commit:     b938f9f9a917d3bacb73ef914c371dfc5f2d8ebe
Author:     Jaco Kroon <jaco <AT> uls <DOT> co <DOT> za>
AuthorDate: Mon May 27 14:37:52 2024 +0000
Commit:     Viorel Munteanu <ceamac <AT> gentoo <DOT> org>
CommitDate: Mon May 27 15:08:30 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b938f9f9

net-dns/djbdns: 1.05-r40

Work around local receive overflow bug.

Bug: https://bugs.gentoo.org/932846
Signed-off-by: Jaco Kroon <jaco <AT> uls.co.za>
Closes: https://github.com/gentoo/gentoo/pull/36841
Signed-off-by: Viorel Munteanu <ceamac <AT> gentoo.org>

 net-dns/djbdns/djbdns-1.05-r40.ebuild              | 143 +++++++++++++++++++++
 ...dp-overflow-response-buffer-truncate-nov6.patch |  13 ++
 ...-udp-overflow-response-buffer-truncate-v6.patch |  34 +++++
 3 files changed, 190 insertions(+)

diff --git a/net-dns/djbdns/djbdns-1.05-r40.ebuild 
b/net-dns/djbdns/djbdns-1.05-r40.ebuild
new file mode 100644
index 000000000000..f5a5afde9b70
--- /dev/null
+++ b/net-dns/djbdns/djbdns-1.05-r40.ebuild
@@ -0,0 +1,143 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit flag-o-matic readme.gentoo-r1 toolchain-funcs
+
+DESCRIPTION="Collection of DNS client/server software"
+HOMEPAGE="https://cr.yp.to/djbdns.html";
+IPV6_PATCH="test32"
+
+SRC_URI="https://cr.yp.to/djbdns/${P}.tar.gz
+       https://smarden.org/pape/djb/manpages/${P}-man.tar.gz
+       ipv6? ( https://www.fefe.de/dns/${P}-${IPV6_PATCH}.diff.xz )"
+
+LICENSE="public-domain"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~hppa ~mips ~ppc ~ppc64 ~sparc ~x86"
+IUSE="ipv6 selinux"
+
+RDEPEND="
+       acct-user/dnscache
+       acct-user/dnslog
+       acct-user/tinydns
+       sys-apps/ucspi-tcp
+       virtual/daemontools
+       selinux? ( sec-policy/selinux-djbdns )"
+
+src_unpack() {
+       # Unpack both djbdns and its man pages to separate directories.
+       default
+
+       # Now move the man pages under ${S} so that user patches can be
+       # applied to them as well in src_prepare().
+       mv "${PN}-man" "${P}/man" || die "failed to transplant man pages"
+}
+
+PATCHES=(
+       "${FILESDIR}/dnsroots.patch"
+       "${FILESDIR}/dnstracesort.patch"
+       "${FILESDIR}/string_length_255.patch"
+       "${FILESDIR}/srv_record_support.patch"
+       "${FILESDIR}/increase-cname-recustion-depth.patch"
+       "${FILESDIR}/CVE2009-0858_0001-check-response-domain-name-length.patch"
+       "${FILESDIR}/CVE2012-1191_0001-ghost-domain-attack.patch"
+       "${FILESDIR}/AR-and-RANLIB-support.patch"
+       "${FILESDIR}/tinydns-softlimit.patch"
+       "${FILESDIR}/${PN}-dnscache-configurable-truncate-manpages.patch"
+)
+
+src_prepare() {
+       if use ipv6; then
+               PATCHES=(${PATCHES[@]}
+                       # The big ipv6 patch.
+                       "${WORKDIR}/${P}-${IPV6_PATCH}.diff"
+                       # Fix CVE2008-4392 (ipv6)
+                       
"${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test32.patch"
+                       
"${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records-ipv6-test29.patch"
+                       
"${FILESDIR}/${PN}-dnscache-configurable-truncate-size-v6.patch"
+                       
"${FILESDIR}/${PN}-udp-overflow-response-buffer-truncate-v6.patch"
+               )
+       else
+               PATCHES=(${PATCHES[@]}
+                       "${FILESDIR}/implicit-declarations-nov6.patch"
+                       # Fix CVE2008-4392 (no ipv6)
+                       
"${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-r1.patch"
+                       
"${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records.patch"
+                       # Later versions of the ipv6 patch include this
+                       "${FILESDIR}/${PV}-errno-r1.patch"
+                       
"${FILESDIR}/${PN}-dnscache-configurable-truncate-size-nov6.patch"
+                       
"${FILESDIR}/${PN}-udp-overflow-response-buffer-truncate-nov6.patch"
+               )
+       fi
+
+       default
+
+       # Change "head -X" to the posix-compatible "head -nX" within the
+       # Makefile. We do this with sed instead of a patch because the ipv6
+       # patch uses some of the surrounding lines; we'd need two versions
+       # of the patch.
+       sed -i Makefile \
+               -e 's/head[[:space:]]\{1,\}\-\([0-9]\{1,\}\)/head -n\1/g' \
+               || die 'failed to sed head in the Makefile'
+}
+
+src_compile() {
+       # Bug 927539. This is beyond our ability to realistically fix due
+       # to patch conflicts.
+       append-cflags $(test-flags-CC -Wno-error=incompatible-pointer-types)
+
+       echo "$(tc-getCC) ${CFLAGS}" > conf-cc || die
+       echo "$(tc-getCC) ${LDFLAGS}" > conf-ld || die
+       echo "/usr" > conf-home || die
+       emake AR=$(tc-getAR) RANLIB=$(tc-getRANLIB)
+}
+
+src_install() {
+       insinto /etc
+       doins dnsroots.global
+
+       into /usr
+       dobin *-conf dnscache tinydns walldns rbldns pickdns axfrdns \
+               *-get *-data *-edit dnsip dnsipq dnsname dnstxt dnsmx \
+               dnsfilter random-ip dnsqr dnsq dnstrace dnstracesort
+
+       if use ipv6; then
+               dobin dnsip6 dnsip6q
+       fi
+
+       dodoc CHANGES README
+
+       doman man/*.[158]
+
+       readme.gentoo_create_doc
+}
+
+DISABLE_AUTOFORMATTING=1
+DOC_CONTENTS='
+To configure djbdns, please follow the instructions at,
+
+       http://cr.yp.to/djbdns.html
+
+Of particular interest are,
+
+       axfrdns : http://cr.yp.to/djbdns/axfrdns-conf.html
+       dnscache: http://cr.yp.to/djbdns/run-cache-x-home.html
+       tinydns : http://cr.yp.to/djbdns/run-server.html
+
+Portage has created users for axfrdns, dnscache, and tinydns; the
+commands to configure these programs are,
+
+       1. axfrdns-conf tinydns dnslog /var/axfrdns /var/tinydns $ip
+       2. dnscache-conf dnscache dnslog /var/dnscache $ip
+       3. tinydns-conf tinydns dnslog /var/tinydns $ip
+
+(replace $ip with the ip address on which the server will run).
+
+If you wish to configure rbldns or walldns, you will need to create
+those users yourself (although you should still use the "dnslog"
+user for the logs):
+
+       4. rbldns-conf $username dnslog /var/rbldns $ip $base
+       5. walldns-conf $username dnslog /var/walldns $ip
+'
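Review bot: The array re-assignments in src_prepare, `PATCHES=(${PATCHES[@]}`, expand the existing entries unquoted, so any element containing whitespace or a glob character would be split or globbed before the new patch paths are appended; write them as `PATCHES=( "${PATCHES[@]}"` in both the ipv6 and the non-ipv6 branch. The two new `${PN}-udp-overflow-response-buffer-truncate-*.patch` entries themselves are quoted correctly, so the problem is only in the spread of the old elements. Separately, DOC_CONTENTS still points users at `http://cr.yp.to/...` while HOMEPAGE and SRC_URI use https for the same host; aligning them would avoid sending users over plain HTTP for configuration instructions.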

diff --git 
a/net-dns/djbdns/files/djbdns-udp-overflow-response-buffer-truncate-nov6.patch 
b/net-dns/djbdns/files/djbdns-udp-overflow-response-buffer-truncate-nov6.patch
new file mode 100644
index 000000000000..058691cb94ff
--- /dev/null
+++ 
b/net-dns/djbdns/files/djbdns-udp-overflow-response-buffer-truncate-nov6.patch
@@ -0,0 +1,13 @@
+--- djbdns-1.05.o/dns_transmit.c       2001-02-11 23:11:45.000000000 +0200
++++ djbdns-1.05/dns_transmit.c 2024-05-27 16:25:11.857369652 +0200
+@@ -265,9 +265,9 @@
+       if (errno == error_connrefused) if (d->udploop == 2) return 0;
+       return nextudp(d);
+     }
+-    if (r + 1 > sizeof udpbuf) return 0;
+ 
+     if (irrelevant(d,udpbuf,r)) return 0;
++    if ((size_t)r + 1 > sizeof udpbuf) return firsttcp(d); /* if udp 
overflowed, retry with TCP */
+     if (serverwantstcp(udpbuf,r)) return firsttcp(d);
+     if (serverfailed(udpbuf,r)) {
+       if (d->udploop == 2) return 0;
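Review bot: The added line's comment says only that an overflow triggers a TCP retry, but the part that matters for review is the reordering: the full-buffer check now runs after irrelevant(), so a datagram that does not match the outstanding query can no longer force the resolver onto TCP, and only a locally truncated copy of a genuine reply does. A comment along the lines of `/* checked after irrelevant() so only a reply to our own query can force the TCP retry; a full udpbuf means recv() truncated it, treat as TC */` would make that intent survive the next rebase. This applies equally to the v6 variant of the patch in the next file. The nov6 patch file also carries none of the rationale that the v6 file puts in its header (the >512-byte UDP responses, the exact-fit case being retried anyway); duplicating that paragraph here would keep the two files self-explanatory, since they are applied in mutually exclusive USE configurations. The patched function continues outside the quoted hunk.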

diff --git 
a/net-dns/djbdns/files/djbdns-udp-overflow-response-buffer-truncate-v6.patch 
b/net-dns/djbdns/files/djbdns-udp-overflow-response-buffer-truncate-v6.patch
new file mode 100644
index 000000000000..bf55e7dd86df
--- /dev/null
+++ b/net-dns/djbdns/files/djbdns-udp-overflow-response-buffer-truncate-v6.patch
@@ -0,0 +1,34 @@
+Deal with local recv() truncation.
+
+In the case where an upstream cache sends a UDP response that would overflow
+the djb cache's default receive buffer, then djbdns would treat this as an
+invalid response.  The norm nowadays is the send >512b UDP responses,
+especially for TXT RRs.  It looks like up to around 4KB is deemed acceptable in
+most cases I've investigated.
+
+So, in the case where we locally end up reciving a truncated packet by way of
+recv() because the local UDP buffer is too small, treat that like the TC bit
+was set, because really we can know the response was truncated.
+
+Therefor check the irrelevant (inappropriate response) data first, then if the
+buffer was fully received (it might be that the response fits exactly, but
+short of parsing this buffer there is no simple way to confirm this, so just
+assume it's unlikely to get an exact sized buffer back and retry using TCP
+anyway).  Yes, this is a waste of resources in this specific case, but so be
+it.
+
+Signed-off-by: <j...@uls.co.za>
+
+--- djbdns-1.05.o/dns_transmit.c       2024-05-27 13:20:25.788463090 +0200
++++ djbdns-1.05/dns_transmit.c 2024-05-27 14:13:38.786335627 +0200
+@@ -266,9 +266,9 @@
+       if (errno == error_connrefused) if (d->udploop == 2) return 0;
+       return nextudp(d);
+     }
+-    if ((size_t)r + 1 > sizeof udpbuf) return 0;
+ 
+     if (irrelevant(d,udpbuf,r)) return 0;
++    if ((size_t)r + 1 > sizeof udpbuf) return firsttcp(d); /* if udp 
overflowed, retry with TCP */
+     if (serverwantstcp(udpbuf,r)) return firsttcp(d);
+     if (serverfailed(udpbuf,r)) {
+       if (d->udploop == 2) return 0;
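Review bot: The header text of this patch file has a few wording slips that are worth fixing while it is new: `reciving` should read `receiving`, `Therefor` should read `Therefore`, and `The norm nowadays is the send >512b` should read `The norm nowadays is to send >512b`. The `(size_t)r` cast on the moved check is safe here only because the `r <= 0` branch above the hunk already returned for errors and empty reads; a short note such as `/* r > 0 here, cast is safe */` would spare the next reader from re-deriving that from the lines outside the hunk.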
