SHA256
1
0
forked from pool/bind
Dominique Leuenberger 2019-11-25 10:23:22 +00:00 committed by Git OBS Bridge
commit e992e4a141
17 changed files with 182 additions and 866 deletions

View File

@ -1,13 +1,12 @@
Index: bind-9.11.2/bin/named/Makefile.in
Index: bind-9.14.7/bin/named/Makefile.in
===================================================================
--- bind-9.11.2.orig/bin/named/Makefile.in 2017-07-24 07:36:50.000000000 +0200
+++ bind-9.11.2/bin/named/Makefile.in 2017-08-15 10:27:54.263889946 +0200
@@ -168,9 +168,7 @@ installdirs:
install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
--- bind-9.14.7.orig/bin/named/Makefile.in
+++ bind-9.14.7/bin/named/Makefile.in
@@ -173,8 +173,7 @@ installdirs:
install:: named@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
(cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
- ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
+ for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man$${m##*.}; done

View File

@ -1,18 +1,16 @@
libbind9-160
libdns169
libirs160
libisc166
libbind9-1302
libdns1311
libirs1301
libisc1310
obsoletes "bind-libs-<targettype> = <version>"
provides "bind-libs-<targettype> = <version>"
libisccc160
libisccfg160
liblwres160
libisccc1302
libisccfg1302
bind-devel
requires -bind-<targettype>
requires "libbind9-160-<targettype> = <version>"
requires "libdns169-<targettype> = <version>"
requires "libirs160-<targettype> = <version>"
requires "libisc166-<targettype> = <version>"
requires "libisccc160-<targettype> = <version>"
requires "libisccfg160-<targettype> = <version>"
requires "liblwres160-<targettype> = <version>"
requires "libbind9-1302-<targettype> = <version>"
requires "libdns1311-<targettype> = <version>"
requires "libirs1301-<targettype> = <version>"
requires "libisc1310-<targettype> = <version>"
requires "libisccc1302-<targettype> = <version>"
requires "libisccfg1302-<targettype> = <version>"

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7f46ad8620f7c3b0ac375d7a5211b15677708fda84ce25d7aeb7222fe2e3c77a
size 9782180

View File

@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJZea3wAAoJEPGxG/Bc8C5Xh2oP/R1iUkk2l5Gp67xfitJLaFM6
uA5t+pezactdPzwQkP30R5DxC05h3LHV1jBwC39Y9AzAcq4TNXqg4yClQmGSFfoS
JTM5LXguCw2LLqd1VzQgSTAb6Urmk+1HToasN5ct6u/gTi1W6l7Hg8aZrqPYKtov
0bI7wmo6z+vH+vgbl0hHoHBxdZaamt8VTIhBF/JP59WkxJHalf90VrDK/Ivx+lZY
9d0QjqCJsQZpZ9tGn01WW73NQQxtitrT0RoKfPWNp218QnJUZgebXvxxzxxarC/N
4HI8+vQTDQMWq6DS64ipZ0PhJofnQKHuTWg3qX/PTGNuDkrqRGAPBsEsbPv4Flqi
ieaf50ky+68ghBcGDS8DyFFXhZjjnIGQKgE5j3xlxqEqvmE944kMx/ty5/7rUCI4
50zHJE6zfrsDaRAAOtudzw3nmI6lpetEk67k9u67rojZL36BVXrZPiUPldpToD9s
sJpep6KuEVG//Xcc5DVrmfYvxUASVa7uAPOfyvgSlW2f4xb7x2ZAS5t3H8/M5CiT
S+fiGzcGQAzckylwqOlVM/JfWkM19z56uE4kShMR8bj0oHE/zOFpfqFWpQ/jhxy6
fIGrBFLAbm1wGOOhntN7833+OkOeucVqrBRTZ+HE4sRI4P0t2sZFtStYRV89TDPu
TwWLWtNVQ8rHKTKNAdkn
=q9OM
-----END PGP SIGNATURE-----

3
bind-9.14.8.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e545aa75ced6695a9bf4b591606ef00260fb3c055c2865b299cfe0fe6eeea076
size 6403140

View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAl3KpcsACgkQdLtrmky7
PTjSAA/9EBlNlN1p8KSGdZTZj2qX3Y7zLnWCK/dQtB2CgP1CEeHc6qHyoe3/cq8z
S5TdL11CSZvdCsPTjk+G3VBodDdOze2z81oQTO9eMRdj5YIK6mtHGaHA6RpRcG4i
C68GlFtzyBeQfujMak7OkhLNlq4FSN2W+u5tqPu/ALLvxeFXN3XQ2nUZ80te3Ydm
S6MiwrVWO7EYCEEjiQhA4QL83moV3+/brohIo7wsKmh2PDCezCHykrRq8zaUaCs0
0Ti7uCSsfyjEQQHLZhrkapj9fEePgFY2QkM3W8/FJonvt5TDj3KL3r+FyLXil+He
gDT6u2kLwe8lqOu8nK5HzNDKvTr0DEe95OB+/BwK71PpWnyJsCIISA2oaESJWNXN
mvDzOJYh07dSPqMc92SlFeQ2HAKIo2RnxV3Abu+lSgH7SlMrRpFNV8mlkjbMFXKz
jJRcH3ge3mW/T5KGqA0kzs3TrYaNIkcOAmJNycS1HujdUSlElWvFocyVWY7dOWQp
FlIxWmMbG2gDlpqGQvM/+H/8Nw8HOKs9RZwSZ0BtfIQokt3a0lKcKFIewdgc/lx2
OVX3+5HWCuc5ImmuL3CPU9PeZbKiY8x3Gz5hvvSgu+JlHQl9Bzd3bpZEDF7S50pW
zUTzwe4Mr2KpX2faTm7RlkIayByzYt2BrQNaROIuc8KfjWBvPtA=
=gpSn
-----END PGP SIGNATURE-----

