mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-08 17:19:20 +00:00
Code Issues Projects Releases Wiki Activity

bind: 9.10.3-P3 -> 9.10.5-P3

Browse Source 
Upgrade bind from 9.10.3-P3 to 9.10.5-P3

* Update md5sum of LIC_FILES_CHKSUM that it update year in file COPYRIGHT
* Remvoe mips1-not-support-opcode.diff which has been merged
* Remove CVE patches that there are backported from upstream
* Use python3 for build and make sure install .py files to right directory

(From OE-Core rev: 9ee6a0a6599d081767b63382a576e67aed12cf4d)

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Kai Kang
2017-07-12 09:25:05 +08:00
committed by Richard Purdie
parent e6c05f57a5
commit 39f74e11fd
13 changed files with 61 additions and 2443 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch
+7 -3
View File
@@ -6,16 +6,20 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
Update context for version 9.10.3-P2.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Update context for version 9.10.5-P3.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
configure.in | 23 +++--------------------
1 file changed, 3 insertions(+), 20 deletions(-)
diff --git a/configure.in b/configure.in
index 0db826d..75819eb 100644
index 4da73a4..6f2a754 100644
--- a/configure.in
+++ b/configure.in
@@ -2107,26 +2107,9 @@ case "$use_libxml2" in
@@ -2282,26 +2282,9 @@ case "$use_libxml2" in
DST_LIBXML2_INC=""
;;
auto|yes)
@@ -25,7 +29,7 @@ index 0db826d..75819eb 100644
- libxml2_cflags=`xml2-config --cflags`
- ;;
- *)
- if test "$use_libxml2" = "yes" ; then
- if test "yes" = "$use_libxml2" ; then
- AC_MSG_RESULT(no)
- AC_MSG_ERROR(required libxml2 version not available)
- else
meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
-154
View File
@@ -1,154 +0,0 @@
From 70037e040e587329cec82123e12b9f4f7c945f67 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 18 Feb 2016 12:11:27 +1100
Subject: [PATCH] 4318. [security] Malformed control messages can
trigger assertions in named and rndc. (CVE-2016-1285)
[RT #41666]
(cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e)
CVE: CVE-2016-1285
Upstream-Status: Backport
[Removed doc/arm/notes.xml changes from upstream patch]
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
CHANGES | 3 +++
bin/named/control.c | 2 +-
bin/named/controlconf.c | 2 +-
bin/rndc/rndc.c | 8 ++++----
doc/arm/notes.xml | 11 +++++++++++
lib/isccc/cc.c | 14 +++++++-------
6 files changed, 27 insertions(+), 13 deletions(-)
diff --git a/CHANGES b/CHANGES
index b9bd9ef..2c727d5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4318. [security] Malformed control messages can trigger assertions
+ in named and rndc. (CVE-2016-1285) [RT #41666]
+
--- 9.10.3-P3 released ---
4288. [bug] Fixed a regression in resolver.c:possibly_mark()
diff --git a/bin/named/control.c b/bin/named/control.c
index 8554335..81340ca 100644
--- a/bin/named/control.c
+++ b/bin/named/control.c
@@ -69,7 +69,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
#endif
data = isccc_alist_lookup(message, "_data");
- if (data == NULL) {
+ if (!isccc_alist_alistp(data)) {
/*
* No data section.
*/
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
index 765afdd..a39ab8b 100644
--- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c
@@ -402,7 +402,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
* Limit exposure to replay attacks.
*/
_ctrl = isccc_alist_lookup(request, "_ctrl");
- if (_ctrl == NULL) {
+ if (!isccc_alist_alistp(_ctrl)) {
log_invalid(&conn->ccmsg, ISC_R_FAILURE);
goto cleanup_request;
}
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index cb17050..b6e05c8 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -255,8 +255,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
isccc_cc_fromwire(&source, &response, algorithm, &secret));
data = isccc_alist_lookup(response, "_data");
- if (data == NULL)
- fatal("no data section in response");
+ if (!isccc_alist_alistp(data))
+ fatal("bad or missing data section in response");
result = isccc_cc_lookupstring(data, "err", &errormsg);
if (result == ISC_R_SUCCESS) {
failed = ISC_TRUE;
@@ -321,8 +321,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
isccc_cc_fromwire(&source, &response, algorithm, &secret));
_ctrl = isccc_alist_lookup(response, "_ctrl");
- if (_ctrl == NULL)
- fatal("_ctrl section missing");
+ if (!isccc_alist_alistp(_ctrl))
+ fatal("bad or missing ctrl section in response");
nonce = 0;
if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS)
nonce = 0;
diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
index 47a3b74..2bb961e 100644
--- a/lib/isccc/cc.c
+++ b/lib/isccc/cc.c
@@ -403,13 +403,13 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
* Extract digest.
*/
_auth = isccc_alist_lookup(alist, "_auth");
- if (_auth == NULL)
+ if (!isccc_alist_alistp(_auth))
return (ISC_R_FAILURE);
if (algorithm == ISCCC_ALG_HMACMD5)
hmac = isccc_alist_lookup(_auth, "hmd5");
else
hmac = isccc_alist_lookup(_auth, "hsha");
- if (hmac == NULL)
+ if (!isccc_sexpr_binaryp(hmac))
return (ISC_R_FAILURE);
/*
* Compute digest.
@@ -728,7 +728,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
REQUIRE(ackp != NULL && *ackp == NULL);
_ctrl = isccc_alist_lookup(message, "_ctrl");
- if (_ctrl == NULL ||
+ if (!isccc_alist_alistp(_ctrl) ||
isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS)
return (ISC_R_FAILURE);
@@ -773,7 +773,7 @@ isccc_cc_isack(isccc_sexpr_t *message)
isccc_sexpr_t *_ctrl;
_ctrl = isccc_alist_lookup(message, "_ctrl");
- if (_ctrl == NULL)
+ if (!isccc_alist_alistp(_ctrl))
return (ISC_FALSE);
if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS)
return (ISC_TRUE);
@@ -786,7 +786,7 @@ isccc_cc_isreply(isccc_sexpr_t *message)
isccc_sexpr_t *_ctrl;
_ctrl = isccc_alist_lookup(message, "_ctrl");
- if (_ctrl == NULL)
+ if (!isccc_alist_alistp(_ctrl))
return (ISC_FALSE);
if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS)
return (ISC_TRUE);
@@ -806,7 +806,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
_ctrl = isccc_alist_lookup(message, "_ctrl");
_data = isccc_alist_lookup(message, "_data");
- if (_ctrl == NULL || _data == NULL ||
+ if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) ||
isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS)
return (ISC_R_FAILURE);
@@ -995,7 +995,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
isccc_sexpr_t *_ctrl;
_ctrl = isccc_alist_lookup(message, "_ctrl");
- if (_ctrl == NULL ||
+ if (!isccc_alist_alistp(_ctrl) ||
isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS ||
isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS)
return (ISC_R_FAILURE);
--
1.9.1
meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
-79
View File
@@ -1,79 +0,0 @@
From a3d327bf1ceaaeabb20223d8de85166e940b9f12 Mon Sep 17 00:00:00 2001
From: Mukund Sivaraman <muks@isc.org>
Date: Mon, 22 Feb 2016 12:22:43 +0530
Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling
(CVE-2016-1286) (#41753)
(cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673)
CVE: CVE-2016-1286
Upstream-Status: Backport
[Removed doc/arm/notes.xml changes from upstream patch.]
