Björn Ketelaars writes:
> On Thu 30/01/2020 19:21, Nam Nguyen wrote:
>> This is a security fix release that I propose adding to -stable. It
>> affects 32-bit arches when dnscrypt-proxy's DNS over HTTPS (DoH) feature
>> is used. It was fixed in Go 1.13.7 (now available in ports) and in the
>> version of golang.org/x/crypto specified in {WRKSRC}/go.mod.
>>
>> From issue:
>> "On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1
>> parsing functions of golang.org/x/crypto/cryptobyte can lead to a
>> panic."
>>
>> From Go commit:
>> "When int is 32 bits wide (on 32-bit architectures like 386 and arm), an
>> overflow could occur, causing a panic, due to malformed ASN.1 being
>> passed to any of the ASN1 methods of String."
>>
>> From changelog:
>> "- Security (affecting DoH): precompiled binaries of dnscrypt-proxy
>> 2.0.37 are built using Go 1.13.7 that fixes a TLS certificate parsing
>> issue present in previous versions of the compiler"
>>
>> Sources:
>> CVE-2020-7919
>> https://github.com/golang/go/issues/36837
>> https://github.com/golang/go/commit/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574
>> https://github.com/golang/crypto/commit/69ecbb4d6d5dab05e49161c6e77ea40a030884e1
>>
>> Changelog:
>> https://github.com/DNSCrypt/dnscrypt-proxy/blob/2.0.38/ChangeLog
>>
>> This is an update for net/dnscrypt-proxy 2.0.38, released on January 30,
>> 2020. I tested on amd64 and unit tests pass.
>
> 2.0.39 has been released a couple of hours ago, which fixes the firefox
> local DOH service: https://github.com/DNSCrypt/dnscrypt-proxy/releases
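The overflow the quoted Go commit message describes, as an added example that is not part of this thread and is not Go's or cryptobyte's code: a DER length decoder that accumulates into a fixed 32-bit width so the checked and unchecked behaviour can be compared on any host. The function names and the sample bytes are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// ErrMalformedLength covers non-minimal, overlong and oversized length fields.
var ErrMalformedLength = errors.New("asn1: malformed or oversized length")

// readLength32 decodes a DER length field at in[0] and returns the content
// length plus the bytes consumed. It deliberately caps at math.MaxInt32 so it
// behaves like a parser on a 32-bit target even when run on a 64-bit host
// (constructed example, not the standard library's implementation).
func readLength32(in []byte) (length int, consumed int, err error) {
	if len(in) == 0 {
		return 0, 0, ErrMalformedLength
	}
	b := in[0]
	if b&0x80 == 0 {
		return int(b), 1, nil // short form: 0..127
	}
	n := int(b & 0x7f)
	if n == 0 || n > 4 || len(in) < 1+n {
		return 0, 0, ErrMalformedLength // indefinite form, >4 length bytes, or truncated
	}
	var acc uint32
	for _, c := range in[1 : 1+n] {
		acc = acc<<8 | uint32(c)
	}
	if acc < 0x80 || (n > 1 && acc>>(8*uint(n-1)) == 0) {
		return 0, 0, ErrMalformedLength // DER requires the minimal encoding
	}
	if acc > math.MaxInt32 {
		// A value of 2^31 or more turns negative when stored in a 32-bit int;
		// an unchecked parser would then mis-slice its input and panic.
		return 0, 0, ErrMalformedLength
	}
	return int(acc), 1 + n, nil
}

// naiveLength32 mirrors an unchecked accumulation into a 32-bit int: the same
// bytes readLength32 rejects come back negative here. Caller must pass a
// well-formed long-form header (this helper exists only for the comparison).
func naiveLength32(in []byte) int32 {
	n := int(in[0] & 0x7f)
	var acc int32
	for _, c := range in[1 : 1+n] {
		acc = acc<<8 | int32(c)
	}
	return acc
}

func main() {
	hdr := []byte{0x84, 0x80, 0x00, 0x00, 0x00} // long form, 4 bytes, value 2^31
	_, _, err := readLength32(hdr)
	fmt.Println("checked:", err, "unchecked:", naiveLength32(hdr))
}
```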
Thank you for catching the new release. Here is a diff for dnscrypt-proxy 2.0.39, released January 31, 2020. Changelog: https://github.com/DNSCrypt/dnscrypt-proxy/blob/2.0.39/ChangeLog I tested the firefox local DOH service, and it works as described. https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Local-DoH I tested on amd64 and the unit tests pass. Index: Makefile =================================================================== RCS file: /cvs/ports/net/dnscrypt-proxy/Makefile,v retrieving revision 1.50 diff -u -p -r1.50 Makefile --- Makefile 22 Dec 2019 14:12:47 -0000 1.50 +++ Makefile 31 Jan 2020 23:11:41 -0000 @@ -4,7 +4,7 @@ COMMENT = flexible DNS proxy with suppor GH_ACCOUNT = jedisct1 GH_PROJECT = dnscrypt-proxy -GH_TAGNAME = 2.0.36 +GH_TAGNAME = 2.0.39 CATEGORIES = net Index: distinfo =================================================================== RCS file: /cvs/ports/net/dnscrypt-proxy/distinfo,v retrieving revision 1.26 diff -u -p -r1.26 distinfo --- distinfo 22 Dec 2019 14:12:47 -0000 1.26 +++ distinfo 31 Jan 2020 23:11:41 -0000 @@ -1,2 +1,2 @@ -SHA256 (dnscrypt-proxy-2.0.36.tar.gz) = 3ckiW4a/NZXO7a7WRwdk5hlCQc4mz+qG+f389r06dXU= -SIZE (dnscrypt-proxy-2.0.36.tar.gz) = 2814470 +SHA256 (dnscrypt-proxy-2.0.39.tar.gz) = yUPHTAiUu1EzZSnnM8o4Ed/9uRSlm5cHxjoyfyyP+DU= +SIZE (dnscrypt-proxy-2.0.39.tar.gz) = 2814424 Index: patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml =================================================================== RCS file: /cvs/ports/net/dnscrypt-proxy/patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml,v retrieving revision 1.11 diff -u -p -r1.11 patch-dnscrypt-proxy_example-dnscrypt-proxy_toml --- patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml 22 Dec 2019 14:12:47 -0000 1.11 +++ patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml 31 Jan 2020 23:11:41 -0000 
@@ -12,7 +12,7 @@ Index: dnscrypt-proxy/example-dnscrypt-p ## Require servers (from static + remote sources) to satisfy specific properties -@@ -584,7 +584,7 @@ cache_neg_max_ttl = 600 +@@ -586,7 +586,7 @@ cache_neg_max_ttl = 600 [sources.'public-resolvers'] urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'] @@ -21,7 +21,7 @@ Index: dnscrypt-proxy/example-dnscrypt-p minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' prefix = '' -@@ -592,7 +592,7 @@ cache_neg_max_ttl = 600 +@@ -594,7 +594,7 @@ cache_neg_max_ttl = 600 [sources.'relays'] urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md', 'https://download.dnscrypt.info/resolvers-list/v2/relays.md']
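Review bot: the Makefile hunk bumps GH_TAGNAME straight from 2.0.36 to 2.0.39 and changes nothing else; since the upstream fix depends on the golang.org/x/crypto revision pinned in {WRKSRC}/go.mod as well as on the Go 1.13.7 compiler, it is worth confirming before commit (and stating in the commit message) that the 2.0.39 go.mod is at or after commit 69ecbb4d6d5dab05e49161c6e77ea40a030884e1 from the earlier mail and that the port is built with the Go 1.13.7 now in ports, otherwise a 32-bit build would carry the new version string without the fix.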
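Review bot: the distinfo hunk updates both the SHA256 and SIZE lines for dnscrypt-proxy-2.0.39.tar.gz, as a regenerated checksum should; confirm the sum came from a fresh fetch of the GitHub tag named by GH_TAGNAME rather than being carried over from the earlier 2.0.38 diff, because the 2.0.39 SIZE (2814424) differs from the 2.0.36 archive by only 46 bytes and a stale fetch would not be obvious from the size alone.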
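Review bot: both hunks in patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml only renumber the inner @@ headers (584 to 586 and 592 to 594) to follow a two-line shift in upstream's example-dnscrypt-proxy.toml, while the patched [sources.'public-resolvers'] and [sources.'relays'] content is unchanged, so this reads as make update-patches output. Two things to verify: that the refreshed patch applies without fuzz against 2.0.39, and whether the two new upstream lines introduce a setting the local patch should also cover, since an offset-only refresh would not surface that.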