summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJaco Kroon <jaco@uls.co.za>2024-05-27 16:37:52 +0200
committerViorel Munteanu <ceamac@gentoo.org>2024-05-27 18:08:30 +0300
commitb938f9f9a917d3bacb73ef914c371dfc5f2d8ebe (patch)
tree1e3f7b51ca2a6650c6cec704612a9f05d51bdb15 /net-dns
parentnet-dns/djbdns: Add myself as maintainer. (diff)
downloadgentoo-b938f9f9a917d3bacb73ef914c371dfc5f2d8ebe.tar.gz
gentoo-b938f9f9a917d3bacb73ef914c371dfc5f2d8ebe.tar.bz2
gentoo-b938f9f9a917d3bacb73ef914c371dfc5f2d8ebe.zip
net-dns/djbdns: 1.05-r40
Work around local receive overflow bug. Bug: https://bugs.gentoo.org/932846 Signed-off-by: Jaco Kroon <jaco@uls.co.za> Closes: https://github.com/gentoo/gentoo/pull/36841 Signed-off-by: Viorel Munteanu <ceamac@gentoo.org>
Diffstat (limited to 'net-dns')
-rw-r--r--net-dns/djbdns/djbdns-1.05-r40.ebuild143
-rw-r--r--net-dns/djbdns/files/djbdns-udp-overflow-response-buffer-truncate-nov6.patch13
-rw-r--r--net-dns/djbdns/files/djbdns-udp-overflow-response-buffer-truncate-v6.patch34
3 files changed, 190 insertions, 0 deletions
diff --git a/net-dns/djbdns/djbdns-1.05-r40.ebuild b/net-dns/djbdns/djbdns-1.05-r40.ebuild
new file mode 100644
index 000000000000..f5a5afde9b70
--- /dev/null
+++ b/net-dns/djbdns/djbdns-1.05-r40.ebuild
@@ -0,0 +1,143 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit flag-o-matic readme.gentoo-r1 toolchain-funcs
+
+DESCRIPTION="Collection of DNS client/server software"
+HOMEPAGE="https://cr.yp.to/djbdns.html"
+IPV6_PATCH="test32"
+
+SRC_URI="https://cr.yp.to/djbdns/${P}.tar.gz
+ https://smarden.org/pape/djb/manpages/${P}-man.tar.gz
+ ipv6? ( https://www.fefe.de/dns/${P}-${IPV6_PATCH}.diff.xz )"
+
+LICENSE="public-domain"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~hppa ~mips ~ppc ~ppc64 ~sparc ~x86"
+IUSE="ipv6 selinux"
+
+RDEPEND="
+ acct-user/dnscache
+ acct-user/dnslog
+ acct-user/tinydns
+ sys-apps/ucspi-tcp
+ virtual/daemontools
+ selinux? ( sec-policy/selinux-djbdns )"
+
+src_unpack() {
+ # Unpack both djbdns and its man pages to separate directories.
+ default
+
+ # Now move the man pages under ${S} so that user patches can be
+ # applied to them as well in src_prepare().
+ mv "${PN}-man" "${P}/man" || die "failed to transplant man pages"
+}
+
+PATCHES=(
+ "${FILESDIR}/dnsroots.patch"
+ "${FILESDIR}/dnstracesort.patch"
+ "${FILESDIR}/string_length_255.patch"
+ "${FILESDIR}/srv_record_support.patch"
+ "${FILESDIR}/increase-cname-recustion-depth.patch"
+ "${FILESDIR}/CVE2009-0858_0001-check-response-domain-name-length.patch"
+ "${FILESDIR}/CVE2012-1191_0001-ghost-domain-attack.patch"
+ "${FILESDIR}/AR-and-RANLIB-support.patch"
+ "${FILESDIR}/tinydns-softlimit.patch"
+ "${FILESDIR}/${PN}-dnscache-configurable-truncate-manpages.patch"
+)
+
+src_prepare() {
+ if use ipv6; then
+ PATCHES=(${PATCHES[@]}
+ # The big ipv6 patch.
+ "${WORKDIR}/${P}-${IPV6_PATCH}.diff"
+ # Fix CVE2008-4392 (ipv6)
+ "${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test32.patch"
+ "${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records-ipv6-test29.patch"
+ "${FILESDIR}/${PN}-dnscache-configurable-truncate-size-v6.patch"
+ "${FILESDIR}/${PN}-udp-overflow-response-buffer-truncate-v6.patch"
+ )
+ else
+ PATCHES=(${PATCHES[@]}
+ "${FILESDIR}/implicit-declarations-nov6.patch"
+ # Fix CVE2008-4392 (no ipv6)
+ "${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-r1.patch"
+ "${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records.patch"
+ # Later versions of the ipv6 patch include this
+ "${FILESDIR}/${PV}-errno-r1.patch"
+ "${FILESDIR}/${PN}-dnscache-configurable-truncate-size-nov6.patch"
+ "${FILESDIR}/${PN}-udp-overflow-response-buffer-truncate-nov6.patch"
+ )
+ fi
+
+ default
+
+ # Change "head -X" to the posix-compatible "head -nX" within the
+ # Makefile. We do this with sed instead of a patch because the ipv6
+ # patch uses some of the surrounding lines; we'd need two versions
+ # of the patch.
+ sed -i Makefile \
+ -e 's/head[[:space:]]\{1,\}\-\([0-9]\{1,\}\)/head -n\1/g' \
+ || die 'failed to sed head in the Makefile'
+}
+
+src_compile() {
+ # Bug 927539. This is beyond our ability to realistically fix due
+ # to patch conflicts.