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
diff -ruN a/CHANGES b/CHANGES
--- a/CHANGES 2016-04-13 07:28:44.940873629 +0200
+++ b/CHANGES 2016-04-13 07:38:38.923167851 +0200
@@ -1,3 +1,7 @@
+4319. [security] Fix resolver assertion failure due to improper
+ DNAME handling when parsing fetch reply messages.
+ (CVE-2016-1286) [RT #41753]
+
4318. [security] Malformed control messages can trigger assertions
in named and rndc. (CVE-2016-1285) [RT #41666]
diff -ruN a/lib/dns/resolver.c b/lib/dns/resolver.c
--- a/lib/dns/resolver.c 2016-04-13 07:28:43.088953790 +0200
+++ b/lib/dns/resolver.c 2016-04-13 07:38:20.411968925 +0200
@@ -6967,21 +6967,26 @@
isc_boolean_t found_dname = ISC_FALSE;
dns_name_t *dname_name;
+ /*
+ * Only pass DNAME or RRSIG(DNAME).
+ */
+ if (rdataset->type != dns_rdatatype_dname &&
+ (rdataset->type != dns_rdatatype_rrsig ||
+ rdataset->covers != dns_rdatatype_dname))
+ continue;
+
+ /*
+ * If we're not chaining, then the DNAME and
+ * its signature should not be external.
+ */
+ if (!chaining && external) {
+ log_formerr(fctx, "external DNAME");
+ return (DNS_R_FORMERR);
+ }
+
found = ISC_FALSE;
aflag = 0;
if (rdataset->type == dns_rdatatype_dname) {
- /*
- * We're looking for something else,
- * but we found a DNAME.
- *
- * If we're not chaining, then the
- * DNAME should not be external.
- */
- if (!chaining && external) {
- log_formerr(fctx,
- "external DNAME");
- return (DNS_R_FORMERR);
- }
found = ISC_TRUE;
want_chaining = ISC_TRUE;
POST(want_chaining);
@@ -7010,9 +7015,7 @@
&fctx->domain)) {
return (DNS_R_SERVFAIL);
}
- } else if (rdataset->type == dns_rdatatype_rrsig
- && rdataset->covers ==
- dns_rdatatype_dname) {
+ } else {
/*
* We've found a signature that
* covers the DNAME.
meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch
-317
View File
@@ -1,317 +0,0 @@
From 7602be276a73a6eb5431c5acd9718e68a55e8b61 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 29 Feb 2016 07:16:48 +1100
Subject: [PATCH] Part 2 of: 4319. [security] Fix resolver assertion
failure due to improper DNAME handling when parsing
fetch reply messages. (CVE-2016-1286) [RT #41753]
CVE: CVE-2016-1286
Upstream-Status: Backport
(cherry picked from commit 2de89ee9de8c8da9dc153a754b02dcdbb7fe2374)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
lib/dns/resolver.c | 192 ++++++++++++++++++++++++++---------------------------
1 file changed, 93 insertions(+), 99 deletions(-)
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 70aba87..41e9df4 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6074,14 +6074,11 @@ cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) {
}
static inline isc_result_t
-dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname,
- dns_name_t *oname, dns_fixedname_t *fixeddname)
+dname_target(dns_rdataset_t *rdataset, dns_name_t *qname,
+ unsigned int nlabels, dns_fixedname_t *fixeddname)
{
isc_result_t result;
dns_rdata_t rdata = DNS_RDATA_INIT;
- unsigned int nlabels;
- int order;
- dns_namereln_t namereln;
dns_rdata_dname_t dname;
dns_fixedname_t prefix;
@@ -6096,21 +6093,6 @@ dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname,
if (result != ISC_R_SUCCESS)
return (result);
- /*
- * Get the prefix of qname.
- */
- namereln = dns_name_fullcompare(qname, oname, &order, &nlabels);
- if (namereln != dns_namereln_subdomain) {
- char qbuf[DNS_NAME_FORMATSIZE];
- char obuf[DNS_NAME_FORMATSIZE];
-
- dns_rdata_freestruct(&dname);
- dns_name_format(qname, qbuf, sizeof(qbuf));
- dns_name_format(oname, obuf, sizeof(obuf));
- log_formerr(fctx, "unrelated DNAME in answer: "
- "%s is not in %s", qbuf, obuf);
- return (DNS_R_FORMERR);
- }
dns_fixedname_init(&prefix);
dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL);
dns_fixedname_init(fixeddname);
@@ -6736,13 +6718,13 @@ static isc_result_t
answer_response(fetchctx_t *fctx) {
isc_result_t result;
dns_message_t *message;
- dns_name_t *name, *qname, tname, *ns_name;
+ dns_name_t *name, *dname, *qname, tname, *ns_name;
dns_rdataset_t *rdataset, *ns_rdataset;
isc_boolean_t done, external, chaining, aa, found, want_chaining;
isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
unsigned int aflag;
dns_rdatatype_t type;
- dns_fixedname_t dname, fqname;
+ dns_fixedname_t fdname, fqname;
dns_view_t *view;
FCTXTRACE("answer_response");
@@ -6770,10 +6752,15 @@ answer_response(fetchctx_t *fctx) {
view = fctx->res->view;
result = dns_message_firstname(message, DNS_SECTION_ANSWER);
while (!done && result == ISC_R_SUCCESS) {
+ dns_namereln_t namereln;
+ int order;
+ unsigned int nlabels;
+
name = NULL;
dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
- if (dns_name_equal(name, qname)) {
+ namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
+ if (namereln == dns_namereln_equal) {
wanted_chaining = ISC_FALSE;
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
@@ -6898,10 +6885,11 @@ answer_response(fetchctx_t *fctx) {
*/
INSIST(!external);
if (aflag ==
- DNS_RDATASETATTR_ANSWER)
+ DNS_RDATASETATTR_ANSWER) {
have_answer = ISC_TRUE;
- name->attributes |=
- DNS_NAMEATTR_ANSWER;
+ name->attributes |=
+ DNS_NAMEATTR_ANSWER;
+ }
rdataset->attributes |= aflag;
if (aa)
rdataset->trust =
@@ -6956,6 +6944,8 @@ answer_response(fetchctx_t *fctx) {
if (wanted_chaining)
chaining = ISC_TRUE;
} else {
+ dns_rdataset_t *dnameset = NULL;
+
/*
* Look for a DNAME (or its SIG). Anything else is
* ignored.
