Commit 9308e5b9 authored by Natanael Copa's avatar Natanael Copa

main/bind: security upgrade to 9.12.4_p1 (CVE-2018-5743,CVE-2019-6467)

This release introduced 3 new tools with a python dependency
(dnssec-checkdns, dnssec-coverage and dnssec-keymgr). Move those tools
to a subpackage, bind-dnssec-tools, to avoid unexpectedly pulling in python
as a dependency for stable upgraders.

There are other tools in bind-tools that belong in bind-dnssec-tools,
but we don't move those in a stable branch to avoid breaking things for
current users.

Include patch to fix build on non-x86:
https://gitlab.isc.org/isc-projects/bind9/commit/d72f436b7d7c697b262968c48c2d7643069ab17f
https://lists.isc.org/pipermail/bind-users/2019-April/101673.html

fixes #10369
parent 3ed9f1c2
......@@ -3,7 +3,7 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=bind
pkgver=9.12.3_p4
pkgver=9.12.4_p1
_ver=${pkgver%_p*}
_p=${pkgver#*_p}
_major=${pkgver%%.*}
......@@ -19,10 +19,14 @@ options="!check"
license="MPL-2.0"
pkgusers="named"
pkggroups="named"
makedepends="bash libressl-dev libcap-dev perl linux-headers bsd-compat-headers libxml2-dev json-c-dev"
_py3deps="python3 py3-ply"
makedepends="bash libressl-dev libcap-dev perl linux-headers bsd-compat-headers libxml2-dev
json-c-dev $_py3deps"
install="$pkgname.pre-install"
subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-openrc $pkgname-tools"
subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-openrc $pkgname-tools
py3-$pkgname:_py3 $pkgname-dnssec-tools:_dnssec_tools"
source="https://ftp.isc.org/isc/${pkgname}${_major}/$_ver/$pkgname-$_ver.tar.gz
Replace-atomic-operations.patch
bind.so_bsdcompat.patch
named.initd
named.confd
......@@ -35,6 +39,9 @@ source="https://ftp.isc.org/isc/${pkgname}${_major}/$_ver/$pkgname-$_ver.tar.gz
builddir="$srcdir/$pkgname-$_ver"
# secfixes:
# 9.12.4_p1-r0:
# - CVE-2018-5743
# - CVE-2019-6467
# 9.12.3_p4-r0:
# - CVE-2019-6465
# - CVE-2018-5745
......@@ -129,6 +136,21 @@ package() {
ln -s named.ca root.cache
}
_py3() {
pkgdesc="A module allowing rndc commands to be sent from Python programs"
depends="$_py3deps"
mkdir -p "$subpkgdir"/usr/lib
mv "$pkgdir"/usr/lib/python3* "$subpkgdir"/usr/lib/
}
_dnssec_tools() {
pkgdesc="Utilities for DNSSEC keys and DNS zone files management"
depends="py3-$pkgname=$pkgver-r$pkgrel"
mkdir -p "$subpkgdir"/usr/sbin
mv "$pkgdir"/usr/sbin/dnssec* \
"$subpkgdir"/usr/sbin/
}
tools() {
pkgdesc="The ISC DNS tools"
install=""
......@@ -140,12 +162,26 @@ tools() {
done
mkdir -p "$subpkgdir"/usr/sbin
for i in "$pkgdir"/usr/sbin/dnssec-*; do
mv "$i" "$subpkgdir"/usr/sbin
# keep those in -tools subpackage for for backwards compatibility
# in stable branches
for i in \
dnssec-cds \
dnssec-dsfromkey \
dnssec-importkey \
dnssec-keyfromlabel \
dnssec-keygen \
dnssec-revoke \
dnssec-settime \
dnssec-signzone \
dnssec-verify \
; do
mv "$pkgdir"/usr/sbin/$i "$subpkgdir"/usr/sbin
done
}
sha512sums="42c41f47a0282dc08ee875fe098ce84b26384dba5efbaf99b557d34c4271e0d6aac70126f280a3ee157e8604cce16901c8cd51fab791dec82f4a3d00c054f363 bind-9.12.3-P4.tar.gz
sha512sums="1c07f6e10cb9fd499c4231e8290da94da1f5f4294c664635eac82bdb10be9a01119208fe2c15f5d28f50e3c2cdec7b553851b7676b65792f3f21de071587297d bind-9.12.4-P1.tar.gz
d3b0329f48bd296988d8854ec4c7738c611d96e13c0439326a9cf801bc41a9504b1e0673f06fd66c5e36949192c6968d512d53a91d5d5fa96783c8b2c6ec88e3 Replace-atomic-operations.patch
7167dccdb2833643dfdb92994373d2cc087e52ba23b51bd68bd322ff9aca6744f01fa9d8a4b9cd8c4ce471755a85c03ec956ec0d8a1d4fae02124ddbed6841f6 bind.so_bsdcompat.patch
196c0a3b43cf89e8e3547d7fb63a93ff9a3306505658dfd9aa78e6861be6b226580b424dd3dd44b955b2d9f682b1dc62c457f3ac29ce86200ef070140608c015 named.initd
127bdcc0b5079961f0951344bc3fad547450c81aee2149eac8c41a8c0c973ea0ffe3f956684c6fcb735a29c43d2ff48c153b6a71a0f15757819a72c492488ddf named.confd
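Review bot: The glob `mv "$pkgdir"/usr/sbin/dnssec* "$subpkgdir"/usr/sbin/` in `_dnssec_tools()` only picks up the three python-based tools because `tools()` has already moved the nine explicitly listed dnssec-* binaries out of `$pkgdir`, and nothing in the function says so. That holds as far as abuild runs the subpackage functions in the order given in `subpackages` (here `$pkgname-tools` precedes `$pkgname-dnssec-tools:_dnssec_tools`); reordering that variable would either move every dnssec-* tool into the python-dependent package or make the per-file `mv` loop in `tools()` fail. A comment above the `mv` would make the ordering dependency explicit: `# must run after tools(): only the python-based dnssec-* tools are left in $pkgdir by now`.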
From d72f436b7d7c697b262968c48c2d7643069ab17f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Wed, 17 Apr 2019 15:22:27 +0200
Subject: [PATCH] Replace atomic operations in bin/named/client.c with
isc_refcount reference counting
(cherry picked from commit ef49780d30d3ddc5735cfc32561b678a634fa72f)
---
lib/ns/client.c | 18 +++++++-----------
lib/ns/include/ns/interfacemgr.h | 5 +++--
lib/ns/interfacemgr.c | 7 +++++--
3 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/lib/ns/client.c b/lib/ns/client.c
index d8ab3ce9c6..24f4f830d9 100644
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -428,12 +428,10 @@ tcpconn_detach(ns_client_t *client) {
static void
mark_tcp_active(ns_client_t *client, bool active) {
if (active && !client->tcpactive) {
- isc_atomic_xadd(&client->interface->ntcpactive, 1);
+ isc_refcount_increment0(&client->interface->ntcpactive, NULL);
client->tcpactive = active;
} else if (!active && client->tcpactive) {
- uint32_t old =
- isc_atomic_xadd(&client->interface->ntcpactive, -1);
- INSIST(old > 0);
+ isc_refcount_decrement(&client->interface->ntcpactive, NULL);
client->tcpactive = active;
}
}
@@ -580,7 +578,7 @@ exit_check(ns_client_t *client) {
if (client->mortal && TCP_CLIENT(client) &&
client->newstate != NS_CLIENTSTATE_FREED &&
(client->sctx->options & NS_SERVER_CLIENTTEST) == 0 &&
- isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
+ isc_refcount_current(&client->interface->ntcpaccepting) == 0)
{
/* Nobody else is accepting */
client->mortal = false;
@@ -3306,7 +3304,6 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
ns_client_t *client = event->ev_arg;
isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
dns_aclenv_t *env = ns_interfacemgr_getaclenv(client->interface->mgr);
- uint32_t old;
REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
REQUIRE(NS_CLIENT_VALID(client));
@@ -3326,8 +3323,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
INSIST(client->naccepts == 1);
client->naccepts--;
- old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
- INSIST(old > 0);
+ isc_refcount_decrement(&client->interface->ntcpaccepting, NULL);
/*
* We must take ownership of the new socket before the exit
@@ -3457,8 +3453,8 @@ client_accept(ns_client_t *client) {
* quota is tcp-clients plus the number of listening
* interfaces plus 1.)
*/
- exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
- (client->tcpactive ? 1 : 0));
+ exit = (isc_refcount_current(&client->interface->ntcpactive) >
+ (client->tcpactive ? 1U : 0U));
if (exit) {
client->newstate = NS_CLIENTSTATE_INACTIVE;
(void)exit_check(client);
@@ -3516,7 +3512,7 @@ client_accept(ns_client_t *client) {
* listening for connections itself to prevent the interface
* going dead.
*/
- isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
+ isc_refcount_increment0(&client->interface->ntcpaccepting, NULL);
}
static void
diff --git a/lib/ns/include/ns/interfacemgr.h b/lib/ns/include/ns/interfacemgr.h
index 24552ed353..6bbb0e67f3 100644
--- a/lib/ns/include/ns/interfacemgr.h
+++ b/lib/ns/include/ns/interfacemgr.h
@@ -45,6 +45,7 @@
#include <isc/magic.h>
#include <isc/mem.h>
#include <isc/socket.h>
+#include <isc/refcount.h>
#include <dns/geoip.h>
#include <dns/result.h>
@@ -76,11 +77,11 @@ struct ns_interface {
/*%< UDP dispatchers. */
isc_socket_t * tcpsocket; /*%< TCP socket. */
isc_dscp_t dscp; /*%< "listen-on" DSCP value */
- int32_t ntcpaccepting; /*%< Number of clients
+ isc_refcount_t ntcpaccepting; /*%< Number of clients
ready to accept new
TCP connections on this
interface */
- int32_t ntcpactive; /*%< Number of clients
+ isc_refcount_t ntcpactive; /*%< Number of clients
servicing TCP queries
(whether accepting or
connected) */
diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c
index 5f9cd8c0b9..e4e9b5e10d 100644
--- a/lib/ns/interfacemgr.c
+++ b/lib/ns/interfacemgr.c
@@ -429,8 +429,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
* connections will be handled in parallel even though there is
* only one client initially.
*/
- ifp->ntcpaccepting = 0;
- ifp->ntcpactive = 0;
+ isc_refcount_init(&ifp->ntcpaccepting, 0);
+ isc_refcount_init(&ifp->ntcpactive, 0);
ifp->nudpdispatch = 0;
@@ -663,6 +663,9 @@ ns_interface_destroy(ns_interface_t *ifp) {
ns_interfacemgr_detach(&ifp->mgr);
+ isc_refcount_destroy(&ifp->ntcpactive);
+ isc_refcount_destroy(&ifp->ntcpaccepting);
+
ifp->magic = 0;
isc_mem_put(mctx, ifp, sizeof(*ifp));
}
--
2.18.1
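Review bot: The backport drops the explicit underflow assertions the old code carried: `INSIST(old > 0)` after the ntcpactive decrement in mark_tcp_active (first client.c hunk) and after the ntcpaccepting decrement in client_newconn (fourth client.c hunk) are replaced by bare `isc_refcount_decrement(..., NULL)` calls, and passing NULL means the post-decrement value is no longer observed at all. Whether the invariant is still enforced depends on isc_refcount_decrement asserting on a zero count internally in this 9.12 tree, which the patch does not show; if it does not, an extra detach would wrap the unsigned TCP quota counters, and the comparison in client_accept (`isc_refcount_current(&client->interface->ntcpactive) > (client->tcpactive ? 1U : 0U)`) would then keep refusing new TCP clients on that interface. Since this is a cherry-pick of upstream d72f436b the fix, if one is needed, belongs upstream rather than in a local edit, but a sentence in the patch description recording that isc_refcount_decrement was checked to INSIST on underflow (or that it does not, and why that is acceptable) would spare the next maintainer the same audit.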