From: "Sam James" <sam@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: net-dns/bind-tools/files/, net-dns/bind-tools/
Date: Fri, 3 Jun 2022 07:33:06 +0000 (UTC) [thread overview]
Message-ID: <1654241580.5a92bef099e1ceccd8750bde2c16d985bdf3fafa.sam@gentoo> (raw)
commit: 5a92bef099e1ceccd8750bde2c16d985bdf3fafa
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Fri Jun 3 07:32:50 2022 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Jun 3 07:33:00 2022 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a92bef0
net-dns/bind-tools: backport FORTIFY_SOURCE=3 named-checkconf crash fix
Closes: https://bugs.gentoo.org/847295
Signed-off-by: Sam James <sam <AT> gentoo.org>
net-dns/bind-tools/bind-tools-9.16.29-r1.ebuild | 156 +++++++++++++++++++++
.../bind-tools-9.16.29-fortify-source-3.patch | 35 +++++
2 files changed, 191 insertions(+)
diff --git a/net-dns/bind-tools/bind-tools-9.16.29-r1.ebuild b/net-dns/bind-tools/bind-tools-9.16.29-r1.ebuild
new file mode 100644
index 000000000000..6ab46c310694
--- /dev/null
+++ b/net-dns/bind-tools/bind-tools-9.16.29-r1.ebuild
@@ -0,0 +1,156 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit autotools flag-o-matic toolchain-funcs
+
+MY_PN=${PN//-tools}
+MY_PV=${PV/_p/-P}
+MY_PV=${MY_PV/_rc/rc}
+MY_P="${MY_PN}-${MY_PV}"
+
+DESCRIPTION="bind tools: dig, nslookup, host, nsupdate, dnssec-keygen"
+HOMEPAGE="https://www.isc.org/software/bind"
+SRC_URI="https://downloads.isc.org/isc/bind9/${PV}/${MY_P}.tar.xz"
+
+LICENSE="Apache-2.0 BSD BSD-2 GPL-2 HPND ISC MPL-2.0"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="+caps doc gssapi idn ipv6 libedit readline xml"
+# no PKCS11 currently as it requires OpenSSL to be patched, also see bug 409687
+
+COMMON_DEPEND="
+ dev-libs/libuv:=
+ caps? ( sys-libs/libcap )
+ dev-libs/openssl:=
+ xml? ( dev-libs/libxml2 )
+ idn? ( net-dns/libidn2:= )
+ gssapi? ( virtual/krb5 )
+ libedit? ( dev-libs/libedit )
+ !libedit? (
+ readline? ( sys-libs/readline:= )
+ )
+"
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+
+# sphinx required for man-page and html creation
+BDEPEND="
+ doc? ( dev-python/sphinx )
+ virtual/pkgconfig
+"
+
+S="${WORKDIR}/${MY_P}"
+
+# bug 479092, requires networking
+RESTRICT="test"
+
+PATCHES=(
+ "${FILESDIR}"/${P}-fortify-source-3.patch
+)
+
+src_prepare() {
+ default
+
+ export LDFLAGS="${LDFLAGS} -L${EPREFIX}/usr/$(get_libdir)"
+
+ # Disable tests for now, bug 406399
+ sed -i '/^SUBDIRS/s:tests::' bin/Makefile.in lib/Makefile.in || die
+
+ # Do not disable thread local storage on Solaris, it works with our
+ # toolchain, and it breaks further configure checks
+ sed -i -e '/LDFLAGS=/s/-zrelax=transtls//' configure.ac configure || die
+
+ # bug #220361
+ rm aclocal.m4 || die
+ rm -rf libtool.m4/ || die
+
+ eautoreconf
+}
+
+src_configure() {
+ local myeconfargs=(
+ --localstatedir="${EPREFIX}"/var
+ --without-python
+ --without-libjson
+ --without-zlib
+ --without-lmdb
+ --without-maxminddb
+ --disable-geoip
+ --with-openssl="${ESYSROOT}"/usr
+ $(use_with idn libidn2 "${ESYSROOT}"/usr)
+ $(use_with xml libxml2)
+ $(use_with gssapi)
+ $(use_with readline)
+ $(use_enable caps linux-caps)
+ AR="$(type -P $(tc-getAR))"
+ )
+
+ # bug 607400
+ if use libedit ; then
+ myeconfargs+=( --with-readline=-ledit )
+ elif use readline ; then
+ myeconfargs+=( --with-readline=-lreadline )
+ else
+ myeconfargs+=( --without-readline )
+ fi
+
+ # bug 344029
+ append-cflags "-DDIG_SIGCHASE"
+
+ # to expose CMSG_* macros from sys/sockets.h
+ [[ ${CHOST} == *-solaris* ]] && append-cflags "-D_XOPEN_SOURCE=600"
+
+ # localstatedir for nsupdate -l, bug 395785
+ tc-export BUILD_CC
+ econf "${myeconfargs[@]}"
+
+ # bug #151839
+ echo '#undef SO_BSDCOMPAT' >> config.h
+}
+
+src_compile() {
+ local AR=$(tc-getAR)
+
+ emake AR="${AR}" -C lib/
+ emake AR="${AR}" -C bin/delv/
+ emake AR="${AR}" -C bin/dig/
+ emake AR="${AR}" -C bin/nsupdate/
+ emake AR="${AR}" -C bin/dnssec/
+ emake -C doc/man/ man $(usev doc)
+}
+
+src_install() {
+ local man_dir="${S}/doc/man"
+ local html_dir="${man_dir}/_build/html"
+
+ dodoc README CHANGES
+
+ cd "${S}"/bin/delv || die
+ dobin delv
+ doman ${man_dir}/delv.1
+
+ cd "${S}"/bin/dig || die
+ dobin dig host nslookup
+ doman ${man_dir}/{dig,host,nslookup}.1
+
+ cd "${S}"/bin/nsupdate || die
+ dobin nsupdate
+ doman ${man_dir}/nsupdate.1
+ if use doc; then
+ docinto html
+ dodoc ${html_dir}/nsupdate.html
+ fi
+
+ cd "${S}"/bin/dnssec || die
+ for tool in dsfromkey importkey keyfromlabel keygen \
+ revoke settime signzone verify; do
+ dobin dnssec-"${tool}"
+ doman ${man_dir}/dnssec-"${tool}".8
+ if use doc; then
+ docinto html
+ dodoc ${html_dir}/dnssec-"${tool}".html
+ fi
+ done
+}
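Review bot: The `PATCHES` array is the only workaround in this ebuild without a bug reference, while every `sed`, `rm` and configure tweak around it cites one. A comment such as `# bug #847295: upstream backport for the check.c length bug, drop once a release includes it` above the array would tell the next version bump when the patch can go. The patch changes `lib/bind9/check.c`, which `emake -C lib/` does build, but `named-checkconf` from the commit subject is not among the binaries `src_install` installs. It is worth confirming which installed tool, if any, reaches the fixed path, and whether the server package carries the same backport. Separately, `echo '#undef SO_BSDCOMPAT' >> config.h` at the end of `src_configure` has no `|| die`, so a failed append would go unnoticed.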
diff --git a/net-dns/bind-tools/files/bind-tools-9.16.29-fortify-source-3.patch b/net-dns/bind-tools/files/bind-tools-9.16.29-fortify-source-3.patch
new file mode 100644
index 000000000000..d084d6e62ce8
--- /dev/null
+++ b/net-dns/bind-tools/files/bind-tools-9.16.29-fortify-source-3.patch
@@ -0,0 +1,35 @@
+https://gitlab.isc.org/isc-projects/bind9/-/commit/b6670787d25743ddf39dfe8e615828efc928f50d
+https://gitlab.isc.org/isc-projects/bind9/-/issues/3351
+https://bugs.gentoo.org/847295
+
+From: Evan Hunt <each@isc.org>
+Date: Fri, 13 May 2022 19:59:58 -0700
+Subject: [PATCH] prevent a possible buffer overflow in configuration check
+
+corrected code that could have allowed a buffer overfow while
+parsing named.conf.
+
+(cherry picked from commit 921043b54161c7a3e6dc4036b038ca4dbc5fe472)
+--- a/lib/bind9/check.c
++++ b/lib/bind9/check.c
+@@ -2500,8 +2500,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
+ } else if (dns_name_isula(zname)) {
+ ula = true;
+ }
+- tmp += strlen(tmp);
+ len -= strlen(tmp);
++ tmp += strlen(tmp);
+ (void)snprintf(tmp, len, "%u/%s", zclass,
+ (ztype == CFG_ZONE_INVIEW) ? target
+ : (viewname != NULL) ? viewname
+@@ -3247,8 +3247,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
+ char *tmp = keydirbuf;
+ size_t len = sizeof(keydirbuf);
+ dns_name_format(zname, keydirbuf, sizeof(keydirbuf));
+- tmp += strlen(tmp);
+ len -= strlen(tmp);
++ tmp += strlen(tmp);
+ (void)snprintf(tmp, len, "/%s", (dir == NULL) ? "(null)" : dir);
+ tresult = keydirexist(zconfig, (const char *)keydirbuf,
+ kaspname, keydirs, logctx, mctx);
+GitLab
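Review bot: Both rewritten sites still call `strlen(tmp)` twice and are correct only because of statement order, which is what the old code got wrong: once `tmp` pointed at the terminator, `strlen(tmp)` was 0 and `len` kept the full buffer size for the following `snprintf`. Taking the length once, `size_t used = strlen(tmp); len -= used; tmp += used;`, removes the ordering dependence; since this is a verbatim upstream backport, that is better proposed upstream than changed locally. The `(void)snprintf` results are discarded, so a truncated `keydirbuf` reaches `keydirexist()` silently; whether long names can then be confused with each other is not visible from these hunks. The trailing `GitLab` line looks like web-page residue in the patch file and can be dropped. `check_zoneconf` starts and ends outside both inner hunks.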