@@ -6963,10 +6953,8 @@ answer_response(fetchctx_t *fctx) {
wanted_chaining = ISC_FALSE;
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- isc_boolean_t found_dname = ISC_FALSE;
- dns_name_t *dname_name;
-
+ rdataset = ISC_LIST_NEXT(rdataset, link))
+ {
/*
* Only pass DNAME or RRSIG(DNAME).
*/
@@ -6980,20 +6968,41 @@ answer_response(fetchctx_t *fctx) {
* its signature should not be external.
*/
if (!chaining && external) {
- log_formerr(fctx, "external DNAME");
+ char qbuf[DNS_NAME_FORMATSIZE];
+ char obuf[DNS_NAME_FORMATSIZE];
+
+ dns_name_format(name, qbuf,
+ sizeof(qbuf));
+ dns_name_format(&fctx->domain, obuf,
+ sizeof(obuf));
+ log_formerr(fctx, "external DNAME or "
+ "RRSIG covering DNAME "
+ "in answer: %s is "
+ "not in %s", qbuf, obuf);
+ return (DNS_R_FORMERR);
+ }
+
+ if (namereln != dns_namereln_subdomain) {
+ char qbuf[DNS_NAME_FORMATSIZE];
+ char obuf[DNS_NAME_FORMATSIZE];
+
+ dns_name_format(qname, qbuf,
+ sizeof(qbuf));
+ dns_name_format(name, obuf,
+ sizeof(obuf));
+ log_formerr(fctx, "unrelated DNAME "
+ "in answer: %s is "
+ "not in %s", qbuf, obuf);
return (DNS_R_FORMERR);
}
- found = ISC_FALSE;
aflag = 0;
if (rdataset->type == dns_rdatatype_dname) {
- found = ISC_TRUE;
want_chaining = ISC_TRUE;
POST(want_chaining);
aflag = DNS_RDATASETATTR_ANSWER;
- result = dname_target(fctx, rdataset,
- qname, name,
- &dname);
+ result = dname_target(rdataset, qname,
+ nlabels, &fdname);
if (result == ISC_R_NOSPACE) {
/*
* We can't construct the
@@ -7005,14 +7014,12 @@ answer_response(fetchctx_t *fctx) {
} else if (result != ISC_R_SUCCESS)
return (result);
else
- found_dname = ISC_TRUE;
+ dnameset = rdataset;
- dname_name = dns_fixedname_name(&dname);
+ dname = dns_fixedname_name(&fdname);
if (!is_answertarget_allowed(view,
- qname,
- rdataset->type,
- dname_name,
- &fctx->domain)) {
+ qname, rdataset->type,
+ dname, &fctx->domain)) {
return (DNS_R_SERVFAIL);
}
} else {
@@ -7020,73 +7027,60 @@ answer_response(fetchctx_t *fctx) {
* We've found a signature that
* covers the DNAME.
*/
- found = ISC_TRUE;
aflag = DNS_RDATASETATTR_ANSWERSIG;
}
- if (found) {
+ /*
+ * We've found an answer to our
+ * question.
+ */
+ name->attributes |= DNS_NAMEATTR_CACHE;
+ rdataset->attributes |= DNS_RDATASETATTR_CACHE;
+ rdataset->trust = dns_trust_answer;
+ if (!chaining) {
/*
- * We've found an answer to our
- * question.
+ * This data is "the" answer to
+ * our question only if we're
+ * not chaining.
*/
- name->attributes |=
- DNS_NAMEATTR_CACHE;
- rdataset->attributes |=
- DNS_RDATASETATTR_CACHE;
- rdataset->trust = dns_trust_answer;
- if (!chaining) {
- /*
- * This data is "the" answer
- * to our question only if
- * we're not chaining.
- */
- INSIST(!external);
- if (aflag ==
- DNS_RDATASETATTR_ANSWER)
- have_answer = ISC_TRUE;
+ INSIST(!external);
+ if (aflag == DNS_RDATASETATTR_ANSWER) {
+ have_answer = ISC_TRUE;
name->attributes |=
DNS_NAMEATTR_ANSWER;
- rdataset->attributes |= aflag;
- if (aa)
- rdataset->trust =
- dns_trust_authanswer;
- } else if (external) {
- rdataset->attributes |=
- DNS_RDATASETATTR_EXTERNAL;
- }
-
- /*
- * DNAME chaining.
- */
- if (found_dname) {
- /*
- * Copy the dname into the
- * qname fixed name.
- *
- * Although we check for
- * failure of the copy
- * operation, in practice it
- * should never fail since
- * we already know that the
- * result fits in a fixedname.
- */
- dns_fixedname_init(&fqname);
- result = dns_name_copy(
- dns_fixedname_name(&dname),
- dns_fixedname_name(&fqname),
- NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
- wanted_chaining = ISC_TRUE;
- name->attributes |=
- DNS_NAMEATTR_CHAINING;
- rdataset->attributes |=
- DNS_RDATASETATTR_CHAINING;
- qname = dns_fixedname_name(
- &fqname);
}
+ rdataset->attributes |= aflag;
+ if (aa)
+ rdataset->trust =
+ dns_trust_authanswer;
+ } else if (external) {
+ rdataset->attributes |=
+ DNS_RDATASETATTR_EXTERNAL;
}
}
+
+ /*
+ * DNAME chaining.
+ */
+ if (dnameset != NULL) {
+ /*
+ * Copy the dname into the qname fixed name.
+ *
+ * Although we check for failure of the copy
+ * operation, in practice it should never fail
+ * since we already know that the result fits
+ * in a fixedname.