View File

@ -1,297 +0,0 @@
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
index bd219c5..f71685b 100644
--- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in
@@ -38,10 +38,10 @@ DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} \
${ISCCFGDEPLIBS} ${LWRESDEPLIBS}
LIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
- ${ISCLIBS} @IDNLIBS@ @LIBS@
+ ${ISCLIBS} @IDNLIBS@ @LIBS@ -lidn
NOSYMLIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
- ${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@
+ ${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@ -lidn
SUBDIRS =
@@ -59,6 +59,8 @@ HTMLPAGES = dig.html host.html nslookup.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
+EXT_CFLAGS = -DWITH_LIBIDN
+
@BIND9_MAKE_RULES@
dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index 7a7e8e4..b36047f 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -1251,8 +1251,8 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
<command>dig</command> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
- If you'd like to turn off the IDN support for some reason, defines
- the <envar>IDN_DISABLE</envar> environment variable.
+ If you'd like to turn off the IDN support for some reason, define
+ the <envar>CHARSET=ASCII</envar> environment variable.
The IDN support is disabled if the variable is set when
<command>dig</command> runs.
</para>
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 1f8bcf2..f657c30 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -33,6 +33,11 @@
#include <idn/api.h>
#endif
+#ifdef WITH_LIBIDN
+#include <stringprep.h>
+#include <idna.h>
+#endif
+
#include <dns/byaddr.h>
#ifdef DIG_SIGCHASE
#include <dns/callbacks.h>
@@ -158,6 +163,14 @@ static void idn_check_result(idn_result_t r, const char *msg);
int idnoptions = 0;
#endif
+#ifdef WITH_LIBIDN
+static isc_result_t libidn_locale_to_utf8 (const char* from, char *to);
+static isc_result_t libidn_utf8_to_ascii (const char* from, char *to);
+static isc_result_t output_filter (isc_buffer_t *buffer,
+ unsigned int used_org,
+ isc_boolean_t absolute);
+#endif
+
isc_socket_t *keep = NULL;
isc_sockaddr_t keepaddr;
@@ -1448,8 +1461,15 @@ setup_system(isc_boolean_t ipv4only, isc_boolean_t ipv6only) {
#ifdef WITH_IDN
initialize_idn();
+
+#endif
+#ifdef WITH_LIBIDN
+ result = dns_name_settotextfilter(output_filter);
+ check_result(result, "dns_name_settotextfilter");
+#ifdef HAVE_SETLOCALE
+ setlocale (LC_ALL, "");
+#endif
#endif
-
if (keyfile[0] != 0)
setup_file_key();
else if (keysecret[0] != 0)
@@ -2231,8 +2251,11 @@ setup_lookup(dig_lookup_t *lookup) {
idn_result_t mr;
char utf8_textname[MXNAME], utf8_origin[MXNAME], idn_textname[MXNAME];
#endif
+#ifdef WITH_LIBIDN
+ char utf8_str[MXNAME], utf8_name[MXNAME], ascii_name[MXNAME];
+#endif
-#ifdef WITH_IDN
+#if defined (WITH_IDN) || defined (WITH_LIBIDN)
result = dns_name_settotextfilter(lookup->idnout ?
output_filter : NULL);
check_result(result, "dns_name_settotextfilter");
@@ -2274,6 +2297,14 @@ setup_lookup(dig_lookup_t *lookup) {
mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP, lookup->textname,
utf8_textname, sizeof(utf8_textname));
idn_check_result(mr, "convert textname to UTF-8");
+#elif defined (WITH_LIBIDN)
+ result = libidn_locale_to_utf8 (lookup->textname, utf8_str);
+ check_result (result, "convert textname to UTF-8");
+ len = strlen (utf8_str);
+ if (len < MXNAME)
+ (void) strcpy (utf8_name, utf8_str);
+ else
+ fatal ("Too long name");
#endif
/*
@@ -2286,15 +2317,11 @@ setup_lookup(dig_lookup_t *lookup) {
if (lookup->new_search) {
#ifdef WITH_IDN
if ((count_dots(utf8_textname) >= ndots) || !usesearch) {
- lookup->origin = NULL; /* Force abs lookup */
- lookup->done_as_is = ISC_TRUE;
- lookup->need_search = usesearch;
- } else if (lookup->origin == NULL && usesearch) {
- lookup->origin = ISC_LIST_HEAD(search_list);
- lookup->need_search = ISC_FALSE;
- }
+#elif defined (WITH_LIBIDN)
+ if ((count_dots(utf8_name) >= ndots) || !usesearch) {
#else
if ((count_dots(lookup->textname) >= ndots) || !usesearch) {
+#endif
lookup->origin = NULL; /* Force abs lookup */
lookup->done_as_is = ISC_TRUE;
lookup->need_search = usesearch;
@@ -2302,7 +2329,6 @@ setup_lookup(dig_lookup_t *lookup) {
lookup->origin = ISC_LIST_HEAD(search_list);
lookup->need_search = ISC_FALSE;
}
-#endif
}
#ifdef WITH_IDN
@@ -2319,6 +2345,20 @@ setup_lookup(dig_lookup_t *lookup) {
IDN_IDNCONV | IDN_LENCHECK, utf8_textname,
idn_textname, sizeof(idn_textname));
idn_check_result(mr, "convert UTF-8 textname to IDN encoding");
+#elif defined (WITH_LIBIDN)
+ if (lookup->origin != NULL) {
+ result = libidn_locale_to_utf8 (lookup->origin->origin, utf8_str);
+ check_result (result, "convert origin to UTF-8");
+ if (len > 0 && utf8_name[len - 1] != '.') {
+ utf8_name[len++] = '.';
+ if (len + strlen (utf8_str) < MXNAME)
+ (void) strcpy (utf8_name + len, utf8_str);
+ else
+ fatal ("Too long name + origin");
+ }
+ }
+
+ result = libidn_utf8_to_ascii (utf8_name, ascii_name);
#else
if (lookup->origin != NULL) {
debug("trying origin %s", lookup->origin->origin);
@@ -2389,6 +2429,13 @@ setup_lookup(dig_lookup_t *lookup) {
result = dns_name_fromtext(lookup->name, &b,
dns_rootname, 0,
&lookup->namebuf);
+#elif defined (WITH_LIBIDN)
+ len = strlen (ascii_name);
+ isc_buffer_init(&b, ascii_name, len);
+ isc_buffer_add(&b, len);
+ result = dns_name_fromtext(lookup->name, &b,
+ dns_rootname, 0,
+ &lookup->namebuf);
#else
len = (unsigned int) strlen(lookup->textname);
isc_buffer_init(&b, lookup->textname, len);
@@ -4377,7 +4424,7 @@ destroy_libs(void) {
void * ptr;
dig_message_t *chase_msg;
#endif
-#ifdef WITH_IDN
+#if defined (WITH_IDN) || defined (WITH_LIBIDN)
isc_result_t result;
#endif
@@ -4418,6 +4465,10 @@ destroy_libs(void) {
result = dns_name_settotextfilter(NULL);
check_result(result, "dns_name_settotextfilter");
#endif
+#ifdef WITH_LIBIDN
+ result = dns_name_settotextfilter (NULL);
+ check_result(result, "clearing dns_name_settotextfilter");
+#endif
dns_name_destroy();
if (commctx != NULL) {
@@ -4603,6 +4654,97 @@ idn_check_result(idn_result_t r, const char *msg) {
}
}
#endif /* WITH_IDN */
+#ifdef WITH_LIBIDN
+static isc_result_t
+libidn_locale_to_utf8 (const char *from, char *to) {
+ char *utf8_str;
+
+ debug ("libidn_locale_to_utf8");
+ utf8_str = stringprep_locale_to_utf8 (from);
+ if (utf8_str != NULL) {
+ (void) strcpy (to, utf8_str);
+ free (utf8_str);
+ return ISC_R_SUCCESS;
+ }
+
+ debug ("libidn_locale_to_utf8: failure");
+ return ISC_R_FAILURE;
+}
+static isc_result_t
+libidn_utf8_to_ascii (const char *from, char *to) {
+ char *ascii;
+ int iresult;
+
+ debug ("libidn_utf8_to_ascii");
+ iresult = idna_to_ascii_8z (from, &ascii, 0);
+ if (iresult != IDNA_SUCCESS) {
+ debug ("idna_to_ascii_8z: %s", idna_strerror (iresult));
+ return ISC_R_FAILURE;
+ }
+
+ (void) strcpy (to, ascii);
+ free (ascii);
+ return ISC_R_SUCCESS;
+}
+
+static isc_result_t
+output_filter (isc_buffer_t *buffer, unsigned int used_org,
+ isc_boolean_t absolute) {
+
+ char tmp1[MXNAME], *tmp2;
+ size_t fromlen, tolen;
+ isc_boolean_t end_with_dot;
+ int iresult;
+
+ debug ("output_filter");
+
+ fromlen = isc_buffer_usedlength (buffer) - used_org;
+ if (fromlen >= MXNAME)
+ return ISC_R_SUCCESS;
+ memcpy (tmp1, (char *) isc_buffer_base (buffer) + used_org, fromlen);
+ end_with_dot = (tmp1[fromlen - 1] == '.') ? ISC_TRUE : ISC_FALSE;
+ if (absolute && !end_with_dot) {
+ fromlen++;
+ if (fromlen >= MXNAME)
+ return ISC_R_SUCCESS;
+ tmp1[fromlen - 1] = '.';
+ }
+ tmp1[fromlen] = '\0';
+
+ iresult = idna_to_unicode_8z8z (tmp1, &tmp2, 0);
+ if (iresult != IDNA_SUCCESS) {
+ debug ("output_filter: %s", idna_strerror (iresult));
+ return ISC_R_SUCCESS;
+ }
+
+ (void) strcpy (tmp1, tmp2);
+ free (tmp2);
+
+ tmp2 = stringprep_utf8_to_locale (tmp1);
+ if (tmp2 == NULL) {
+ debug ("output_filter: stringprep_utf8_to_locale failed");
+ return ISC_R_SUCCESS;
+ }
+
+ (void) strcpy (tmp1, tmp2);
+ free (tmp2);
+
+ tolen = strlen (tmp1);
+ if (absolute && !end_with_dot && tmp1[tolen - 1] == '.')
+ tolen--;
+
+ if (isc_buffer_length (buffer) < used_org + tolen)
+ return ISC_R_NOSPACE;
+
+ debug ("%s", tmp1);
+
+ isc_buffer_subtract (buffer, isc_buffer_usedlength (buffer) - used_org);
+ memcpy (isc_buffer_used (buffer), tmp1, tolen);
+ isc_buffer_add (buffer, tolen);
+
+ return ISC_R_SUCCESS;
+}
+#endif /* WITH_LIBIDN*/
#ifdef DIG_SIGCHASE
void

