From: "Amitai Schleier" <schmonz@netbsd.org>
Subject: CVS commit: pkgsrc/net/djbdns
To: pkgsrc-changes@NetBSD.org
Date: Fri, 28 Sep 2018 20:36:24 +0000
Message-Id: <20180928203624.B6546FBEE@cvs.NetBSD.org>

Module Name:    pkgsrc
Committed By:   schmonz
Date:           Fri Sep 28 20:36:24 UTC 2018

Modified Files:
        pkgsrc/net/djbdns: Makefile distinfo options.mk
        pkgsrc/net/djbdns/patches: patch-response.c
Added Files:
        pkgsrc/net/djbdns/files: patch-mergequeries patch-mergequeries-boundscheck
Removed Files:
        pkgsrc/net/djbdns/files: patch-qmerge2

Log Message:
Rename 'djbdns-qmerge2' option to 'djbdns-mergequeries', still enabled by
default. Deprecate 'djbdns-qmerge1'.

When applying the 'djbdns-mergequeries' patch, also apply a missing bounds
check. Patch from Tim Stewart on dns@list.cr.yp.to.

Bump PKGREVISION.

To generate a diff of this commit:
cvs rdiff -u -r1.66 -r1.67 pkgsrc/net/djbdns/Makefile
cvs rdiff -u -r1.26 -r1.27 pkgsrc/net/djbdns/distinfo
cvs rdiff -u -r1.19 -r1.20 pkgsrc/net/djbdns/options.mk
cvs rdiff -u -r0 -r1.1 pkgsrc/net/djbdns/files/patch-mergequeries \
    pkgsrc/net/djbdns/files/patch-mergequeries-boundscheck
cvs rdiff -u -r1.2 -r0 pkgsrc/net/djbdns/files/patch-qmerge2
cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/djbdns/patches/patch-response.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
--_----------=_1538166984108580 Content-Disposition: inline Content-Length: 14257 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/net/djbdns/Makefile diff -u pkgsrc/net/djbdns/Makefile:1.66 pkgsrc/net/djbdns/Makefile:1.67 --- pkgsrc/net/djbdns/Makefile:1.66 Mon Jun 18 10:44:38 2018 +++ pkgsrc/net/djbdns/Makefile Fri Sep 28 20:36:24 2018 @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.66 2018/06/18 10:44:38 schmonz Exp $ +# $NetBSD: Makefile,v 1.67 2018/09/28 20:36:24 schmonz Exp $ DISTNAME= djbdns-1.05 -PKGREVISION= 13 +PKGREVISION= 14 CATEGORIES= net MASTER_SITES= http://cr.yp.to/djbdns/ DISTFILES= ${DISTNAME}${EXTRACT_SUFX} ${MANPAGES} Index: pkgsrc/net/djbdns/distinfo diff -u pkgsrc/net/djbdns/distinfo:1.26 pkgsrc/net/djbdns/distinfo:1.27 --- pkgsrc/net/djbdns/distinfo:1.26 Mon Jun 18 10:44:38 2018 +++ pkgsrc/net/djbdns/distinfo Fri Sep 28 20:36:24 2018 @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.26 2018/06/18 10:44:38 schmonz Exp $ +$NetBSD: distinfo,v 1.27 2018/09/28 20:36:24 schmonz Exp $ SHA1 (djbdns-1.05.tar.gz) = 2efdb3a039d0c548f40936aa9cb30829e0ce8c3d RMD160 (djbdns-1.05.tar.gz) = a832cbfd93e4ccec6a565492a4ee0b3c1b4b68ed 
@@ -20,16 +20,8 @@ SHA1 (djbdns-cachestats.patch) = ab0b283 RMD160 (djbdns-cachestats.patch) = e09994d84573e781ce18b59f909f8bd013de5d8e SHA512 (djbdns-cachestats.patch) = e78b6a8fc43f94e5bc5971d85f952ef9cac4fa827b00036994fa51dcebb9c9755c36488ac24a9ec7b92097a38938191147faf8cce84a9e636072684db28a2e62 Size (djbdns-cachestats.patch) = 2341 bytes -SHA1 (0001-dnscache-merge-similar-outgoing-queries.patch) = 8dd3ce7758d3a97cafbe6a60ea83f48e916f496d -RMD160 (0001-dnscache-merge-similar-outgoing-queries.patch) = c416dd6575819cfd40ef0d306ccb14d34a5afc90 -SHA512 (0001-dnscache-merge-similar-outgoing-queries.patch) = cbec128b021a341c68906289ca02d3a7fe088c8b3835f2ae3dbb581ad6520712eb344d66e11bb82368dbca2e93e46facd4e10d121fc091099b3a7bfd5e6d081e -Size (0001-dnscache-merge-similar-outgoing-queries.patch) = 9914 bytes -SHA1 (0002-dnscache-cache-soa-records.patch) = ac9b6a62c62588205cc4dc71da4e0ad6630f9635 -RMD160 (0002-dnscache-cache-soa-records.patch) = 0b58e57bc11b36113c5fef73a64c869895f83889 -SHA512 (0002-dnscache-cache-soa-records.patch) = f65ca7dfc8e85f469f22d72a1c79126c35243dc077abf4b688eb7d057f19456dc8a3665f558a8a3c1908f96fa1838792aa1bc317d2e89f4953020828c05926e6 -Size (0002-dnscache-cache-soa-records.patch) = 2944 bytes SHA1 (patch-Makefile) = 0dffb59090ccb4977c65885f062eb37255ccd0d9 SHA1 (patch-dnscache-conf.c) = 873897ad6b97baff363874a6a79c8da44383c283 SHA1 (patch-dnsroots.global) = 183964d516e08c46773847fe542f5a502ec2edcf SHA1 (patch-hier.c) = 874af27489ad4597e213cfe05a7f2f919081db20 -SHA1 (patch-response.c) = 4f089b63664b7e4685b77fc55b287860c8c68229 +SHA1 (patch-response.c) = 24c8f3bc4b629dd04a0b83285eff4579750d92ff Index: pkgsrc/net/djbdns/options.mk diff -u pkgsrc/net/djbdns/options.mk:1.19 pkgsrc/net/djbdns/options.mk:1.20 --- pkgsrc/net/djbdns/options.mk:1.19 Mon Jun 18 10:44:38 2018 +++ pkgsrc/net/djbdns/options.mk Fri Sep 28 20:36:24 2018 
@@ -1,12 +1,14 @@ -# $NetBSD: options.mk,v 1.19 2018/06/18 10:44:38 schmonz Exp $ +# $NetBSD: options.mk,v 1.20 2018/09/28 20:36:24 schmonz Exp $ PKG_OPTIONS_VAR= PKG_OPTIONS.djbdns PKG_SUPPORTED_OPTIONS+= # inet6 PKG_SUPPORTED_OPTIONS+= djbdns-cachestats djbdns-ignoreip2 -PKG_SUPPORTED_OPTIONS+= djbdns-tinydns64 -PKG_OPTIONS_OPTIONAL_GROUPS= qmerge -PKG_OPTIONS_GROUP.qmerge= djbdns-qmerge1 djbdns-qmerge2 -PKG_SUGGESTED_OPTIONS+= djbdns-qmerge2 djbdns-tinydns64 +PKG_SUPPORTED_OPTIONS+= djbdns-mergequeries djbdns-tinydns64 +PKG_SUGGESTED_OPTIONS+= djbdns-mergequeries djbdns-tinydns64 + +# For users migrating from 2018Q2; remove compatibility after 2018Q3 is branched +PKG_OPTIONS_LEGACY_OPTS+= djbdns-qmerge1:djbdns-mergequeries +PKG_OPTIONS_LEGACY_OPTS+= djbdns-qmerge2:djbdns-mergequeries .include "../../mk/bsd.options.mk" 
@@ -35,22 +37,13 @@ PATCHFILES+= ${IGNOREIP2_PATCH} SITES.${IGNOREIP2_PATCH}= http://www.tinydns.org/ .endif -.if !empty(PKG_OPTIONS:Mdjbdns-qmerge1) -DNSCACHE_MERGE_PATCH= 0001-dnscache-merge-similar-outgoing-queries.patch -DNSCACHE_SOA_PATCH= 0002-dnscache-cache-soa-records.patch -PATCHFILES+= ${DNSCACHE_MERGE_PATCH} ${DNSCACHE_SOA_PATCH} -PATCH_DIST_STRIP.${DNSCACHE_MERGE_PATCH}= -p1 -PATCH_DIST_STRIP.${DNSCACHE_SOA_PATCH}= -p1 -SITES.${DNSCACHE_MERGE_PATCH}= http://www.your.org/dnscache/ -SITES.${DNSCACHE_SOA_PATCH}= http://www.your.org/dnscache/ -.endif - -.if !empty(PKG_OPTIONS:Mdjbdns-qmerge2) +.if !empty(PKG_OPTIONS:Mdjbdns-mergequeries) USE_TOOLS+= patch -post-patch: patch-qmerge2 -.PHONY: patch-qmerge2 -patch-qmerge2: - cd ${WRKSRC} && ${PATCH} ${PATCH_ARGS} < ${FILESDIR}/patch-qmerge2 +post-patch: patch-mergequeries +.PHONY: patch-mergequeries +patch-mergequeries: + cd ${WRKSRC} && ${PATCH} ${PATCH_ARGS} < ${FILESDIR}/patch-mergequeries + cd ${WRKSRC} && ${PATCH} ${PATCH_ARGS} < ${FILESDIR}/patch-mergequeries-boundscheck .endif .if !empty(PKG_OPTIONS:Mdjbdns-tinydns64) Index: pkgsrc/net/djbdns/patches/patch-response.c diff -u pkgsrc/net/djbdns/patches/patch-response.c:1.1 pkgsrc/net/djbdns/patches/patch-response.c:1.2 --- pkgsrc/net/djbdns/patches/patch-response.c:1.1 Fri May 26 15:16:45 2017 +++ pkgsrc/net/djbdns/patches/patch-response.c Fri Sep 28 20:36:24 2018 @@ -1,6 +1,7 @@ -$NetBSD: patch-response.c,v 1.1 2017/05/26 15:16:45 schmonz Exp $ +$NetBSD: patch-response.c,v 1.2 2018/09/28 20:36:24 schmonz Exp $ Fix the security hole found by Matthew Dempsky. +From DJB in --- response.c.orig 2001-02-11 16:11:45.000000000 -0500 +++ response.c Added files: Index: pkgsrc/net/djbdns/files/patch-mergequeries diff -u /dev/null pkgsrc/net/djbdns/files/patch-mergequeries:1.1 --- /dev/null Fri Sep 28 20:36:24 2018 +++ pkgsrc/net/djbdns/files/patch-mergequeries Fri Sep 28 20:36:24 2018 
@@ -0,0 +1,259 @@ +$NetBSD: patch-mergequeries,v 1.1 2018/09/28 20:36:24 schmonz Exp $ + +Address the dnscache poisoning weaknesses described in CVE-2008-4392. +From Jeff King in + +--- clients.h.orig 2009-04-21 23:43:02.000000000 -0400 ++++ clients.h +@@ -0,0 +1,7 @@ ++#ifndef CLIENTS_H ++#define CLIENTS_H ++ ++#define MAXUDP 200 ++#define MAXTCP 20 ++ ++#endif /* CLIENTS_H */ +--- dns.h.orig 2001-02-11 16:11:45.000000000 -0500 ++++ dns.h +@@ -4,6 +4,7 @@ + #include "stralloc.h" + #include "iopause.h" + #include "taia.h" ++#include "clients.h" + + #define DNS_C_IN "\0\1" + #define DNS_C_ANY "\0\377" +@@ -37,8 +38,14 @@ struct dns_transmit { + const char *servers; + char localip[4]; + char qtype[2]; ++ struct dns_transmit *master; ++ struct dns_transmit *slaves[MAXUDP]; ++ int nslaves; + } ; + ++extern void dns_enable_merge(void (*logger)(const char *, const char *, ++ const char *)); ++ + extern void dns_random_init(const char *); + extern unsigned int dns_random(unsigned int); + +--- dns_transmit.c.orig 2001-02-11 16:11:45.000000000 -0500 ++++ dns_transmit.c +@@ -7,6 +7,61 @@ + #include "byte.h" + #include "uint16.h" + #include "dns.h" ++#include "strerr.h" ++ ++static int merge_enable; ++static void (*merge_logger)(const char *, const char *, const char *); ++void dns_enable_merge(void (*f)(const char *, const char *, const char *)) ++{ ++ merge_enable = 1; ++ merge_logger = f; ++} ++ ++static int merge_equal(struct dns_transmit *a, struct dns_transmit *b) ++{ ++ const char *ip1 = a->servers + 4 * a->curserver; ++ const char *ip2 = b->servers + 4 * b->curserver; ++ return ++ byte_equal(ip1, 4, ip2) && ++ byte_equal(a->qtype, 2, b->qtype) && ++ dns_domain_equal(a->query + 14, b->query + 14); ++} ++ ++struct dns_transmit *inprogress[MAXUDP]; ++ ++static int try_merge(struct dns_transmit *d) ++{ ++ int i; ++ for (i = 0; i < MAXUDP; i++) { ++ if (!inprogress[i]) continue; ++ if (!merge_equal(d, inprogress[i])) continue; ++ d->master = inprogress[i]; ++ 
inprogress[i]->slaves[inprogress[i]->nslaves++] = d; ++ return 1; ++ } ++ return 0; ++} ++ ++static void register_inprogress(struct dns_transmit *d) ++{ ++ int i; ++ for (i = 0; i < MAXUDP; i++) { ++ if (!inprogress[i]) { ++ inprogress[i] = d; ++ return; ++ } ++ } ++ strerr_die1x(100, "BUG: out of inprogress slots"); ++} ++ ++static void unregister_inprogress(struct dns_transmit *d) ++{ ++ int i; ++ for (i = 0; i < MAXUDP; i++) { ++ if (inprogress[i] == d) ++ inprogress[i] = 0; ++ } ++} + + static int serverwantstcp(const char *buf,unsigned int len) + { +@@ -59,8 +114,28 @@ static void packetfree(struct dns_transm + d->packet = 0; + } + ++static void mergefree(struct dns_transmit *d) ++{ ++ int i; ++ if (merge_enable) ++ unregister_inprogress(d); ++ /* unregister us from our master */ ++ if (d->master) { ++ for (i = 0; i < d->master->nslaves; i++) ++ if (d->master->slaves[i] == d) ++ d->master->slaves[i] = 0; ++ } ++ /* and unregister all of our slaves from us */ ++ for (i = 0; i < d->nslaves; i++) { ++ if (d->slaves[i]) ++ d->slaves[i]->master = NULL; ++ } ++ d->nslaves = 0; ++} ++ + static void queryfree(struct dns_transmit *d) + { ++ mergefree(d); + if (!d->query) return; + alloc_free(d->query); + d->query = 0; +@@ -99,11 +174,18 @@ static int thisudp(struct dns_transmit * + const char *ip; + + socketfree(d); ++ mergefree(d); + + while (d->udploop < 4) { + for (;d->curserver < 16;++d->curserver) { + ip = d->servers + 4 * d->curserver; + if (byte_diff(ip,4,"\0\0\0\0")) { ++ if (merge_enable && try_merge(d)) { ++ if (merge_logger) ++ merge_logger(ip, d->qtype, d->query + 14); ++ return 0; ++ } ++ + d->query[2] = dns_random(256); + d->query[3] = dns_random(256); + +@@ -118,6 +200,8 @@ static int thisudp(struct dns_transmit * + taia_uint(&d->deadline,timeouts[d->udploop]); + taia_add(&d->deadline,&d->deadline,&now); + d->tcpstate = 0; ++ if (merge_enable) ++ register_inprogress(d); + return 0; + } + +@@ -226,8 +310,12 @@ void dns_transmit_io(struct dns_transmit + 
x->fd = d->s1 - 1; + + switch(d->tcpstate) { +- case 0: case 3: case 4: case 5: +- x->events = IOPAUSE_READ; ++ case 0: ++ if (d->master) return; ++ if (d->packet) { taia_now(deadline); return; } ++ /* otherwise, fall through */ ++ case 3: case 4: case 5: ++ x->events = IOPAUSE_READ; + break; + case 1: case 2: + x->events = IOPAUSE_WRITE; +@@ -244,10 +332,14 @@ int dns_transmit_get(struct dns_transmit + unsigned char ch; + int r; + int fd; ++ int i; + + errno = error_io; + fd = d->s1 - 1; + ++ if (d->tcpstate == 0 && d->master) return 0; ++ if (d->tcpstate == 0 && d->packet) return 1; ++ + if (!x->revents) { + if (taia_less(when,&d->deadline)) return 0; + errno = error_timeout; +@@ -279,6 +371,15 @@ have sent query to curserver on UDP sock + d->packet = alloc(d->packetlen); + if (!d->packet) { dns_transmit_free(d); return -1; } + byte_copy(d->packet,d->packetlen,udpbuf); ++ ++ for (i = 0; i < d->nslaves; i++) { ++ if (!d->slaves[i]) continue; ++ d->slaves[i]->packetlen = d->packetlen; ++ d->slaves[i]->packet = alloc(d->packetlen); ++ if (!d->slaves[i]->packet) { dns_transmit_free(d->slaves[i]); continue; } ++ byte_copy(d->slaves[i]->packet,d->packetlen,udpbuf); ++ } ++ + queryfree(d); + return 1; + } +--- dnscache.c.orig 2001-02-11 16:11:45.000000000 -0500 ++++ dnscache.c +@@ -54,7 +54,6 @@ uint64 numqueries = 0; + + static int udp53; + +-#define MAXUDP 200 + static struct udpclient { + struct query q; + struct taia start; +@@ -131,7 +130,6 @@ void u_new(void) + + static int tcp53; + +-#define MAXTCP 20 + struct tcpclient { + struct query q; + struct taia start; +@@ -435,6 +433,8 @@ int main() + response_hidettl(); + if (env_get("FORWARDONLY")) + query_forwardonly(); ++ if (env_get("MERGEQUERIES")) ++ dns_enable_merge(log_merge); + + if (!roots_init()) + strerr_die2sys(111,FATAL,"unable to read servers: "); +--- log.c.orig 2001-02-11 16:11:45.000000000 -0500 ++++ log.c +@@ -150,6 +150,12 @@ void log_tx(const char *q,const char qty + line(); + } + ++void 
log_merge(const char *addr, const char qtype[2], const char *q) ++{ ++ string("merge "); ip(addr); space(); logtype(qtype); space(); name(q); ++ line(); ++} ++ + void log_cachedanswer(const char *q,const char type[2]) + { + string("cached "); logtype(type); space(); +--- log.h.orig 2001-02-11 16:11:45.000000000 -0500 ++++ log.h +@@ -18,6 +18,7 @@ extern void log_cachednxdomain(const cha + extern void log_cachedns(const char *,const char *); + + extern void log_tx(const char *,const char *,const char *,const char *,unsigned int); ++extern void log_merge(const char *, const char *, const char *); + + extern void log_nxdomain(const char *,const char *,unsigned int); + extern void log_nodata(const char *,const char *,const char *,unsigned int); Index: pkgsrc/net/djbdns/files/patch-mergequeries-boundscheck diff -u /dev/null pkgsrc/net/djbdns/files/patch-mergequeries-boundscheck:1.1 --- /dev/null Fri Sep 28 20:36:24 2018 +++ pkgsrc/net/djbdns/files/patch-mergequeries-boundscheck Fri Sep 28 20:36:24 2018 @@ -0,0 +1,27 @@ +$NetBSD: patch-mergequeries-boundscheck,v 1.1 2018/09/28 20:36:24 schmonz Exp $ + +Add a missing bounds check to the MERGEQUERIES patch's try_merge(). +From Tim Stewart in + +--- dns_transmit.c.orig 2018-09-28 20:25:42.000000000 +0000 ++++ dns_transmit.c +@@ -35,6 +35,7 @@ static int try_merge(struct dns_transmit + for (i = 0; i < MAXUDP; i++) { + if (!inprogress[i]) continue; + if (!merge_equal(d, inprogress[i])) continue; ++ if (inprogress[i]->nslaves == MAXUDP) continue; + d->master = inprogress[i]; + inprogress[i]->slaves[inprogress[i]->nslaves++] = d; + return 1; +@@ -127,8 +128,10 @@ static void mergefree(struct dns_transmi + } + /* and unregister all of our slaves from us */ + for (i = 0; i < d->nslaves; i++) { +- if (d->slaves[i]) ++ if (d->slaves[i]) { + d->slaves[i]->master = NULL; ++ d->slaves[i] = 0; ++ } + } + d->nslaves = 0; + } --_----------=_1538166984108580--
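Review bot: in the options.mk hunk, the legacy mapping `djbdns-qmerge1:djbdns-mergequeries` silently moves users of the old qmerge1 option onto a different patch set: the removed block also dropped `0002-dnscache-cache-soa-records.patch` (`DNSCACHE_SOA_PATCH`), so those users lose SOA caching with no indication at build time. Suggest a short comment next to the `PKG_OPTIONS_LEGACY_OPTS` lines (or a MESSAGE entry) saying that qmerge1 is mapped to mergequeries and that the SOA-caching patch is no longer applied.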
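Review bot: in the dns.h hunk of patch-mergequeries, `struct dns_transmit *slaves[MAXUDP];` adds 200 pointers (`#define MAXUDP 200` in the new clients.h) to every `struct dns_transmit`, including those in djbdns programs that never call `dns_enable_merge()`, and makes the shared library header depend on a dnscache client limit via `#include "clients.h"`. Consider a merge-specific limit constant instead of `MAXUDP`, or allocating the slave table only once merging is enabled, so libdns does not carry dnscache's sizing.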
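Review bot: in the thisudp hunk (`@@ -99,11 +174,18 @@`), the `if (merge_enable && try_merge(d)) { ... return 0; }` branch returns before the `taia_uint(&d->deadline,timeouts[d->udploop]); taia_add(&d->deadline,&d->deadline,&now);` lines, so a merged slave keeps whatever deadline its struct last held. Because `thisudp()` now starts with `mergefree(d)` and `queryfree()` calls it too, a master that retries or is torn down before a reply arrives sets each slave's `master` to `NULL`, leaving that slave with `tcpstate == 0`, no packet and a stale deadline; `dns_transmit_get()` then only re-drives it through the `taia_less(when,&d->deadline)` timeout path. Suggest setting the slave's deadline in the merge branch (copying the master's is the obvious choice) so that fallback is deterministic.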
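Review bot: in the dns_transmit_get hunk (`@@ -279,6 +371,15 @@`), the `alloc` failure path calls `dns_transmit_free(d->slaves[i])`, which runs `queryfree()` and therefore `mergefree()` on the slave; that writes `d->master->slaves[i] = 0` into the very array this loop is iterating. It is correct only because the loop does `continue` immediately afterwards and never re-reads the slot, so a one-line comment stating that the free is expected to null the slot would save the next reader from having to trace the re-entrancy.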
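Review bot: in the try_merge hunk of patch-mergequeries-boundscheck, `if (inprogress[i]->nslaves == MAXUDP) continue;` does stop the write past the end of `slaves[MAXUDP]`, but the reason the table can fill is visible in the neighbouring `mergefree()` hunk: a departing slave only nulls its slot (`d->master->slaves[i] = 0`) and `nslaves` is never decremented, so a long-lived master accumulates dead entries and eventually refuses further merges until it completes. Suggest compacting on unregister (move `slaves[nslaves-1]` into the freed slot and decrement `nslaves`) so the limit is reached only when 200 live slaves exist, and writing the guard as `>=` for defensiveness.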