+ */
+ dns_fixedname_init(&fqname);
+ qname = dns_fixedname_name(&fqname);
+ result = dns_name_copy(dname, qname, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ wanted_chaining = ISC_TRUE;
+ name->attributes |= DNS_NAMEATTR_CHAINING;
+ dnameset->attributes |=
+ DNS_RDATASETATTR_CHAINING;
+ }
if (wanted_chaining)
chaining = ISC_TRUE;
}
--
1.9.1
meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
-247
View File
@@ -1,247 +0,0 @@
CVE-2016-2088
Backport commit d7ff9a1c41bf0ba9773cb3adb08b48b9fd57c956 from the
v9_10_3_patch branch.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2088
https://kb.isc.org/article/AA-01351
CVE: CVE-2016-2088
Upstream-Status: Backport
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Original commit message from Mark Andrews <marka@isc.org> below:
4322. [security] Duplicate EDNS COOKIE options in a response could
trigger an assertion failure. (CVE-2016-2088)
[RT #41809]
(cherry picked from commit 455c0848f80a8acda27aad1466c72987cafaa029)
(cherry picked from commit 7cd300abd6ee8b8ee8730593daf742ba53f90bc3)
---
CHANGES | 4 ++++
bin/dig/dighost.c | 9 +++++++++
bin/named/client.c | 33 +++++++++++++++++++++++----------
doc/arm/notes.xml | 7 +++++++
lib/dns/resolver.c | 14 +++++++++++++-
5 files changed, 56 insertions(+), 11 deletions(-)
diff --git a/CHANGES b/CHANGES
index c5b5d2b..d2e3360 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4322. [security] Duplicate EDNS COOKIE options in a response could
+ trigger an assertion failure. (CVE-2016-2088)
+ [RT #41809]
+
4319. [security] Fix resolver assertion failure due to improper
DNAME handling when parsing fetch reply messages.
(CVE-2016-1286) [RT #41753]
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index ca82f8e..340904f 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -3458,6 +3458,7 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) {
isc_buffer_t optbuf;
isc_uint16_t optcode, optlen;
dns_rdataset_t *opt = msg->opt;
+ isc_boolean_t seen_cookie = ISC_FALSE;
result = dns_rdataset_first(opt);
if (result == ISC_R_SUCCESS) {
@@ -3470,7 +3471,15 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) {
optlen = isc_buffer_getuint16(&optbuf);
switch (optcode) {
case DNS_OPT_COOKIE:
+ /*
+ * Only process the first cookie option.
+ */
+ if (seen_cookie) {
+ isc_buffer_forward(&optbuf, optlen);
+ break;
+ }
process_sit(l, msg, &optbuf, optlen);
+ seen_cookie = ISC_TRUE;
break;
default:
isc_buffer_forward(&optbuf, optlen);
diff --git a/bin/named/client.c b/bin/named/client.c
index 683305c..0d7331a 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -120,7 +120,10 @@
*/
#endif
-#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */
+#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */
+
+#define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0)
+#define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0)
/*% nameserver client manager structure */
struct ns_clientmgr {
@@ -1395,7 +1398,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
{
char nsid[BUFSIZ], *nsidp;
#ifdef ISC_PLATFORM_USESIT
- unsigned char sit[SIT_SIZE];
+ unsigned char sit[COOKIE_SIZE];
#endif
isc_result_t result;
dns_view_t *view;
@@ -1420,7 +1423,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE;
/* Set EDNS options if applicable */
- if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 &&
+ if (WANTNSID(client) &&
(ns_g_server->server_id != NULL ||
ns_g_server->server_usehostname)) {
if (ns_g_server->server_usehostname) {
@@ -1453,7 +1456,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
INSIST(count < DNS_EDNSOPTIONS);
ednsopts[count].code = DNS_OPT_COOKIE;
- ednsopts[count].length = SIT_SIZE;
+ ednsopts[count].length = COOKIE_SIZE;
ednsopts[count].value = sit;
count++;
}
@@ -1661,19 +1664,26 @@ compute_sit(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce,
static void
process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
- unsigned char dbuf[SIT_SIZE];
+ unsigned char dbuf[COOKIE_SIZE];
unsigned char *old;
isc_stdtime_t now;
isc_uint32_t when;
isc_uint32_t nonce;
isc_buffer_t db;
+ /*
+ * If we have already seen a ECS option skip this ECS option.
+ */
+ if ((client->attributes & NS_CLIENTATTR_WANTSIT) != 0) {
+ isc_buffer_forward(buf, optlen);
+ return;
+ }
client->attributes |= NS_CLIENTATTR_WANTSIT;
isc_stats_increment(ns_g_server->nsstats,
dns_nsstatscounter_sitopt);
- if (optlen != SIT_SIZE) {
+ if (optlen != COOKIE_SIZE) {
/*
* Not our token.
*/
@@ -1717,14 +1727,13 @@ process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
isc_buffer_init(&db, dbuf, sizeof(dbuf));
compute_sit(client, when, nonce, &db);
- if (!isc_safe_memequal(old, dbuf, SIT_SIZE)) {
+ if (!isc_safe_memequal(old, dbuf, COOKIE_SIZE)) {
isc_stats_increment(ns_g_server->nsstats,
dns_nsstatscounter_sitnomatch);
return;
}
isc_stats_increment(ns_g_server->nsstats,
dns_nsstatscounter_sitmatch);
-
client->attributes |= NS_CLIENTATTR_HAVESIT;
}
#endif
@@ -1783,7 +1792,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) {
optlen = isc_buffer_getuint16(&optbuf);
switch (optcode) {
case DNS_OPT_NSID:
- isc_stats_increment(ns_g_server->nsstats,
+ if (!WANTNSID(client))
+ isc_stats_increment(
+ ns_g_server->nsstats,
dns_nsstatscounter_nsidopt);
client->attributes |= NS_CLIENTATTR_WANTNSID;
isc_buffer_forward(&optbuf, optlen);
@@ -1794,7 +1805,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) {
break;
#endif
case DNS_OPT_EXPIRE:
- isc_stats_increment(ns_g_server->nsstats,
+ if (!WANTEXPIRE(client))
+ isc_stats_increment(
+ ns_g_server->nsstats,
dns_nsstatscounter_expireopt);
client->attributes |= NS_CLIENTATTR_WANTEXPIRE;
isc_buffer_forward(&optbuf, optlen);
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index ebf4f55..095eb5b 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -51,6 +51,13 @@
<title>Security Fixes</title>
<itemizedlist>
<listitem>
+ <para>
+ Duplicate EDNS COOKIE options in a response could trigger
+ an assertion failure. This flaw is disclosed in CVE-2016-2088.