View File

@ -1,138 +0,0 @@
diff --git a/CHANGES b/CHANGES
index 5aa5053..32f920d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+ --- 9.11.2-P1 released ---
+
+4858. [security] Addresses could be referenced after being freed
+ in resolver.c, causing an assertion failure.
+ (CVE-2017-3145) [RT #46839]
+
--- 9.11.2 released ---
--- 9.11.2rc2 released ---
diff --git a/lib/dns/api b/lib/dns/api
index 711bfd8..eadd740 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -9,5 +9,5 @@
# 9.11: 160-169
# 9.12: 1200-1299
LIBINTERFACE = 169
-LIBREVISION = 1
+LIBREVISION = 2
LIBAGE = 0
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 8eb1d97..eb1ebcf 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -831,7 +831,7 @@ fctx_stoptimer(fetchctx_t *fctx) {
* cannot fail in that case.
*/
result = isc_timer_reset(fctx->timer, isc_timertype_inactive,
- NULL, NULL, ISC_TRUE);
+ NULL, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS) {
UNEXPECTED_ERROR(__FILE__, __LINE__,
"isc_timer_reset(): %s",
@@ -839,7 +839,6 @@ fctx_stoptimer(fetchctx_t *fctx) {
}
}
-
static inline isc_result_t
fctx_startidletimer(fetchctx_t *fctx, isc_interval_t *interval) {
/*
@@ -1116,7 +1115,8 @@ fctx_cleanupfinds(fetchctx_t *fctx) {
for (find = ISC_LIST_HEAD(fctx->finds);
find != NULL;
- find = next_find) {
+ find = next_find)
+ {
next_find = ISC_LIST_NEXT(find, publink);
ISC_LIST_UNLINK(fctx->finds, find, publink);
dns_adb_destroyfind(&find);
@@ -1132,7 +1132,8 @@ fctx_cleanupaltfinds(fetchctx_t *fctx) {
for (find = ISC_LIST_HEAD(fctx->altfinds);
find != NULL;
- find = next_find) {
+ find = next_find)
+ {
next_find = ISC_LIST_NEXT(find, publink);
ISC_LIST_UNLINK(fctx->altfinds, find, publink);
dns_adb_destroyfind(&find);
@@ -1148,7 +1149,8 @@ fctx_cleanupforwaddrs(fetchctx_t *fctx) {
for (addr = ISC_LIST_HEAD(fctx->forwaddrs);
addr != NULL;
- addr = next_addr) {
+ addr = next_addr)
+ {
next_addr = ISC_LIST_NEXT(addr, publink);
ISC_LIST_UNLINK(fctx->forwaddrs, addr, publink);
dns_adb_freeaddrinfo(fctx->adb, &addr);
@@ -1163,7 +1165,8 @@ fctx_cleanupaltaddrs(fetchctx_t *fctx) {
for (addr = ISC_LIST_HEAD(fctx->altaddrs);
addr != NULL;
- addr = next_addr) {
+ addr = next_addr)
+ {
next_addr = ISC_LIST_NEXT(addr, publink);
ISC_LIST_UNLINK(fctx->altaddrs, addr, publink);
dns_adb_freeaddrinfo(fctx->adb, &addr);
@@ -1171,16 +1174,20 @@ fctx_cleanupaltaddrs(fetchctx_t *fctx) {
}
static inline void
-fctx_stopeverything(fetchctx_t *fctx, isc_boolean_t no_response,
- isc_boolean_t age_untried)
+fctx_stopqueries(fetchctx_t *fctx, isc_boolean_t no_response,
+ isc_boolean_t age_untried)
{
- FCTXTRACE("stopeverything");
+ FCTXTRACE("stopqueries");
fctx_cancelqueries(fctx, no_response, age_untried);
+ fctx_stoptimer(fctx);
+}
+
+static inline void
+fctx_cleanupall(fetchctx_t *fctx) {
fctx_cleanupfinds(fctx);
fctx_cleanupaltfinds(fctx);
fctx_cleanupforwaddrs(fctx);
fctx_cleanupaltaddrs(fctx);
- fctx_stoptimer(fctx);
}
static void
@@ -1431,7 +1438,8 @@ fctx_done(fetchctx_t *fctx, isc_result_t result, int line) {
age_untried = ISC_TRUE;
fctx->reason = NULL;
- fctx_stopeverything(fctx, no_response, age_untried);
+
+ fctx_stopqueries(fctx, no_response, age_untried);
LOCK(&res->buckets[fctx->bucketnum].lock);
@@ -4022,11 +4030,12 @@ fctx_doshutdown(isc_task_t *task, isc_event_t *event) {
dns_resolver_cancelfetch(fctx->nsfetch);
/*
- * Shut down anything that is still running on behalf of this
- * fetch. To avoid deadlock with the ADB, we must do this
- * before we lock the bucket lock.
+ * Shut down anything still running on behalf of this
+ * fetch, and clean up finds and addresses. To avoid deadlock
+ * with the ADB, we must do this before we lock the bucket lock.
*/
- fctx_stopeverything(fctx, ISC_FALSE, ISC_FALSE);
+ fctx_stopqueries(fctx, ISC_FALSE, ISC_FALSE);
+ fctx_cleanupall(fctx);
LOCK(&res->buckets[bucketnum].lock);

