From 46b10b01a295e78d1ab8c91af65197763956141d Mon Sep 17 00:00:00 2001
From: Gustavo Zacarias
Date: Tue, 10 Jun 2014 07:18:25 -0300
Subject: [PATCH] bind: security bump to version 9.9.5

Fixes CVE-2014-0591 (a crafted query against an NSEC3-signed zone can crash BIND). The 9.9.x series is the new ESV vesion, 9.6.x has been retired. Also cleanup the initscript while at it.

Signed-off-by: Gustavo Zacarias
Signed-off-by: Peter Korsgaard
---
 package/bind/Config.in | 5 +-
 package/bind/S81named | 45 +++++---------
 package/bind/bind-01-disable-tests.patch | 26 +++++---
 package/bind/bind.mk | 76 ++++++++++++++++--------
 4 files changed, 86 insertions(+), 66 deletions(-)

diff --git a/package/bind/Config.in b/package/bind/Config.in
index 047f682b2e..4f65e1ce16 100644
--- a/package/bind/Config.in
+++ b/package/bind/Config.in
@@ -2,8 +2,7 @@ config BR2_PACKAGE_BIND
 bool "bind"
 depends on BR2_INET_IPV6
 depends on BR2_LARGEFILE
- # fork()
- depends on BR2_USE_MMU
+ depends on BR2_USE_MMU # fork()
 help
 BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS) protocols and provides an openly
@@ -35,7 +34,7 @@ config BR2_PACKAGE_BIND_SERVER
 config BR2_PACKAGE_BIND_TOOLS
 bool "Install tools"
 help
- Install tools (host, nslookup, dig, nsupdate)
+ Install tools (dig, host, nslookup, nsupdate)
 endif

diff --git a/package/bind/S81named b/package/bind/S81named
index 0160c11440..4010886411 100644
--- a/package/bind/S81named
+++ b/package/bind/S81named
@@ -1,48 +1,31 @@
 #!/bin/sh
-#
-# System-V init to control the bind DNS Daemon
-#
-NAME=named
-DAEMON=/usr/sbin/$NAME
+CONFIG=/etc/bind/named.conf
+DAEMON=/usr/sbin/named
-# this file contains a few tunable parameters
-test -r /etc/default/named && . /etc/default/named
-
-test -f $DAEMON || exit 0
-
-set -e
+[ -x $DAEMON ] || exit 0
+[ -f $CONFIG ] || exit 0
 case "$1" in
 start)
- test -z "$CHROOT" || ARGS="$ARGS -t $CHROOT"
- test -z "$SETUID" || ARGS="$ARGS -u $SETUID"
- if [ ! -f $CHROOT/etc/rndc.key ]; then
- echo "Initializing $NAME control key: rndc-confgen"
- set +e
-
+ if [ ! -f /etc/rndc.key ]; then
+ echo -n "Initializing bind control key: "
 # if rndc.key is a symlink, the target must exist
- touch $CHROOT/etc/rndc.key
- touch etc/rndc.key
-
- rndc-confgen -a -r /dev/urandom $ARGS || true
- set -e
+ touch /etc/rndc.key
+ rndc-confgen -a -r /dev/urandom 2>/dev/null && echo "OK" || echo "FAIL"
 fi
- test -z "$CONF" || ARGS="$ARGS -c $CONF"
- echo -n "Starting domain name daemon: $NAME"
- trap 'echo failed' 0
- start-stop-daemon -S -x $DAEMON -- $ARGS
- trap - 0
- echo "."
+ echo -n "Starting domain name daemon: "
+ start-stop-daemon -S -x $DAEMON -- -c $CONFIG -u named
+ [ $? == 0 ] && echo "OK" || echo "FAIL"
 ;;
 stop)
- echo -n "Stopping domain name daemon: $NAME"
+ echo -n "Stopping domain name daemon: "
 rndc stop || start-stop-daemon -K -x $DAEMON
- echo "."
+ [ $? == 0 ] && echo "OK" || echo "FAIL"
 ;;
 restart)
 $0 stop || true
- sleep 2
+ sleep 1
 $0 start
 ;;
 reload|force-reload)
diff --git a/package/bind/bind-01-disable-tests.patch b/package/bind/bind-01-disable-tests.patch
index 9c3d52ed7d..181b229d9a 100644
--- a/package/bind/bind-01-disable-tests.patch
+++ b/package/bind/bind-01-disable-tests.patch
@@ -2,15 +2,27 @@ Disable tests to avoid cross-compilation issues (tries to run genrandom).
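Review bot: The two new status checks `[ $? == 0 ] && echo "OK" || echo "FAIL"` in the start) and stop) branches use `==`, which is not a POSIX test operator although the file is run by `#!/bin/sh`; `[ $? = 0 ]` is the portable spelling and behaves identically on busybox ash. In the start branch the control key file is first created by root with `touch /etc/rndc.key` under the default umask and only then filled by `rndc-confgen -a`; whether rndc-confgen tightens the mode afterwards is not visible here, so the resulting permissions of the shared secret should be verified and, if they are wider than needed, narrowed after generation (e.g. `chown root:named /etc/rndc.key && chmod 640 /etc/rndc.key`, since the daemon is started with `-u named` and presumably still has to read the key). In the stop branch `$?` reflects whichever of `rndc stop` / `start-stop-daemon -K` ran last, so "OK" there can also mean the fallback kill succeeded after rndc failed to reach the daemon; a comment saying so would avoid confusion when reading logs. The case statement continues past the end of the hunk.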
Signed-off-by: Gustavo Zacarias -diff -Nura bind-9.6-ESV-R9-P1.orig/bin/Makefile.in bind-9.6-ESV-R9-P1/bin/Makefile.in ---- bind-9.6-ESV-R9-P1.orig/bin/Makefile.in 2013-06-04 15:30:48.000000000 -0300 -+++ bind-9.6-ESV-R9-P1/bin/Makefile.in 2013-07-19 15:32:19.018287733 -0300 +diff -Nura bind-9.9.4-P2.orig/bin/Makefile.in bind-9.9.4-P2/bin/Makefile.in +--- bind-9.9.4-P2.orig/bin/Makefile.in 2013-12-19 21:28:28.000000000 -0300 ++++ bind-9.9.4-P2/bin/Makefile.in 2014-01-17 11:41:25.378784210 -0300 @@ -19,7 +19,7 @@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ - --SUBDIRS = named rndc dig dnssec tests nsupdate check -+SUBDIRS = named rndc dig dnssec nsupdate check + +-SUBDIRS = named rndc dig dnssec tools tests nsupdate \ ++SUBDIRS = named rndc dig dnssec tools nsupdate \ + check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@ TARGETS = - + +diff -Nura bind-9.9.4-P2.orig/lib/Makefile.in bind-9.9.4-P2/lib/Makefile.in +--- bind-9.9.4-P2.orig/lib/Makefile.in 2013-12-19 21:28:28.000000000 -0300 ++++ bind-9.9.4-P2/lib/Makefile.in 2014-01-17 11:41:30.489954861 -0300 +@@ -23,7 +23,7 @@ + # Attempt to disable parallel processing. + .NOTPARALLEL: + .NO_PARALLEL: +-SUBDIRS = isc isccc dns isccfg bind9 lwres tests ++SUBDIRS = isc isccc dns isccfg bind9 lwres + TARGETS = + @BIND9_MAKE_RULES@ diff --git a/package/bind/bind.mk b/package/bind/bind.mk index 862be1bc9d..0a611eaa3a 100644 --- a/package/bind/bind.mk +++ b/package/bind/bind.mk 
@@ -4,26 +4,36 @@
 #
 ################################################################################
-BIND_VERSION = 9.6-ESV-R10
+BIND_VERSION = 9.9.5
 BIND_SITE = ftp://ftp.isc.org/isc/bind9/$(BIND_VERSION)
-BIND_MAKE = $(MAKE1)
 BIND_INSTALL_STAGING = YES
+BIND_CONFIG_SCRIPTS = bind9-config isc-config.sh
 BIND_LICENSE = ISC
 BIND_LICENSE_FILES = COPYRIGHT
-BIND_TARGET_SBINS = lwresd named named-checkconf named-checkzone
-BIND_TARGET_SBINS += named-compilezone rndc rndc-confgen dnssec-dsfromkey
-BIND_TARGET_SBINS += dnssec-keyfromlabel dnssec-keygen dnssec-signzone
-BIND_TARGET_BINS = dig host nslookup nsupdate
-BIND_TARGET_LIBS = libbind9.* libdns.* libisc.* libisccc.* libisccfg.* liblwres.*
+BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage
+BIND_TARGET_SERVER_SBIN += dnssec-importkey dnssec-keygen dnssec-revoke
+BIND_TARGET_SERVER_SBIN += dnssec-settime dnssec-verify genrandom
+BIND_TARGET_SERVER_SBIN += isc-hmac-fixup named-journalprint nsec3hash
+BIND_TARGET_SERVER_SBIN += lwresd named named-checkconf named-checkzone
+BIND_TARGET_SERVER_SBIN += named-compilezone rndc rndc-confgen dnssec-dsfromkey
+BIND_TARGET_SERVER_SBIN += dnssec-keyfromlabel dnssec-signzone
+BIND_TARGET_TOOLS_BIN = dig host nslookup nsupdate
 BIND_CONF_ENV = BUILD_CC="$(TARGET_CC)" \
 BUILD_CFLAGS="$(TARGET_CFLAGS)"
-BIND_CONF_OPT = --sysconfdir=/etc \
- --localstatedir=/var \
+BIND_CONF_OPT = --localstatedir=/var \
 --with-randomdev=/dev/urandom \
- --enable-epoll --with-libtool
+ --enable-epoll --with-libtool \
+ --with-gssapi=no --enable-rrl
+
+ifeq ($(BR2_PACKAGE_LIBCAP),y)
+ BIND_CONF_OPT += --enable-linux-caps
+ BIND_DEPENDENCIES += libcap
+else
+ BIND_CONF_OPT += --disable-linux-caps
+endif
 ifeq ($(BR2_PACKAGE_LIBXML2),y)
- BIND_CONF_OPT += --with-libxml2=$(STAGING_DIR)/usr
+ BIND_CONF_OPT += --with-libxml2=$(STAGING_DIR)/usr --enable-newstats
 BIND_DEPENDENCIES += libxml2
 else
 BIND_CONF_OPT += --with-libxml2=no
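Review bot: The newly added configure options `--with-gssapi=no --enable-rrl` and the libcap-conditional `--enable-linux-caps` / `--disable-linux-caps` carry no comment explaining the choice, unlike the GOST block later in the file, and both are security-relevant: response rate limiting bounds how far the server can be abused as a reflector, and the Linux capabilities option is what lets named retain only the capabilities it needs once `-u named` drops root. A one-line comment above each would help the next maintainer, e.g. `# RRL: response rate limiting, limits use of the server in amplification attacks` above the BIND_CONF_OPT assignment and `# keep only the capabilities named needs after dropping root privileges` above the libcap ifeq. `--with-gssapi=no` is forced unconditionally; if that is deliberate (no Kerberos dependency available in the tree), a short comment saying so would stop it being read as an oversight. The hunk also drops `BIND_MAKE = $(MAKE1)`, so the package now builds in parallel; the `.NOTPARALLEL:` lines visible in the refreshed disable-tests patch suggest upstream serialises the parts that need it, but that is inferred rather than shown here.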
@@ -31,36 +41,52 @@ endif
 ifeq ($(BR2_PACKAGE_OPENSSL),y)
 BIND_DEPENDENCIES += openssl
- BIND_CONF_OPT += --with-openssl=$(STAGING_DIR)/usr LIBS="-lz"
+ BIND_CONF_OPT += --with-openssl=$(STAGING_DIR)/usr LIBS="-lz" \
+ --with-ecdsa=yes
+# GOST cipher support requires openssl extra engines
+ifeq ($(BR2_PACKAGE_OPENSSL_ENGINES),y)
+ BIND_CONF_OPT += --with-gost=yes
+else
+ BIND_CONF_OPT += --with-gost=no
+endif
 else
 BIND_CONF_OPT += --with-openssl=no
 endif
-define BIND_INSTALL_INIT_SYSV
- $(INSTALL) -m 0755 -D package/bind/S81named \
- $(TARGET_DIR)/etc/init.d/S81named
-endef
-
-define BIND_TARGET_INSTALL_FIXES
- rm -f $(TARGET_DIR)/usr/bin/isc-config.sh
-endef
+# Used by dnssec-checkds and dnssec-coverage
+ifeq ($(BR2_PACKAGE_PYTHON)$(BR2_PACKAGE_PYTHON3),)
+ BIND_CONF_OPT += --with-python=no
+endif
-BIND_POST_INSTALL_TARGET_HOOKS += BIND_TARGET_INSTALL_FIXES
+ifeq ($(BR2_PACKAGE_READLINE),y)
+ BIND_DEPENDENCIES += readline
+else
+ BIND_CONF_OPT += --with-readline=no
+endif
 define BIND_TARGET_REMOVE_SERVER
- rm -rf $(addprefix $(TARGET_DIR)/usr/sbin/, $(BIND_TARGET_SBINS))
+ rm -rf $(addprefix $(TARGET_DIR)/usr/sbin/, $(BIND_TARGET_SERVER_SBIN))
 endef
 define BIND_TARGET_REMOVE_TOOLS
- rm -rf $(addprefix $(TARGET_DIR)/usr/bin/, $(BIND_TARGET_BINS))
+ rm -rf $(addprefix $(TARGET_DIR)/usr/bin/, $(BIND_TARGET_TOOLS_BIN))
 endef
-ifneq ($(BR2_PACKAGE_BIND_SERVER),y)
+ifeq ($(BR2_PACKAGE_BIND_SERVER),y)
+define BIND_INSTALL_INIT_SYSV
+ $(INSTALL) -m 0755 -D package/bind/S81named \
+ $(TARGET_DIR)/etc/init.d/S81named
+endef
+else
 BIND_POST_INSTALL_TARGET_HOOKS += BIND_TARGET_REMOVE_SERVER
 endif
-ifneq ($(BR2_PACKAGE_BIND_TOOLS),y)
+ifeq ($(BR2_PACKAGE_BIND_TOOLS),)
 BIND_POST_INSTALL_TARGET_HOOKS += BIND_TARGET_REMOVE_TOOLS
 endif
+define BIND_USERS
+named -1 named -1 * /etc/bind - - BIND daemon
+endef
+
 $(eval $(autotools-package))
--
2.30.2
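Review bot: The python block only covers the negative case: when `BR2_PACKAGE_PYTHON` or `BR2_PACKAGE_PYTHON3` is selected nothing adds the interpreter to `BIND_DEPENDENCIES`, so the python-based `dnssec-checkds`/`dnssec-coverage` tools named in the comment can be configured and installed before the target python package is built, and configure presumably then probes whatever python it finds on the host. An `else` branch such as `BIND_DEPENDENCIES += $(if $(BR2_PACKAGE_PYTHON3),python3,python)` would make the build ordering explicit (the interpreter path to pass to `--with-python` is not visible here, so I have not proposed one). Two smaller points: `ifeq ($(BR2_PACKAGE_BIND_TOOLS),)` tests the opposite way from `ifeq ($(BR2_PACKAGE_BIND_SERVER),y)` a few lines above, so the two blocks would read more consistently as `ifeq (...,y) … else … endif` in both; and the two `rm -rf $(addprefix ...)` recipes only ever remove plain binaries, so `rm -f` states the intent more precisely. The `BIND_USERS` entry with `*` in the password field appears to create `named` as a login-disabled account, which matches the `-u named` used by the init script in the same commit.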