+ [RT #41809]
+ </para>
+ </listitem>
+ <listitem>
<para>
Specific APL data could trigger an INSIST. This flaw
was discovered by Brian Mitchell and is disclosed in
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index a797e3f..ba1ae23 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -7502,7 +7502,9 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
unsigned char *sit;
dns_adbaddrinfo_t *addrinfo;
unsigned char cookie[8];
+ isc_boolean_t seen_cookie = ISC_FALSE;
#endif
+ isc_boolean_t seen_nsid = ISC_FALSE;
result = dns_rdataset_first(opt);
if (result == ISC_R_SUCCESS) {
@@ -7516,14 +7518,23 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
INSIST(optlen <= isc_buffer_remaininglength(&optbuf));
switch (optcode) {
case DNS_OPT_NSID:
- if (query->options & DNS_FETCHOPT_WANTNSID)
+ if (!seen_nsid &&
+ query->options & DNS_FETCHOPT_WANTNSID)
log_nsid(&optbuf, optlen, query,
ISC_LOG_DEBUG(3),
query->fctx->res->mctx);
isc_buffer_forward(&optbuf, optlen);
+ seen_nsid = ISC_TRUE;
break;
#ifdef ISC_PLATFORM_USESIT
case DNS_OPT_COOKIE:
+ /*
+ * Only process the first cookie option.
+ */
+ if (seen_cookie) {
+ isc_buffer_forward(&optbuf, optlen);
+ break;
+ }
sit = isc_buffer_current(&optbuf);
compute_cc(query, cookie, sizeof(cookie));
INSIST(query->fctx->rmessage->sitbad == 0 &&
@@ -7541,6 +7552,7 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
isc_buffer_forward(&optbuf, optlen);
inc_stats(query->fctx->res,
dns_resstatscounter_sitin);
+ seen_cookie = ISC_TRUE;
break;
#endif
default:
--
2.1.4
meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
-90
View File
@@ -1,90 +0,0 @@
From 9d8aba8a7778721ae2cee6e4670a8e6be6590b05 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 12 Oct 2016 19:52:59 +0900
Subject: [PATCH]
4406. [security] getrrsetbyname with a non absolute name could
trigger an infinite recursion bug in lwresd
and named with lwres configured if when combined
with a search list entry the resulting name is
too long. (CVE-2016-2775) [RT #42694]
Backport commit 38cc2d14e218e536e0102fa70deef99461354232 from the
v9.11.0_patch branch.
CVE: CVE-2016-2775
Upstream-Status: Backport
Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com>
---
CHANGES | 6 ++++++
bin/named/lwdgrbn.c | 16 ++++++++++------
bin/tests/system/lwresd/lwtest.c | 9 ++++++++-
3 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/CHANGES b/CHANGES
index d2e3360..d0a9d12 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+4406. [security] getrrsetbyname with a non absolute name could
+ trigger an infinite recursion bug in lwresd
+ and named with lwres configured if when combined
+ with a search list entry the resulting name is
+ too long. (CVE-2016-2775) [RT #42694]
+
4322. [security] Duplicate EDNS COOKIE options in a response could
trigger an assertion failure. (CVE-2016-2088)
[RT #41809]
diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c
index 3e7b15b..e1e9adc 100644
--- a/bin/named/lwdgrbn.c
+++ b/bin/named/lwdgrbn.c
@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
INSIST(client->lookup == NULL);
dns_fixedname_init(&absname);
- result = ns_lwsearchctx_current(&client->searchctx,
- dns_fixedname_name(&absname));
+
/*
- * This will return failure if relative name + suffix is too long.
- * In this case, just go on to the next entry in the search path.
+ * Perform search across all search domains until success
+ * is returned. Return in case of failure.
*/
- if (result != ISC_R_SUCCESS)
- start_lookup(client);
+ while (ns_lwsearchctx_current(&client->searchctx,
+ dns_fixedname_name(&absname)) != ISC_R_SUCCESS) {
+ if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) {
+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
+ return;
+ }
+ }
result = dns_lookup_create(cm->mctx,
dns_fixedname_name(&absname),
diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c
index ad9b551..3eb4a66 100644
--- a/bin/tests/system/lwresd/lwtest.c
+++ b/bin/tests/system/lwresd/lwtest.c
@@ -768,7 +768,14 @@ main(void) {
test_getrrsetbyname("e.example1.", 1, 2, 1, 1, 1);
test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
test_getrrsetbyname("", 1, 1, 0, 0, 0);
-
+ test_getrrsetbyname("123456789.123456789.123456789.123456789."
+ "123456789.123456789.123456789.123456789."
+ "123456789.123456789.123456789.123456789."
+ "123456789.123456789.123456789.123456789."
+ "123456789.123456789.123456789.123456789."
+ "123456789.123456789.123456789.123456789."
+ "123456789", 1, 1, 0, 0, 0);
+
if (fails == 0)
printf("I:ok\n");
return (fails);
--
2.7.4
meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
-123
View File
@@ -1,123 +0,0 @@
From 1171111657081970585f9f0e03b476358c33a6c0 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 12 Oct 2016 20:36:52 +0900
Subject: [PATCH]
4467. [security] It was possible to trigger an assertion when
rendering a message. (CVE-2016-2776) [RT #43139]
Backport commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12 from the
v9.11.0_patch branch.
CVE: CVE-2016-2776
Upstream-Status: Backport
Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com>
---
CHANGES | 3 +++
lib/dns/message.c | 42 +++++++++++++++++++++++++++++++-----------
2 files changed, 34 insertions(+), 11 deletions(-)
diff --git a/CHANGES b/CHANGES
index d0a9d12..5c8c61a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4467. [security] It was possible to trigger an assertion when
+ rendering a message. (CVE-2016-2776) [RT #43139]
+
4406. [security] getrrsetbyname with a non absolute name could
trigger an infinite recursion bug in lwresd
and named with lwres configured if when combined
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 6b5b4bb..b74dc81 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -1754,7 +1754,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
if (r.length < DNS_MESSAGE_HEADERLEN)
return (ISC_R_NOSPACE);
- if (r.length < msg->reserved)
+ if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
return (ISC_R_NOSPACE);
/*
@@ -1895,8 +1895,29 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options,
return (ISC_TRUE);
}
-
#endif
+
+static isc_result_t
+renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
+ dns_compress_t *cctx, isc_buffer_t *target,
+ unsigned int reserved, unsigned int options, unsigned int *countp)
+{
+ isc_result_t result;
+
+ /*
+ * Shrink the space in the buffer by the reserved amount.