View File

@ -1,22 +0,0 @@
Index: bind-9.11.2/lib/dns/opensslgost_link.c
===================================================================
--- bind-9.11.2.orig/lib/dns/opensslgost_link.c
+++ bind-9.11.2/lib/dns/opensslgost_link.c
@@ -578,9 +578,16 @@ dst__opensslgost_init(dst_func_t **funcp
/* check if the gost engine works properly */
e = ENGINE_by_id("gost");
- if (e == NULL)
+ if (e == NULL) {
+ /* In FIPS mode we cannot get the gost engine, even if
+ * openssl and bind was originally built with it. */
+#if 0
return (dst__openssl_toresult2("ENGINE_by_id",
DST_R_OPENSSLFAILURE));
+#endif
+ return (ISC_R_SUCCESS);
+ }
+
if (ENGINE_init(e) <= 0) {
ENGINE_free(e);
e = NULL;

View File

@ -1,45 +0,0 @@
Index: bin/named/Makefile.in
===================================================================
--- bin/named/Makefile.in.orig 2014-01-23 18:42:24.479609343 +0100
+++ bin/named/Makefile.in 2014-01-24 10:11:54.234471728 +0100
@@ -34,9 +34,9 @@
#
# Add database drivers here.
#
-DBDRIVER_OBJS =
-DBDRIVER_SRCS =
-DBDRIVER_INCLUDES =
+DBDRIVER_OBJS = ldapdb.@O@
+DBDRIVER_SRCS = ldapdb.c
+DBDRIVER_INCLUDES = -DLDAP_DEPRECATED
DBDRIVER_LIBS =
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
Index: bin/named/main.c
===================================================================
--- bin/named/main.c.orig 2013-12-20 01:28:28.000000000 +0100
+++ bin/named/main.c 2014-01-23 18:45:19.059680008 +0100
@@ -91,6 +91,7 @@
* Include header files for database drivers here.
*/
/* #include "xxdb.h" */
+#include <ldapdb.h>
#ifdef CONTRIB_DLZ
/*
@@ -1064,6 +1065,7 @@
* Add calls to register sdb drivers here.
*/
/* xxdb_init(); */
+ ldapdb_init();
#ifdef ISC_DLZ_DLOPEN
/*
@@ -1104,6 +1106,7 @@
* Add calls to unregister sdb drivers here.
*/
/* xxdb_clear(); */
+ ldapdb_clear();
#ifdef CONTRIB_DLZ
/*

View File

@ -1,3 +1,30 @@
-------------------------------------------------------------------
Tue Nov 19 10:09:35 UTC 2019 - Josef Möllers <josef.moellers@suse.com>
- Upgrade to version 9.14.8:
* Set a limit on the number of concurrently served pipelined TCP
queries.
* Some other bug fixing, see CHANGES file.
[CVE-2019-6477, bsc#1157051]
-------------------------------------------------------------------
Fri Nov 8 12:50:00 UTC 2019 - Josef Möllers <josef.moellers@suse.com>
- Upgrade to version 9.14.7
* removed dnsperf, idn, nslint, perftcpdns, query-loc-0.4.0,
queryperf, sdb, zkt from contrib as they are not supported
any more
* Added support for the GeoIP2 API from MaxMind
* See CHANGES file in the source RPM.
[bsc#1111722, bsc#1156205, CVE-2019-6476, CVE-2019-6475,
CVE-2019-6471, CVE-2018-5743, CVE-2019-6467, CVE-2019-6465,
CVE-2018-5745, CVE-2018-5744, CVE-2018-5740, CVE-2018-5738,
CVE-2018-5737, CVE-2018-5736, CVE-2017-3145,
configure.in.diff, bind-99-libidn.patch, perl-path.diff,
bind-sdb-ldap.patch, bind-CVE-2017-3145.patch,
bug-4697-Restore-workaround-for-Microsoft-Windows-T.patch,
bind-fix-fips.patch]
-------------------------------------------------------------------
Fri Jul 12 08:43:29 UTC 2019 - matthias.gerstner@suse.com

