From 842227f12341d17db6eaffb64ea9fb2b565a5f0d Mon Sep 17 00:00:00 2001
From: Otto Moerbeek
Date: Mon, 12 Oct 2020 10:08:08 +0200
Subject: [PATCH] Backport of CVE-2020-25829 (any-cache-update) to 4.1.x

An issue has been found in PowerDNS Recursor before 4.1.18, 4.2.x before 4.2.5, and 4.3.x before 4.3.5. A remote attacker can cause the cached records for a given name to be updated to the Bogus DNSSEC validation state, instead of their actual DNSSEC Secure state, via a DNS ANY query. This results in a denial of service for installation that always validate (dnssec=validate), and for clients requesting validation when on-demand validation is enabled (dnssec=process).

Origin: https://github.com/PowerDNS/pdns/commit/77409aab0be43071b365760213894d6388c3df30.patch
Bug: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html
Bug-Debian: https://bugs.debian.org/972159
Reviewed-by: Daniel Leidert
Gbp-Pq: Name CVE-2020-25829.patch
---
 recursor_cache.cc | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/recursor_cache.cc b/recursor_cache.cc
index 9ccecf8..216245c 100644
--- a/recursor_cache.cc
+++ b/recursor_cache.cc
@@ -413,9 +413,14 @@ bool MemRecursorCache::doAgeCache(time_t now, const DNSName& name, uint16_t qtyp
 bool MemRecursorCache::updateValidationStatus(time_t now, const DNSName &qname, const QType& qt, const ComboAddress& who, bool requireAuth, vState newState)
 {
+ if (qt == QType::ANY || qt == QType::ADDR) {
+ // not doing that
+ return false;
+ }
+
 bool updated = false;
 uint16_t qtype = qt.getCode();
- if (qtype != QType::ANY && qtype != QType::ADDR && !d_ecsIndex.empty()) {
+ if (!d_ecsIndex.empty()) {
 auto entry = getEntryUsingECSIndex(now, qname, qtype, requireAuth, who);
 if (entry == d_cache.end()) {
 return false;
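Review bot: The comment `// not doing that` in the new guard at the top of updateValidationStatus does not say why ANY and ADDR are refused, although this is the line that carries the CVE-2020-25829 fix. I would spell it out, e.g. `// ANY/ADDR lookups must never rewrite the validation state of cached records (CVE-2020-25829)`. The guard returns `false`, which the visible code also returns when `getEntryUsingECSIndex` finds no entry, so callers cannot tell a refused update from a cache miss; that is probably fine but should be confirmed against the call sites, which are outside this hunk. The diffstat lists only recursor_cache.cc, so the backport ships without a regression test; a unit test that calls updateValidationStatus with QType::ANY and asserts that the cached entry keeps its state would pin the behaviour. The function body continues past the end of the hunk.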
@@ -434,8 +439,7 @@ bool MemRecursorCache::updateValidationStatus(time_t now, const DNSName &qname,
 i->d_state = newState;
 updated = true;
- if(qtype != QType::ANY && qtype != QType::ADDR) // normally if we have a hit, we are done
- break;
+ break;
 }
 return updated;
-- 
2.30.2
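Review bot: The bare `break;` lost the explanation that the removed line carried, and it is now equivalent to the old behaviour only because ANY and ADDR are rejected at the top of the function in the first hunk. A short comment keeps that dependency visible for whoever touches the guard later, e.g. `break; // ANY/ADDR were rejected on entry, so one matching entry is all we update`. The loop header and the checks that run before `i->d_state = newState;` are outside this hunk, so which entries can reach this point cannot be judged from here.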