From 0cd11bc174a2e3a7d385746687ca12bbe8a72e215343453e3488037217490722 Mon Sep 17 00:00:00 2001 From: Adam Majer Date: Wed, 8 Sep 2021 14:10:21 +0000 Subject: [PATCH 1/3] - 5c995d5.patch: augment input validation on hostnames to allow _ as part of DNS response (bsc#1190225) OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/c-ares?expand=0&rev=41 --- 5c995d5.patch | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++ c-ares.changes | 6 ++++++ c-ares.spec | 1 + 3 files changed, 58 insertions(+) create mode 100644 5c995d5.patch diff --git a/5c995d5.patch b/5c995d5.patch new file mode 100644 index 0000000..32fc2bb --- /dev/null +++ b/5c995d5.patch 
@@ -0,0 +1,51 @@
+From 5c995d50b05a2c374ae021012afa6f8f4cf2957e Mon Sep 17 00:00:00 2001
+From: bradh352
+Date: Wed, 8 Sep 2021 07:38:44 -0400
+Subject: [PATCH] ares_expand_name should allow underscores (_) as SRV records
+ legitimately use them
+
+c-ares 1.17.2 introduced response validation to prevent a security issue, however
+it did not have (_) listed as a valid character for domain name responses which
+caused issues when a CNAME referenced a SRV record which contained underscores.
+
+While RFC2181 section 11 does explicitly state not to do validation, that applies
+to servers not clients.
+
+Fixes: #424
+Fix By: Brad House (@bradh352)
+---
+ src/lib/ares_expand_name.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/ares_expand_name.c b/src/lib/ares_expand_name.c
+index a62c982e..db262ab4 100644
+--- a/src/lib/ares_expand_name.c
++++ b/src/lib/ares_expand_name.c
+@@ -59,10 +59,16 @@ static int ares__isprint(int ch)
+ return 0;
+ }
+
+-/* Character set allowed by hostnames */
++/* Character set allowed by hostnames. This is to include the normal
++ * domain name character set plus underscores which are used in SRV
++ * records. While RFC 2181 section 11 does state not to do validation,
++ * that applies to servers, not clients. Vulnerabilities have been
++ * reported when this validation is not performed. Security is more
++ * important than edge-case compatibility (which is probably invalid
++ * anyhow). */
+ static int is_hostnamech(int ch)
+ {
+- /* [A-Za-z0-9-.]
++ /* [A-Za-z0-9-._]
+ * Don't use isalnum() as it is locale-specific
+ */
+ if (ch >= 'A' && ch <= 'Z')
+@@ -71,7 +77,7 @@ static int is_hostnamech(int ch)
+ return 1;
+ if (ch >= '0' && ch <= '9')
+ return 1;
+- if (ch == '-' || ch == '.')
++ if (ch == '-' || ch == '.' || ch == '_')
+ return 1;
+
+ return 0;
diff --git a/c-ares.changes b/c-ares.changes
index 2cd86bf..061c038 100644
--- a/c-ares.changes
+++ b/c-ares.changes
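Review bot: `is_hostnamech()` in the embedded ares_expand_name.c change remains a per-character allowlist, and the rewritten header comment does not say that label structure is left unchecked; a label that starts with `-`, for instance, passes every test visible here. I would add one sentence to that comment, such as `Only the character set is checked; label position and length are not, so callers must still treat expanded names as untrusted input.` The upstream diffstat lists a single changed file, so no regression test pins the underscore case; a test that expands a constructed owner name such as `_sip._tcp.example.com` would keep the allowlist from regressing. The function's closing brace lies outside the second inner hunk.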
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Sep 8 14:07:34 UTC 2021 - Adam Majer + +- 5c995d5.patch: augment input validation on hostnames to allow _ + as part of DNS response (bsc#1190225) + ------------------------------------------------------------------- Thu Aug 12 13:59:07 UTC 2021 - Adam Majer diff --git a/c-ares.spec b/c-ares.spec index 0ad16f1..9811887 100644 --- a/c-ares.spec +++ b/c-ares.spec @@ -56,6 +56,7 @@ Source6: c-ares-config.cmake.in Source7: ares_dns.h Patch0: 0001-Use-RPM-compiler-options.patch Patch1: disable-live-tests.patch +Patch2: https://github.com/c-ares/c-ares/commit/5c995d5.patch BuildRequires: cmake BuildRequires: gcc-c++ %if %{with tests} From 07383052073bbc161b7125cfa8474753ebe0ecc94c73179f83580a535d851501 Mon Sep 17 00:00:00 2001 From: Adam Majer Date: Thu, 9 Sep 2021 12:29:23 +0000 Subject: [PATCH 2/3] - new upstream website - drop multibuild - tests do not require static library anymore - spec file cleanup - drop sources that were re-added to upstream distibution (c-ares-config.cmake.in ares_dns.h libcares.pc.cmake) OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/c-ares?expand=0&rev=42 --- _multibuild | 4 -- ares_dns.h | 112 ----------------------------------------- c-ares-config.cmake.in | 21 -------- c-ares.changes | 9 ++++ c-ares.spec | 52 +++---------------- libcares.pc.cmake | 20 -------- 6 files changed, 15 insertions(+), 203 deletions(-) delete mode 100644 _multibuild delete mode 100644 ares_dns.h delete mode 100644 c-ares-config.cmake.in delete mode 100644 libcares.pc.cmake diff --git a/_multibuild b/_multibuild deleted file mode 100644 index d342409..0000000 --- a/_multibuild +++ /dev/null @@ -1,4 +0,0 @@ - - main - tests - diff --git a/ares_dns.h b/ares_dns.h deleted file mode 100644 index e3b5dae..0000000 --- a/ares_dns.h +++ /dev/null 
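Review bot: The `Patch2:` line added to c-ares.spec in PATCH 1/3 references the upstream commit by an abbreviated id, which pins less than it could; the full id is already present in the header of the 5c995d5.patch file added by the same commit. I would write `Patch2: https://github.com/c-ares/c-ares/commit/5c995d50b05a2c374ae021012afa6f8f4cf2957e.patch` so the URL can only name that one commit (the checked-in file would presumably need to be renamed to match the URL's basename). A one-line comment above it naming bsc#1190225 would also tell the next maintainer when the patch can be dropped.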
@@ -1,112 +0,0 @@
-#ifndef HEADER_CARES_DNS_H
-#define HEADER_CARES_DNS_H
-
-/* Copyright 1998, 2011 by the Massachusetts Institute of Technology.
- *
- * Permission to use, copy, modify, and distribute this
- * software and its documentation for any purpose and without
- * fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright
- * notice and this permission notice appear in supporting
- * documentation, and that the name of M.I.T. not be used in
- * advertising or publicity pertaining to distribution of the
- * software without specific, written prior permission.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is"
- * without express or implied warranty.
- */
-
-/*
- * NOTE TO INTEGRATORS:
- *
- * This header is made public due to legacy projects relying on it.
- * Please do not use the macros within this header, or include this
- * header in your project as it may be removed in the future.
- */
-
-
-/*
- * Macro DNS__16BIT reads a network short (16 bit) given in network
- * byte order, and returns its value as an unsigned short.
- */
-#define DNS__16BIT(p) ((unsigned short)((unsigned int) 0xffff & \
- (((unsigned int)((unsigned char)(p)[0]) << 8U) | \
- ((unsigned int)((unsigned char)(p)[1])))))
-
-/*
- * Macro DNS__32BIT reads a network long (32 bit) given in network
- * byte order, and returns its value as an unsigned int.
- */
-#define DNS__32BIT(p) ((unsigned int) \
- (((unsigned int)((unsigned char)(p)[0]) << 24U) | \
- ((unsigned int)((unsigned char)(p)[1]) << 16U) | \
- ((unsigned int)((unsigned char)(p)[2]) << 8U) | \
- ((unsigned int)((unsigned char)(p)[3]))))
-
-#define DNS__SET16BIT(p, v) (((p)[0] = (unsigned char)(((v) >> 8) & 0xff)), \
- ((p)[1] = (unsigned char)((v) & 0xff)))
-#define DNS__SET32BIT(p, v) (((p)[0] = (unsigned char)(((v) >> 24) & 0xff)), \
- ((p)[1] = (unsigned char)(((v) >> 16) & 0xff)), \
- ((p)[2] = (unsigned char)(((v) >> 8) & 0xff)), \
- ((p)[3] = (unsigned char)((v) & 0xff)))
-
-#if 0
-/* we cannot use this approach on systems where we can't access 16/32 bit
- data on un-aligned addresses */
-#define DNS__16BIT(p) ntohs(*(unsigned short*)(p))
-#define DNS__32BIT(p) ntohl(*(unsigned long*)(p))
-#define DNS__SET16BIT(p, v) *(unsigned short*)(p) = htons(v)
-#define DNS__SET32BIT(p, v) *(unsigned long*)(p) = htonl(v)
-#endif
-
-/* Macros for parsing a DNS header */
-#define DNS_HEADER_QID(h) DNS__16BIT(h)
-#define DNS_HEADER_QR(h) (((h)[2] >> 7) & 0x1)
-#define DNS_HEADER_OPCODE(h) (((h)[2] >> 3) & 0xf)
-#define DNS_HEADER_AA(h) (((h)[2] >> 2) & 0x1)
-#define DNS_HEADER_TC(h) (((h)[2] >> 1) & 0x1)
-#define DNS_HEADER_RD(h) ((h)[2] & 0x1)
-#define DNS_HEADER_RA(h) (((h)[3] >> 7) & 0x1)
-#define DNS_HEADER_Z(h) (((h)[3] >> 4) & 0x7)
-#define DNS_HEADER_RCODE(h) ((h)[3] & 0xf)
-#define DNS_HEADER_QDCOUNT(h) DNS__16BIT((h) + 4)
-#define DNS_HEADER_ANCOUNT(h) DNS__16BIT((h) + 6)
-#define DNS_HEADER_NSCOUNT(h) DNS__16BIT((h) + 8)
-#define DNS_HEADER_ARCOUNT(h) DNS__16BIT((h) + 10)
-
-/* Macros for constructing a DNS header */
-#define DNS_HEADER_SET_QID(h, v) DNS__SET16BIT(h, v)
-#define DNS_HEADER_SET_QR(h, v) ((h)[2] |= (unsigned char)(((v) & 0x1) << 7))
-#define DNS_HEADER_SET_OPCODE(h, v) ((h)[2] |= (unsigned char)(((v) & 0xf) << 3))
-#define DNS_HEADER_SET_AA(h, v) ((h)[2] |= (unsigned char)(((v) & 0x1) << 2))
-#define DNS_HEADER_SET_TC(h, v) ((h)[2] |= (unsigned char)(((v) & 0x1) << 1))
-#define DNS_HEADER_SET_RD(h, v) ((h)[2] |= (unsigned char)((v) & 0x1))
-#define DNS_HEADER_SET_RA(h, v) ((h)[3] |= (unsigned char)(((v) & 0x1) << 7))
-#define DNS_HEADER_SET_Z(h, v) ((h)[3] |= (unsigned char)(((v) & 0x7) << 4))
-#define DNS_HEADER_SET_RCODE(h, v) ((h)[3] |= (unsigned char)((v) & 0xf))
-#define DNS_HEADER_SET_QDCOUNT(h, v) DNS__SET16BIT((h) + 4, v)
-#define DNS_HEADER_SET_ANCOUNT(h, v) DNS__SET16BIT((h) + 6, v)
-#define DNS_HEADER_SET_NSCOUNT(h, v) DNS__SET16BIT((h) + 8, v)
-#define DNS_HEADER_SET_ARCOUNT(h, v) DNS__SET16BIT((h) + 10, v)
-
-/* Macros for parsing the fixed part of a DNS question */
-#define DNS_QUESTION_TYPE(q) DNS__16BIT(q)
-#define DNS_QUESTION_CLASS(q) DNS__16BIT((q) + 2)
-
-/* Macros for constructing the fixed part of a DNS question */
-#define DNS_QUESTION_SET_TYPE(q, v) DNS__SET16BIT(q, v)
-#define DNS_QUESTION_SET_CLASS(q, v) DNS__SET16BIT((q) + 2, v)
-
-/* Macros for parsing the fixed part of a DNS resource record */
-#define DNS_RR_TYPE(r) DNS__16BIT(r)
-#define DNS_RR_CLASS(r) DNS__16BIT((r) + 2)
-#define DNS_RR_TTL(r) DNS__32BIT((r) + 4)
-#define DNS_RR_LEN(r) DNS__16BIT((r) + 8)
-
-/* Macros for constructing the fixed part of a DNS resource record */
-#define DNS_RR_SET_TYPE(r, v) DNS__SET16BIT(r, v)
-#define DNS_RR_SET_CLASS(r, v) DNS__SET16BIT((r) + 2, v)
-#define DNS_RR_SET_TTL(r, v) DNS__SET32BIT((r) + 4, v)
-#define DNS_RR_SET_LEN(r, v) DNS__SET16BIT((r) + 8, v)
-
-#endif /* HEADER_CARES_DNS_H */
diff --git a/c-ares-config.cmake.in b/c-ares-config.cmake.in
deleted file mode 100644
index b22dc3f..0000000
--- a/c-ares-config.cmake.in
+++ /dev/null
@@ -1,21 +0,0 @@ -@PACKAGE_INIT@ - -set_and_check(c-ares_INCLUDE_DIR "@PACKAGE_CMAKE_INSTALL_INCLUDEDIR@") - -include("${CMAKE_CURRENT_LIST_DIR}/c-ares-config-version.cmake") -include("${CMAKE_CURRENT_LIST_DIR}/c-ares-targets.cmake") - -set(c-ares_LIBRARY c-ares::cares) - -if(@CARES_SHARED@) - add_library(c-ares::cares_shared INTERFACE IMPORTED) - set_target_properties(c-ares::cares_shared PROPERTIES INTERFACE_LINK_LIBRARIES "c-ares::cares") - set(c-ares_SHARED_LIBRARY c-ares::cares_shared) -elseif(@CARES_STATIC@) - add_library(c-ares::cares_static INTERFACE IMPORTED) - set_target_properties(c-ares::cares_static PROPERTIES INTERFACE_LINK_LIBRARIES "c-ares::cares") -endif() - -if(@CARES_STATIC@) - set(c-ares_STATIC_LIBRARY c-ares::cares_static) -endif() diff --git a/c-ares.changes b/c-ares.changes index 061c038..ae083ea 100644 --- a/c-ares.changes +++ b/c-ares.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Thu Sep 9 12:15:01 UTC 2021 - Adam Majer + +- new upstream website +- drop multibuild - tests do not require static library anymore +- spec file cleanup +- drop sources that were re-added to upstream distibution + (c-ares-config.cmake.in ares_dns.h libcares.pc.cmake) + ------------------------------------------------------------------- Wed Sep 8 14:07:34 UTC 2021 - Adam Majer diff --git a/c-ares.spec b/c-ares.spec index 9811887..008c2e8 100644 --- a/c-ares.spec +++ b/c-ares.spec @@ -16,23 +16,6 @@ # -%global flavor @BUILD_FLAVOR@%{nil} - -%if "%{flavor}" == "%{nil}" -ExclusiveArch: do_not_build -%define pname c-ares -%endif - -%if "%{flavor}" == "tests" -%define pname c-ares-tests -%bcond_without tests -%endif - -%if "%{flavor}" == "main" -%define pname c-ares -%bcond_with tests -%endif - %define sonum 2 %define libname libcares%{sonum} 
@@ -40,30 +23,24 @@ ExclusiveArch: do_not_build %define cmake_build make -O VERBOSE=1 %{?_smp_mflags} %endif -Name: %{pname} +Name: c-ares Version: 1.17.2 Release: 0 Summary: Library for asynchronous name resolves License: MIT -URL: https://c-ares.haxx.se/ -Source0: http://c-ares.haxx.se/download/c-ares-%{version}.tar.gz -Source1: http://c-ares.haxx.se/download/c-ares-%{version}.tar.gz.asc +URL: https://c-ares.org/ +Source0: https://c-ares.org/download/c-ares-%{version}.tar.gz +Source1: https://c-ares.org/download/c-ares-%{version}.tar.gz Source3: c-ares.keyring Source4: baselibs.conf -### REMOVE when upstream fixes https://github.com/c-ares/c-ares/issues/373 -Source5: libcares.pc.cmake -Source6: c-ares-config.cmake.in -Source7: ares_dns.h Patch0: 0001-Use-RPM-compiler-options.patch Patch1: disable-live-tests.patch Patch2: https://github.com/c-ares/c-ares/commit/5c995d5.patch BuildRequires: cmake BuildRequires: gcc-c++ -%if %{with tests} +BuildRequires: pkg-config # Needed for getservbyport_r function to work properly. BuildRequires: netcfg -%endif -BuildRequires: pkg-config %description c-ares is a C library that performs DNS requests and name resolves @@ -107,35 +84,20 @@ by Greg Hudson at MIT. This package provides the development libraries and headers needed to build packages that depend on c-ares. - %prep %autosetup -p1 -n c-ares-%{version} -cp %{S:5} %{S:6} . -cp %{S:7} include - %build - -%cmake \ -%if %{with tests} - -DCARES_BUILD_TESTS:BOOL=ON \ -%endif - %{nil} +%cmake -DCARES_BUILD_TESTS:BOOL=ON %cmake_build %install -%if !%{with tests} %cmake_install -%endif -%if %{with tests} %check pushd build %cmake_build -C test LD_LIBRARY_PATH=.%_libdir:./%_lib ./bin/arestest -%endif - -%if !%{with tests} %post -n %{libname} -p /sbin/ldconfig %postun -n %{libname} -p /sbin/ldconfig @@ -161,6 +123,4 @@ LD_LIBRARY_PATH=.%_libdir:./%_lib ./bin/arestest %{_libdir}/pkgconfig/libcares.pc %{_libdir}/cmake/c-ares/ -%endif - %changelog 
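Review bot: In the `@@ -40,30 +23,24 @@` hunk of c-ares.spec the new `Source1:` line repeats the Source0 tarball URL instead of the `.tar.gz.asc` signature it replaces, so the package would carry no detached signature to check against `c-ares.keyring` (Source3). The line should read `Source1: https://c-ares.org/download/c-ares-%{version}.tar.gz.asc`, which is what PATCH 3/3 later in this series restores. Presumably only the host name was meant to change here; a comment above the line such as `# detached signature for Source0, checked against Source3` would make a slip of this kind easier to catch in review.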
diff --git a/libcares.pc.cmake b/libcares.pc.cmake deleted file mode 100644 index 0ca28a8..0000000 --- a/libcares.pc.cmake +++ /dev/null @@ -1,20 +0,0 @@ -#*************************************************************************** -# Project ___ __ _ _ __ ___ ___ -# / __|____ / _` | '__/ _ \/ __| -# | (_|_____| (_| | | | __/\__ \ -# \___| \__,_|_| \___||___/ -# -prefix=@CMAKE_INSTALL_PREFIX@ -exec_prefix=${prefix}/@CMAKE_INSTALL_BINDIR@ -libdir=${prefix}/@CMAKE_INSTALL_LIBDIR@ -includedir=${prefix}/@CMAKE_INSTALL_INCLUDEDIR@ - -Name: c-ares -URL: https://c-ares.haxx.se/ -Description: asynchronous DNS lookup library -Version: @CARES_VERSION@ -Requires: -Requires.private: -Cflags: -I${includedir} @CPPFLAG_CARES_STATICLIB@ -Libs: -L${libdir} -lcares -Libs.private: @CARES_PRIVATE_LIBS@ From 3dd76e76c563d3b36f2dad5a5b28bf14a2f28e9f75d59951c588c40c467cd83a Mon Sep 17 00:00:00 2001 From: Adam Majer Date: Thu, 9 Sep 2021 12:41:31 +0000 Subject: [PATCH 3/3] OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/c-ares?expand=0&rev=43 --- c-ares.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/c-ares.spec b/c-ares.spec index 008c2e8..6604941 100644 --- a/c-ares.spec +++ b/c-ares.spec @@ -30,7 +30,7 @@ Summary: Library for asynchronous name resolves License: MIT URL: https://c-ares.org/ Source0: https://c-ares.org/download/c-ares-%{version}.tar.gz -Source1: https://c-ares.org/download/c-ares-%{version}.tar.gz +Source1: https://c-ares.org/download/c-ares-%{version}.tar.gz.asc Source3: c-ares.keyring Source4: baselibs.conf Patch0: 0001-Use-RPM-compiler-options.patch