+ append-cflags $(test-flags-CC -Wno-error=incompatible-pointer-types)
+
+ echo "$(tc-getCC) ${CFLAGS}" > conf-cc || die
+ echo "$(tc-getCC) ${LDFLAGS}" > conf-ld || die
+ echo "/usr" > conf-home || die
+ emake AR=$(tc-getAR) RANLIB=$(tc-getRANLIB)
+}
+
+src_install() {
+ insinto /etc
+ doins dnsroots.global
+
+ into /usr
+ dobin *-conf dnscache tinydns walldns rbldns pickdns axfrdns \
+ *-get *-data *-edit dnsip dnsipq dnsname dnstxt dnsmx \
+ dnsfilter random-ip dnsqr dnsq dnstrace dnstracesort
+
+ if use ipv6; then
+ dobin dnsip6 dnsip6q
+ fi
+
+ dodoc CHANGES README
+
+ doman man/*.[158]
+
+ readme.gentoo_create_doc
+}
+
+DISABLE_AUTOFORMATTING=1
+DOC_CONTENTS='
+To configure djbdns, please follow the instructions at,
+
+ http://cr.yp.to/djbdns.html
+
+Of particular interest are,
+
+ axfrdns : http://cr.yp.to/djbdns/axfrdns-conf.html
+ dnscache: http://cr.yp.to/djbdns/run-cache-x-home.html
+ tinydns : http://cr.yp.to/djbdns/run-server.html
+
+Portage has created users for axfrdns, dnscache, and tinydns; the
+commands to configure these programs are,
+
+ 1. axfrdns-conf tinydns dnslog /var/axfrdns /var/tinydns $ip
+ 2. dnscache-conf dnscache dnslog /var/dnscache $ip
+ 3. tinydns-conf tinydns dnslog /var/tinydns $ip
+
+(replace $ip with the ip address on which the server will run).
+
+If you wish to configure rbldns or walldns, you will need to create
+those users yourself (although you should still use the "dnslog"
+user for the logs):
+
+ 4. rbldns-conf $username dnslog /var/rbldns $ip $base
+ 5. walldns-conf $username dnslog /var/walldns $ip
+'
diff --git a/net-dns/djbdns/files/djbdns-udp-overflow-response-buffer-truncate-nov6.patch b/net-dns/djbdns/files/djbdns-udp-overflow-response-buffer-truncate-nov6.patch
new file mode 100644
index 000000000000..058691cb94ff
--- /dev/null
+++ b/net-dns/djbdns/files/djbdns-udp-overflow-response-buffer-truncate-nov6.patch
@@ -0,0 +1,13 @@
+--- djbdns-1.05.o/dns_transmit.c 2001-02-11 23:11:45.000000000 +0200
++++ djbdns-1.05/dns_transmit.c 2024-05-27 16:25:11.857369652 +0200
+@@ -265,9 +265,9 @@
+ if (errno == error_connrefused) if (d->udploop == 2) return 0;
+ return nextudp(d);
+ }
+- if (r + 1 > sizeof udpbuf) return 0;
+
+ if (irrelevant(d,udpbuf,r)) return 0;
++ if ((size_t)r + 1 > sizeof udpbuf) return firsttcp(d); /* if udp overflowed, retry with TCP */
+ if (serverwantstcp(udpbuf,r)) return firsttcp(d);
+ if (serverfailed(udpbuf,r)) {
+ if (d->udploop == 2) return 0;
diff --git a/net-dns/djbdns/files/djbdns-udp-overflow-response-buffer-truncate-v6.patch b/net-dns/djbdns/files/djbdns-udp-overflow-response-buffer-truncate-v6.patch
new file mode 100644
index 000000000000..bf55e7dd86df
--- /dev/null
+++ b/net-dns/djbdns/files/djbdns-udp-overflow-response-buffer-truncate-v6.patch
@@ -0,0 +1,34 @@
+Deal with local recv() truncation.
+
+In the case where an upstream cache sends a UDP response that would overflow
+the djb cache's default receive buffer, then djbdns would treat this as an
+invalid response. The norm nowadays is the send >512b UDP responses,
+especially for TXT RRs. It looks like up to around 4KB is deemed acceptable in
+most cases I've investigated.
+
+So, in the case where we locally end up reciving a truncated packet by way of
+recv() because the local UDP buffer is too small, treat that like the TC bit
+was set, because really we can know the response was truncated.
+
+Therefor check the irrelevant (inappropriate response) data first, then if the
+buffer was fully received (it might be that the response fits exactly, but
+short of parsing this buffer there is no simple way to confirm this, so just
+assume it's unlikely to get an exact sized buffer back and retry using TCP
+anyway). Yes, this is a waste of resources in this specific case, but so be
+it.
+
+Signed-off-by: <jaco@uls.co.za>
+
+--- djbdns-1.05.o/dns_transmit.c 2024-05-27 13:20:25.788463090 +0200
++++ djbdns-1.05/dns_transmit.c 2024-05-27 14:13:38.786335627 +0200
+@@ -266,9 +266,9 @@
+ if (errno == error_connrefused) if (d->udploop == 2) return 0;
+ return nextudp(d);
+ }
+- if ((size_t)r + 1 > sizeof udpbuf) return 0;
+
+ if (irrelevant(d,udpbuf,r)) return 0;
++ if ((size_t)r + 1 > sizeof udpbuf) return firsttcp(d); /* if udp overflowed, retry with TCP */
+ if (serverwantstcp(udpbuf,r)) return firsttcp(d);
+ if (serverfailed(udpbuf,r)) {
+ if (d->udploop == 2) return 0;