192
bind.spec
View File

@ -12,25 +12,26 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
# Don't forget to update the package names also in baselibs.conf
%define bind9_sonum 160
# Note that the sonums are LIBINTERFACE - LIBAGE
%define bind9_sonum 1302
%define libbind9 libbind9-%{bind9_sonum}
%define dns_sonum 169
%define dns_sonum 1311
%define libdns libdns%{dns_sonum}
%define irs_sonum 160
%define irs_sonum 1301
%define libirs libirs%{irs_sonum}
%define isc_sonum 166
%define isc_sonum 1310
%define libisc libisc%{isc_sonum}
%define isccc_sonum 160
%define isccc_sonum 1302
%define libisccc libisccc%{isccc_sonum}
%define isccfg_sonum 160
%define isccfg_sonum 1302
%define libisccfg libisccfg%{isccfg_sonum}
%define lwres_sonum 160
%define liblwres liblwres%{lwres_sonum}
%define libns_sonum 1307
%define VENDOR SUSE
# Defines for user and group add
%define NAMED_UID 44
@ -45,8 +46,10 @@
%define USERMOD_NAMED getent passwd %{NAMED_UID_NAME} >/dev/null || %{_sbindir}/usermod -s %{NAMED_SHELL} -d %{NAMED_HOMEDIR} %{NAMED_UID_NAME}
%if 0%{?suse_version} >= 1500
%define with_systemd 1
%define with_geoip 0
%else
%define with_systemd 0
%define with_geoip 1
%endif
%if 0%{?suse_version} < 1315
%define with_sfw2 1
@ -59,7 +62,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: bind
Version: 9.11.2
Version: 9.14.8
Release: 0
Summary: Domain Name System (DNS) Server (named)
License: MPL-2.0
@ -68,27 +71,19 @@ Url: http://isc.org/sw/bind/
Source: ftp://ftp.isc.org/isc/bind9/%{version}/bind-%{version}.tar.gz
Source1: vendor-files.tar.bz2
Source2: baselibs.conf
Source3: ftp://ftp.isc.org/isc/bind9/%{version}/bind-%{version}.tar.gz.asc
Source3: ftp://ftp.isc.org/isc/bind9/%{version}/bind-%{version}.tar.gz.sha512.asc
# from http://www.isc.org/about/openpgp/ ... changes yearly apparently.
Source4: %{name}.keyring
Source9: ftp://ftp.internic.net/domain/named.root
# url http://www.venaas.no/ldap/bind-sdb/dnszone-schema.txt no longer exists...
Source40: dnszone-schema.txt
Source60: dlz-schema.txt
# configuation files for systemd-tmpfiles
Source70: bind.conf
Source71: bind-chrootenv.conf
Patch0: configure.in.diff
Patch1: Makefile.in.diff
Patch2: bind-99-libidn.patch
Patch4: perl-path.diff
Patch51: pie_compile.diff
Patch52: named-bootconf.diff
Patch53: bind-sdb-ldap.patch
Patch54: bind-CVE-2017-3145.patch
Patch55: bug-4697-Restore-workaround-for-Microsoft-Windows-T.patch
Patch56: bind-ldapdump-use-valid-host.patch
Patch57: bind-fix-fips.patch
BuildRequires: libcap-devel
BuildRequires: libmysqlclient-devel
BuildRequires: libopenssl-devel
@ -99,10 +94,14 @@ BuildRequires: pkgconfig
BuildRequires: python3
BuildRequires: python3-ply
BuildRequires: update-desktop-files
BuildRequires: pkgconfig(geoip)
BuildRequires: pkgconfig(json)
BuildRequires: pkgconfig(krb5)
BuildRequires: pkgconfig(libidn)
%if %{with_geoip}
BuildRequires: pkgconfig(geoip)
%else
BuildRequires: pkgconfig(libmaxminddb)
%endif
BuildRequires: pkgconfig(libxml-2.0)
Requires: %{name}-chrootenv
Requires: %{name}-utils
@ -110,8 +109,8 @@ Requires(post): %fillup_prereq
Requires(post): bind-utils
Requires(post): coreutils
Requires(pre): shadow
Provides: bind8
Provides: bind9
Provides: bind8 = %{version}
Provides: bind9 = %{version}
Provides: dns_daemon
Obsoletes: bind8 < %{version}
Obsoletes: bind9 < %{version}
@ -156,7 +155,7 @@ internal database function for both nominated and all zones. SDB
allows a user-written driver to supply zone data either from
alternate data sources (for instance, a relational database) or using
specialized algorithms (for instance, for load-balancing).
[Book links for SDB: "Pro DNS and BIND 10", R. Aitchison, Apress]
[Book links for SDB: "Pro DNS and BIND 10", R. Aitchison, Apress]
%package -n %{libirs}
Summary: The BIND Information Retrieval System library
@ -208,28 +207,14 @@ Group: System/Libraries
%description -n %{libisccfg}
This BIND library contains the configuration file parser.
%package -n %{liblwres}
Summary: Lightweight Resolver API library
Group: System/Libraries
%description -n %{liblwres}
The BIND 9 lightweight resolver library is a name service independent
stub resolver library. It provides hostname-to-address and
address-to-hostname lookup services to applications by transmitting
lookup requests to a resolver daemon, lwresd, running on the local
host. The resover daemon performs the lookup using the DNS or
possibly other name service protocols, and returns the results to the
application through the library. The library and resolver daemon
communicate using a UDP-based protocol.
%package chrootenv
Summary: Chroot environment for BIND named and lwresd
Summary: Chroot environment for BIND named
Group: Productivity/Networking/DNS/Servers
Requires(pre): shadow
%description chrootenv
This package contains all directories and files which are common to the
chroot environment of BIND named and lwresd. Most is part of the
chroot environment of BIND named. Most is part of the
structure below %{_localstatedir}/lib/named.
%package devel
@ -241,7 +226,6 @@ Requires: %{libirs} = %{version}
Requires: %{libisccc} = %{version}
Requires: %{libisccfg} = %{version}
Requires: %{libisc} = %{version}
Requires: %{liblwres} = %{version}
Provides: bind8-devel
Provides: bind9-devel
Obsoletes: bind8-devel < %{version}
@ -263,26 +247,6 @@ Documentation of the Berkeley Internet Name Domain (BIND) Domain Name
System implementation of the Domain Name System (DNS) protocols. This
includes also the BIND Administrator Reference Manual (ARM).
%package lwresd
Summary: Lightweight Resolver Daemon
Group: Productivity/Networking/DNS/Utilities
Requires: %{name}-chrootenv
Requires(pre): shadow
Requires(pre): sysvinit(network)
Requires(pre): sysvinit(syslog)
Provides: dns_daemon
%if !%{with_systemd}
Requires(post): %insserv_prereq
%endif
%description lwresd
Bind-lwresd provides resolution services to local clients using a
combination of the lightweight resolver library liblwres and the
resolver daemon process lwresd running on the local host. These
communicate using a simple UDP-based protocol, the "lightweight
resolver protocol" that is distinct from and simpler than the full DNS
protocol.
%package utils
Summary: Utilities to query and test DNS
# Needed for dnssec parts
@ -311,17 +275,10 @@ This package provides a module which allows commands to be sent to rndc directly
%prep
%setup -q -a1
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch4
%patch51
%patch52
%patch53
%patch54 -p1
%patch55 -p1
%patch51 -p1
%patch52 -p1
%patch56 -p1
%patch57 -p1
# use the year from source gzip header instead of current one to make reproducible rpms
year=$(perl -e 'sysread(STDIN, $h, 8); print (1900+(gmtime(unpack("l",substr($h,4))))[5])' < %{SOURCE0})
@ -338,16 +295,14 @@ function replaceStrings()
-i "${file}"
}
pushd vendor-files
for file in docu/README tools/createNamedConfInclude config/{README,named.conf} init/{named,lwresd} system/{named.init,lwresd.init} sysconfig/{named-common,named-named,syslog-named}; do
for file in docu/README tools/createNamedConfInclude config/{README,named.conf} init/named system/named.init sysconfig/{named-common,named-named,syslog-named}; do
replaceStrings ${file}
done
popd
cp contrib/sdb/ldap/ldapdb.c bin/named/
cp contrib/sdb/ldap/ldapdb.h bin/named/include/