+ */
+ if (target->length - target->used < reserved)
+ return (ISC_R_NOSPACE);
+
+ target->length -= reserved;
+ result = dns_rdataset_towire(rdataset, owner_name,
+ cctx, target, options, countp);
+ target->length += reserved;
+
+ return (result);
+}
+
isc_result_t
dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
unsigned int options)
@@ -1939,6 +1960,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
/*
* Shrink the space in the buffer by the reserved amount.
*/
+ if (msg->buffer->length - msg->buffer->used < msg->reserved)
+ return (ISC_R_NOSPACE);
msg->buffer->length -= msg->reserved;
total = 0;
@@ -2214,9 +2237,8 @@ dns_message_renderend(dns_message_t *msg) {
* Render.
*/
count = 0;
- result = dns_rdataset_towire(msg->opt, dns_rootname,
- msg->cctx, msg->buffer, 0,
- &count);
+ result = renderset(msg->opt, dns_rootname, msg->cctx,
+ msg->buffer, msg->reserved, 0, &count);
msg->counts[DNS_SECTION_ADDITIONAL] += count;
if (result != ISC_R_SUCCESS)
return (result);
@@ -2232,9 +2254,8 @@ dns_message_renderend(dns_message_t *msg) {
if (result != ISC_R_SUCCESS)
return (result);
count = 0;
- result = dns_rdataset_towire(msg->tsig, msg->tsigname,
- msg->cctx, msg->buffer, 0,
- &count);
+ result = renderset(msg->tsig, msg->tsigname, msg->cctx,
+ msg->buffer, msg->reserved, 0, &count);
msg->counts[DNS_SECTION_ADDITIONAL] += count;
if (result != ISC_R_SUCCESS)
return (result);
@@ -2255,9 +2276,8 @@ dns_message_renderend(dns_message_t *msg) {
* the owner name of a SIG(0) is irrelevant, and will not
* be set in a message being rendered.
*/
- result = dns_rdataset_towire(msg->sig0, dns_rootname,
- msg->cctx, msg->buffer, 0,
- &count);
+ result = renderset(msg->sig0, dns_rootname, msg->cctx,
+ msg->buffer, msg->reserved, 0, &count);
msg->counts[DNS_SECTION_ADDITIONAL] += count;
if (result != ISC_R_SUCCESS)
return (result);
--
2.7.4
meta/recipes-connectivity/bind/bind/CVE-2016-6170.patch
-1090
View File
File diff suppressed because it is too large Load Diff
meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch
-219
View File
@@ -1,219 +0,0 @@
From c1d0599a246f646d1c22018f8fa09459270a44b8 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 21 Oct 2016 14:55:10 +1100
Subject: [PATCH] 4489. [security] It was possible to trigger assertions when
processing a response. (CVE-2016-8864) [RT #43465]
(cherry picked from commit bd6f27f5c353133b563fe69100b2f168c129f3ca)
Upstream-Status: Backport
[https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=c1d0599a246f646d1c22018f8fa09459270a44b8]
CVE: CVE-2016-8864
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
CHANGES | 3 +++
lib/dns/resolver.c | 69 +++++++++++++++++++++++++++++++++++++-----------------
2 files changed, 50 insertions(+), 22 deletions(-)
diff --git a/CHANGES b/CHANGES
index 5c8c61a..41cfce5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4489. [security] It was possible to trigger assertions when processing
+ a response. (CVE-2016-8864) [RT #43465]
+
4467. [security] It was possible to trigger an assertion when
rendering a message. (CVE-2016-2776) [RT #43139]
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index ba1ae23..13c8b44 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -612,7 +612,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
valarg->addrinfo = addrinfo;
if (!ISC_LIST_EMPTY(fctx->validators))
- INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
+ valoptions |= DNS_VALIDATOR_DEFER;
+ else
+ valoptions &= ~DNS_VALIDATOR_DEFER;
result = dns_validator_create(fctx->res->view, name, type, rdataset,
sigrdataset, fctx->rmessage,
@@ -5526,13 +5528,6 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
rdataset,
sigrdataset,
valoptions, task);
- /*
- * Defer any further validations.
- * This prevents multiple validators
- * from manipulating fctx->rmessage
- * simultaneously.
- */
- valoptions |= DNS_VALIDATOR_DEFER;
}
} else if (CHAINING(rdataset)) {
if (rdataset->type == dns_rdatatype_cname)
@@ -5647,6 +5642,11 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
eresult == DNS_R_NCACHENXRRSET);
}
event->result = eresult;
+ if (adbp != NULL && *adbp != NULL) {
+ if (anodep != NULL && *anodep != NULL)
+ dns_db_detachnode(*adbp, anodep);
+ dns_db_detach(adbp);
+ }
dns_db_attach(fctx->cache, adbp);
dns_db_transfernode(fctx->cache, &node, anodep);
clone_results(fctx);
@@ -5897,6 +5897,11 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
fctx->attributes |= FCTX_ATTR_HAVEANSWER;
if (event != NULL) {
event->result = eresult;
+ if (adbp != NULL && *adbp != NULL) {
+ if (anodep != NULL && *anodep != NULL)
+ dns_db_detachnode(*adbp, anodep);
+ dns_db_detach(adbp);
+ }
dns_db_attach(fctx->cache, adbp);
dns_db_transfernode(fctx->cache, &node, anodep);
clone_results(fctx);
@@ -6718,13 +6723,15 @@ static isc_result_t
answer_response(fetchctx_t *fctx) {
isc_result_t result;
dns_message_t *message;
- dns_name_t *name, *dname, *qname, tname, *ns_name;
+ dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
+ dns_name_t *cname = NULL;
dns_rdataset_t *rdataset, *ns_rdataset;
isc_boolean_t done, external, chaining, aa, found, want_chaining;
- isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
+ isc_boolean_t have_answer, found_cname, found_dname, found_type;
+ isc_boolean_t wanted_chaining;
unsigned int aflag;
dns_rdatatype_t type;
- dns_fixedname_t fdname, fqname;
+ dns_fixedname_t fdname, fqname, fqdname;
dns_view_t *view;
FCTXTRACE("answer_response");
@@ -6738,6 +6745,7 @@ answer_response(fetchctx_t *fctx) {
done = ISC_FALSE;
found_cname = ISC_FALSE;
+ found_dname = ISC_FALSE;
found_type = ISC_FALSE;
chaining = ISC_FALSE;
have_answer = ISC_FALSE;
@@ -6747,12 +6755,13 @@ answer_response(fetchctx_t *fctx) {
aa = ISC_TRUE;
else
aa = ISC_FALSE;
- qname = &fctx->name;
+ dqname = qname = &fctx->name;
type = fctx->type;
view = fctx->res->view;
+ dns_fixedname_init(&fqdname);
result = dns_message_firstname(message, DNS_SECTION_ANSWER);
while (!done && result == ISC_R_SUCCESS) {
- dns_namereln_t namereln;
+ dns_namereln_t namereln, dnamereln;
int order;
unsigned int nlabels;
@@ -6760,6 +6769,8 @@ answer_response(fetchctx_t *fctx) {
dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
+ dnamereln = dns_name_fullcompare(dqname, name, &order,
+ &nlabels);
if (namereln == dns_namereln_equal) {
wanted_chaining = ISC_FALSE;
for (rdataset = ISC_LIST_HEAD(name->list);
@@ -6854,7 +6865,7 @@ answer_response(fetchctx_t *fctx) {
}
} else if (rdataset->type == dns_rdatatype_rrsig
&& rdataset->covers ==
- dns_rdatatype_cname
+ dns_rdatatype_cname
&& !found_type) {
/*
* We're looking for something else,
@@ -6884,11 +6895,18 @@ answer_response(fetchctx_t *fctx) {
* a CNAME or DNAME).
