket.error:
++ continue
++ finally:
++ self.s.close()
+ break
+ if not self.response:
+ raise DNSError,'no working nameservers found'
+@@ -234,6 +273,8 @@
+ self.async=1
+ def conn(self):
+ import time
++ # Source is source port we'll take a reply from.
++ self.getSource()
+ self.connect((self.ns,self.port))
+ self.time_start=time.time()
+ if self.args.has_key('start') and self.args['start']:
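Review bot: The reply filter in the rewritten UDP loop, `while r.header['id'] != self.tid or self.from_address[1] != 53:`, hard-codes port 53 instead of `self.port` (the port `conn()` connects to), so a resolver on a non-standard port never matches and the loop keeps reading until processUDPReply raises its timeout; `self.from_address[1] != self.port` is the intended check, and since the socket is connected the kernel already drops datagrams from other peers. In `getSource` the retry on a busy port is an unbounded recursion keyed on the Linux-specific value 98; a bounded loop comparing against `errno.EADDRINUSE` (with `errno` imported next to `socket`) is portable and cannot hit the recursion limit, sketched below. The same UDP block keeps `except None:`, which matches no exception, so the per-nameserver `continue` is unreachable, and if it were reached the socket closed in `finally` would be reused because `socketInit` is called once before the loop, unlike the TCP branch which catches `socket.error` and re-creates the socket on every iteration. The async `conn` at the end of the hunk calls `getSource`, which binds `self.s`; whether that dispatcher subclass exposes its socket as `self.s` is not visible here and should be confirmed.
```python
    def getSource(self):
        # Bind to a random source port so replies cannot be guessed by port
        # (CVE-2008-1447); retry a bounded number of times when the chosen
        # port is already in use, re-raise any other socket error unchanged.
        for attempt in range(32):
            source = random.randint(1024,65535)
            try:
                self.s.bind(('', source))
                return
            except socket.error, msg:
                if msg[0] != errno.EADDRINUSE:
                    raise
                last = msg
        raise last
```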
Deleted: packages/python-dns/trunk/debian/patches/tid-random.patch
===================================================================
--- packages/python-dns/trunk/debian/patches/tid-random.patch 2008-07-26 17:12:59 UTC (rev 6055)
+++ packages/python-dns/trunk/debian/patches/tid-random.patch 2008-07-27 04:01:52 UTC (rev 6056)
@@ -1,88 +0,0 @@
-diff -Nur -x '*.orig' -x '*~' python-dns-2.3.1/DNS/Base.py python-dns-2.3.1.new/DNS/Base.py
---- python-dns-2.3.1/DNS/Base.py 2007-05-22 16:28:31.000000000 -0400
-+++ python-dns-2.3.1.new/DNS/Base.py 2008-07-11 00:33:12.000000000 -0400
-@@ -1,5 +1,5 @@
- """
--$Id: Base.py,v 1.12.2.4 2007/05/22 20:28:31 customdesigned Exp $
-+$Id: Base.py,v 1.14 2008/07/11 03:41:42 customdesigned Exp $
-
- This file is part of the pydns project.
- Homepage: http://pydns.sourceforge.net
-@@ -12,6 +12,11 @@
- import socket, string, types, time
- import Type,Class,Opcode
- import asyncore
-+try:
-+ from random import SystemRandom
-+ random = SystemRandom()
-+except:
-+ import random
-
- class DNSError(Exception): pass
-
-@@ -58,6 +63,7 @@
- self.defaults = {}
- self.argparse(name,args)
- self.defaults = self.args
-+ self.tid = 0
-
- def argparse(self,name,args):
- if not name and self.defaults.has_key('name'):
-@@ -144,6 +150,7 @@
- # raise DNSError,'reinitialize request before reuse'
- protocol = self.args['protocol']
- self.port = self.args['port']
-+ self.tid = random.randint(0,65535)
- opcode = self.args['opcode']
- rd = self.args['rd']
- server=self.args['server']
-@@ -164,7 +171,7 @@
- #print 'QTYPE %d(%s)' % (qtype, Type.typestr(qtype))
- m = Lib.Mpacker()
- # jesus. keywords and default args would be good. TODO.
-- m.addHeader(0,
-+ m.addHeader(self.tid,
- 0, opcode, 0, 0, rd, 0, 0, 0,
- 1, 0, 0, 0)
- m.addQuestion(qname, qtype, Class.IN)
-@@ -193,7 +200,11 @@
- self.time_start=time.time()
- if not self.async:
- self.s.send(self.request)
-- self.response=self.processUDPReply()
-+ r=self.processUDPReply()
-+ while r.header['id'] != self.tid:
-+ r=self.processUDPReply()
-+ self.response = r
-+ # FIXME: check waiting async queries
- #except socket.error:
- except None:
- continue
-@@ -211,9 +222,11 @@
- self.socketInit(socket.AF_INET, socket.SOCK_STREAM)
- self.time_start=time.time()
- self.conn()
-- self.s.send(Lib.pack16bit(len(self.request))+self.request)
-- self.s.shutdown(1)
-- self.response=self.processTCPReply()
-+ self.s.sendall(Lib.pack16bit(len(self.request))+self.request)
-+ self.s.shutdown(socket.SHUT_WR)
-+ r=self.processTCPReply()
-+ if r.header['id'] != self.tid: continue
-+ self.response = r
- except socket.error:
- continue
- break
-@@ -256,6 +269,12 @@
-
- #
- # $Log: Base.py,v $
-+# Revision 1.14 2008/07/11 03:41:42 customdesigned
-+# New TID for each req.
-+#
-+# Revision 1.13 2008/05/05 04:35:24 customdesigned
-+# Use random tid in requests and check for matching response.
-+#
- # Revision 1.12.2.4 2007/05/22 20:28:31 customdesigned
- # Missing import Lib
- #