%build
autoreconf -fvi
export CFLAGS="%{optflags}"
export CFLAGS="%{optflags} -DNO_VERSION_DATE"
%configure \
--with-python=%{_bindir}/python3 \
--includedir=%{_includedir}/bind \
@ -364,7 +319,12 @@ export CFLAGS="%{optflags}"
--with-pic \
--disable-openssl-version-check \
--with-tuning=large \
%if %{with_geoip}
--with-geoip \
%else
--without-geoip \
--with-geoip2 \
%endif
--with-dlopen \
--with-gssapi=yes \
--disable-isc-spnego \
@ -391,7 +351,7 @@ mkdir -p \
%{buildroot}/%{_datadir}/bind \
%{buildroot}/%{_datadir}/susehelp/meta/Administration/System \
%{buildroot}/%{_defaultdocdir}/bind \
%{buildroot}%{_localstatedir}/lib/named/{etc/named.d,dev,dyn,log,master,slave,var/{lib,run/{lwresd,named}}} \
%{buildroot}%{_localstatedir}/lib/named/{etc/named.d,dev,dyn,log,master,slave,var/{lib,run/named}} \
%{buildroot}%{_mandir}/{man1,man3,man5,man8} \
%{buildroot}%{_fillupdir} \
%{buildroot}/%{_rundir} \
@ -410,12 +370,12 @@ rm -f %{buildroot}/%{_libdir}/lib*.{la,a}
mv vendor-files/config/named.conf %{buildroot}/%{_sysconfdir}
mv vendor-files/config/bind.reg %{buildroot}/%{_sysconfdir}/slp.reg.d
mv vendor-files/config/rndc-access.conf %{buildroot}/%{_sysconfdir}/named.d
for file in lwresd.conf named.conf.include; do
for file in named.conf.include; do
touch %{buildroot}/%{_sysconfdir}/${file}
done
%if %{with_systemd}
for file in lwresd named; do
for file in named; do
install -D -m 0644 vendor-files/system/${file}.service %{buildroot}%{_unitdir}/${file}.service
install -m 0755 vendor-files/system/${file}.init %{buildroot}/usr/sbin/${file}.init
ln -s /sbin/service %{buildroot}%{_sbindir}/rc${file}
@ -426,7 +386,7 @@ done
install -m 0644 vendor-files/config/{127.0.0,localhost}.zone %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named
install -m 0644 bind.keys %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named/named.root.key
%else
for file in lwresd named; do
for file in named; do
install -m 0754 vendor-files/init/${file} %{buildroot}%{_initddir}/${file}
ln -sf %{_initddir}/${file} %{buildroot}%{_sbindir}/rc${file}
done
@ -444,7 +404,6 @@ touch %{buildroot}%{_localstatedir}/lib/named%{_sysconfdir}/{localtime,named.con
touch %{buildroot}%{_localstatedir}/lib/named/dev/log
ln -s ../.. %{buildroot}%{_localstatedir}/lib/named%{_localstatedir}/lib/named
ln -s ../log %{buildroot}%{_localstatedir}/lib/named%{_localstatedir}
ln -s ..%{_localstatedir}/lib/named%{_localstatedir}/run/lwresd %{buildroot}/run
ln -s ..%{_localstatedir}/lib/named%{_localstatedir}/run/named %{buildroot}/run
for file in named-common named-named syslog-named; do
install -m 0644 vendor-files/sysconfig/${file} %{buildroot}%{_fillupdir}/sysconfig.${file}
@ -457,10 +416,9 @@ rm doc/misc/Makefile*
find doc/arm -type f ! -name '*.html' -print0 | xargs -0 rm -f
# Create doc as we want it in bind and not bind-doc
cp -a vendor-files/docu/README %{buildroot}/%{_defaultdocdir}/bind/README.%{VENDOR}
cp -a vendor-files/docu/dnszonehowto.html contrib/sdb/ldap/
mkdir -p vendor-files/config/ISC-examples
cp -a bin/tests/*.conf* vendor-files/config/ISC-examples
for file in CHANGES COPYRIGHT README version contrib doc/{arm,misc} vendor-files/config contrib/sdb/ldap/INSTALL.ldap; do
for file in CHANGES COPYRIGHT README version contrib doc/{arm,misc} vendor-files/config; do
basename=$( basename ${file})
cp -a ${file} %{buildroot}/%{_defaultdocdir}/bind/${basename}
echo "%doc %{_defaultdocdir}/bind/${basename}" >>filelist-bind-doc
@ -520,8 +478,6 @@ fi
%postun -n %{libisccc} -p /sbin/ldconfig
%post -n %{libisccfg} -p /sbin/ldconfig
%postun -n %{libisccfg} -p /sbin/ldconfig
%post -n %{liblwres} -p /sbin/ldconfig
%postun -n %{liblwres} -p /sbin/ldconfig
%pre chrootenv
%{GROUPADD_NAMED}
%{USERADD_NAMED}
@ -533,49 +489,13 @@ fi
%tmpfiles_create bind-chrootenv.conf
%endif
%pre lwresd
%{GROUPADD_NAMED}
%{USERADD_NAMED}
%if %{with_systemd}
%service_add_pre lwresd.service
%endif
%post lwresd
# delete an emtpy lwresd.conf file
if [ ! -s etc/lwresd.conf ]; then
rm -f etc/lwresd.conf
fi
%if %{with_systemd}
%service_add_post lwresd.service
%else
if [ $1 -le 1 ]; then
%{fillup_and_insserv -fy lwresd}
fi
%endif
%preun lwresd
%stop_on_removal lwresd
%if %{with_systemd}
%service_del_preun lwresd.service
%else
%stop_on_removal lwresd
%endif
%postun lwresd
%if %{with_systemd}
%service_del_postun lwresd.service
%else
%restart_on_update lwresd
%insserv_cleanup
%endif
%post utils
%files
%license LICENSE
%attr(0644,root,named) %config(noreplace) /%{_sysconfdir}/named.conf
%dir %{_sysconfdir}/slp.reg.d
%attr(0644,root,root) /%{_sysconfdir}/slp.reg.d/bind.reg
%attr(0644,root,root) %config /%{_sysconfdir}/slp.reg.d/bind.reg
%attr(0644,root,named) %ghost /%{_sysconfdir}/named.conf.include
%if %{with_systemd}
%config %{_unitdir}/named.service
@ -595,6 +515,8 @@ fi
%{_sbindir}/named-checkconf
%{_sbindir}/named-checkzone
%{_sbindir}/named-compilezone
%dir %{_libdir}/named
%{_libdir}/named/filter-aaaa.so
%{_mandir}/man1/bind9-config.1%{ext_man}
%{_mandir}/man1/named-rrchecker.1%{ext_man}
%{_mandir}/man5/named.conf.5%{ext_man}
@ -602,6 +524,7 @@ fi
%{_mandir}/man8/named-checkzone.8%{ext_man}
%{_mandir}/man8/named.8%{ext_man}
%{_mandir}/man8/named-compilezone.8%{ext_man}
%{_mandir}/man8/filter-aaaa.8%{ext_man}
%dir %{_datadir}/bind
%{_datadir}/bind/createNamedConfInclude
%{_datadir}/bind/ldapdump
@ -630,6 +553,7 @@ fi
%files -n %{libisc}
%{_libdir}/libisc.so.%{isc_sonum}*
%{_libdir}/libns.so.%{libns_sonum}*
%files -n %{libisccc}
%{_libdir}/libisccc.so.%{isccc_sonum}*
@ -637,9 +561,6 @@ fi
%files -n %{libisccfg}
%{_libdir}/libisccfg.so.%{isccfg_sonum}*
%files -n %{liblwres}
%{_libdir}/liblwres.so.%{lwres_sonum}*
%files chrootenv
%if %{with_systemd}
%{_prefix}/lib/tmpfiles.d/bind-chrootenv.conf
@ -672,28 +593,13 @@ fi
%{_libdir}/libbind9.so
%{_libdir}/libdns.so
%{_libdir}/libisc*.so
%{_libdir}/liblwres.so
%{_libdir}/libns.so
%{_includedir}/bind
%{_mandir}/man3/lwres*.3*
%files doc -f filelist-bind-doc
%dir %doc %{_defaultdocdir}/bind
%doc %{_datadir}/susehelp
%files lwresd
%ghost %attr(0644,root,named) %config(noreplace) /%{_sysconfdir}/lwresd.conf
%if %{with_systemd}
%config %{_unitdir}/lwresd.service
%{_sbindir}/lwresd.init
%else
%config %{_initddir}/lwresd
%endif
%{_sbindir}/rclwresd
%{_sbindir}/lwresd
%{_mandir}/man8/lwresd.8%{ext_man}
%ghost %{_rundir}/lwresd
%attr(-,named,named) %dir %{_var}/lib/named%{_localstatedir}/run/lwresd
%files utils
%dir %{_sysconfdir}/named.d
%config(noreplace) %{_sysconfdir}/named.d/rndc-access.conf
@ -722,8 +628,9 @@ fi
%{_sbindir}/dnssec-checkds
%{_sbindir}/dnssec-coverage
%{_sbindir}/dnssec-keymgr
%{_sbindir}/genrandom
%{_sbindir}/isc-hmac-fixup
%{_sbindir}/dnssec-cds
# %%{_sbindir}/genrandom
# %%{_sbindir}/isc-hmac-fixup
%{_sbindir}/named-journalprint
%{_sbindir}/nsec3hash
%{_sbindir}/rndc
@ -752,8 +659,9 @@ fi
%{_mandir}/man8/dnssec-checkds.8%{ext_man}
%{_mandir}/man8/dnssec-coverage.8%{ext_man}
%{_mandir}/man8/dnssec-keymgr.8%{ext_man}
%{_mandir}/man8/genrandom.8%{ext_man}
%{_mandir}/man8/isc-hmac-fixup.8%{ext_man}
%{_mandir}/man8/dnssec-cds.8%{ext_man}
# %%{_mandir}/man8/genrandom.8%%{ext_man}
# %%{_mandir}/man8/isc-hmac-fixup.8%%{ext_man}
%{_mandir}/man8/named-journalprint.8%{ext_man}
%{_mandir}/man8/nsec3hash.8%{ext_man}
%{_mandir}/man8/rndc.8%{ext_man}

