
From: Thomas Deutschmann <whissi@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-dns/djbdns/files/, net-dns/djbdns/
Date: Sat, 03 Dec 2016 20:56:41
Message-Id: 1480798582.f19fd949c1e9d06252fdb59c0f1fb0142cb7d9c8.whissi@gentoo
1 commit: f19fd949c1e9d06252fdb59c0f1fb0142cb7d9c8
2 Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3 AuthorDate: Fri Dec 2 18:53:41 2016 +0000
4 Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5 CommitDate: Sat Dec 3 20:56:22 2016 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f19fd949
7
8 net-dns/djbdns: Sec rev bump to v1.05-r32 (bug #404959)
9
10 CVE-2012-1191
11
12 Closes: https://github.com/gentoo/gentoo/pull/2988
13
14 Package-Manager: portage-2.3.2
15
16 net-dns/djbdns/djbdns-1.05-r32.ebuild | 155 +++++++++++++++++++++
17 .../CVE2012-1191_0001-ghost-domain-attack.patch | 22 +++
18 2 files changed, 177 insertions(+)
19
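--- /dev/null
+++ b/net-dns/djbdns/djbdns-1.05-r32.ebuild
@@ -0,0 +1,155 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+inherit flag-o-matic readme.gentoo-r1 toolchain-funcs user
+
+DESCRIPTION="Collection of DNS client/server software"
+HOMEPAGE="http://cr.yp.to/djbdns.html"
+IPV6_PATCH="test27"
+
+SRC_URI="http://cr.yp.to/djbdns/${P}.tar.gz
+ http://smarden.org/pape/djb/manpages/${P}-man.tar.gz
+ ipv6? ( http://www.fefe.de/dns/${P}-${IPV6_PATCH}.diff.bz2 )"
+
+SLOT="0"
+LICENSE="public-domain"
+KEYWORDS="~alpha ~amd64 ~hppa ~mips ~ppc ~ppc64 ~sparc ~x86"
+IUSE="ipv6 selinux"
+
+DEPEND=""
+RDEPEND="sys-apps/ucspi-tcp
+ virtual/daemontools
+ selinux? ( sec-policy/selinux-djbdns )"
+
+src_unpack(){
+ # Unpack both djbdns and its man pages to separate directories.
+ default
+
+ # Now move the man pages under ${S} so that user patches can be
+ # applied to them as well in src_prepare().
+ mv "${PN}-man" "${P}/man" || die "failed to transplant man pages"
+}
+
+src_prepare() {
+ eapply \
+ "${FILESDIR}/headtail-r1.patch" \
+ "${FILESDIR}/dnsroots.patch" \
+ "${FILESDIR}/dnstracesort.patch" \
+ "${FILESDIR}/string_length_255.patch" \
+ "${FILESDIR}/srv_record_support.patch" \
+ "${FILESDIR}/increase-cname-recustion-depth.patch"
+
+ # Fix CVE2009-0858
+ eapply "${FILESDIR}/CVE2009-0858_0001-check-response-domain-name-length.patch"
+
+ # Fix CVE2012-1191
+ eapply "${FILESDIR}/CVE2012-1191_0001-ghost-domain-attack.patch"
+
+ if use ipv6; then
+ elog 'At present dnstrace does NOT support IPv6. It will'\
+ 'be compiled without IPv6 support.'
+
+ # Create a separate copy of the source tree for dnstrace.
+ cp -pR "${S}" "${S}-noipv6" || die
+
+ # The big ipv6 patch.
+ eapply "${WORKDIR}/${P}-${IPV6_PATCH}.diff"
+
+ # Fix CVE2008-4392 (ipv6)
+ eapply \
+ "${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test25-r1.patch" \
+ "${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records-ipv6.patch" \
+ "${FILESDIR}/makefile-parallel-test25.patch"
+
+ cd "${S}-noipv6" || die
+ fi
+
+ # Fix CVE2008-4392 (no ipv6)
+ eapply \
+ "${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-r1.patch" \
+ "${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records.patch"
+
+ # Later versions of the ipv6 patch include this, but even if
+ # USE=ipv6, we're in the ${S}-noipv6 directory at this point.
+ eapply "${FILESDIR}/${PV}-errno-r1.patch"
+
+ eapply_user
+}
+
+src_compile() {
+ echo "$(tc-getCC) ${CFLAGS}" > conf-cc || die
+ echo "$(tc-getCC) ${LDFLAGS}" > conf-ld || die
+ echo "/usr" > conf-home || die
+ emake
+
+ # If djbdns is compiled with IPv6 support, it breaks dnstrace.
+ # Therefore we must compile dnstrace separately without IPv6
+ # support.
+ if use ipv6; then
+ elog 'Compiling dnstrace without ipv6 support'
+ cp conf-cc conf-ld conf-home "${S}-noipv6/" || die
+ cd "${S}-noipv6" || die
+ emake dnstrace
+ fi
+}
+
+src_install() {
+ insinto /etc
+ doins dnsroots.global
+
+ into /usr
+ dobin *-conf dnscache tinydns walldns rbldns pickdns axfrdns \
+ *-get *-data *-edit dnsip dnsipq dnsname dnstxt dnsmx \
+ dnsfilter random-ip dnsqr dnsq dnstrace dnstracesort
+
+ if use ipv6; then
+ dobin dnsip6 dnsip6q "${S}-noipv6/dnstrace"
+ fi
+
+ dodoc CHANGES README
+
+ doman man/*.[158]
+
+ readme.gentoo_create_doc
+}
+
+pkg_preinst() {
+ # The nofiles group is no longer provided by baselayout.
+ # Share it with qmail if possible.
+ enewgroup nofiles 200
+
+ enewuser dnscache -1 -1 -1 nofiles
+ enewuser dnslog -1 -1 -1 nofiles
+ enewuser tinydns -1 -1 -1 nofiles
+}
+
+DISABLE_AUTOFORMATTING=1
+DOC_CONTENTS='
+To configure djbdns, please follow the instructions at,
+
+ http://cr.yp.to/djbdns.html
+
+Of particular interest are,
+
+ axfrdns : http://cr.yp.to/djbdns/axfrdns-conf.html
+ dnscache: http://cr.yp.to/djbdns/run-cache-x-home.html
+ tinydns : http://cr.yp.to/djbdns/run-server.html
+
+Portage has created users for axfrdns, dnscache, and tinydns; the
+commands to configure these programs are,
+
+ 1. axfrdns-conf tinydns dnslog /var/axfrdns /var/tinydns $ip
+ 2. dnscache-conf dnscache dnslog /var/dnscache $ip
+ 3. tinydns-conf tinydns dnslog /var/tinydns $ip
+
+(replace $ip with the ip address on which the server will run).
+
+If you wish to configure rbldns or walldns, you will need to create
+those users yourself (although you should still use the "dnslog"
+user for the logs):
+
+ 4. rbldns-conf $username dnslog /var/rbldns $ip $base
+ 5. walldns-conf $username dnslog /var/walldns $ip
+'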
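Review bot: The DOC_CONTENTS text tells the user that "Portage has created users for axfrdns, dnscache, and tinydns", but pkg_preinst only calls enewuser for dnscache, dnslog and tinydns, and step 1 of the same text runs axfrdns-conf as the tinydns user, so no axfrdns user exists or is needed. Suggest `Portage has created users for dnscache, dnslog, and tinydns; the` so the installed README matches what the ebuild actually creates. As a point of style, `src_unpack(){` is the only phase function written without a space before the brace; `src_unpack() {` would match the others. The hard-coded GID 200 for nofiles is presumably intentional for sharing with qmail, as the comment says, but a note that it must match the value used by the qmail ebuild would make that coupling explicit.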
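--- /dev/null
+++ b/net-dns/djbdns/files/CVE2012-1191_0001-ghost-domain-attack.patch
@@ -0,0 +1,22 @@
+Fix ghost domain attack vulnerability (CVE-2012-1191)
+
+Author: Peter Conrad <conrad@××××××.de>
+Origin: http://marc.info/?l=djbdns&m=134269902121506&w=2
+
+Gentoo-Bug: https://bugs.gentoo.org/404959
+
+--- a/query.c
++++ b/query.c
+@@ -792,6 +792,12 @@ static int doit(struct query *z,int state)
+ }
+
+ if (!dns_domain_suffix(t1,control)) { i = j; continue; }
++
++ if (!flagforwardonly && byte_equal(type,2,DNS_T_NS) && dns_domain_equal(t1,control)) {
++ char dummy[256];
++ if (!roots(dummy,control)) { i = j; continue; }
++ }
++
+ if (!roots_same(t1,control)) { i = j; continue; }
+
+ if (byte_equal(type,2,DNS_T_ANY))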
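Review bot: The new guard in doit() carries no comment, so a reader cannot tell why an NS record whose owner equals `control` is dropped unless roots() knows that zone, nor why `dummy` is 256 bytes when its contents are thrown away. As I read it, the block stops an answer from refreshing the NS set of the very zone being queried unless that zone is locally configured under roots/, which is the ghost-domain mitigation; a comment such as `/* CVE-2012-1191 (ghost domain): accept NS records for the queried zone itself only when it is a locally configured server zone */` above the `if` would preserve that intent, and a second one stating that `dummy` must be at least as large as the buffer roots() fills (presumably larger with the ipv6 patch applied, hence 256 — worth confirming against roots.c) would justify the size. Note also that the ebuild applies this patch to ${S} before copying the tree and applying the ipv6 diff, so if that diff touches this region of query.c it now applies with offset or fuzz; worth a quick check that it still applies cleanly. The body of doit() continues outside the hunk.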