Backport of CVE-2020-25829 (any-cache-update) to 4.1.x

An issue has been found in PowerDNS Recursor before 4.1.18, 4.2.x before 4.2.5,
and 4.3.x before 4.3.5. A remote attacker can cause the cached records for a
given name to be updated to the Bogus DNSSEC validation state, instead of their
actual DNSSEC Secure state, via a DNS ANY query. This results in a denial of
service for installation that always validate (dnssec=validate), and for
clients requesting validation when on-demand validation is enabled
(dnssec=process).

Origin: https://github.com/PowerDNS/pdns/commit/77409aab0be43071b365760213894d6388c3df30.patch
Bug: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html
Bug-Debian: https://bugs.debian.org/972159
Reviewed-by: Daniel Leidert <dleidert@debian.org>
Gbp-Pq: Name CVE-2020-25829.patch

diff --git a/recursor_cache.cc b/recursor_cache.cc
index 9ccecf8c59830c1244e81bc7f116b0e922bee180..216245ca431091180fa98b5b3d635e40dd1b8707 100644 (file)
--- a/recursor_cache.cc
+++ b/recursor_cache.cc
@@ -413,9 +413,14 @@ bool MemRecursorCache::doAgeCache(time_t now, const DNSName& name, uint16_t qtyp
 
 bool MemRecursorCache::updateValidationStatus(time_t now, const DNSName &qname, const QType& qt, const ComboAddress& who, bool requireAuth, vState newState)
 {
+  if (qt == QType::ANY || qt == QType::ADDR) {
+    // not doing that
+    return false;
+  }
+
   bool updated = false;
   uint16_t qtype = qt.getCode();
-  if (qtype != QType::ANY && qtype != QType::ADDR && !d_ecsIndex.empty()) {
+  if (!d_ecsIndex.empty()) {
     auto entry = getEntryUsingECSIndex(now, qname, qtype, requireAuth, who);
     if (entry == d_cache.end()) {
       return false;
@@ -434,8 +439,7 @@ bool MemRecursorCache::updateValidationStatus(time_t now, const DNSName &qname,
     i->d_state = newState;
     updated = true;
 
-    if(qtype != QType::ANY && qtype != QType::ADDR) // normally if we have a hit, we are done
-      break;
+    break;
   }
 
   return updated;