[Buildroot] [PATCHv2] bind: security bump to version 9.9.5

Gustavo Zacarias gustavo at zacarias.com.ar
Tue Jun 10 10:18:25 UTC 2014


Fixes CVE-2014-0591 (a crafted query against an NSEC3-signed zone can
crash BIND).
The 9.9.x series is the new ESV version; 9.6.x has been retired.
Also clean up the init script while at it.

Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
---
 package/bind/Config.in                   |  5 +--
 package/bind/S81named                    | 45 ++++++-------------
 package/bind/bind-01-disable-tests.patch | 26 ++++++++---
 package/bind/bind.mk                     | 76 +++++++++++++++++++++-----------
 4 files changed, 86 insertions(+), 66 deletions(-)

diff --git a/package/bind/Config.in b/package/bind/Config.in
index 047f682..4f65e1c 100644
--- a/package/bind/Config.in
+++ b/package/bind/Config.in
@@ -2,8 +2,7 @@ config BR2_PACKAGE_BIND
 	bool "bind"
 	depends on BR2_INET_IPV6
 	depends on BR2_LARGEFILE
-	# fork()
-	depends on BR2_USE_MMU
+	depends on BR2_USE_MMU # fork()
 	help
 	  BIND (Berkeley Internet Name Domain) is an implementation of
 	  the Domain Name System (DNS) protocols and provides an openly
@@ -35,7 +34,7 @@ config BR2_PACKAGE_BIND_SERVER
 config BR2_PACKAGE_BIND_TOOLS
 	bool "Install tools"
 	help
-	  Install tools (host, nslookup, dig, nsupdate)
+	  Install tools (dig, host, nslookup, nsupdate)
 
 endif
 
diff --git a/package/bind/S81named b/package/bind/S81named
index 0160c11..4010886 100644
--- a/package/bind/S81named
+++ b/package/bind/S81named
@@ -1,48 +1,31 @@
 #!/bin/sh
-#
-# System-V init to control the bind DNS Daemon
-#
 
-NAME=named
-DAEMON=/usr/sbin/$NAME
+CONFIG=/etc/bind/named.conf
+DAEMON=/usr/sbin/named
 
-# this file contains a few tunable parameters
-test -r /etc/default/named && . /etc/default/named
-
-test -f $DAEMON || exit 0
-
-set -e
+[ -x $DAEMON ] || exit 0
+[ -f $CONFIG ] || exit 0
 
 case "$1" in
 	start)
-		test -z "$CHROOT" || ARGS="$ARGS -t $CHROOT"
-		test -z "$SETUID" || ARGS="$ARGS -u $SETUID"
-		if [ ! -f $CHROOT/etc/rndc.key ]; then
-		    echo "Initializing $NAME control key: rndc-confgen"
-		    set +e
-
+		if [ ! -f /etc/rndc.key ]; then
+		    echo -n "Initializing bind control key: "
                     # if rndc.key is a symlink, the target must exist
-		    touch $CHROOT/etc/rndc.key
-		    touch etc/rndc.key
-
-		    rndc-confgen -a -r /dev/urandom $ARGS || true
-		    set -e
+		    touch /etc/rndc.key
+		    rndc-confgen -a -r /dev/urandom 2>/dev/null && echo "OK" || echo "FAIL"
 		fi
-		test -z "$CONF" || ARGS="$ARGS -c $CONF"
-		echo -n "Starting domain name daemon: $NAME"
-		trap 'echo failed' 0
-		start-stop-daemon -S -x $DAEMON -- $ARGS
-		trap - 0
-		echo "."
+		echo -n "Starting domain name daemon: "
+		start-stop-daemon -S -x $DAEMON -- -c $CONFIG -u named
+		[ $? == 0 ] && echo "OK" || echo "FAIL"
 		;;
 	stop)
-		echo -n "Stopping domain name daemon: $NAME"
+		echo -n "Stopping domain name daemon: "
 		rndc stop || start-stop-daemon -K -x $DAEMON
-		echo "."
+		[ $? == 0 ] && echo "OK" || echo "FAIL"
 		;;
 	restart)
 		$0 stop || true
-		sleep 2
+		sleep 1
 		$0 start
 		;;
 	reload|force-reload)
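Review bot: The control key file is pre-created with `touch /etc/rndc.key` (kept so a symlinked target exists) before `rndc-confgen -a` fills it, so it ends up with whatever mode the caller's umask gives a new file rather than one chosen by rndc-confgen; if that leaves it world-readable, any local account can read the rndc secret and control the server. Creating it under a restrictive umask, `( umask 077; touch /etc/rndc.key )`, or following with `chmod 600 /etc/rndc.key` removes that dependence on the environment (whether the `-u named` process then still needs read access is worth confirming). Separately, `[ $? == 0 ]` on the start and stop branches uses a non-POSIX `test` operator under `#!/bin/sh`; `[ $? -eq 0 ]` is the portable form. The case statement continues past the end of the hunk.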
diff --git a/package/bind/bind-01-disable-tests.patch b/package/bind/bind-01-disable-tests.patch
index 9c3d52e..181b229 100644
--- a/package/bind/bind-01-disable-tests.patch
+++ b/package/bind/bind-01-disable-tests.patch
@@ -2,15 +2,27 @@ Disable tests to avoid cross-compilation issues (tries to run genrandom).
 
 Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
 
-diff -Nura bind-9.6-ESV-R9-P1.orig/bin/Makefile.in bind-9.6-ESV-R9-P1/bin/Makefile.in
---- bind-9.6-ESV-R9-P1.orig/bin/Makefile.in	2013-06-04 15:30:48.000000000 -0300
-+++ bind-9.6-ESV-R9-P1/bin/Makefile.in	2013-07-19 15:32:19.018287733 -0300
+diff -Nura bind-9.9.4-P2.orig/bin/Makefile.in bind-9.9.4-P2/bin/Makefile.in
+--- bind-9.9.4-P2.orig/bin/Makefile.in	2013-12-19 21:28:28.000000000 -0300
++++ bind-9.9.4-P2/bin/Makefile.in	2014-01-17 11:41:25.378784210 -0300
 @@ -19,7 +19,7 @@
  VPATH =		@srcdir@
  top_srcdir =	@top_srcdir@
-
--SUBDIRS =	named rndc dig dnssec tests nsupdate check
-+SUBDIRS =	named rndc dig dnssec nsupdate check
+ 
+-SUBDIRS =	named rndc dig dnssec tools tests nsupdate \
++SUBDIRS =	named rndc dig dnssec tools nsupdate \
+ 		check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
  TARGETS =
-
+ 
+diff -Nura bind-9.9.4-P2.orig/lib/Makefile.in bind-9.9.4-P2/lib/Makefile.in
+--- bind-9.9.4-P2.orig/lib/Makefile.in	2013-12-19 21:28:28.000000000 -0300
++++ bind-9.9.4-P2/lib/Makefile.in	2014-01-17 11:41:30.489954861 -0300
+@@ -23,7 +23,7 @@
+ # Attempt to disable parallel processing.
+ .NOTPARALLEL:
+ .NO_PARALLEL:
+-SUBDIRS =	isc isccc dns isccfg bind9 lwres tests
++SUBDIRS =	isc isccc dns isccfg bind9 lwres
+ TARGETS =
+ 
  @BIND9_MAKE_RULES@
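Review bot: The regenerated patch headers name `bind-9.9.4-P2` while bind.mk in this same series sets `BIND_VERSION = 9.9.5`, so the patch was evidently produced against an older tarball. It presumably still applies since the SUBDIRS lines it touches look unchanged, but refreshing it against the 9.9.5 tree keeps the header honest and avoids fuzz on the next bump.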
diff --git a/package/bind/bind.mk b/package/bind/bind.mk
index 862be1b..0a611ea 100644
--- a/package/bind/bind.mk
+++ b/package/bind/bind.mk
@@ -4,26 +4,36 @@
 #
 ################################################################################
 
-BIND_VERSION = 9.6-ESV-R10
+BIND_VERSION = 9.9.5
 BIND_SITE = ftp://ftp.isc.org/isc/bind9/$(BIND_VERSION)
-BIND_MAKE = $(MAKE1)
 BIND_INSTALL_STAGING = YES
+BIND_CONFIG_SCRIPTS = bind9-config isc-config.sh
 BIND_LICENSE = ISC
 BIND_LICENSE_FILES = COPYRIGHT
-BIND_TARGET_SBINS = lwresd named named-checkconf named-checkzone
-BIND_TARGET_SBINS += named-compilezone rndc rndc-confgen dnssec-dsfromkey
-BIND_TARGET_SBINS += dnssec-keyfromlabel dnssec-keygen dnssec-signzone
-BIND_TARGET_BINS = dig host nslookup nsupdate
-BIND_TARGET_LIBS = libbind9.* libdns.* libisc.* libisccc.* libisccfg.* liblwres.*
+BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage
+BIND_TARGET_SERVER_SBIN += dnssec-importkey dnssec-keygen dnssec-revoke
+BIND_TARGET_SERVER_SBIN += dnssec-settime dnssec-verify genrandom
+BIND_TARGET_SERVER_SBIN += isc-hmac-fixup named-journalprint nsec3hash
+BIND_TARGET_SERVER_SBIN += lwresd named named-checkconf named-checkzone
+BIND_TARGET_SERVER_SBIN += named-compilezone rndc rndc-confgen dnssec-dsfromkey
+BIND_TARGET_SERVER_SBIN += dnssec-keyfromlabel dnssec-signzone
+BIND_TARGET_TOOLS_BIN = dig host nslookup nsupdate
 BIND_CONF_ENV =	BUILD_CC="$(TARGET_CC)" \
 		BUILD_CFLAGS="$(TARGET_CFLAGS)"
-BIND_CONF_OPT =	--sysconfdir=/etc \
-		--localstatedir=/var \
+BIND_CONF_OPT = --localstatedir=/var \
 		--with-randomdev=/dev/urandom \
-		--enable-epoll --with-libtool
+		--enable-epoll --with-libtool \
+		--with-gssapi=no --enable-rrl
+
+ifeq ($(BR2_PACKAGE_LIBCAP),y)
+	BIND_CONF_OPT += --enable-linux-caps
+	BIND_DEPENDENCIES += libcap
+else
+	BIND_CONF_OPT += --disable-linux-caps
+endif
 
 ifeq ($(BR2_PACKAGE_LIBXML2),y)
-	BIND_CONF_OPT += --with-libxml2=$(STAGING_DIR)/usr
+	BIND_CONF_OPT += --with-libxml2=$(STAGING_DIR)/usr --enable-newstats
 	BIND_DEPENDENCIES += libxml2
 else
 	BIND_CONF_OPT += --with-libxml2=no
@@ -31,36 +41,52 @@ endif
 
 ifeq ($(BR2_PACKAGE_OPENSSL),y)
 	BIND_DEPENDENCIES += openssl
-	BIND_CONF_OPT += --with-openssl=$(STAGING_DIR)/usr LIBS="-lz"
+	BIND_CONF_OPT += --with-openssl=$(STAGING_DIR)/usr LIBS="-lz" \
+		--with-ecdsa=yes
+# GOST cipher support requires openssl extra engines
+ifeq ($(BR2_PACKAGE_OPENSSL_ENGINES),y)
+	BIND_CONF_OPT += --with-gost=yes
+else
+	BIND_CONF_OPT += --with-gost=no
+endif
 else
 	BIND_CONF_OPT += --with-openssl=no
 endif
 
-define BIND_INSTALL_INIT_SYSV
-	$(INSTALL) -m 0755 -D package/bind/S81named \
-		$(TARGET_DIR)/etc/init.d/S81named
-endef
-
-define BIND_TARGET_INSTALL_FIXES
-	rm -f $(TARGET_DIR)/usr/bin/isc-config.sh
-endef
+# Used by dnssec-checkds and dnssec-coverage
+ifeq ($(BR2_PACKAGE_PYTHON)$(BR2_PACKAGE_PYTHON3),)
+	BIND_CONF_OPT += --with-python=no
+endif
 
-BIND_POST_INSTALL_TARGET_HOOKS += BIND_TARGET_INSTALL_FIXES
+ifeq ($(BR2_PACKAGE_READLINE),y)
+	BIND_DEPENDENCIES += readline
+else
+	BIND_CONF_OPT += --with-readline=no
+endif
 
 define BIND_TARGET_REMOVE_SERVER
-	rm -rf $(addprefix $(TARGET_DIR)/usr/sbin/, $(BIND_TARGET_SBINS))
+	rm -rf $(addprefix $(TARGET_DIR)/usr/sbin/, $(BIND_TARGET_SERVER_SBIN))
 endef
 
 define BIND_TARGET_REMOVE_TOOLS
-	rm -rf $(addprefix $(TARGET_DIR)/usr/bin/, $(BIND_TARGET_BINS))
+	rm -rf $(addprefix $(TARGET_DIR)/usr/bin/, $(BIND_TARGET_TOOLS_BIN))
 endef
 
-ifneq ($(BR2_PACKAGE_BIND_SERVER),y)
+ifeq ($(BR2_PACKAGE_BIND_SERVER),y)
+define BIND_INSTALL_INIT_SYSV
+        $(INSTALL) -m 0755 -D package/bind/S81named \
+                $(TARGET_DIR)/etc/init.d/S81named
+endef
+else
 BIND_POST_INSTALL_TARGET_HOOKS += BIND_TARGET_REMOVE_SERVER
 endif
 
-ifneq ($(BR2_PACKAGE_BIND_TOOLS),y)
+ifeq ($(BR2_PACKAGE_BIND_TOOLS),)
 BIND_POST_INSTALL_TARGET_HOOKS += BIND_TARGET_REMOVE_TOOLS
 endif
 
+define BIND_USERS
+named -1 named -1 * /etc/bind - - BIND daemon
+endef
+
 $(eval $(autotools-package))
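Review bot: The new `BIND_INSTALL_INIT_SYSV` body is indented with spaces, while every other define in the file, `BIND_TARGET_REMOVE_SERVER`, `BIND_TARGET_REMOVE_TOOLS` and the version being removed, starts its recipe lines with a tab; the two lines should be tab-indented like their neighbours. Make tolerates the spaces when the define is expanded into a recipe, but the mismatch is visible and easy to copy. The two adjacent conditionals also test the options differently, `ifeq ($(BR2_PACKAGE_BIND_SERVER),y)` versus `ifeq ($(BR2_PACKAGE_BIND_TOOLS),)`; writing the second as `ifneq ($(BR2_PACKAGE_BIND_TOOLS),y)` keeps one idiom.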
-- 
1.8.5.5


