[gentoo-commits] repo/gentoo:master commit in: net-dns/bind-tools/files/, net-dns/bind-tools/

Fri, 03 Jun 2022 00:33:13 -0700 

commit:     5a92bef099e1ceccd8750bde2c16d985bdf3fafa
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Fri Jun  3 07:32:50 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Jun  3 07:33:00 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a92bef0

net-dns/bind-tools: backport FORTIFY_SOURCE=3 named-checkconf crash fix

Closes: https://bugs.gentoo.org/847295
Signed-off-by: Sam James <sam <AT> gentoo.org>

 net-dns/bind-tools/bind-tools-9.16.29-r1.ebuild    | 156 +++++++++++++++++++++
 .../bind-tools-9.16.29-fortify-source-3.patch      |  35 +++++
 2 files changed, 191 insertions(+)

diff --git a/net-dns/bind-tools/bind-tools-9.16.29-r1.ebuild 
b/net-dns/bind-tools/bind-tools-9.16.29-r1.ebuild
new file mode 100644
index 000000000000..6ab46c310694
--- /dev/null
+++ b/net-dns/bind-tools/bind-tools-9.16.29-r1.ebuild
@@ -0,0 +1,156 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit autotools flag-o-matic toolchain-funcs
+
+MY_PN=${PN//-tools}
+MY_PV=${PV/_p/-P}
+MY_PV=${MY_PV/_rc/rc}
+MY_P="${MY_PN}-${MY_PV}"
+
+DESCRIPTION="bind tools: dig, nslookup, host, nsupdate, dnssec-keygen"
+HOMEPAGE="https://www.isc.org/software/bind";
+SRC_URI="https://downloads.isc.org/isc/bind9/${PV}/${MY_P}.tar.xz";
+
+LICENSE="Apache-2.0 BSD BSD-2 GPL-2 HPND ISC MPL-2.0"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv 
~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris 
~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="+caps doc gssapi idn ipv6 libedit readline xml"
+# no PKCS11 currently as it requires OpenSSL to be patched, also see bug 409687
+
+COMMON_DEPEND="
+       dev-libs/libuv:=
+       caps? ( sys-libs/libcap )
+       dev-libs/openssl:=
+       xml? ( dev-libs/libxml2 )
+       idn? ( net-dns/libidn2:= )
+       gssapi? ( virtual/krb5 )
+       libedit? ( dev-libs/libedit )
+       !libedit? (
+               readline? ( sys-libs/readline:= )
+       )
+"
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+
+# sphinx required for man-page and html creation
+BDEPEND="
+       doc? ( dev-python/sphinx )
+       virtual/pkgconfig
+"
+
+S="${WORKDIR}/${MY_P}"
+
+# bug 479092, requires networking
+RESTRICT="test"
+
+PATCHES=(
+       "${FILESDIR}"/${P}-fortify-source-3.patch
+)
+
+src_prepare() {
+       default
+
+       export LDFLAGS="${LDFLAGS} -L${EPREFIX}/usr/$(get_libdir)"
+
+       # Disable tests for now, bug 406399
+       sed -i '/^SUBDIRS/s:tests::' bin/Makefile.in lib/Makefile.in || die
+
+       # Do not disable thread local storage on Solaris, it works with our
+       # toolchain, and it breaks further configure checks
+       sed -i -e '/LDFLAGS=/s/-zrelax=transtls//' configure.ac configure || die
+
+       # bug #220361
+       rm aclocal.m4 || die
+       rm -rf libtool.m4/ || die
+
+       eautoreconf
+}
+
+src_configure() {
+       local myeconfargs=(
+               --localstatedir="${EPREFIX}"/var
+               --without-python
+               --without-libjson
+               --without-zlib
+               --without-lmdb
+               --without-maxminddb
+               --disable-geoip
+               --with-openssl="${ESYSROOT}"/usr
+               $(use_with idn libidn2 "${ESYSROOT}"/usr)
+               $(use_with xml libxml2)
+               $(use_with gssapi)
+               $(use_with readline)
+               $(use_enable caps linux-caps)
+               AR="$(type -P $(tc-getAR))"
+       )
+
+       # bug 607400
+       if use libedit ; then
+               myeconfargs+=( --with-readline=-ledit )
+       elif use readline ; then
+               myeconfargs+=( --with-readline=-lreadline )
+       else
+               myeconfargs+=( --without-readline )
+       fi
+
+       # bug 344029
+       append-cflags "-DDIG_SIGCHASE"
+
+       # to expose CMSG_* macros from sys/sockets.h
+       [[ ${CHOST} == *-solaris* ]] && append-cflags "-D_XOPEN_SOURCE=600"
+
+       # localstatedir for nsupdate -l, bug 395785
+       tc-export BUILD_CC
+       econf "${myeconfargs[@]}"
+
+       # bug #151839
+       echo '#undef SO_BSDCOMPAT' >> config.h
+}
+
+src_compile() {
+       local AR=$(tc-getAR)
+
+       emake AR="${AR}" -C lib/
+       emake AR="${AR}" -C bin/delv/
+       emake AR="${AR}" -C bin/dig/
+       emake AR="${AR}" -C bin/nsupdate/
+       emake AR="${AR}" -C bin/dnssec/
+       emake -C doc/man/ man $(usev doc)
+}
+
+src_install() {
+       local man_dir="${S}/doc/man"
+       local html_dir="${man_dir}/_build/html"
+
+       dodoc README CHANGES
+
+       cd "${S}"/bin/delv || die
+       dobin delv
+       doman ${man_dir}/delv.1
+
+       cd "${S}"/bin/dig || die
+       dobin dig host nslookup
+       doman ${man_dir}/{dig,host,nslookup}.1
+
+       cd "${S}"/bin/nsupdate || die
+       dobin nsupdate
+       doman ${man_dir}/nsupdate.1
+       if use doc; then
+               docinto html
+               dodoc ${html_dir}/nsupdate.html
+       fi
+
+       cd "${S}"/bin/dnssec || die
+       for tool in dsfromkey importkey keyfromlabel keygen \
+               revoke settime signzone verify; do
+               dobin dnssec-"${tool}"
+               doman ${man_dir}/dnssec-"${tool}".8
+               if use doc; then
+                       docinto html
+                       dodoc ${html_dir}/dnssec-"${tool}".html
+               fi
+       done
+}

