Diffstat (limited to 'net-dns/pdns-recursor/files/CVE-2017-15093-4.0.6.patch')
-rw-r--r--net-dns/pdns-recursor/files/CVE-2017-15093-4.0.6.patch47
1 files changed, 47 insertions, 0 deletions
diff --git a/net-dns/pdns-recursor/files/CVE-2017-15093-4.0.6.patch b/net-dns/pdns-recursor/files/CVE-2017-15093-4.0.6.patch
new file mode 100644
index 000000000000..2695830b4420
--- /dev/null
+++ b/net-dns/pdns-recursor/files/CVE-2017-15093-4.0.6.patch
@@ -0,0 +1,47 @@
+diff -ru pdns-recursor-4.0.6.orig/ws-recursor.cc pdns-recursor-4.0.6/ws-recursor.cc
+--- pdns-recursor-4.0.6.orig/ws-recursor.cc 2017-07-04 17:43:07.000000000 +0200
++++ pdns-recursor-4.0.6/ws-recursor.cc 2017-11-02 18:13:55.762458134 +0100
+@@ -76,10 +76,11 @@
+ throw ApiException("'value' must be an array");
+ }
+
++ NetmaskGroup nmg;
+ for (auto value : jlist.array_items()) {
+ try {
+- Netmask(value.string_value());
+- } catch (NetmaskException &e) {
++ nmg.addMask(value.string_value());
++ } catch (const NetmaskException &e) {
+ throw ApiException(e.reason);
+ }
+ }
+@@ -91,9 +92,7 @@
+
+ // Clear allow-from, and provide a "parent" value
+ ss << "allow-from=" << endl;
+- for (auto value : jlist.array_items()) {
+- ss << "allow-from+=" << value.string_value() << endl;
+- }
++ ss << "allow-from+=" << nmg.toString() << endl;
+
+ apiWriteConfigFile("allow-from", ss.str());
+
+@@ -201,10 +200,15 @@
+ if (server == "") {
+ throw ApiException("Forwarded-to server must not be an empty string");
+ }
+- if (!serverlist.empty()) {
+- serverlist += ";";
++ try {
++ ComboAddress ca = parseIPAndPort(server, 53);
++ if (!serverlist.empty()) {
++ serverlist += ";";
++ }
++ serverlist += ca.toStringWithPort();
++ } catch (const PDNSException &e) {
++ throw ApiException(e.reason);
+ }
+- serverlist += server;
+ }
+ if (serverlist == "")
+ throw ApiException("Need at least one upstream server when forwarding");
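Review bot: The added lines `ss << "allow-from+=" << nmg.toString() << endl;` and `serverlist += ca.toStringWithPort();` carry the whole fix, yet nothing in the code says why the parsed, re-serialised value is written instead of the request string. A later cleanup could put `value.string_value()` or `server` back and reopen the config-file injection this patch is named for. I would add a comment above each, for example `// Only write the parsed, re-serialised form; the raw API string must never be copied verbatim into the line-oriented config file`. Separately, the `catch (const PDNSException &e)` around `parseIPAndPort(server, 53)` turns bad input into an ApiException only if that function reports every malformed address or port as a PDNSException, which is not visible here and is worth confirming. The enclosing functions begin and end outside the embedded hunks, so other request fields that reach `apiWriteConfigFile` could not be checked from this page.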