View File

@ -1,41 +0,0 @@
From 4985b5001d4f2f64bbee7e9d6ee32058caf67252 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 1 Sep 2017 11:17:59 +1000
Subject: [PATCH] 4697. [bug] Restore workaround for Microsoft
Windows TSIG hash computation bug. [RT #45854]
(cherry picked from commit a8a20462b516b0cc39e9b1fb1a8dd514eb1aed29)
(cherry picked from commit b301c4293c082fcce4ec26218e6fad346976eb9e)
---
CHANGES | 3 +++
lib/dns/rdataset.c | 3 +++
2 files changed, 6 insertions(+)
diff --git a/CHANGES b/CHANGES
index 5aa505345c..13b60473b5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4697. [bug] Restore workaround for Microsoft Windows TSIG hash
+ computation bug. [RT #45854]
+
--- 9.11.2-P1 released ---
4858. [security] Addresses could be referenced after being freed
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
index a8e75d6caf..7eb394c8c4 100644
--- a/lib/dns/rdataset.c
+++ b/lib/dns/rdataset.c
@@ -467,6 +467,9 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
dns_name_copy(owner_name, name, NULL);
dns_rdataset_getownercase(rdataset, name);
+ if ((owner_name->attributes & DNS_NAMEATTR_NOCOMPRESS) != 0)
+ name->attributes |= DNS_NAMEATTR_NOCOMPRESS;
+
do {
/*
* Copy out the name, type, class, ttl.
--
2.16.3

View File

@ -1,13 +0,0 @@
Index: bind-9.9.4-P2/configure.in
===================================================================
--- bind-9.9.4-P2.orig/configure.in 2013-12-20 01:28:28.000000000 +0100
+++ bind-9.9.4-P2/configure.in 2014-01-21 17:55:51.063395215 +0100
@@ -3914,7 +3914,7 @@ AC_SUBST(DOXYGEN)
# empty). The variable VARIABLE will be substituted into output files.
#
-AC_DEFUN(NOM_PATH_FILE, [
+AC_DEFUN([NOM_PATH_FILE], [
$1=""
AC_MSG_CHECKING(for $2)
for d in $3

View File

@ -1,18 +1,18 @@
Index: contrib/scripts/named-bootconf.sh
Index: bind-9.14.7/contrib/scripts/named-bootconf.sh
===================================================================
--- contrib/scripts/named-bootconf.sh.orig 2017-08-15 13:08:41.636256254 +0200
+++ contrib/scripts/named-bootconf.sh 2017-08-15 13:08:42.516270950 +0200
@@ -38,7 +38,8 @@
--- bind-9.14.7.orig/contrib/scripts/named-bootconf.sh
+++ bind-9.14.7/contrib/scripts/named-bootconf.sh
@@ -39,7 +39,8 @@
# POSSIBILITY OF SUCH DAMAGE.
if [ ${OPTIONFILE-X} = X ]; then
- WORKDIR=/tmp/`date +%s`.$$
+ TMPDIR=`mktemp -p /tmp/ -d named-bootconf.XXXXXXXXXX` || exit 1
+ WORKDIR=$TMPDIR/`date +%s`.$$
+ TMPDIR=`mktemp -p /tmp/ -d named-bootconf.XXXXXXXXXX` || exit 1
+ WORKDIR=$TMPDIR/`date +%s`.$$
( umask 077 ; mkdir $WORKDIR ) || {
echo "unable to create work directory '$WORKDIR'" >&2
exit 1
@@ -292,7 +293,7 @@ if [ $DUMP -eq 1 ]; then
@@ -293,7 +294,7 @@ if [ $DUMP -eq 1 ]; then
cat $ZONEFILE $COMMENTFILE
rm -f $OPTIONFILE $ZONEFILE $COMMENTFILE

View File

@ -1,30 +0,0 @@
Index: bin/tests/t_api.pl
===================================================================
--- bin/tests/t_api.pl.orig 2017-07-24 07:36:50.000000000 +0200
+++ bin/tests/t_api.pl 2017-08-15 10:29:56.969817140 +0200
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl
+#!/usr/bin/perl
#
# Copyright (C) 1999-2001, 2004, 2007, 2012, 2016 Internet Systems Consortium, Inc. ("ISC")
#
Index: contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl
===================================================================
--- contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl.orig 2017-07-24 07:36:50.000000000 +0200
+++ contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl 2017-08-15 10:29:56.969817140 +0200
@@ -1,4 +1,4 @@
-#! /usr/local/bin/perl -w
+#! /usr/bin/perl -w
# $Id: generate_nameprep_data.pl,v 1.1 2003/06/04 00:27:54 marka Exp $
#
# Copyright (c) 2001 Japan Network Information Center. All rights reserved.
Index: contrib/idn/idnkit-1.0-src/util/generate_normalize_data.pl
===================================================================
--- contrib/idn/idnkit-1.0-src/util/generate_normalize_data.pl.orig 2017-07-24 07:36:50.000000000 +0200
+++ contrib/idn/idnkit-1.0-src/util/generate_normalize_data.pl 2017-08-15 10:29:56.969817140 +0200
@@ -1,4 +1,4 @@
-#! /usr/local/bin/perl -w
+#! /usr/bin/perl -w
# $Id: generate_normalize_data.pl,v 1.1 2003/06/04 00:27:55 marka Exp $
#
# Copyright (c) 2000,2001 Japan Network Information Center.