diff --git a/net-dns/bind-tools/files/bind-tools-9.16.29-fortify-source-3.patch 
b/net-dns/bind-tools/files/bind-tools-9.16.29-fortify-source-3.patch
new file mode 100644
index 000000000000..d084d6e62ce8
--- /dev/null
+++ b/net-dns/bind-tools/files/bind-tools-9.16.29-fortify-source-3.patch
@@ -0,0 +1,35 @@
+https://gitlab.isc.org/isc-projects/bind9/-/commit/b6670787d25743ddf39dfe8e615828efc928f50d
+https://gitlab.isc.org/isc-projects/bind9/-/issues/3351
+https://bugs.gentoo.org/847295
+
+From: Evan Hunt <e...@isc.org>
+Date: Fri, 13 May 2022 19:59:58 -0700
+Subject: [PATCH] prevent a possible buffer overflow in configuration check
+
+corrected code that could have allowed a buffer overfow while
+parsing named.conf.
+
+(cherry picked from commit 921043b54161c7a3e6dc4036b038ca4dbc5fe472)
+--- a/lib/bind9/check.c
++++ b/lib/bind9/check.c
+@@ -2500,8 +2500,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t 
*voptions,
+               } else if (dns_name_isula(zname)) {
+                       ula = true;
+               }
+-              tmp += strlen(tmp);
+               len -= strlen(tmp);
++              tmp += strlen(tmp);
+               (void)snprintf(tmp, len, "%u/%s", zclass,
+                              (ztype == CFG_ZONE_INVIEW) ? target
+                              : (viewname != NULL)       ? viewname
+@@ -3247,8 +3247,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t 
*voptions,
+               char *tmp = keydirbuf;
+               size_t len = sizeof(keydirbuf);
+               dns_name_format(zname, keydirbuf, sizeof(keydirbuf));
+-              tmp += strlen(tmp);
+               len -= strlen(tmp);
++              tmp += strlen(tmp);
+               (void)snprintf(tmp, len, "/%s", (dir == NULL) ? "(null)" : dir);
+               tresult = keydirexist(zconfig, (const char *)keydirbuf,
+                                     kaspname, keydirs, logctx, mctx);
+GitLab

Reply via email to