[alpine-devel] [PATCH] testing/dnscrypt-proxy: update to 1.4.0

Message ID
<1400236238-26292-1-git-send-email-developer@it-offshore.co.uk>
Sender timestamp
1400236238
DKIM signature
missing
Patch: +105 -93
* Version 1.4.0:
 - Security: versions 0.11 to 1.3.3 were vulnerable to a denial of
service when running out of output buffer space.

/sbin/setup-dnscrypt now also sets the correct loopback address if
unbound is removed outside of the script.
---
 testing/dnscrypt-proxy/APKBUILD             |  16 +--
 testing/dnscrypt-proxy/dnscrypt-proxy.setup | 182 +++++++++++++++-------------
 2 files changed, 105 insertions(+), 93 deletions(-)

diff --git a/testing/dnscrypt-proxy/APKBUILD b/testing/dnscrypt-proxy/APKBUILD
index 3446a7e..53e2488 100644
--- a/testing/dnscrypt-proxy/APKBUILD
+++ b/testing/dnscrypt-proxy/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Francesco Colista <francesco.colista@gmail.com>
# Maintainer: Francesco Colista <francesco.colista@gmail.com>
pkgname=dnscrypt-proxy
pkgver=1.3.3
pkgrel=3
pkgver=1.4.0
pkgrel=0
pkgdesc="A tool for securing communications between a client and a DNS resolver"
url="http://dnscrypt.org/"
arch="all"
@@ -52,15 +52,15 @@ package() {
	rm -rf $pkgdir/usr/lib/*.la
}

md5sums="6a10b1d6018bfeed9a6dbc3b49cc39d8  dnscrypt-proxy-1.3.3.tar.gz
md5sums="64b5f5ababbcf72d6c32c57a092785c5  dnscrypt-proxy-1.4.0.tar.gz
fc51d5d38e7f3066221300fff821d81f  dnscrypt-proxy.initd
223bc3032b229ca961bec2a3f3c44d4d  dnscrypt-proxy.confd
b09abb720e277b9faa81aeaf573e11a8  dnscrypt-proxy.setup"
sha256sums="b797b1cc2ce6b7a01bc8a8d119367971f0cff20beea506cd0aeaa613fd5eaa24  dnscrypt-proxy-1.3.3.tar.gz
4b1c9ffcd06dee8ac1cdd7832e463c95  dnscrypt-proxy.setup"
sha256sums="d750d4b0f100ea454a50194062230f7a12db5df897fb4a528d3585ce277dc3d9  dnscrypt-proxy-1.4.0.tar.gz
a56cb07b4bcedd0e9bb994f93f5f721c276ba61b576c3059a1bfad4e56c786ac  dnscrypt-proxy.initd
8291300235a79932ce753f948f850d0817f374159f28bfbbf527f8a3dcefb1c7  dnscrypt-proxy.confd
908a65309fa563c1ae484af91d32798c30c338d5414c8939f0585591ad5a8da3  dnscrypt-proxy.setup"
sha512sums="e0d668446eaf65dce358b6d90fc7cf9905e49e267f0ff6c4d399c54b4ccc13d1c9f9622ac68f5fd992ce0b0c275b4e07bd98bc35404c822f521f20a244287dce  dnscrypt-proxy-1.3.3.tar.gz
06c79b5add8f9adc1d59823326dbc053239596a910032a78dbdd516fb1272621  dnscrypt-proxy.setup"
sha512sums="a9542797f27bc4ac7b39ae4d7fcba3f7a6f83ebe1a66feeadca5c1e240047276577aed8271463af33c131102b634f7a19af90a66dbb59be03bb993a1bdae2a4e  dnscrypt-proxy-1.4.0.tar.gz
e5516c7e1fd6baf391059407aee65a837c7324698f15a675d0368fd34de10f023fe39671e95bc951bee260254fb4e3613fde6045cdf2faf085f322b769969864  dnscrypt-proxy.initd
70be47b2954bb95341a678b3e6d68c8684e16644b8162b52c736fbac314928e1fa1d7fa9f97b4034b38d443808526fecd833b1d356df1a5e74a443e96e97d8e5  dnscrypt-proxy.confd
be8bd445af5d72f75bb1b0f73db8d8655a5e40f4fccd83111496eb804969025229b8f346dc52ddc53946c094a76a2c18bff54637616cd756c5d32dbe07da262d  dnscrypt-proxy.setup"
e4b395ed374d98f888ff84f350631b953257719058b2a5cf9701ad719a3e178ce36cb414ae40de4d0729fe83362953d8277a7c54ce320b49b238549216452304  dnscrypt-proxy.setup"
diff --git a/testing/dnscrypt-proxy/dnscrypt-proxy.setup b/testing/dnscrypt-proxy/dnscrypt-proxy.setup
index 3fb58ad..f82e7c3 100644
--- a/testing/dnscrypt-proxy/dnscrypt-proxy.setup
+++ b/testing/dnscrypt-proxy/dnscrypt-proxy.setup
@@ -42,10 +42,9 @@ die() {
}

restart_interface(){

INTERFACES=$(echo | ifconfig | grep "Link encap" | sed '/lo/d' | cut -d"L" -f1)
print_question "\nChoose external interface to restart from the following:"
print_question "\n\n$INTERFACES" "[ default - eth0 ]"
print_question "\n\n$INTERFACES" "[ default: eth0 ]"

while :
do
@@ -68,9 +67,8 @@ done
}

choose_ip(){

IPADDR=$(ifconfig |grep -B1 "inet addr" |awk '{ if ( $1 == "inet" ) { print $2 } else if ( $2 == "Link" ) { printf "%s:" ,$1 } }' |awk -F" " '{ print $1 ": " $3 }'| sed 's/addr//')
if echo "$IPADDR" | grep -e "127.0.0.2" 1>/dev/null; then
if echo "$IPADDR" | grep -e "127.0.0.2" 1>/dev/null && which unbound 1> /dev/null; then
        defaultip='127.0.0.2'
	IPADDR_CHOICE=$(echo "$IPADDR" | sed '/lo::127.0.0.1:/d')
else
@@ -78,13 +76,8 @@ else
	IPADDR_CHOICE=$(echo "$IPADDR" | sed '/lo:1::127.0.0.2:/d')
fi

if [ "$removecache" = "Y" ] || [ "$removecache" = "y" ]; then
        defaultip='127.0.0.1'
        IPADDR_CHOICE=$(echo "$IPADDR" | sed '/lo:1::127.0.0.2:/d')
fi

print_question "\nChoose Dnscrypt IP from the following addresses:\n"
print_question "\n$IPADDR_CHOICE\t" "[ default - $defaultip ]"
print_question "\n$IPADDR_CHOICE\t" "[ default: $defaultip ]"

while :
do
@@ -105,14 +98,13 @@ done
}

choose_port(){

if grep -e "127.0.0.2" /etc/network/interfaces 1>/dev/null; then
	defaultport=40
else
	defaultport=53
fi

print_question "\nChoose Dnscrypt Port:" "[ default = $defaultport ]"
print_question "\nChoose Dnscrypt Port:" "[ default: $defaultport ]"
while :
do
        read DNSPORT
@@ -160,6 +152,60 @@ print_green "--------------------------------------------------------"
fi
}

restart_services(){
# add / restart services - dnscrypt must be restarted first
echo ""
for srv in "dnscrypt-proxy" "unbound"; do
        if which $srv 1> /dev/null; then
                rc-status default | grep $srv 1> /dev/null
                if [ "$?" != "0" ]; then
                        print_green "Adding $srv to Default Run Level"
                        rc-update add $srv default
                fi
                rc-service $srv restart
        fi
done
}

modify_config(){
choose_ip; choose_port

# update dnscrypt listening ip & port
LINE=$(sed -n '/DNSCRYPT_LOCALIP=/=' $config)
sed "$LINE c DNSCRYPT_LOCALIP=$IP_CLEAN:$DNSPORT_CLEAN" $config -i

# update dhclient.conf
if [ -f $dhcpconfig ]; then
	if grep 'supersede domain-name-servers' $dhcpconfig 1>/dev/null; then
		LINE=$(sed -n '/supersede domain-name-servers/=' $dhcpconfig)
		sed "$LINE c supersede domain-name-servers $IP" $dhcpconfig -i
	else
		echo "supersede domain-name-servers $IP" >> $dhcpconfig
	fi
fi

# update resolv.conf & unbound
LINE=$(sed -n '/nameserver/=' /etc/resolv.conf)
sed "$LINE c nameserver 127.0.0.1" /etc/resolv.conf -i
if [ "$removecache" != "Y" ] && [ "$removecache" != "y" ]; then
	update_unbound
fi

restart_interface

print_strong "\n/etc/conf.d/dnscrypt-proxy Listening Address updated to:"
print_green "--------------------------------------------------------"
print_table "DNSCRYPT_LOCALIP=$IP_CLEAN:$DNSPORT_CLEAN"
print_green "--------------------------------------------------------\n"
}

rm_loopback(){
START=$(sed -n "\%Settings from $SCRIPT%=" /etc/network/interfaces)
LINE=$(expr $START + 4)
sed -i ''$START','$LINE'd' /etc/network/interfaces
print_green "2nd Loopback interface removed"
}

# END Functions ###################################################################################

# Do some sanity checking.
@@ -216,17 +262,17 @@ clear

# colour table ##################################################################################

colourheading=$(awk 'BEGIN { format = "%-3s%-40s%-18s%-10s%-10s%-10s%-25s%s\n"
colourheading=$(awk 'BEGIN { format = "%-3s%-40s%-18s%-10s%-10s%-10s%-25s\n"
	printf format, "#", "Name", "Location", "DNSSEC", "No Logs", "Namecoin", "Resolver Address" }')

colourline=$(awk 'BEGIN { format = "%-3s%-40s%-18s%-10s%-10s%-10s%-25s%s\n"
colourline=$(awk 'BEGIN { format = "%-3s%-40s%-18s%-10s%-10s%-10s%-25s\n"
	printf format, "---", "----------------------------------------", "------------------", "----------",\
			"----------", "----------", "------------------------------------------" }')

print_green "$colourheading"
print_green "$colourline"

awk 'BEGIN { format = "%-3s%-40s%-18s%-10s%-10s%-10s%-25s%s\n" }
awk 'BEGIN { format = "%-3s%-40s%-18s%-10s%-10s%-10s%-25s\n" }
        { printf format,$1,$3,$5,$9,$10,$11,$12 }' FS=\| $output

print_green "$colourline"
@@ -282,94 +328,60 @@ print_green "-------------------------------------------------------------------

# install unbound
if ! which unbound 1> /dev/null; then
   print_question "Install Unbound (Caching DNS Server)" "[ Y / N ]"
   print_question "Install Unbound (Caching DNS Server)" "[ Y / N: Default ]"
   read installsrv
   if [ "$installsrv" = "Y" ] || [ "$installsrv" = "y" ]; then
   if [ "$(echo $installsrv | tr '[A-Z]' '[a-z]')" = "y" ]; then
      apk add -q unbound
   else
      echo "nameserver 127.0.0.1" > /etc/resolv.conf
      exit 0
   fi
fi

# check for / setup secondary loopback for dns caching
if which unbound 1> /dev/null && ! grep "address 127.0.0.2" /etc/network/interfaces 1> /dev/null; then
	print_question "Configure DNS Caching (create a 2nd loopback interface @ 127.0.0.2) " "[ Y / N ]"
	read install2ndloop
	if [ "$install2ndloop" = "Y" ] || [ "$install2ndloop" = "y" ]; then
	IP=127.0.0.2
	echo "##### Settings from $SCRIPT #####" >> /etc/network/interfaces
	echo "auto lo:1" >> /etc/network/interfaces
	echo "iface lo:1 inet static" >> /etc/network/interfaces
	echo "address $IP" >> /etc/network/interfaces
	echo "netmask 255.0.0.0" >> /etc/network/interfaces
	ifconfig lo:1 $IP up
fi

# modify caching 
if grep "address 127.0.0.2" /etc/network/interfaces 1> /dev/null && [ ! $installsrv ]; then
	print_question "\nRemove DNS Caching (Unbound) / Secondary loopback device ?" "[ Y / N: Default ]"; read removecache
	if [ "$(echo $removecache | tr '[A-Z]' '[a-z]')" = "y" ]; then
		# remove loopback settings
		rm_loopback
		echo -e ""; rc-service unbound stop; apk del unbound
	else
		print_green "\nSecondary Loopback for DNS Caching configured @ 127.0.0.2"
		IP=127.0.0.2
		echo "##### Settings from $SCRIPT #####" >> /etc/network/interfaces
		echo "auto lo:1" >> /etc/network/interfaces
		echo "iface lo:1 inet static" >> /etc/network/interfaces
		echo "address $IP" >> /etc/network/interfaces
		echo "netmask 255.0.0.0" >> /etc/network/interfaces
		ifconfig lo:1 $IP up
	fi
fi

# modify caching / ports
if grep "address 127.0.0.2" /etc/network/interfaces 1> /dev/null && [ ! $install2ndloop ]; then
	print_question "\nRemove DNS Caching (Unbound) / Secondary loopback device ?" "[ Y / N ]"; read removecache
		if [ "$removecache" = "Y" ] || [ "$removecache" = "y" ]; then
			# remove loopback settings
			START=$(sed -n "\%Settings from $SCRIPT%=" /etc/network/interfaces)
                	LINE=$(expr $START + 4)
			sed -i ''$START','$LINE'd' /etc/network/interfaces
			echo -e ""; rc-service unbound stop; apk del unbound
		else
			print_green "\nSecondary Loopback for DNS Caching configured @ 127.0.0.2\n"
			IP=127.0.0.2
		fi
# modify ip / ports
if [ $installsrv ] || [ "$(echo $removecache | tr '[A-Z]' '[a-z]')" = "y" ]; then
	modify_config
elif grep -q 127.0.0.2 /etc/network/interfaces && ! which unbound 1> /dev/null; then
	rm_loopback
	kill $(cat /var/run/unbound/unbound.pid)
	modify_config
else
	print_question "\nModify dnscrypt-proxy ip / port ?" "[ Y / N: default ]"; read updateip
	if [ "$(echo $updateip | tr '[A-Z]' '[a-z]')" = "y" ]; then
		modify_config
	fi
fi

print_question "\nModify dnscrypt-proxy ip / port ?" "[ Y / N ]"; read updateip

# choose dnscrypt ip address port
if [ "$updateip" = "Y" ] || [ "$updateip" = "y" ]; then
		choose_ip; choose_port

		# update dnscrypt listening ip & port
		LINE=$(sed -n '/DNSCRYPT_LOCALIP=/=' $config)
		sed "$LINE c DNSCRYPT_LOCALIP=$IP_CLEAN:$DNSPORT_CLEAN" $config -i

		# update dhclient.conf
		if [ -f $dhcpconfig ]; then
			if grep 'supersede domain-name-servers' $dhcpconfig 1>/dev/null; then
			LINE=$(sed -n '/supersede domain-name-servers/=' $dhcpconfig)
			sed "$LINE c supersede domain-name-servers $IP" $dhcpconfig -i
			else
				echo "supersede domain-name-servers $IP" >> $dhcpconfig
			fi
		fi

		# update resolv.conf & unbound
		LINE=$(sed -n '/nameserver/=' /etc/resolv.conf)
		sed "$LINE c nameserver 127.0.0.1" /etc/resolv.conf -i
		if [ "$removecache" != "Y" ] && [ "$removecache" != "y" ]; then
			update_unbound
		fi
		restart_interface

		print_strong "\n/etc/conf.d/dnscrypt-proxy Listening Address updated to:"
		print_green "--------------------------------------------------------"
		print_table "DNSCRYPT_LOCALIP=$IP_CLEAN:$DNSPORT_CLEAN"
		print_green "--------------------------------------------------------\n"
if [ "$RESTART_CLEAN" != "" ]; then
	ifdown $RESTART_CLEAN && ifup $RESTART_CLEAN
	print_green "Interface $RESTART_CLEAN restarted"
fi

# add / restart services - dnscrypt must be restarted first
for srv in "dnscrypt-proxy" "unbound"; do
	if which $srv 1> /dev/null; then
		rc-status default | grep $srv 1> /dev/null
        	if [ "$?" != "0" ]; then
        		print_green "Adding $srv to Default Run Level"
                	rc-update add $srv default
        	fi
        	rc-service $srv restart
	fi
done
restart_services

ifdown $RESTART_CLEAN && ifup $RESTART_CLEAN
print_green "\nInterface $RESTART_CLEAN restarted\n"
exit 0
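Review bot: In the `elif` branch near the end of the script (taken when 127.0.0.2 is still in /etc/network/interfaces but `unbound` is no longer installed), `kill $(cat /var/run/unbound/unbound.pid)` trusts a pid file that may be missing or stale; the +/- markers are lost on this page, but the line appears to be on the new side. The script rewrites system files and so presumably runs as root, which means a stale pid that has since been reused would signal an unrelated process, and a missing file leaves `kill` with no argument. Check the file and the process before signalling, e.g. `pid=$(cat /var/run/unbound/unbound.pid 2>/dev/null)` followed by `[ -n "$pid" ] && grep -q unbound "/proc/$pid/cmdline" 2>/dev/null && kill "$pid"`. The same branch calls `rm_loopback` without confirming that the `Settings from $SCRIPT` marker exists, so `START` can be empty when the 127.0.0.2 stanza was added by hand; a guard such as `[ -n "$START" ] || return` after the first line of `rm_loopback` would keep `expr` and `sed -i` from running on an empty range.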


-- 
1.9.1



Natanael Copa <ncopa@alpinelinux.org>
Message ID
<20140519163156.3a7eb9a2@ncopa-desktop.alpinelinux.org>
In-Reply-To
<1400236238-26292-1-git-send-email-developer@it-offshore.co.uk> (view parent)
Sender timestamp
1400509916
DKIM signature
missing
On Fri, 16 May 2014 10:30:38 +0000
Stuart Cardall <developer@it-offshore.co.uk> wrote:

> * Version 1.4.0:
>  - Security: versions 0.11 to 1.3.3 were vulnerable to a denial of
> service when running out of output buffer space.
> 
> /sbin/setup-dnscrypt now also sets the correct loopback address if
> unbound is removed outside of the script.
> ---
>  testing/dnscrypt-proxy/APKBUILD             |  16 +--
>  testing/dnscrypt-proxy/dnscrypt-proxy.setup | 182 +++++++++++++++-------------
>  2 files changed, 105 insertions(+), 93 deletions(-)
> 

applied. thanks!

-nc

