Gentoo Archives: gentoo-commits

From: Sam James <sam@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-dns/bind-tools/files/, net-dns/bind-tools/
Date: Fri, 03 Jun 2022 07:33:10
Message-Id: 1654241580.5a92bef099e1ceccd8750bde2c16d985bdf3fafa.sam@gentoo
1 commit: 5a92bef099e1ceccd8750bde2c16d985bdf3fafa
2 Author: Sam James <sam <AT> gentoo <DOT> org>
3 AuthorDate: Fri Jun 3 07:32:50 2022 +0000
4 Commit: Sam James <sam <AT> gentoo <DOT> org>
5 CommitDate: Fri Jun 3 07:33:00 2022 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a92bef0
7
8 net-dns/bind-tools: backport FORTIFY_SOURCE=3 named-checkconf crash fix
9
10 Closes: https://bugs.gentoo.org/847295
11 Signed-off-by: Sam James <sam <AT> gentoo.org>
12
13 net-dns/bind-tools/bind-tools-9.16.29-r1.ebuild | 156 +++++++++++++++++++++
14 .../bind-tools-9.16.29-fortify-source-3.patch | 35 +++++
15 2 files changed, 191 insertions(+)
16
17 diff --git a/net-dns/bind-tools/bind-tools-9.16.29-r1.ebuild b/net-dns/bind-tools/bind-tools-9.16.29-r1.ebuild
18 new file mode 100644
19 index 000000000000..6ab46c310694
20 --- /dev/null
21 +++ b/net-dns/bind-tools/bind-tools-9.16.29-r1.ebuild
22 @@ -0,0 +1,156 @@
23 +# Copyright 1999-2022 Gentoo Authors
24 +# Distributed under the terms of the GNU General Public License v2
25 +
26 +EAPI=7
27 +
28 +inherit autotools flag-o-matic toolchain-funcs
29 +
30 +MY_PN=${PN//-tools}
31 +MY_PV=${PV/_p/-P}
32 +MY_PV=${MY_PV/_rc/rc}
33 +MY_P="${MY_PN}-${MY_PV}"
34 +
35 +DESCRIPTION="bind tools: dig, nslookup, host, nsupdate, dnssec-keygen"
36 +HOMEPAGE="https://www.isc.org/software/bind"
37 +SRC_URI="https://downloads.isc.org/isc/bind9/${PV}/${MY_P}.tar.xz"
38 +
39 +LICENSE="Apache-2.0 BSD BSD-2 GPL-2 HPND ISC MPL-2.0"
40 +SLOT="0"
41 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
42 +IUSE="+caps doc gssapi idn ipv6 libedit readline xml"
43 +# no PKCS11 currently as it requires OpenSSL to be patched, also see bug 409687
44 +
45 +COMMON_DEPEND="
46 + dev-libs/libuv:=
47 + caps? ( sys-libs/libcap )
48 + dev-libs/openssl:=
49 + xml? ( dev-libs/libxml2 )
50 + idn? ( net-dns/libidn2:= )
51 + gssapi? ( virtual/krb5 )
52 + libedit? ( dev-libs/libedit )
53 + !libedit? (
54 + readline? ( sys-libs/readline:= )
55 + )
56 +"
57 +DEPEND="${COMMON_DEPEND}"
58 +RDEPEND="${COMMON_DEPEND}"
59 +
60 +# sphinx required for man-page and html creation
61 +BDEPEND="
62 + doc? ( dev-python/sphinx )
63 + virtual/pkgconfig
64 +"
65 +
66 +S="${WORKDIR}/${MY_P}"
67 +
68 +# bug 479092, requires networking
69 +RESTRICT="test"
70 +
71 +PATCHES=(
72 + "${FILESDIR}"/${P}-fortify-source-3.patch
73 +)
74 +
75 +src_prepare() {
76 + default
77 +
78 + export LDFLAGS="${LDFLAGS} -L${EPREFIX}/usr/$(get_libdir)"
79 +
80 + # Disable tests for now, bug 406399
81 + sed -i '/^SUBDIRS/s:tests::' bin/Makefile.in lib/Makefile.in || die
82 +
83 + # Do not disable thread local storage on Solaris, it works with our
84 + # toolchain, and it breaks further configure checks
85 + sed -i -e '/LDFLAGS=/s/-zrelax=transtls//' configure.ac configure || die
86 +
87 + # bug #220361
88 + rm aclocal.m4 || die
89 + rm -rf libtool.m4/ || die
90 +
91 + eautoreconf
92 +}
93 +
94 +src_configure() {
95 + local myeconfargs=(
96 + --localstatedir="${EPREFIX}"/var
97 + --without-python
98 + --without-libjson
99 + --without-zlib
100 + --without-lmdb
101 + --without-maxminddb
102 + --disable-geoip
103 + --with-openssl="${ESYSROOT}"/usr
104 + $(use_with idn libidn2 "${ESYSROOT}"/usr)
105 + $(use_with xml libxml2)
106 + $(use_with gssapi)
107 + $(use_with readline)
108 + $(use_enable caps linux-caps)
109 + AR="$(type -P $(tc-getAR))"
110 + )
111 +
112 + # bug 607400
113 + if use libedit ; then
114 + myeconfargs+=( --with-readline=-ledit )
115 + elif use readline ; then
116 + myeconfargs+=( --with-readline=-lreadline )
117 + else
118 + myeconfargs+=( --without-readline )
119 + fi
120 +
121 + # bug 344029
122 + append-cflags "-DDIG_SIGCHASE"
123 +
124 + # to expose CMSG_* macros from sys/sockets.h
125 + [[ ${CHOST} == *-solaris* ]] && append-cflags "-D_XOPEN_SOURCE=600"
126 +
127 + # localstatedir for nsupdate -l, bug 395785
128 + tc-export BUILD_CC
129 + econf "${myeconfargs[@]}"
130 +
131 + # bug #151839
132 + echo '#undef SO_BSDCOMPAT' >> config.h
133 +}
134 +
135 +src_compile() {
136 + local AR=$(tc-getAR)
137 +
138 + emake AR="${AR}" -C lib/
139 + emake AR="${AR}" -C bin/delv/
140 + emake AR="${AR}" -C bin/dig/
141 + emake AR="${AR}" -C bin/nsupdate/
142 + emake AR="${AR}" -C bin/dnssec/
143 + emake -C doc/man/ man $(usev doc)
144 +}
145 +
146 +src_install() {
147 + local man_dir="${S}/doc/man"
148 + local html_dir="${man_dir}/_build/html"
149 +
150 + dodoc README CHANGES
151 +
152 + cd "${S}"/bin/delv || die
153 + dobin delv
154 + doman ${man_dir}/delv.1
155 +
156 + cd "${S}"/bin/dig || die
157 + dobin dig host nslookup
158 + doman ${man_dir}/{dig,host,nslookup}.1
159 +
160 + cd "${S}"/bin/nsupdate || die
161 + dobin nsupdate
162 + doman ${man_dir}/nsupdate.1
163 + if use doc; then
164 + docinto html
165 + dodoc ${html_dir}/nsupdate.html
166 + fi
167 +
168 + cd "${S}"/bin/dnssec || die
169 + for tool in dsfromkey importkey keyfromlabel keygen \
170 + revoke settime signzone verify; do
171 + dobin dnssec-"${tool}"
172 + doman ${man_dir}/dnssec-"${tool}".8
173 + if use doc; then
174 + docinto html
175 + dodoc ${html_dir}/dnssec-"${tool}".html
176 + fi
177 + done
178 +}
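Review bot: The `PATCHES` entry is the only workaround in this ebuild that carries no comment explaining why it exists, while the sed calls, `RESTRICT="test"` and the cflags additions each cite a bug number. The commit title calls this a crash fix, but the bundled upstream patch is titled "prevent a possible buffer overflow in configuration check", so the ebuild should record that the patch is memory-safety relevant and must survive a version bump until the release tarball contains it. I would add above the array: `# Wrong snprintf() bound in lib/bind9/check.c (named-checkconf crash with FORTIFY_SOURCE=3), bug #847295; drop once included upstream`.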
179
180 diff --git a/net-dns/bind-tools/files/bind-tools-9.16.29-fortify-source-3.patch b/net-dns/bind-tools/files/bind-tools-9.16.29-fortify-source-3.patch
181 new file mode 100644
182 index 000000000000..d084d6e62ce8
183 --- /dev/null
184 +++ b/net-dns/bind-tools/files/bind-tools-9.16.29-fortify-source-3.patch
185 @@ -0,0 +1,35 @@
186 +https://gitlab.isc.org/isc-projects/bind9/-/commit/b6670787d25743ddf39dfe8e615828efc928f50d
187 +https://gitlab.isc.org/isc-projects/bind9/-/issues/3351
188 +https://bugs.gentoo.org/847295
189 +
190 +From: Evan Hunt <each@×××.org>
191 +Date: Fri, 13 May 2022 19:59:58 -0700
192 +Subject: [PATCH] prevent a possible buffer overflow in configuration check
193 +
194 +corrected code that could have allowed a buffer overfow while
195 +parsing named.conf.
196 +
197 +(cherry picked from commit 921043b54161c7a3e6dc4036b038ca4dbc5fe472)
198 +--- a/lib/bind9/check.c
199 ++++ b/lib/bind9/check.c
200 +@@ -2500,8 +2500,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
201 + } else if (dns_name_isula(zname)) {
202 + ula = true;
203 + }
204 +- tmp += strlen(tmp);
205 + len -= strlen(tmp);
206 ++ tmp += strlen(tmp);
207 + (void)snprintf(tmp, len, "%u/%s", zclass,
208 + (ztype == CFG_ZONE_INVIEW) ? target
209 + : (viewname != NULL) ? viewname
210 +@@ -3247,8 +3247,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
211 + char *tmp = keydirbuf;
212 + size_t len = sizeof(keydirbuf);
213 + dns_name_format(zname, keydirbuf, sizeof(keydirbuf));
214 +- tmp += strlen(tmp);
215 + len -= strlen(tmp);
216 ++ tmp += strlen(tmp);
217 + (void)snprintf(tmp, len, "/%s", (dir == NULL) ? "(null)" : dir);
218 + tresult = keydirexist(zconfig, (const char *)keydirbuf,
219 + kaspname, keydirs, logctx, mctx);
220 +GitLab
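Review bot: Both corrected sites in check_zoneconf() still call `strlen(tmp)` twice and are only correct because of statement order, which is the same fragility that caused the bug: with the old order `tmp` already pointed at the terminator, so `len` was reduced by 0 and snprintf() got the full buffer size as its bound. Taking the length once, `size_t used = strlen(tmp); tmp += used; len -= used;`, makes the bound independent of ordering. The snprintf() result is also discarded with `(void)`, so truncation goes unnoticed; at the second site the possibly truncated `keydirbuf` is passed straight to keydirexist(), and comparing the return value against `len` would make that case visible. This is a verbatim upstream backport and the function body lies outside both hunks (the first site's buffer declaration is not visible here), so any such change belongs upstream rather than in this file.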