Thu May 3 18:32:02 2012 UTC ()
Pullup ticket #3764 - requested by taca
net/bind97: security patch

Revisions pulled up:
- net/bind97/Makefile                                           1.13
- net/bind97/distinfo                                           1.12
- net/bind97/patches/patch-lib_dns_resolver.c                   1.1

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Tue May  1 02:48:58 UTC 2012

   Modified Files:
   	pkgsrc/net/bind97: Makefile distinfo
   Added Files:
   	pkgsrc/net/bind97/patches: patch-lib_dns_resolver.c

   Log Message:
   Add a fix for a race condition in the resolver code that can cause a
   recursive nameserver to crash with a segmentation fault:
   <https://kb.isc.org/article/AA-00664>.

   Bump PKGREVISION.


(tron)
diff -r1.12 -r1.12.2.1 pkgsrc/net/bind97/Makefile
diff -r1.11 -r1.11.2.1 pkgsrc/net/bind97/distinfo
diff -r0 -r1.1.2.2 pkgsrc/net/bind97/patches/patch-lib_dns_resolver.c

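--- a/pkgsrc/net/bind97/Attic/Makefile
+++ b/pkgsrc/net/bind97/Attic/Makefile
@@ -1,82 +1,83 @@
-# $NetBSD: Makefile,v 1.12 2012/04/05 00:40:09 taca Exp $
+# $NetBSD: Makefile,v 1.12.2.1 2012/05/03 18:32:02 tron Exp $
 
 DISTNAME= bind-${BIND_VERSION}
 PKGNAME= ${DISTNAME:S/-P/pl/}
+PKGREVISION= 1
 CATEGORIES= net
 MASTER_SITES= ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/ \
  http://ftp.belnet.be/pub/mirror/ftp.isc.org/isc/bind9/${BIND_VERSION}/
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.isc.org/software/bind
 COMMENT= Version 9 of the Berkeley Internet Name Daemon, implementation of DNS
 
 CONFLICTS+= bind<9.7.0
 
 PKG_DESTDIR_SUPPORT= user-destdir
 
 MAKE_JOBS_SAFE= no
 
 BIND_VERSION= 9.7.5
 
 .include "../../mk/bsd.prefs.mk"
 
 BUILD_DEFS+= BIND_DIR VARBASE
 
 .include "options.mk"
 
 USE_TOOLS+= pax perl
 USE_LIBTOOL= yes
 GNU_CONFIGURE= yes
 #CONFIG_SHELL= sh -x
 
 CONFIGURE_ARGS+= --with-libtool
 CONFIGURE_ARGS+= --sysconfdir=/etc
 CONFIGURE_ARGS+= --localstatedir=${VARBASE:Q}
 CONFIGURE_ARGS+= --disable-openssl-version-check
 CONFIGURE_ARGS+= --with-openssl=${SSLBASE:Q}
 .if ${MACHINE_PLATFORM:MNetBSD-*-mipsel} != ""
 CONFIGURE_ARGS+= --disable-atomic
 .endif
 .if ${MACHINE_PLATFORM:MNetBSD-*-powerpc} != ""
 CONFIGURE_ARGS+= --disable-threads
 .endif
 .if ${OPSYS} == "DragonFly"
 CONFIGURE_ARGS+= --disable-kqueue
 .endif
 
 PKG_GROUPS_VARS+= BIND_GROUP
 PKG_USERS_VARS+= BIND_USER
 
 PKG_GROUPS= ${BIND_GROUP}
 PKG_USERS= ${BIND_USER}:${BIND_GROUP}
 
 PKG_GECOS.${BIND_USER}= Named pseudo-user
 PKG_HOME.${BIND_USER}= ${BIND_DIR}
 
 PTHREAD_OPTS+= native
 PTHREAD_AUTO_VARS= yes
 
 FILES_SUBST+= BIND_GROUP=${BIND_GROUP:Q} \
  BIND_USER=${BIND_USER:Q} PAX=${PAX:Q}
 MESSAGE_SUBST+= BIND_DIR=${BIND_DIR} BIND_USER=${BIND_USER}
 DOCDIR= ${DESTDIR}${PREFIX}/share/doc/bind9
 MISCDOC= dnssec ipv6 migration migration-4to9 options \
  rfc-compliance roadmap sdb
 
 # include/isc/ipv6.h is installed on non-ipv6 platforms
 PLIST_VARS+= inet6
 .if !empty(MISSING_FEATURES:Minet6)
 PLIST.inet6= yes
 .endif
 
 RCD_SCRIPTS= lwresd named9
 
 INSTALLATION_DIRS= ${DOCDIR} share/doc/bind9/arm share/doc/bind9/misc
 
 post-install:
  ${INSTALL_DATA} ${WRKSRC}/README ${DOCDIR}
  ${INSTALL_DATA} ${WRKSRC}/doc/arm/*.html ${DOCDIR}/arm
  cd ${WRKSRC}/doc/misc && ${INSTALL_DATA} ${MISCDOC} ${DOCDIR}/misc
 
 .include "../../security/openssl/buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"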

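--- a/pkgsrc/net/bind97/Attic/distinfo
+++ b/pkgsrc/net/bind97/Attic/distinfo
@@ -1,10 +1,11 @@
-$NetBSD: distinfo,v 1.11 2012/04/05 00:40:09 taca Exp $
+$NetBSD: distinfo,v 1.11.2.1 2012/05/03 18:32:02 tron Exp $
 
 SHA1 (bind-9.7.5.tar.gz) = d66705bb898340de88653892a75e0038c3dec86e
 RMD160 (bind-9.7.5.tar.gz) = 0186557e4d20b06c45939988b47dbf2cf600ae9b
 Size (bind-9.7.5.tar.gz) = 6848848 bytes
 SHA1 (patch-aa) = 6cec876c8caa7082f97365863f3f88c4f168da48
 SHA1 (patch-ab) = 9585a26a376d32f80ac8266eb7967c00b433f14d
 SHA1 (patch-ac) = ee4ca3d200b3d3f93b8ccfa2c6e51ab005b35a01
 SHA1 (patch-ad) = 29fb5c24ff3558f1621e93ea16419e32dbc695b7
 SHA1 (patch-ae) = 68b8155daa8f75081b6f8fd70ca23fda60506c64
+SHA1 (patch-lib_dns_resolver.c) = 1c0bc26a159219f65dc59429d395f7796a5165f6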

File Added: pkgsrc/net/bind97/patches/Attic/patch-lib_dns_resolver.c
$NetBSD: patch-lib_dns_resolver.c,v 1.1.2.2 2012/05/03 18:32:02 tron Exp $

Prevent segmentation fault in resolver.c: https://kb.isc.org/article/AA-00664

--- lib/dns/resolver.c.orig	2012-03-22 19:14:04.000000000 +0000
+++ lib/dns/resolver.c
@@ -2157,7 +2157,6 @@ fctx_finddone(isc_task_t *task, isc_even
 	isc_boolean_t want_try = ISC_FALSE;
 	isc_boolean_t want_done = ISC_FALSE;
 	isc_boolean_t bucket_empty = ISC_FALSE;
-	isc_boolean_t destroy = ISC_FALSE;
 	unsigned int bucketnum;
 
 	find = event->ev_sender;
@@ -2196,17 +2195,12 @@ fctx_finddone(isc_task_t *task, isc_even
 		}
 	} else if (SHUTTINGDOWN(fctx) && fctx->pending == 0 &&
 		   fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators)) {
-		/*
-		 * Note that we had to wait until we had the lock before
-		 * looking at fctx->references.
-		 */
+
 		if (fctx->references == 0)
-			destroy = ISC_TRUE;
+			bucket_empty = fctx_destroy(fctx);
 	}
 	UNLOCK(&res->buckets[bucketnum].lock);
 
-	if (destroy)
-		bucket_empty = fctx_destroy(fctx);
 	isc_event_free(&event);
 	dns_adb_destroyfind(&find);