*/
INSIST(!external);
- if (aflag ==
- DNS_RDATASETATTR_ANSWER) {
+ if ((rdataset->type !=
+ dns_rdatatype_cname) ||
+ !found_dname ||
+ (aflag ==
+ DNS_RDATASETATTR_ANSWER))
+ {
have_answer = ISC_TRUE;
+ if (rdataset->type ==
+ dns_rdatatype_cname)
+ cname = name;
name->attributes |=
- DNS_NAMEATTR_ANSWER;
+ DNS_NAMEATTR_ANSWER;
}
rdataset->attributes |= aflag;
if (aa)
@@ -6982,11 +7000,11 @@ answer_response(fetchctx_t *fctx) {
return (DNS_R_FORMERR);
}
- if (namereln != dns_namereln_subdomain) {
+ if (dnamereln != dns_namereln_subdomain) {
char qbuf[DNS_NAME_FORMATSIZE];
char obuf[DNS_NAME_FORMATSIZE];
- dns_name_format(qname, qbuf,
+ dns_name_format(dqname, qbuf,
sizeof(qbuf));
dns_name_format(name, obuf,
sizeof(obuf));
@@ -7001,7 +7019,7 @@ answer_response(fetchctx_t *fctx) {
want_chaining = ISC_TRUE;
POST(want_chaining);
aflag = DNS_RDATASETATTR_ANSWER;
- result = dname_target(rdataset, qname,
+ result = dname_target(rdataset, dqname,
nlabels, &fdname);
if (result == ISC_R_NOSPACE) {
/*
@@ -7018,10 +7036,13 @@ answer_response(fetchctx_t *fctx) {
dname = dns_fixedname_name(&fdname);
if (!is_answertarget_allowed(view,
- qname, rdataset->type,
- dname, &fctx->domain)) {
+ dqname, rdataset->type,
+ dname, &fctx->domain))
+ {
return (DNS_R_SERVFAIL);
}
+ dqname = dns_fixedname_name(&fqdname);
+ dns_name_copy(dname, dqname, NULL);
} else {
/*
* We've found a signature that
@@ -7046,6 +7067,10 @@ answer_response(fetchctx_t *fctx) {
INSIST(!external);
if (aflag == DNS_RDATASETATTR_ANSWER) {
have_answer = ISC_TRUE;
+ found_dname = ISC_TRUE;
+ if (cname != NULL)
+ cname->attributes &=
+ ~DNS_NAMEATTR_ANSWER;
name->attributes |=
DNS_NAMEATTR_ANSWER;
}
--
2.7.4
meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch
+7 -3
View File
@@ -17,24 +17,28 @@ problem.
Upstream-Status: Pending
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Update context(trailing whitespace) for version 9.10.5-P3.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
bin/confgen/Makefile.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
index 8b3e5aa..4868a24 100644
index dca272f..02becce 100644
--- a/bin/confgen/Makefile.in
+++ b/bin/confgen/Makefile.in
@@ -74,11 +74,11 @@ rndc-confgen.@O@: rndc-confgen.c
ddns-confgen.@O@: ddns-confgen.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c
-rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
-rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
+rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS} $(SUBDIRS)
export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
${FINALBUILDCMD}
-ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
-ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
+ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS} $(SUBDIRS)
export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
${FINALBUILDCMD}
meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff
-104
View File
@@ -1,104 +0,0 @@
bind: port a patch to fix a build failure
mips1 does not support ll and sc instructions, and lead to below error, now
we port a patch from debian to fix it
[http://security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.8.4.dfsg.P1-6+nmu2+deb7u1.diff.gz]
| {standard input}: Assembler messages:
| {standard input}:47: Error: Opcode not supported on this processor: mips1 (mips1) `ll $3,0($6)'
| {standard input}:50: Error: Opcode not supported on this processor: mips1 (mips1) `sc $3,0($6)'
Upstream-Status: Pending
Signed-off-by: Roy Li <rongqing.li@windriver.com>
--- bind9-9.8.4.dfsg.P1.orig/lib/isc/mips/include/isc/atomic.h
+++ bind9-9.8.4.dfsg.P1/lib/isc/mips/include/isc/atomic.h
@@ -31,18 +31,20 @@
isc_atomic_xadd(isc_int32_t *p, int val) {
isc_int32_t orig;
- /* add is a cheat, since MIPS has no mov instruction */
- __asm__ volatile (
- "1:"
- "ll $3, %1\n"
- "add %0, $0, $3\n"
- "add $3, $3, %2\n"
- "sc $3, %1\n"
- "beq $3, 0, 1b"
- : "=&r"(orig)
- : "m"(*p), "r"(val)
- : "memory", "$3"
- );
+ __asm__ __volatile__ (
+ " .set push \n"
+ " .set mips2 \n"
+ " .set noreorder \n"
+ " .set noat \n"
+ "1: ll $1, %1 \n"
+ " addu %0, $1, %2 \n"
+ " sc %0, %1 \n"
+ " beqz %0, 1b \n"
+ " move %0, $1 \n"
+ " .set pop \n"
+ : "=&r" (orig), "+R" (*p)
+ : "r" (val)
+ : "memory");
return (orig);
}
@@ -52,16 +54,7 @@
*/
static inline void
isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
- __asm__ volatile (
- "1:"
- "ll $3, %0\n"
- "add $3, $0, %1\n"
- "sc $3, %0\n"
- "beq $3, 0, 1b"
- :
- : "m"(*p), "r"(val)
- : "memory", "$3"
- );
+ *p = val;
}
/*
@@ -72,20 +65,23 @@
static inline isc_int32_t
isc_atomic_cmpxchg(isc_int32_t *p, int cmpval, int val) {
isc_int32_t orig;
+ isc_int32_t tmp;
- __asm__ volatile(
- "1:"
- "ll $3, %1\n"
- "add %0, $0, $3\n"
- "bne $3, %2, 2f\n"
- "add $3, $0, %3\n"
- "sc $3, %1\n"
- "beq $3, 0, 1b\n"
- "2:"
- : "=&r"(orig)
- : "m"(*p), "r"(cmpval), "r"(val)
- : "memory", "$3"
- );
+ __asm__ __volatile__ (
+ " .set push \n"
+ " .set mips2 \n"
+ " .set noreorder \n"
+ " .set noat \n"
+ "1: ll $1, %1 \n"
+ " bne $1, %3, 2f \n"
+ " move %2, %4 \n"
+ " sc %2, %1 \n"
+ " beqz %2, 1b \n"
+ "2: move %0, $1 \n"
+ " .set pop \n"
+ : "=&r"(orig), "+R" (*p), "=r" (tmp)
+ : "r"(cmpval), "r"(val)
+ : "memory");
return (orig);
}
meta/recipes-connectivity/bind/bind/use-python3-and-fix-install-lib-path.patch
+36
View File
@@ -0,0 +1,36 @@
Use python3 rather default python which maybe links to python2 for oe. And add
option for setup.py to install files to right directory.
Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in
index a43a3c1..2e727f2 100644
--- a/bin/python/Makefile.in
+++ b/bin/python/Makefile.in
@@ -55,9 +55,9 @@ install:: ${TARGETS} installdirs
${INSTALL_DATA} ${srcdir}/dnssec-coverage.8 ${DESTDIR}${mandir}/man8
if test -n "${PYTHON}" ; then \
if test -n "${DESTDIR}" ; then \
- ${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} ; \
+ ${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} --install-lib=${PYTHON_SITEPACKAGES_DIR} ; \
else \
- ${PYTHON} ${srcdir}/setup.py install --prefix=${prefix} ; \
+ ${PYTHON} ${srcdir}/setup.py install --prefix=${prefix} --install-lib=${PYTHON_SITEPACKAGES_DIR} ; \
fi \
fi
diff --git a/configure.in b/configure.in
index 314bb90..867923e 100644
--- a/configure.in
+++ b/configure.in
@@ -227,7 +227,7 @@ AC_ARG_WITH(python,
[ --with-python=PATH specify path to python interpreter],
use_python="$withval", use_python="unspec")
-python="python python3 python3.5 python3.4 python3.3 python3.2 python2 python2.7"
+python="python3 python3.5 python3.4 python3.3 python3.2 python2 python2.7"
testargparse='try: import argparse
except: exit(1)'
meta/recipes-connectivity/bind/bind_9.10.3-P3.bb → meta/recipes-connectivity/bind/bind_9.10.5-P3.bb
+11 -14
View File
@@ -3,14 +3,13 @@ HOMEPAGE = "http://www.isc.org/sw/bind/"
SECTION = "console/network"
LICENSE = "ISC & BSD"
LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=0a95f52a0ab6c5f52dedc9a45e7abb3f"
LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=dba46507446198119bcde32a4feaab43"
DEPENDS = "openssl libcap"
SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
file://conf.patch \
file://make-etc-initd-bind-stop-work.patch \
file://mips1-not-support-opcode.diff \
file://dont-test-on-host.patch \
file://generate-rndc-key.sh \
file://named.service \
@@ -21,21 +20,14 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
file://bind-ensure-searching-for-json-headers-searches-sysr.patch \
file://0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch \
file://0001-lib-dns-gen.c-fix-too-long-error.patch \
file://CVE-2016-1285.patch \
file://CVE-2016-1286_1.patch \
file://CVE-2016-1286_2.patch \
file://CVE-2016-2088.patch \
file://CVE-2016-2775.patch \
file://CVE-2016-2776.patch \
file://CVE-2016-8864.patch \
file://CVE-2016-6170.patch \
file://use-python3-and-fix-install-lib-path.patch \
"
UPSTREAM_CHECK_URI = "ftp://ftp.isc.org/isc/bind9/"
UPSTREAM_CHECK_REGEX = "(?P<pver>9(\.\d+)+(-P\d+)*)/"
SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a"
SRC_URI[sha256sum] = "690810d1fbb72afa629e74638d19cd44e28d2b2e5eb63f55c705ad85d1a4cb83"
SRC_URI[md5sum] = "d79cafbd9ac76239ee532dd89d05cc83"
SRC_URI[sha256sum] = "8d7e96b5b0bbac7b900d4c4bbb82e0956b4e509433c5fa392bb72a929b96606a"
ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'yes', 'no', d)}"
EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \
@@ -44,7 +36,10 @@ EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \
--sysconfdir=${sysconfdir}/bind \
--with-openssl=${STAGING_LIBDIR}/.. \
"
inherit autotools update-rc.d systemd useradd pkgconfig
inherit autotools update-rc.d systemd useradd pkgconfig python3-dir
export PYTHON_SITEPACKAGES_DIR
# PACKAGECONFIGs readline and libedit should NOT be set at same time
PACKAGECONFIG ?= "readline"
@@ -70,7 +65,7 @@ RDEPENDS_${PN}-dev = ""
PACKAGE_BEFORE_PN += "${PN}-utils"
FILES_${PN}-utils = "${bindir}/host ${bindir}/dig"
FILES_${PN}-dev += "${bindir}/isc-config.h"
FILES_${PN} += "${sbindir}/generate-rndc-key.sh"
FILES_${PN} += "${sbindir}/generate-rndc-key.sh ${PYTHON_SITEPACKAGES_DIR}"
do_install_prepend() {
# clean host path in isc-config.sh before the hardlink created
@@ -107,6 +102,8 @@ do_install_append() {
install -d ${D}${sysconfdir}/tmpfiles.d
echo "d /run/named 0755 bind bind - -" > ${D}${sysconfdir}/tmpfiles.d/bind.conf
fi
rm -f ${D}${PYTHON_SITEPACKAGES_DIR}/isc/*.pyc
}
CONFFILES_${PN} = " \