

CVS commit: pkgsrc/net/djbdns



Module Name:    pkgsrc
Committed By:   schmonz
Date:           Fri Sep 28 20:36:24 UTC 2018

Modified Files:
        pkgsrc/net/djbdns: Makefile distinfo options.mk
        pkgsrc/net/djbdns/patches: patch-response.c
Added Files:
        pkgsrc/net/djbdns/files: patch-mergequeries
            patch-mergequeries-boundscheck
Removed Files:
        pkgsrc/net/djbdns/files: patch-qmerge2

Log Message:
Rename 'djbdns-qmerge2' option to 'djbdns-mergequeries', still enabled
by default. Deprecate 'djbdns-qmerge1'.

When applying the 'djbdns-mergequeries' patch, also apply a missing
bounds check. Patch from Tim Stewart on dns%list.cr.yp.to@localhost.

Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.66 -r1.67 pkgsrc/net/djbdns/Makefile
cvs rdiff -u -r1.26 -r1.27 pkgsrc/net/djbdns/distinfo
cvs rdiff -u -r1.19 -r1.20 pkgsrc/net/djbdns/options.mk
cvs rdiff -u -r0 -r1.1 pkgsrc/net/djbdns/files/patch-mergequeries \
    pkgsrc/net/djbdns/files/patch-mergequeries-boundscheck
cvs rdiff -u -r1.2 -r0 pkgsrc/net/djbdns/files/patch-qmerge2
cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/djbdns/patches/patch-response.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/djbdns/Makefile
diff -u pkgsrc/net/djbdns/Makefile:1.66 pkgsrc/net/djbdns/Makefile:1.67
--- pkgsrc/net/djbdns/Makefile:1.66     Mon Jun 18 10:44:38 2018
+++ pkgsrc/net/djbdns/Makefile  Fri Sep 28 20:36:24 2018
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.66 2018/06/18 10:44:38 schmonz Exp $
+# $NetBSD: Makefile,v 1.67 2018/09/28 20:36:24 schmonz Exp $
 
 DISTNAME=              djbdns-1.05
-PKGREVISION=           13
+PKGREVISION=           14
 CATEGORIES=            net
 MASTER_SITES=          http://cr.yp.to/djbdns/
 DISTFILES=             ${DISTNAME}${EXTRACT_SUFX} ${MANPAGES}

Index: pkgsrc/net/djbdns/distinfo
diff -u pkgsrc/net/djbdns/distinfo:1.26 pkgsrc/net/djbdns/distinfo:1.27
--- pkgsrc/net/djbdns/distinfo:1.26     Mon Jun 18 10:44:38 2018
+++ pkgsrc/net/djbdns/distinfo  Fri Sep 28 20:36:24 2018
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.26 2018/06/18 10:44:38 schmonz Exp $
+$NetBSD: distinfo,v 1.27 2018/09/28 20:36:24 schmonz Exp $
 
 SHA1 (djbdns-1.05.tar.gz) = 2efdb3a039d0c548f40936aa9cb30829e0ce8c3d
 RMD160 (djbdns-1.05.tar.gz) = a832cbfd93e4ccec6a565492a4ee0b3c1b4b68ed
@@ -20,16 +20,8 @@ SHA1 (djbdns-cachestats.patch) = ab0b283
 RMD160 (djbdns-cachestats.patch) = e09994d84573e781ce18b59f909f8bd013de5d8e
 SHA512 (djbdns-cachestats.patch) = e78b6a8fc43f94e5bc5971d85f952ef9cac4fa827b00036994fa51dcebb9c9755c36488ac24a9ec7b92097a38938191147faf8cce84a9e636072684db28a2e62
 Size (djbdns-cachestats.patch) = 2341 bytes
-SHA1 (0001-dnscache-merge-similar-outgoing-queries.patch) = 8dd3ce7758d3a97cafbe6a60ea83f48e916f496d
-RMD160 (0001-dnscache-merge-similar-outgoing-queries.patch) = c416dd6575819cfd40ef0d306ccb14d34a5afc90
-SHA512 (0001-dnscache-merge-similar-outgoing-queries.patch) = cbec128b021a341c68906289ca02d3a7fe088c8b3835f2ae3dbb581ad6520712eb344d66e11bb82368dbca2e93e46facd4e10d121fc091099b3a7bfd5e6d081e
-Size (0001-dnscache-merge-similar-outgoing-queries.patch) = 9914 bytes
-SHA1 (0002-dnscache-cache-soa-records.patch) = ac9b6a62c62588205cc4dc71da4e0ad6630f9635
-RMD160 (0002-dnscache-cache-soa-records.patch) = 0b58e57bc11b36113c5fef73a64c869895f83889
-SHA512 (0002-dnscache-cache-soa-records.patch) = f65ca7dfc8e85f469f22d72a1c79126c35243dc077abf4b688eb7d057f19456dc8a3665f558a8a3c1908f96fa1838792aa1bc317d2e89f4953020828c05926e6
-Size (0002-dnscache-cache-soa-records.patch) = 2944 bytes
 SHA1 (patch-Makefile) = 0dffb59090ccb4977c65885f062eb37255ccd0d9
 SHA1 (patch-dnscache-conf.c) = 873897ad6b97baff363874a6a79c8da44383c283
 SHA1 (patch-dnsroots.global) = 183964d516e08c46773847fe542f5a502ec2edcf
 SHA1 (patch-hier.c) = 874af27489ad4597e213cfe05a7f2f919081db20
-SHA1 (patch-response.c) = 4f089b63664b7e4685b77fc55b287860c8c68229
+SHA1 (patch-response.c) = 24c8f3bc4b629dd04a0b83285eff4579750d92ff

Index: pkgsrc/net/djbdns/options.mk
diff -u pkgsrc/net/djbdns/options.mk:1.19 pkgsrc/net/djbdns/options.mk:1.20
--- pkgsrc/net/djbdns/options.mk:1.19   Mon Jun 18 10:44:38 2018
+++ pkgsrc/net/djbdns/options.mk        Fri Sep 28 20:36:24 2018
@@ -1,12 +1,14 @@
-# $NetBSD: options.mk,v 1.19 2018/06/18 10:44:38 schmonz Exp $
+# $NetBSD: options.mk,v 1.20 2018/09/28 20:36:24 schmonz Exp $
 
 PKG_OPTIONS_VAR=               PKG_OPTIONS.djbdns
 PKG_SUPPORTED_OPTIONS+=                # inet6
 PKG_SUPPORTED_OPTIONS+=                djbdns-cachestats djbdns-ignoreip2
-PKG_SUPPORTED_OPTIONS+=                djbdns-tinydns64
-PKG_OPTIONS_OPTIONAL_GROUPS=   qmerge
-PKG_OPTIONS_GROUP.qmerge=      djbdns-qmerge1 djbdns-qmerge2
-PKG_SUGGESTED_OPTIONS+=                djbdns-qmerge2 djbdns-tinydns64
+PKG_SUPPORTED_OPTIONS+=                djbdns-mergequeries djbdns-tinydns64
+PKG_SUGGESTED_OPTIONS+=                djbdns-mergequeries djbdns-tinydns64
+
+# For users migrating from 2018Q2; remove compatibility after 2018Q3 is branched
+PKG_OPTIONS_LEGACY_OPTS+=      djbdns-qmerge1:djbdns-mergequeries
+PKG_OPTIONS_LEGACY_OPTS+=      djbdns-qmerge2:djbdns-mergequeries
 
 .include "../../mk/bsd.options.mk"
 
@@ -35,22 +37,13 @@ PATCHFILES+=                        ${IGNOREIP2_PATCH}
 SITES.${IGNOREIP2_PATCH}=      http://www.tinydns.org/
 .endif
 
-.if !empty(PKG_OPTIONS:Mdjbdns-qmerge1)
-DNSCACHE_MERGE_PATCH=  0001-dnscache-merge-similar-outgoing-queries.patch
-DNSCACHE_SOA_PATCH=    0002-dnscache-cache-soa-records.patch
-PATCHFILES+=           ${DNSCACHE_MERGE_PATCH} ${DNSCACHE_SOA_PATCH}
-PATCH_DIST_STRIP.${DNSCACHE_MERGE_PATCH}=      -p1
-PATCH_DIST_STRIP.${DNSCACHE_SOA_PATCH}=                -p1
-SITES.${DNSCACHE_MERGE_PATCH}= http://www.your.org/dnscache/
-SITES.${DNSCACHE_SOA_PATCH}=   http://www.your.org/dnscache/
-.endif
-
-.if !empty(PKG_OPTIONS:Mdjbdns-qmerge2)
+.if !empty(PKG_OPTIONS:Mdjbdns-mergequeries)
 USE_TOOLS+=                    patch
-post-patch: patch-qmerge2
-.PHONY: patch-qmerge2
-patch-qmerge2:
-       cd ${WRKSRC} && ${PATCH} ${PATCH_ARGS} < ${FILESDIR}/patch-qmerge2
+post-patch: patch-mergequeries
+.PHONY: patch-mergequeries
+patch-mergequeries:
+       cd ${WRKSRC} && ${PATCH} ${PATCH_ARGS} < ${FILESDIR}/patch-mergequeries
+       cd ${WRKSRC} && ${PATCH} ${PATCH_ARGS} < ${FILESDIR}/patch-mergequeries-boundscheck
 .endif
 
 .if !empty(PKG_OPTIONS:Mdjbdns-tinydns64)
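Review bot: The new patch-mergequeries target applies the code but leaves the runtime switch undocumented: in files/patch-mergequeries, dnscache only calls dns_enable_merge() when `MERGEQUERIES` is present in its environment (`if (env_get("MERGEQUERIES"))`), so building with djbdns-mergequeries, the suggested default, merges nothing by itself, and an operator who reads "still enabled by default" in the log may believe the CVE-2008-4392 mitigation is active when it is not. The package should say so where users will see it, e.g. a MESSAGE file or a DESCR line such as `The djbdns-mergequeries option adds support for merging identical outgoing queries; activate it by creating dnscache's env/MERGEQUERIES.` If the removed qmerge2 patch carried the same gate this is not a regression, but the rename is the natural moment to document it.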

Index: pkgsrc/net/djbdns/patches/patch-response.c
diff -u pkgsrc/net/djbdns/patches/patch-response.c:1.1 pkgsrc/net/djbdns/patches/patch-response.c:1.2
--- pkgsrc/net/djbdns/patches/patch-response.c:1.1      Fri May 26 15:16:45 2017
+++ pkgsrc/net/djbdns/patches/patch-response.c  Fri Sep 28 20:36:24 2018
@@ -1,6 +1,7 @@
-$NetBSD: patch-response.c,v 1.1 2017/05/26 15:16:45 schmonz Exp $
+$NetBSD: patch-response.c,v 1.2 2018/09/28 20:36:24 schmonz Exp $
 
 Fix the security hole found by Matthew Dempsky.
+From DJB in <https://marc.info/?l=djbdns&m=123613000920446&w=2>
 
 --- response.c.orig    2001-02-11 16:11:45.000000000 -0500
 +++ response.c

Added files:

Index: pkgsrc/net/djbdns/files/patch-mergequeries
diff -u /dev/null pkgsrc/net/djbdns/files/patch-mergequeries:1.1
--- /dev/null   Fri Sep 28 20:36:24 2018
+++ pkgsrc/net/djbdns/files/patch-mergequeries  Fri Sep 28 20:36:24 2018
@@ -0,0 +1,259 @@
+$NetBSD: patch-mergequeries,v 1.1 2018/09/28 20:36:24 schmonz Exp $
+
+Address the dnscache poisoning weaknesses described in CVE-2008-4392.
+From Jeff King in <https://marc.info/?l=djbdns&m=123859517723684&w=2>
+
+--- clients.h.orig     2009-04-21 23:43:02.000000000 -0400
++++ clients.h
+@@ -0,0 +1,7 @@
++#ifndef CLIENTS_H
++#define CLIENTS_H
++
++#define MAXUDP 200
++#define MAXTCP 20
++
++#endif /* CLIENTS_H */
+--- dns.h.orig 2001-02-11 16:11:45.000000000 -0500
++++ dns.h
+@@ -4,6 +4,7 @@
+ #include "stralloc.h"
+ #include "iopause.h"
+ #include "taia.h"
++#include "clients.h"
+ 
+ #define DNS_C_IN "\0\1"
+ #define DNS_C_ANY "\0\377"
+@@ -37,8 +38,14 @@ struct dns_transmit {
+   const char *servers;
+   char localip[4];
+   char qtype[2];
++  struct dns_transmit *master;
++  struct dns_transmit *slaves[MAXUDP];
++  int nslaves;
+ } ;
+ 
++extern void dns_enable_merge(void (*logger)(const char *, const char *,
++      const char *));
++
+ extern void dns_random_init(const char *);
+ extern unsigned int dns_random(unsigned int);
+ 
+--- dns_transmit.c.orig        2001-02-11 16:11:45.000000000 -0500
++++ dns_transmit.c
+@@ -7,6 +7,61 @@
+ #include "byte.h"
+ #include "uint16.h"
+ #include "dns.h"
++#include "strerr.h"
++
++static int merge_enable;
++static void (*merge_logger)(const char *, const char *, const char *);
++void dns_enable_merge(void (*f)(const char *, const char *, const char *))
++{
++  merge_enable = 1;
++  merge_logger = f;
++}
++
++static int merge_equal(struct dns_transmit *a, struct dns_transmit *b)
++{
++  const char *ip1 = a->servers + 4 * a->curserver;
++  const char *ip2 = b->servers + 4 * b->curserver;
++  return
++    byte_equal(ip1, 4, ip2) &&
++    byte_equal(a->qtype, 2, b->qtype) &&
++    dns_domain_equal(a->query + 14, b->query + 14);
++}
++
++struct dns_transmit *inprogress[MAXUDP];
++
++static int try_merge(struct dns_transmit *d)
++{
++  int i;
++  for (i = 0; i < MAXUDP; i++) {
++    if (!inprogress[i]) continue;
++    if (!merge_equal(d, inprogress[i])) continue;
++    d->master = inprogress[i];
++    inprogress[i]->slaves[inprogress[i]->nslaves++] = d;
++    return 1;
++  }
++  return 0;
++}
++
++static void register_inprogress(struct dns_transmit *d)
++{
++  int i;
++  for (i = 0; i < MAXUDP; i++) {
++    if (!inprogress[i]) {
++      inprogress[i] = d;
++      return;
++    }
++  }
++  strerr_die1x(100, "BUG: out of inprogress slots");
++}
++
++static void unregister_inprogress(struct dns_transmit *d)
++{
++  int i;
++  for (i = 0; i < MAXUDP; i++) {
++    if (inprogress[i] == d)
++      inprogress[i] = 0;
++  }
++}
+ 
+ static int serverwantstcp(const char *buf,unsigned int len)
+ {
+@@ -59,8 +114,28 @@ static void packetfree(struct dns_transm
+   d->packet = 0;
+ }
+ 
++static void mergefree(struct dns_transmit *d)
++{
++  int i;
++  if (merge_enable)
++    unregister_inprogress(d);
++  /* unregister us from our master */
++  if (d->master) {
++    for (i = 0; i < d->master->nslaves; i++)
++      if (d->master->slaves[i] == d)
++        d->master->slaves[i] = 0;
++  }
++  /* and unregister all of our slaves from us */
++  for (i = 0; i < d->nslaves; i++) {
++    if (d->slaves[i])
++      d->slaves[i]->master = NULL;
++  }
++  d->nslaves = 0;
++}
++
+ static void queryfree(struct dns_transmit *d)
+ {
++  mergefree(d);
+   if (!d->query) return;
+   alloc_free(d->query);
+   d->query = 0;
+@@ -99,11 +174,18 @@ static int thisudp(struct dns_transmit *
+   const char *ip;
+ 
+   socketfree(d);
++  mergefree(d);
+ 
+   while (d->udploop < 4) {
+     for (;d->curserver < 16;++d->curserver) {
+       ip = d->servers + 4 * d->curserver;
+       if (byte_diff(ip,4,"\0\0\0\0")) {
++        if (merge_enable && try_merge(d)) {
++          if (merge_logger)
++            merge_logger(ip, d->qtype, d->query + 14);
++          return 0;
++        }
++
+       d->query[2] = dns_random(256);
+       d->query[3] = dns_random(256);
+   
+@@ -118,6 +200,8 @@ static int thisudp(struct dns_transmit *
+             taia_uint(&d->deadline,timeouts[d->udploop]);
+             taia_add(&d->deadline,&d->deadline,&now);
+             d->tcpstate = 0;
++            if (merge_enable)
++              register_inprogress(d);
+             return 0;
+           }
+   
+@@ -226,8 +310,12 @@ void dns_transmit_io(struct dns_transmit
+   x->fd = d->s1 - 1;
+ 
+   switch(d->tcpstate) {
+-    case 0: case 3: case 4: case 5:
+-      x->events = IOPAUSE_READ;
++    case 0:
++      if (d->master) return;
++      if (d->packet) { taia_now(deadline); return; }
++      /* otherwise, fall through */
++    case 3: case 4: case 5:
++        x->events = IOPAUSE_READ;
+       break;
+     case 1: case 2:
+       x->events = IOPAUSE_WRITE;
+@@ -244,10 +332,14 @@ int dns_transmit_get(struct dns_transmit
+   unsigned char ch;
+   int r;
+   int fd;
++  int i;
+ 
+   errno = error_io;
+   fd = d->s1 - 1;
+ 
++  if (d->tcpstate == 0 && d->master) return 0;
++  if (d->tcpstate == 0 && d->packet) return 1;
++
+   if (!x->revents) {
+     if (taia_less(when,&d->deadline)) return 0;
+     errno = error_timeout;
+@@ -279,6 +371,15 @@ have sent query to curserver on UDP sock
+     d->packet = alloc(d->packetlen);
+     if (!d->packet) { dns_transmit_free(d); return -1; }
+     byte_copy(d->packet,d->packetlen,udpbuf);
++
++    for (i = 0; i < d->nslaves; i++) {
++      if (!d->slaves[i]) continue;
++      d->slaves[i]->packetlen = d->packetlen;
++      d->slaves[i]->packet = alloc(d->packetlen);
++      if (!d->slaves[i]->packet) { dns_transmit_free(d->slaves[i]); continue; }
++      byte_copy(d->slaves[i]->packet,d->packetlen,udpbuf);
++    }
++
+     queryfree(d);
+     return 1;
+   }
+--- dnscache.c.orig    2001-02-11 16:11:45.000000000 -0500
++++ dnscache.c
+@@ -54,7 +54,6 @@ uint64 numqueries = 0;
+ 
+ static int udp53;
+ 
+-#define MAXUDP 200
+ static struct udpclient {
+   struct query q;
+   struct taia start;
+@@ -131,7 +130,6 @@ void u_new(void)
+ 
+ static int tcp53;
+ 
+-#define MAXTCP 20
+ struct tcpclient {
+   struct query q;
+   struct taia start;
+@@ -435,6 +433,8 @@ int main()
+     response_hidettl();
+   if (env_get("FORWARDONLY"))
+     query_forwardonly();
++  if (env_get("MERGEQUERIES"))
++    dns_enable_merge(log_merge);
+ 
+   if (!roots_init())
+     strerr_die2sys(111,FATAL,"unable to read servers: ");
+--- log.c.orig 2001-02-11 16:11:45.000000000 -0500
++++ log.c
+@@ -150,6 +150,12 @@ void log_tx(const char *q,const char qty
+   line();
+ }
+ 
++void log_merge(const char *addr, const char qtype[2], const char *q)
++{
++  string("merge "); ip(addr); space(); logtype(qtype); space(); name(q);
++  line();
++}
++
+ void log_cachedanswer(const char *q,const char type[2])
+ {
+   string("cached "); logtype(type); space();
+--- log.h.orig 2001-02-11 16:11:45.000000000 -0500
++++ log.h
+@@ -18,6 +18,7 @@ extern void log_cachednxdomain(const cha
+ extern void log_cachedns(const char *,const char *);
+ 
+ extern void log_tx(const char *,const char *,const char *,const char *,unsigned int);
++extern void log_merge(const char *, const char *, const char *);
+ 
+ extern void log_nxdomain(const char *,const char *,unsigned int);
+ extern void log_nodata(const char *,const char *,const char *,unsigned int);
Index: pkgsrc/net/djbdns/files/patch-mergequeries-boundscheck
diff -u /dev/null pkgsrc/net/djbdns/files/patch-mergequeries-boundscheck:1.1
--- /dev/null   Fri Sep 28 20:36:24 2018
+++ pkgsrc/net/djbdns/files/patch-mergequeries-boundscheck      Fri Sep 28 20:36:24 2018
@@ -0,0 +1,27 @@
+$NetBSD: patch-mergequeries-boundscheck,v 1.1 2018/09/28 20:36:24 schmonz Exp $
+
+Add a missing bounds check to the MERGEQUERIES patch's try_merge().
+From Tim Stewart in <https://marc.info/?l=djbdns&m=153020962703821>
+
+--- dns_transmit.c.orig        2018-09-28 20:25:42.000000000 +0000
++++ dns_transmit.c
+@@ -35,6 +35,7 @@ static int try_merge(struct dns_transmit
+   for (i = 0; i < MAXUDP; i++) {
+     if (!inprogress[i]) continue;
+     if (!merge_equal(d, inprogress[i])) continue;
++    if (inprogress[i]->nslaves == MAXUDP) continue;
+     d->master = inprogress[i];
+     inprogress[i]->slaves[inprogress[i]->nslaves++] = d;
+     return 1;
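Review bot: The added `if (inprogress[i]->nslaves == MAXUDP) continue;` stops the overflow, but nslaves is only reset in the master's own mergefree(), and a departing slave's mergefree() zeroes its slot without making it reusable, so under churn (slaves dropped as oldest clients while the master still waits) a master accumulates holes, reaches the cap with most of its array empty, and then refuses further merges, which is exactly the multiple-outstanding-queries condition the MERGEQUERIES patch exists to prevent. Reuse an emptied slot before growing the array, and write the cap test as `>=` so any other path that grows nslaves is also caught; `j` needs declaring next to `i` at the top of try_merge(), which begins above this hunk.
```c
    if (!merge_equal(d, inprogress[i])) continue;
    /* reuse a slot that mergefree() emptied before growing the array */
    for (j = 0; j < inprogress[i]->nslaves; j++)
      if (!inprogress[i]->slaves[j]) break;
    if (j == inprogress[i]->nslaves) {
      if (j >= MAXUDP) continue;
      inprogress[i]->nslaves++;
    }
    d->master = inprogress[i];
    inprogress[i]->slaves[j] = d;
    return 1;
```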
+@@ -127,8 +128,10 @@ static void mergefree(struct dns_transmi
+   }
+   /* and unregister all of our slaves from us */
+   for (i = 0; i < d->nslaves; i++) {
+-    if (d->slaves[i])
++    if (d->slaves[i]) {
+       d->slaves[i]->master = NULL;
++      d->slaves[i] = 0;
++    }
+   }
+   d->nslaves = 0;
+ }