View File

@ -1,8 +1,21 @@
Index: bin/check/Makefile.in
Index: bind-9.14.7/bin/Makefile.in
===================================================================
--- bin/check/Makefile.in.orig
+++ bin/check/Makefile.in
@@ -48,8 +48,12 @@ HTMLPAGES = named-checkconf.html named-c
--- bind-9.14.7.orig/bin/Makefile.in
+++ bind-9.14.7/bin/Makefile.in
@@ -15,4 +15,8 @@ SUBDIRS = named rndc dig delv dnssec too
@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests
TARGETS =
+EXT_CFLAGS = -fPIE -static
+
@BIND9_MAKE_RULES@
+
+LDFLAGS += -pie
Index: bind-9.14.7/bin/check/Makefile.in
===================================================================
--- bind-9.14.7.orig/bin/check/Makefile.in
+++ bind-9.14.7/bin/check/Makefile.in
@@ -51,8 +51,12 @@ HTMLPAGES = named-checkconf.html named-c
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@ -15,11 +28,11 @@ Index: bin/check/Makefile.in
named-checkconf.@O@: named-checkconf.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
Index: bin/confgen/Makefile.in
Index: bind-9.14.7/bin/confgen/Makefile.in
===================================================================
--- bin/confgen/Makefile.in.orig
+++ bin/confgen/Makefile.in
@@ -56,8 +56,12 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
--- bind-9.14.7.orig/bin/confgen/Makefile.in
+++ bind-9.14.7/bin/confgen/Makefile.in
@@ -61,8 +61,12 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
UOBJS = unix/os.@O@
@ -32,11 +45,11 @@ Index: bin/confgen/Makefile.in
rndc-confgen.@O@: rndc-confgen.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
Index: bin/confgen/unix/Makefile.in
Index: bind-9.14.7/bin/confgen/unix/Makefile.in
===================================================================
--- bin/confgen/unix/Makefile.in.orig
+++ bin/confgen/unix/Makefile.in
@@ -24,4 +24,8 @@ SRCS = os.c
--- bind-9.14.7.orig/bin/confgen/unix/Makefile.in
+++ bind-9.14.7/bin/confgen/unix/Makefile.in
@@ -25,4 +25,8 @@ SRCS = os.c
TARGETS = ${OBJS}
@ -45,28 +58,30 @@ Index: bin/confgen/unix/Makefile.in
@BIND9_MAKE_RULES@
+
+LDFLAGS += -pie
Index: bin/dig/Makefile.in
Index: bind-9.14.7/bin/dig/Makefile.in
===================================================================
--- bin/dig/Makefile.in.orig
+++ bin/dig/Makefile.in
@@ -61,8 +61,12 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
--- bind-9.14.7.orig/bin/dig/Makefile.in
+++ bind-9.14.7/bin/dig/Makefile.in
@@ -62,10 +62,14 @@ HTMLPAGES = dig.html host.html nslookup.
EXT_CFLAGS = -DWITH_LIBIDN
MANOBJS = ${MANPAGES} ${HTMLPAGES}
+EXT_CFLAGS = -fPIE -static
+
@BIND9_MAKE_RULES@
LDFLAGS = @LDFLAGS@ @LIBIDN2_LDFLAGS@
+LDFLAGS += -pie
+
dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \
export LIBS0="${DNSLIBS}"; \
Index: bin/dnssec/Makefile.in
export LIBS0="${DNSLIBS} ${IRSLIBS}"; \
Index: bind-9.14.7/bin/dnssec/Makefile.in
===================================================================
--- bin/dnssec/Makefile.in.orig
+++ bin/dnssec/Makefile.in
@@ -56,8 +56,12 @@ HTMLPAGES = dnssec-dsfromkey.html dnssec
--- bind-9.14.7.orig/bin/dnssec/Makefile.in
+++ bind-9.14.7/bin/dnssec/Makefile.in
@@ -59,8 +59,12 @@ HTMLPAGES = dnssec-cds.html dnssec-dsfro
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@ -76,27 +91,14 @@ Index: bin/dnssec/Makefile.in
+LDFLAGS += -pie
+
dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \
${FINALBUILDCMD}
Index: bin/Makefile.in
Index: bind-9.14.7/bin/named/Makefile.in
===================================================================
--- bin/Makefile.in.orig
+++ bin/Makefile.in
@@ -14,4 +14,8 @@ SUBDIRS = named rndc dig delv dnssec too
check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@
TARGETS =
+EXT_CFLAGS = -fPIE -static
+
@BIND9_MAKE_RULES@
+
+LDFLAGS += -pie
Index: bin/named/Makefile.in
===================================================================
--- bin/named/Makefile.in.orig
+++ bin/named/Makefile.in
@@ -108,8 +108,12 @@ HTMLPAGES = named.html lwresd.html named
--- bind-9.14.7.orig/bin/named/Makefile.in
+++ bind-9.14.7/bin/named/Makefile.in
@@ -117,8 +117,12 @@ HTMLPAGES = named.html named.conf.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@ -109,22 +111,24 @@ Index: bin/named/Makefile.in
main.@O@: main.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
Index: bin/named/unix/Makefile.in
Index: bind-9.14.7/bin/named/unix/Makefile.in
===================================================================
--- bin/named/unix/Makefile.in.orig
+++ bin/named/unix/Makefile.in
@@ -25,4 +25,6 @@ SRCS = os.c dlz_dlopen_driver.c
--- bind-9.14.7.orig/bin/named/unix/Makefile.in
+++ bind-9.14.7/bin/named/unix/Makefile.in
@@ -26,4 +26,8 @@ SRCS = os.c dlz_dlopen_driver.c
TARGETS = ${OBJS}
+EXT_CFLAGS = -fPIE -static
+
@BIND9_MAKE_RULES@
Index: bin/nsupdate/Makefile.in
+
+LDFLAGS += -pie
Index: bind-9.14.7/bin/nsupdate/Makefile.in
===================================================================
--- bin/nsupdate/Makefile.in.orig
+++ bin/nsupdate/Makefile.in
@@ -60,8 +60,12 @@ HTMLPAGES = nsupdate.html
--- bind-9.14.7.orig/bin/nsupdate/Makefile.in
+++ bind-9.14.7/bin/nsupdate/Makefile.in
@@ -64,8 +64,12 @@ HTMLPAGES = nsupdate.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@ -137,11 +141,11 @@ Index: bin/nsupdate/Makefile.in
nsupdate.@O@: nsupdate.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DSESSION_KEYFILE=\"${localstatedir}/run/named/session.key\" \
Index: bin/rndc/Makefile.in
Index: bind-9.14.7/bin/rndc/Makefile.in
===================================================================
--- bin/rndc/Makefile.in.orig
+++ bin/rndc/Makefile.in
@@ -50,8 +50,12 @@ HTMLPAGES = rndc.html rndc.conf.html
--- bind-9.14.7.orig/bin/rndc/Makefile.in
+++ bind-9.14.7/bin/rndc/Makefile.in
@@ -51,8 +51,12 @@ HTMLPAGES = rndc.html rndc.conf.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@ -154,11 +158,11 @@ Index: bin/rndc/Makefile.in
rndc.@O@: rndc.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
Index: bin/tools/Makefile.in
Index: bind-9.14.7/bin/tools/Makefile.in
===================================================================
--- bin/tools/Makefile.in.orig
+++ bin/tools/Makefile.in
@@ -60,8 +60,12 @@ HTMLPAGES = arpaname.html dnstap-read.ht
--- bind-9.14.7.orig/bin/tools/Makefile.in
+++ bind-9.14.7/bin/tools/Makefile.in
@@ -61,8 +61,12 @@ HTMLPAGES = arpaname.html dnstap-read.ht
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@ -171,36 +175,3 @@ Index: bin/tools/Makefile.in
arpaname@EXEEXT@: arpaname.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
-o $@ arpaname.@O@ ${ISCLIBS} ${LIBS}
Index: contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in
===================================================================
--- contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in.orig
+++ contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in
@@ -68,8 +68,8 @@ IDNLIB = ../../lib/libidnkit.la
INCS = -I$(srcdir) -I$(srcdir)/../../include -I../../include $(ICONVINC)
DEFS =
-CFLAGS = $(INCS) $(DEFS) @CPPFLAGS@ @CFLAGS@
-LDFLAGS = @LDFLAGS@
+CFLAGS = $(INCS) $(DEFS) @CPPFLAGS@ @CFLAGS@ -fPIE
+LDFLAGS = @LDFLAGS@ -pie
SRCS = idnconv.c util.c selectiveencode.c
OBJS = idnconv.o util.o selectiveencode.o
Index: contrib/zkt-1.1.3/Makefile.in
===================================================================
--- contrib/zkt-1.1.3/Makefile.in.orig
+++ contrib/zkt-1.1.3/Makefile.in
@@ -13,11 +13,11 @@ PROFILE = # -pg
OPTIM = # -O3 -DNDEBUG
#CFLAGS ?= @CFLAGS@ @DEFS@ -I@top_srcdir@
-CFLAGS += -g @DEFS@ -I@top_srcdir@
+CFLAGS += -g @DEFS@ -I@top_srcdir@ -fPIE
CFLAGS += -Wall #-DDBG
CFLAGS += -Wmissing-prototypes
CFLAGS += $(PROFILE) $(OPTIM)
-LDFLAGS += $(PROFILE)
+LDFLAGS += $(PROFILE) -fPIE -pie
LIBS = @LIBS@
PROJECT = @PACKAGE_TARNAME@