1 |
commit: 5a92bef099e1ceccd8750bde2c16d985bdf3fafa |
2 |
Author: Sam James <sam <AT> gentoo <DOT> org> |
3 |
AuthorDate: Fri Jun 3 07:32:50 2022 +0000 |
4 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
5 |
CommitDate: Fri Jun 3 07:33:00 2022 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a92bef0 |
7 |
|
8 |
net-dns/bind-tools: backport FORTIFY_SOURCE=3 named-checkconf crash fix |
9 |
|
10 |
Closes: https://bugs.gentoo.org/847295 |
11 |
Signed-off-by: Sam James <sam <AT> gentoo.org> |
12 |
|
13 |
net-dns/bind-tools/bind-tools-9.16.29-r1.ebuild | 156 +++++++++++++++++++++ |
14 |
.../bind-tools-9.16.29-fortify-source-3.patch | 35 +++++ |
15 |
2 files changed, 191 insertions(+) |
16 |
|
17 |
diff --git a/net-dns/bind-tools/bind-tools-9.16.29-r1.ebuild b/net-dns/bind-tools/bind-tools-9.16.29-r1.ebuild |
18 |
new file mode 100644 |
19 |
index 000000000000..6ab46c310694 |
20 |
--- /dev/null |
21 |
+++ b/net-dns/bind-tools/bind-tools-9.16.29-r1.ebuild |
22 |
@@ -0,0 +1,156 @@ |
23 |
+# Copyright 1999-2022 Gentoo Authors |
24 |
+# Distributed under the terms of the GNU General Public License v2 |
25 |
+ |
26 |
+EAPI=7 |
27 |
+ |
28 |
+inherit autotools flag-o-matic toolchain-funcs |
29 |
+ |
30 |
+MY_PN=${PN//-tools} |
31 |
+MY_PV=${PV/_p/-P} |
32 |
+MY_PV=${MY_PV/_rc/rc} |
33 |
+MY_P="${MY_PN}-${MY_PV}" |
34 |
+ |
35 |
+DESCRIPTION="bind tools: dig, nslookup, host, nsupdate, dnssec-keygen" |
36 |
+HOMEPAGE="https://www.isc.org/software/bind" |
37 |
+SRC_URI="https://downloads.isc.org/isc/bind9/${PV}/${MY_P}.tar.xz" |
38 |
+ |
39 |
+LICENSE="Apache-2.0 BSD BSD-2 GPL-2 HPND ISC MPL-2.0" |
40 |
+SLOT="0" |
41 |
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" |
42 |
+IUSE="+caps doc gssapi idn ipv6 libedit readline xml" |
43 |
+# no PKCS11 currently as it requires OpenSSL to be patched, also see bug 409687 |
44 |
+ |
45 |
+COMMON_DEPEND=" |
46 |
+ dev-libs/libuv:= |
47 |
+ caps? ( sys-libs/libcap ) |
48 |
+ dev-libs/openssl:= |
49 |
+ xml? ( dev-libs/libxml2 ) |
50 |
+ idn? ( net-dns/libidn2:= ) |
51 |
+ gssapi? ( virtual/krb5 ) |
52 |
+ libedit? ( dev-libs/libedit ) |
53 |
+ !libedit? ( |
54 |
+ readline? ( sys-libs/readline:= ) |
55 |
+ ) |
56 |
+" |
57 |
+DEPEND="${COMMON_DEPEND}" |
58 |
+RDEPEND="${COMMON_DEPEND}" |
59 |
+ |
60 |
+# sphinx required for man-page and html creation |
61 |
+BDEPEND=" |
62 |
+ doc? ( dev-python/sphinx ) |
63 |
+ virtual/pkgconfig |
64 |
+" |
65 |
+ |
66 |
+S="${WORKDIR}/${MY_P}" |
67 |
+ |
68 |
+# bug 479092, requires networking |
69 |
+RESTRICT="test" |
70 |
+ |
71 |
+PATCHES=( |
72 |
+ "${FILESDIR}"/${P}-fortify-source-3.patch |
73 |
+) |
74 |
+ |
75 |
+src_prepare() { |
76 |
+ default |
77 |
+ |
78 |
+ export LDFLAGS="${LDFLAGS} -L${EPREFIX}/usr/$(get_libdir)" |
79 |
+ |
80 |
+ # Disable tests for now, bug 406399 |
81 |
+ sed -i '/^SUBDIRS/s:tests::' bin/Makefile.in lib/Makefile.in || die |
82 |
+ |
83 |
+ # Do not disable thread local storage on Solaris, it works with our |
84 |
+ # toolchain, and it breaks further configure checks |
85 |
+ sed -i -e '/LDFLAGS=/s/-zrelax=transtls//' configure.ac configure || die |
86 |
+ |
87 |
+ # bug #220361 |
88 |
+ rm aclocal.m4 || die |
89 |
+ rm -rf libtool.m4/ || die |
90 |
+ |
91 |
+ eautoreconf |
92 |
+} |
93 |
+ |
94 |
+src_configure() { |
95 |
+ local myeconfargs=( |
96 |
+ --localstatedir="${EPREFIX}"/var |
97 |
+ --without-python |
98 |
+ --without-libjson |
99 |
+ --without-zlib |
100 |
+ --without-lmdb |
101 |
+ --without-maxminddb |
102 |
+ --disable-geoip |
103 |
+ --with-openssl="${ESYSROOT}"/usr |
104 |
+ $(use_with idn libidn2 "${ESYSROOT}"/usr) |
105 |
+ $(use_with xml libxml2) |
106 |
+ $(use_with gssapi) |
107 |
+ $(use_with readline) |
108 |
+ $(use_enable caps linux-caps) |
109 |
+ AR="$(type -P $(tc-getAR))" |
110 |
+ ) |
111 |
+ |
112 |
+ # bug 607400 |
113 |
+ if use libedit ; then |
114 |
+ myeconfargs+=( --with-readline=-ledit ) |
115 |
+ elif use readline ; then |
116 |
+ myeconfargs+=( --with-readline=-lreadline ) |
117 |
+ else |
118 |
+ myeconfargs+=( --without-readline ) |
119 |
+ fi |
120 |
+ |
121 |
+ # bug 344029 |
122 |
+ append-cflags "-DDIG_SIGCHASE" |
123 |
+ |
124 |
+ # to expose CMSG_* macros from sys/sockets.h |
125 |
+ [[ ${CHOST} == *-solaris* ]] && append-cflags "-D_XOPEN_SOURCE=600" |
126 |
+ |
127 |
+ # localstatedir for nsupdate -l, bug 395785 |
128 |
+ tc-export BUILD_CC |
129 |
+ econf "${myeconfargs[@]}" |
130 |
+ |
131 |
+ # bug #151839 |
132 |
+ echo '#undef SO_BSDCOMPAT' >> config.h |
133 |
+} |
134 |
+ |
135 |
+src_compile() { |
136 |
+ local AR=$(tc-getAR) |
137 |
+ |
138 |
+ emake AR="${AR}" -C lib/ |
139 |
+ emake AR="${AR}" -C bin/delv/ |
140 |
+ emake AR="${AR}" -C bin/dig/ |
141 |
+ emake AR="${AR}" -C bin/nsupdate/ |
142 |
+ emake AR="${AR}" -C bin/dnssec/ |
143 |
+ emake -C doc/man/ man $(usev doc) |
144 |
+} |
145 |
+ |
146 |
+src_install() { |
147 |
+ local man_dir="${S}/doc/man" |
148 |
+ local html_dir="${man_dir}/_build/html" |
149 |
+ |
150 |
+ dodoc README CHANGES |
151 |
+ |
152 |
+ cd "${S}"/bin/delv || die |
153 |
+ dobin delv |
154 |
+ doman ${man_dir}/delv.1 |
155 |
+ |
156 |
+ cd "${S}"/bin/dig || die |
157 |
+ dobin dig host nslookup |
158 |
+ doman ${man_dir}/{dig,host,nslookup}.1 |
159 |
+ |
160 |
+ cd "${S}"/bin/nsupdate || die |
161 |
+ dobin nsupdate |
162 |
+ doman ${man_dir}/nsupdate.1 |
163 |
+ if use doc; then |
164 |
+ docinto html |
165 |
+ dodoc ${html_dir}/nsupdate.html |
166 |
+ fi |
167 |
+ |
168 |
+ cd "${S}"/bin/dnssec || die |
169 |
+ for tool in dsfromkey importkey keyfromlabel keygen \ |
170 |
+ revoke settime signzone verify; do |
171 |
+ dobin dnssec-"${tool}" |
172 |
+ doman ${man_dir}/dnssec-"${tool}".8 |
173 |
+ if use doc; then |
174 |
+ docinto html |
175 |
+ dodoc ${html_dir}/dnssec-"${tool}".html |
176 |
+ fi |
177 |
+ done |
178 |
+} |
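Review bot: The `PATCHES` entry has no comment saying why bind-tools carries this fix. The commit title calls it a named-checkconf crash fix, yet `src_install` installs only delv, dig, host, nslookup, nsupdate and the dnssec-* tools; the patched `lib/bind9/check.c` is built through `emake AR="${AR}" -C lib/`, and which installed binary reaches it is not visible here. A line such as `# bug #847295, FORTIFY_SOURCE=3 crash in lib/bind9/check.c` above the array would record that, in the same style as the other bug comments in the file. Separately, in `src_install` the loop variable `tool` is not declared `local`, and `${man_dir}` / `${html_dir}` are expanded unquoted in the `doman` and `dodoc` calls although both derive from `${S}`. In `src_configure`, `echo '#undef SO_BSDCOMPAT' >> config.h` has no `|| die`, so a failed append would pass silently.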
179 |
|
180 |
diff --git a/net-dns/bind-tools/files/bind-tools-9.16.29-fortify-source-3.patch b/net-dns/bind-tools/files/bind-tools-9.16.29-fortify-source-3.patch |
181 |
new file mode 100644 |
182 |
index 000000000000..d084d6e62ce8 |
183 |
--- /dev/null |
184 |
+++ b/net-dns/bind-tools/files/bind-tools-9.16.29-fortify-source-3.patch |
185 |
@@ -0,0 +1,35 @@ |
186 |
+https://gitlab.isc.org/isc-projects/bind9/-/commit/b6670787d25743ddf39dfe8e615828efc928f50d |
187 |
+https://gitlab.isc.org/isc-projects/bind9/-/issues/3351 |
188 |
+https://bugs.gentoo.org/847295 |
189 |
+ |
190 |
+From: Evan Hunt <each@×××.org> |
191 |
+Date: Fri, 13 May 2022 19:59:58 -0700 |
192 |
+Subject: [PATCH] prevent a possible buffer overflow in configuration check |
193 |
+ |
194 |
+corrected code that could have allowed a buffer overfow while |
195 |
+parsing named.conf. |
196 |
+ |
197 |
+(cherry picked from commit 921043b54161c7a3e6dc4036b038ca4dbc5fe472) |
198 |
+--- a/lib/bind9/check.c |
199 |
++++ b/lib/bind9/check.c |
200 |
+@@ -2500,8 +2500,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, |
201 |
+ } else if (dns_name_isula(zname)) { |
202 |
+ ula = true; |
203 |
+ } |
204 |
+- tmp += strlen(tmp); |
205 |
+ len -= strlen(tmp); |
206 |
++ tmp += strlen(tmp); |
207 |
+ (void)snprintf(tmp, len, "%u/%s", zclass, |
208 |
+ (ztype == CFG_ZONE_INVIEW) ? target |
209 |
+ : (viewname != NULL) ? viewname |
210 |
+@@ -3247,8 +3247,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, |
211 |
+ char *tmp = keydirbuf; |
212 |
+ size_t len = sizeof(keydirbuf); |
213 |
+ dns_name_format(zname, keydirbuf, sizeof(keydirbuf)); |
214 |
+- tmp += strlen(tmp); |
215 |
+ len -= strlen(tmp); |
216 |
++ tmp += strlen(tmp); |
217 |
+ (void)snprintf(tmp, len, "/%s", (dir == NULL) ? "(null)" : dir); |
218 |
+ tresult = keydirexist(zconfig, (const char *)keydirbuf, |
219 |
+ kaspname, keydirs, logctx, mctx); |
220 |
+GitLab |
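Review bot: Both corrected sites in check_zoneconf still call `strlen(tmp)` twice and depend on statement order to be correct, which is the fragility that caused the bug. In the second site `len` starts as `sizeof(keydirbuf)`, and under the old order `tmp` had already been advanced to the terminator, so `strlen(tmp)` was 0 and snprintf received the full buffer size as its bound for a pointer partway into the buffer. Computing the length once, `size_t used = strlen(tmp); tmp += used; len -= used;`, removes the ordering dependency; since this file is a backport, that is a suggestion for upstream rather than a reason to diverge here. Both snprintf results are cast to `(void)`, so a truncated key or key-directory string would go unnoticed; whether that matters depends on how the buffers are used later, which the hunks do not show. check_zoneconf starts and ends outside both hunks.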