author | Saul Wold <sgw@linux.intel.com> | 2014-03-04 13:56:06 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-03-11 20:28:57 -0700 |
commit | 5ab5b77999d06ce7b8e4c789cf4eccf5c3ffc7a1 (patch) | |
tree | 269a424906715d34f8d06b8ddab7cc30d0e1546b /meta/recipes-connectivity/bind/bind | |
parent | f7557a1793b45b7bdbcc06e875021d9a8b43ec79 (diff) | |
download | poky-5ab5b77999d06ce7b8e4c789cf4eccf5c3ffc7a1.tar.gz |
bind: Update to 9.9.5
Remove CVE patches that are in bind
Updated COPYRIGHT includes date changes the NetBSD Copyright
Modifies the Base BSD License to 3-Clause (removes advertising clause)
Add patch to disable running tests on host
Add python-core to RDEPENDS for dnssec-checkds and dnssec-coverage and fix path to python
(From OE-Core rev: 041576d6d63ad807ca405dcea9eeecf1c9ccd7fe)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/bind/bind')
11 files changed, 1016 insertions, 0 deletions
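--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/bind-9.8.1-CVE-2012-5166.patch
@@ -0,0 +1,119 @@
+bind_Fix_for_CVE-2012-5166
+
+Upstream-Status: Backport
+
+Reference:http://launchpadlibrarian.net/119212498/bind9_1%3A9.7.3.dfsOBg
+-1ubuntu2.6_1%3A9.7.3.dfsg-1ubuntu2.7.diff.gz
+
+ISC BIND 9.x before 9.7.6-P4, 9.8.x before 9.8.3-P4, 9.9.x before
+9.9.1-P4, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P4 allows
+remote attackers to cause a denial of service (named daemon hang)
+via unspecified combinations of resource records.
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5166
+
+Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
+diff -urpN a/bin/named/query.c b/bin/named/query.c
+--- a/bin/named/query.c 2012-10-22 13:24:27.000000000 +0800
++++ b/bin/named/query.c 2012-10-22 13:17:04.000000000 +0800
+@@ -1137,13 +1137,6 @@ query_isduplicate(ns_client_t *client, d
+mname = NULL;
+}
+
+- /*
+- * If the dns_name_t we're looking up is already in the message,
+- * we don't want to trigger the caller's name replacement logic.
+- */
+- if (name == mname)
+- mname = NULL;
+-
+*mnamep = mname;
+
+CTRACE("query_isduplicate: false: done");
+@@ -1341,6 +1334,7 @@ query_addadditional(void *arg, dns_name_
+if (dns_rdataset_isassociated(rdataset) &&
+!query_isduplicate(client, fname, type, &mname)) {
+if (mname != NULL) {
++ INSIST(mname != fname);
+query_releasename(client, &fname);
+fname = mname;
+} else
+@@ -1401,11 +1395,13 @@ query_addadditional(void *arg, dns_name_
+mname = NULL;
+if (!query_isduplicate(client, fname,
+dns_rdatatype_a, &mname)) {
+- if (mname != NULL) {
+- query_releasename(client, &fname);
+- fname = mname;
+- } else
+- need_addname = ISC_TRUE;
++ if (mname != fname) {
++ if (mname != NULL) {
++ query_releasename(client, &fname);
++ fname = mname;
++ } else
++ need_addname = ISC_TRUE;
++ }
+ISC_LIST_APPEND(fname->list, rdataset, link);
+added_something = ISC_TRUE;
+if (sigrdataset != NULL &&
+@@ -1444,11 +1440,13 @@ query_addadditional(void *arg, dns_name_
+mname = NULL;
+if (!query_isduplicate(client, fname,
+dns_rdatatype_aaaa, &mname)) {
+- if (mname != NULL) {
+- query_releasename(client, &fname);
+- fname = mname;
+- } else
+- need_addname = ISC_TRUE;
++ if (mname != fname) {
++ if (mname != NULL) {
++ query_releasename(client, &fname);
++ fname = mname;
++ } else
++ need_addname = ISC_TRUE;
++ }
+ISC_LIST_APPEND(fname->list, rdataset, link);
+added_something = ISC_TRUE;
+if (sigrdataset != NULL &&
+@@ -1960,22 +1958,24 @@ query_addadditional2(void *arg, dns_name
+crdataset->type == dns_rdatatype_aaaa) {
+if (!query_isduplicate(client, fname, crdataset->type,
+&mname)) {
+- if (mname != NULL) {
+- /*
+- * A different type of this name is
+- * already stored in the additional
+- * section. We'll reuse the name.
+- * Note that this should happen at most
+- * once. Otherwise, fname->link could
+- * leak below.
+- */
+- INSIST(mname0 == NULL);
+-
+- query_releasename(client, &fname);
+- fname = mname;
+- mname0 = mname;
+- } else
+- need_addname = ISC_TRUE;
++ if (mname != fname) {
++ if (mname != NULL) {
++ /*
++ * A different type of this name is
++ * already stored in the additional
++ * section. We'll reuse the name.
++ * Note that this should happen at most
++ * once. Otherwise, fname->link could
++ * leak below.
++ */
++ INSIST(mname0 == NULL);
++
++ query_releasename(client, &fname);
++ fname = mname;
++ mname0 = mname;
++ } else
++ need_addname = ISC_TRUE;
++ }
+ISC_LIST_UNLINK(cfname.list, crdataset, link);
+ISC_LIST_APPEND(fname->list, crdataset, link);
+added_something = ISC_TRUE;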
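Review bot: The first `query_addadditional` hunk (patch line 37) handles the `mname == fname` case with `INSIST(mname != fname);`, while the three later call sites in the same patch tolerate it with `if (mname != fname) {`. Because `query_isduplicate` no longer clears `mname` when it equals the looked-up name, a failed INSIST on this path would abort named instead of hanging it, so the invariant deserves a comment explaining why this lookup cannot return the caller's own name; the reason is not visible in the hunk and should be confirmed against the surrounding function. Separately, the `Reference:` URL in the patch header is split across two lines and contains what look like stray characters (`dfsOBg`), so it probably does not resolve as written.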
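--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/bind-CVE-2011-4313.patch
@@ -0,0 +1,89 @@
+The patch to fix CVE-2011-4313
+
+Upstream-Status: Backport
+
+Reference: https://www.redhat.com/security/data/cve/CVE-2011-4313.html
+
+query.c in ISC BIND 9.0.x through 9.6.x, 9.4-ESV through 9.4-ESV-R5, 9.6-ESV
+through 9.6-ESV-R5, 9.7.0 through 9.7.4, 9.8.0 through 9.8.1, and 9.9.0a1
+through 9.9.0b1 allows remote attackers to cause a denial of service
+(assertion failure and named exit) via unknown vectors related to recursive DNS
+queries, error logging, and the caching of an invalid record by the resolver.
+
+Signed-off-by Ming Liu <ming.liu@windriver.com>
+---
+bin/named/query.c | 19 ++++++++-----------
+lib/dns/rbtdb.c | 4 ++--
+2 files changed, 10 insertions(+), 13 deletions(-)
+
+--- a/bin/named/query.c
++++ b/bin/named/query.c
+@@ -1393,11 +1393,9 @@ query_addadditional(void *arg, dns_name_
+goto addname;
+if (result == DNS_R_NCACHENXRRSET) {
+dns_rdataset_disassociate(rdataset);
+- /*
+- * Negative cache entries don't have sigrdatasets.
+- */
+- INSIST(sigrdataset == NULL ||
+- ! dns_rdataset_isassociated(sigrdataset));
++ if (sigrdataset != NULL &&
++ dns_rdataset_isassociated(sigrdataset))
++ dns_rdataset_disassociate(sigrdataset);
+}
+if (result == ISC_R_SUCCESS) {
+mname = NULL;
+@@ -1438,8 +1436,9 @@ query_addadditional(void *arg, dns_name_
+goto addname;
+if (result == DNS_R_NCACHENXRRSET) {
+dns_rdataset_disassociate(rdataset);
+- INSIST(sigrdataset == NULL ||
+- ! dns_rdataset_isassociated(sigrdataset));
++ if (sigrdataset != NULL &&
++ dns_rdataset_isassociated(sigrdataset))
++ dns_rdataset_disassociate(sigrdataset);
+}
+if (result == ISC_R_SUCCESS) {
+mname = NULL;
+@@ -1889,10 +1888,8 @@ query_addadditional2(void *arg, dns_name
+goto setcache;
+if (result == DNS_R_NCACHENXRRSET) {
+dns_rdataset_disassociate(rdataset);
+- /*
+- * Negative cache entries don't have sigrdatasets.
+- */
+- INSIST(! dns_rdataset_isassociated(sigrdataset));
++ if (dns_rdataset_isassociated(sigrdataset))
++ dns_rdataset_disassociate(sigrdataset);
+}
+if (result == ISC_R_SUCCESS) {
+/* Remember the result as a cache */
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -5053,7 +5053,7 @@ cache_find(dns_db_t *db, dns_name_t *nam
+rdataset);
+if (need_headerupdate(found, search.now))
+update = found;
+- if (foundsig != NULL) {
++ if (!NEGATIVE(found) && foundsig != NULL) {
+bind_rdataset(search.rbtdb, node, foundsig, search.now,
+sigrdataset);
+if (need_headerupdate(foundsig, search.now))
+@@ -5596,7 +5596,7 @@ zone_findrdataset(dns_db_t *db, dns_dbno
+}
+if (found != NULL) {
+bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
+- if (foundsig != NULL)
++ if (!NEGATIVE(found) && foundsig != NULL)
+bind_rdataset(rbtdb, rbtnode, foundsig, now,
+sigrdataset);
+}
+@@ -5685,7 +5685,7 @@ cache_findrdataset(dns_db_t *db, dns_dbn
+}
+if (found != NULL) {
+bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
+- if (foundsig != NULL)
++ if (!NEGATIVE(found) && foundsig != NULL)
+bind_rdataset(rbtdb, rbtnode, foundsig, now,
+sigrdataset);
+}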
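Review bot: The `query_addadditional2` hunk calls `dns_rdataset_isassociated(sigrdataset)` with no NULL test, whereas both `query_addadditional` hunks check `sigrdataset != NULL &&` first. The removed INSIST had the same shape, so the pointer is presumably always allocated at that point, but that cannot be confirmed from the hunk; either add the NULL test for symmetry or a one-line comment saying why it is not needed. The deleted comment "Negative cache entries don't have sigrdatasets" is not replaced, so a short note such as `/* A negative entry may still carry a bound sigrdataset; release it. */` would explain the new branch. In the patch header, `Signed-off-by Ming Liu` lacks the colon, so tools that parse trailers are unlikely to recognise it.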
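--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/bind-CVE-2012-1667.patch
@@ -0,0 +1,92 @@
+bind CVE-2012-1667
+
+Upstream-Status: Backport
+
+ISC BIND 9.x before 9.7.6-P1, 9.8.x before 9.8.3-P1, 9.9.x before 9.9.1-P1,
+and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P1 does not properly handle resource
+records with a zero-length RDATA section, which allows remote DNS servers to
+cause a denial of service (daemon crash or data corruption) or obtain
+sensitive information from process memory via a crafted record.
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1667
+
+The cve patch comes from bind97-9.7.0-10.P2.el5_8.1.src.rpm package.
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+lib/dns/rdata.c | 8 ++++----
+lib/dns/rdataslab.c | 11 ++++++++---
+2 files changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
+index 063b1f6..9337a80 100644
+--- a/lib/dns/rdata.c
++++ b/lib/dns/rdata.c
+@@ -325,8 +325,8 @@ dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
+
+REQUIRE(rdata1 != NULL);
+REQUIRE(rdata2 != NULL);
+- REQUIRE(rdata1->data != NULL);
+- REQUIRE(rdata2->data != NULL);
++ REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
++ REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
+REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
+REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
+
+@@ -356,8 +356,8 @@ dns_rdata_casecompare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
+
+REQUIRE(rdata1 != NULL);
+REQUIRE(rdata2 != NULL);
+- REQUIRE(rdata1->data != NULL);
+- REQUIRE(rdata2->data != NULL);
++ REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
++ REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
+REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
+REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
+
+diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
+index a41f16f..ed13b30 100644
+--- a/lib/dns/rdataslab.c
++++ b/lib/dns/rdataslab.c
+@@ -125,6 +125,11 @@ isc_result_t
+dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+isc_region_t *region, unsigned int reservelen)
+{
++ /*
++ * Use &removed as a sentinal pointer for duplicate
++ * rdata as rdata.data == NULL is valid.
++ */
++ static unsigned char removed;
+struct xrdata *x;
+unsigned char *rawbuf;
+#if DNS_RDATASET_FIXED
+@@ -168,6 +173,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+INSIST(result == ISC_R_SUCCESS);
+dns_rdata_init(&x[i].rdata);
+dns_rdataset_current(rdataset, &x[i].rdata);
++ INSIST(x[i].rdata.data != &removed);
+#if DNS_RDATASET_FIXED
+x[i].order = i;
+#endif
+@@ -200,8 +206,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+*/
+for (i = 1; i < nalloc; i++) {
+if (compare_rdata(&x[i-1].rdata, &x[i].rdata) == 0) {
+- x[i-1].rdata.data = NULL;
+- x[i-1].rdata.length = 0;
++ x[i-1].rdata.data = &removed;
+#if DNS_RDATASET_FIXED
+/*
+* Preserve the least order so A, B, A -> A, B
+@@ -291,7 +296,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+#endif
+
+for (i = 0; i < nalloc; i++) {
+- if (x[i].rdata.data == NULL)
++ if (x[i].rdata.data == &removed)
+continue;
+#if DNS_RDATASET_FIXED
+offsettable[x[i].order] = rawbuf - offsetbase;
+--
+1.7.0.5
+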
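Review bot: In `dns_rdataslab_fromrdataset` a duplicate entry is now marked only by `x[i-1].rdata.data = &removed;` and its `length` is no longer zeroed, so every later reader of `x[i].rdata.length` has to test for the sentinel first. The final copy loop shown in the last hunk does that, but the size-accounting code between the hunks is outside this view and should be checked for the same guard. The new comment also misspells the term; it should read `Use &removed as a sentinel pointer for duplicate rdata as rdata.data == NULL is valid.`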
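--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/bind-CVE-2012-3817.patch
@@ -0,0 +1,40 @@
+bind: fix for CVE-2012-3817
+
+Upstream-Status: Backport
+
+ISC BIND 9.4.x, 9.5.x, 9.6.x, and 9.7.x before 9.7.6-P2; 9.8.x before 9.8.3-P2;
+9.9.x before 9.9.1-P2; and 9.6-ESV before 9.6-ESV-R7-P2, when DNSSEC validation
+is enabled, does not properly initialize the failing-query cache, which allows
+remote attackers to cause a denial of service (assertion failure and daemon exit)
+by sending many queries.
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3817
+
+This patch is back-ported from bind-9.3.6-20.P1.el5_8.2.src.rpm package.
+
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+---
+resolver.c | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -8318,6 +8318,7 @@ dns_resolver_addbadcache(dns_resolver_t
+goto cleanup;
+bad->type = type;
+bad->hashval = hashval;
++ bad->expire = *expire;
+isc_buffer_init(&buffer, bad + 1, name->length);
+dns_name_init(&bad->name, NULL);
+dns_name_copy(name, &bad->name, &buffer);
+@@ -8329,8 +8330,8 @@ dns_resolver_addbadcache(dns_resolver_t
+if (resolver->badcount < resolver->badhash * 2 &&
+resolver->badhash > DNS_BADCACHE_SIZE)
+resizehash(resolver, &now, ISC_FALSE);
+- }
+- bad->expire = *expire;
++ } else
++ bad->expire = *expire;
+cleanup:
+UNLOCK(&resolver->lock);
+}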
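Review bot: The second `dns_resolver_addbadcache` hunk leaves `} else` with a single unbraced statement directly above the `cleanup:` label, following a braced `if` body; writing it as `} else {`, `bad->expire = *expire;`, `}` keeps a later addition from silently falling outside the branch. The reason `expire` is now assigned in the first hunk, before the entry is linked in, is not stated anywhere in the code; a comment such as `/* Set expire before insertion so resizehash() never sees it uninitialised. */` would record it, though that reading is inferred from the CVE text because the insertion code lies between the hunks. The header's diffstat names `resolver.c` while the patched path is `lib/dns/resolver.c`.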
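--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/bind-CVE-2013-2266.patch
@@ -0,0 +1,41 @@
+bind: fix for CVE-2013-2266
+
+Upstream-Status: Backport
+
+libdns in ISC BIND 9.7.x and 9.8.x before 9.8.4-P2, 9.8.5 before 9.8.5b2,
+9.9.x before 9.9.2-P2, and 9.9.3 before 9.9.3b2 on UNIX platforms allows
+remote attackers to cause a denial of service (memory consumption) via a
+crafted regular expression, as demonstrated by a memory-exhaustion attack
+against a machine running a named process.
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2266
+
+Signed-off-by Ming Liu <ming.liu@windriver.com>
+---
+config.h.in | 3 ---
+configure.in | 2 +-
+2 files changed, 1 insertion(+), 4 deletions(-)
+
+--- a/config.h.in
++++ b/config.h.in
+@@ -277,9 +277,6 @@ int sigwait(const unsigned int *set, int
+/* Define if your OpenSSL version supports GOST. */
+#undef HAVE_OPENSSL_GOST
+
+-/* Define to 1 if you have the <regex.h> header file. */
+-#undef HAVE_REGEX_H
+-
+/* Define to 1 if you have the `setegid' function. */
+#undef HAVE_SETEGID
+
+--- a/configure.in
++++ b/configure.in
+@@ -279,7 +279,7 @@ esac
+
+AC_HEADER_STDC
+
+-AC_CHECK_HEADERS(fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
++AC_CHECK_HEADERS(fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
+[$ac_includes_default
+#ifdef HAVE_SYS_PARAM_H
+# include <sys/param.h>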
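Review bot: This patch drops the `regex.h` probe from `configure.in` and the `HAVE_REGEX_H` template from `config.h.in`, but it does not touch a generated `configure` script, so the mitigation only takes effect if the recipe regenerates configure before building. Whether the bind recipe runs autoreconf is not visible on this page; if it does not, `HAVE_REGEX_H` would still be defined wherever the header exists. The patch header should also say in one sentence that the fix works by never defining `HAVE_REGEX_H`, which presumably compiles out the regex-based syntax check, so the functional trade-off is recorded. `Signed-off-by Ming Liu` is missing its colon here as well.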
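--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/bind-Fix-CVE-2012-4244.patch
@@ -0,0 +1,141 @@
+bind_Fix_for_CVE-2012-4244
+
+Upstream-Status: Backport
+
+Reference:https://bugzilla.novell.com/attachment.cgi?id=505661&action=edit
+
+ISC BIND 9.x before 9.7.6-P3, 9.8.x before 9.8.3-P3, 9.9.x before 9.9.1-P3,
+and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P3 allows remote attackers to
+cause a denial of service (assertion failure and named daemon exit) via
+a query for a long resource record.
+
+Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
+
+diff -urpN a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h
+--- a/lib/dns/include/dns/rdata.h 2012-10-08 12:19:42.000000000 +0800
++++ b/lib/dns/include/dns/rdata.h 2012-10-08 11:26:43.000000000 +0800
+@@ -147,6 +147,17 @@ struct dns_rdata {
+(((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
+
+/*
++ * The maximum length of a RDATA that can be sent on the wire.
++ * Max packet size (65535) less header (12), less name (1), type (2),
++ * class (2), ttl(4), length (2).
++ *
++ * None of the defined types that support name compression can exceed
++ * this and all new types are to be sent uncompressed.
++ */
++
++#define DNS_RDATA_MAXLENGTH 65512U
++
++/*
+* Flags affecting rdata formatting style. Flags 0xFFFF0000
+* are used by masterfile-level formatting and defined elsewhere.
+* See additional comments at dns_rdata_tofmttext().
+diff -urpN a/lib/dns/master.c b/lib/dns/master.c
+--- a/lib/dns/master.c 2012-10-08 12:19:42.000000000 +0800
++++ b/lib/dns/master.c 2012-10-08 11:27:06.000000000 +0800
+@@ -75,7 +75,7 @@
+/*%
+* max message size - header - root - type - class - ttl - rdlen
+*/
+-#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)
++#define MINTSIZ DNS_RDATA_MAXLENGTH
+/*%
+* Size for tokens in the presentation format,
+* The largest tokens are the base64 blocks in KEY and CERT records,
+diff -urpN a/lib/dns/rdata.c b/lib/dns/rdata.c
+--- a/lib/dns/rdata.c 2012-10-08 12:19:42.000000000 +0800
++++ b/lib/dns/rdata.c 2012-10-08 11:27:27.000000000 +0800
+@@ -425,6 +425,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
+isc_buffer_t st;
+isc_boolean_t use_default = ISC_FALSE;
+isc_uint32_t activelength;
++ size_t length;
+
+REQUIRE(dctx != NULL);
+if (rdata != NULL) {
+@@ -455,6 +456,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
+}
+
+/*
++ * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH
++ * as we cannot transmit it.
++ */
++ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
++ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
++ result = DNS_R_FORMERR;
++
++ /*
+* We should have consumed all of our buffer.
+*/
+if (result == ISC_R_SUCCESS && !buffer_empty(source))
+@@ -462,8 +471,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
+
+if (rdata != NULL && result == ISC_R_SUCCESS) {
+region.base = isc_buffer_used(&st);
+- region.length = isc_buffer_usedlength(target) -
+- isc_buffer_usedlength(&st);
++ region.length = length;
+dns_rdata_fromregion(rdata, rdclass, type, ®ion);
+}
+
+@@ -598,6 +606,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
+unsigned long line;
+void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
+isc_result_t tresult;
++ size_t length;
+
+REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
+if (rdata != NULL) {
+@@ -670,10 +679,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
+}
+} while (1);
+
++ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
++ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
++ result = ISC_R_NOSPACE;
++
+if (rdata != NULL && result == ISC_R_SUCCESS) {
+region.base = isc_buffer_used(&st);
+- region.length = isc_buffer_usedlength(target) -
+- isc_buffer_usedlength(&st);
++ region.length = length;
+dns_rdata_fromregion(rdata, rdclass, type, ®ion);
+}
+if (result != ISC_R_SUCCESS) {
+@@ -781,6 +793,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
+isc_buffer_t st;
+isc_region_t region;
+isc_boolean_t use_default = ISC_FALSE;
++ size_t length;
+
+REQUIRE(source != NULL);
+if (rdata != NULL) {
+@@ -795,10 +808,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
+if (use_default)
+(void)NULL;
+
++ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
++ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
++ result = ISC_R_NOSPACE;
++
+if (rdata != NULL && result == ISC_R_SUCCESS) {
+region.base = isc_buffer_used(&st);
+- region.length = isc_buffer_usedlength(target) -
+- isc_buffer_usedlength(&st);
++ region.length = length;
+dns_rdata_fromregion(rdata, rdclass, type, ®ion);
+}
+if (result != ISC_R_SUCCESS)
+diff -urpN a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
+--- a/lib/dns/rdataslab.c 2012-10-08 12:19:42.000000000 +0800
++++ b/lib/dns/rdataslab.c 2012-10-08 11:27:54.000000000 +0800
+@@ -304,6 +304,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_
+length = x[i].rdata.length;
+if (rdataset->type == dns_rdatatype_rrsig)
+length++;
++ INSIST(length <= 0xffff);
+*rawbuf++ = (length & 0xff00) >> 8;
+*rawbuf++ = (length & 0x00ff);
+#if DNS_RDATASET_FIXED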
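Review bot: In master.c, `MINTSIZ` changes from a signed `int` constant expression to `DNS_RDATA_MAXLENGTH`, which rdata.h defines as `65512U`, so any comparison or subtraction that mixes MINTSIZ with a signed value is now done in unsigned arithmetic. The uses of MINTSIZ lie outside the hunk, so they should be checked for reliance on a negative intermediate. In the three rdata.c functions `length` is computed before `result` is tested; it is only consumed on success, so this is harmless as written, but a comment such as `/* only meaningful when result == ISC_R_SUCCESS */` would make that explicit. The new `INSIST(length <= 0xffff);` in rdataslab.c aborts the daemon if any rdata reaches it without passing one of these three checks, which is worth a one-line comment naming the functions that enforce the bound.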
diff --git a/meta/recipes-connectivity/bind/bind/conf.patch b/meta/recipes-connectivity/bind/bind/conf.patch new file mode 100644 index 0000000000..2785c6a22f --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/conf.patch | |||
@@ -0,0 +1,314 @@ | |||
1 | Upstream-Status: Inappropriate [configuration] | ||
2 | |||
3 | the patch is imported from openembedded project | ||
4 | |||
5 | 11/30/2010 - Qing He <qing.he@intel.com> | ||
6 | |||
7 | diff -urN bind-9.3.1.orig/conf/db.0 bind-9.3.1/conf/db.0 | ||
8 | --- bind-9.3.1.orig/conf/db.0 1970-01-01 01:00:00.000000000 +0100 | ||
9 | +++ bind-9.3.1/conf/db.0 2005-07-10 22:14:00.000000000 +0200 | ||
10 | @@ -0,0 +1,12 @@ | ||
11 | +; | ||
12 | +; BIND reverse data file for broadcast zone | ||
13 | +; | ||
14 | +$TTL 604800 | ||
15 | +@ IN SOA localhost. root.localhost. ( | ||
16 | + 1 ; Serial | ||
17 | + 604800 ; Refresh | ||
18 | + 86400 ; Retry | ||
19 | + 2419200 ; Expire | ||
20 | + 604800 ) ; Negative Cache TTL | ||
21 | +; | ||
22 | +@ IN NS localhost. | ||
23 | diff -urN bind-9.3.1.orig/conf/db.127 bind-9.3.1/conf/db.127 | ||
24 | --- bind-9.3.1.orig/conf/db.127 1970-01-01 01:00:00.000000000 +0100 | ||
25 | +++ bind-9.3.1/conf/db.127 2005-07-10 22:14:00.000000000 +0200 | ||
26 | @@ -0,0 +1,13 @@ | ||
27 | +; | ||
28 | +; BIND reverse data file for local loopback interface | ||
29 | +; | ||
30 | +$TTL 604800 | ||
31 | +@ IN SOA localhost. root.localhost. ( | ||
32 | + 1 ; Serial | ||
33 | + 604800 ; Refresh | ||
34 | + 86400 ; Retry | ||
35 | + 2419200 ; Expire | ||
36 | + 604800 ) ; Negative Cache TTL | ||
37 | +; | ||
38 | +@ IN NS localhost. | ||
39 | +1.0.0 IN PTR localhost. | ||
40 | diff -urN bind-9.3.1.orig/conf/db.empty bind-9.3.1/conf/db.empty | ||
41 | --- bind-9.3.1.orig/conf/db.empty 1970-01-01 01:00:00.000000000 +0100 | ||
42 | +++ bind-9.3.1/conf/db.empty 2005-07-10 22:14:00.000000000 +0200 | ||
43 | @@ -0,0 +1,14 @@ | ||
44 | +; BIND reverse data file for empty rfc1918 zone | ||
45 | +; | ||
46 | +; DO NOT EDIT THIS FILE - it is used for multiple zones. | ||
47 | +; Instead, copy it, edit named.conf, and use that copy. | ||
48 | +; | ||
49 | +$TTL 86400 | ||
50 | +@ IN SOA localhost. root.localhost. ( | ||
51 | + 1 ; Serial | ||
52 | + 604800 ; Refresh | ||
53 | + 86400 ; Retry | ||
54 | + 2419200 ; Expire | ||
55 | + 86400 ) ; Negative Cache TTL | ||
56 | +; | ||
57 | +@ IN NS localhost. | ||
58 | diff -urN bind-9.3.1.orig/conf/db.local bind-9.3.1/conf/db.local | ||
59 | --- bind-9.3.1.orig/conf/db.local 1970-01-01 01:00:00.000000000 +0100 | ||
60 | +++ bind-9.3.1/conf/db.local 2005-07-10 22:14:00.000000000 +0200 | ||
61 | @@ -0,0 +1,13 @@ | ||
62 | +; | ||
63 | +; BIND data file for local loopback interface | ||
64 | +; | ||
65 | +$TTL 604800 | ||
66 | +@ IN SOA localhost. root.localhost. ( | ||
67 | + 1 ; Serial | ||
68 | + 604800 ; Refresh | ||
69 | + 86400 ; Retry | ||
70 | + 2419200 ; Expire | ||
71 | + 604800 ) ; Negative Cache TTL | ||
72 | +; | ||
73 | +@ IN NS localhost. | ||
74 | +@ IN A 127.0.0.1 | ||
75 | diff -urN bind-9.3.1.orig/conf/db.root bind-9.3.1/conf/db.root | ||
76 | --- bind-9.3.1.orig/conf/db.root 1970-01-01 01:00:00.000000000 +0100 | ||
77 | +++ bind-9.3.1/conf/db.root 2005-07-10 22:14:00.000000000 +0200 | ||
78 | @@ -0,0 +1,45 @@ | ||
79 | + | ||
80 | +; <<>> DiG 9.2.3 <<>> ns . @a.root-servers.net. | ||
81 | +;; global options: printcmd | ||
82 | +;; Got answer: | ||
83 | +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18944 | ||
84 | +;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13 | ||
85 | + | ||
86 | +;; QUESTION SECTION: | ||
87 | +;. IN NS | ||
88 | + | ||
89 | +;; ANSWER SECTION: | ||
90 | +. 518400 IN NS A.ROOT-SERVERS.NET. | ||
91 | +. 518400 IN NS B.ROOT-SERVERS.NET. | ||
92 | +. 518400 IN NS C.ROOT-SERVERS.NET. | ||
93 | +. 518400 IN NS D.ROOT-SERVERS.NET. | ||
94 | +. 518400 IN NS E.ROOT-SERVERS.NET. | ||
95 | +. 518400 IN NS F.ROOT-SERVERS.NET. | ||
96 | +. 518400 IN NS G.ROOT-SERVERS.NET. | ||
97 | +. 518400 IN NS H.ROOT-SERVERS.NET. | ||
98 | +. 518400 IN NS I.ROOT-SERVERS.NET. | ||
99 | +. 518400 IN NS J.ROOT-SERVERS.NET. | ||
100 | +. 518400 IN NS K.ROOT-SERVERS.NET. | ||
101 | +. 518400 IN NS L.ROOT-SERVERS.NET. | ||
102 | +. 518400 IN NS M.ROOT-SERVERS.NET. | ||
103 | + | ||
104 | +;; ADDITIONAL SECTION: | ||
105 | +A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4 | ||
106 | +B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201 | ||
107 | +C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12 | ||
108 | +D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90 | ||
109 | +E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10 | ||
110 | +F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241 | ||
111 | +G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4 | ||
112 | +H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53 | ||
113 | +I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17 | ||
114 | +J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30 | ||
115 | +K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129 | ||
116 | +L.ROOT-SERVERS.NET. 3600000 IN A 198.32.64.12 | ||
117 | +M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33 | ||
118 | + | ||
119 | +;; Query time: 81 msec | ||
120 | +;; SERVER: 198.41.0.4#53(a.root-servers.net.) | ||
121 | +;; WHEN: Sun Feb 1 11:27:14 2004 | ||
122 | +;; MSG SIZE rcvd: 436 | ||
123 | + | ||
124 | diff -urN bind-9.3.1.orig/conf/named.conf bind-9.3.1/conf/named.conf | ||
125 | --- bind-9.3.1.orig/conf/named.conf 1970-01-01 01:00:00.000000000 +0100 | ||
126 | +++ bind-9.3.1/conf/named.conf 2005-07-10 22:33:46.000000000 +0200 | ||
127 | @@ -0,0 +1,49 @@ | ||
128 | +// This is the primary configuration file for the BIND DNS server named. | ||
129 | +// | ||
130 | +// If you are just adding zones, please do that in /etc/bind/named.conf.local | ||
131 | + | ||
132 | +include "/etc/bind/named.conf.options"; | ||
133 | + | ||
134 | +// prime the server with knowledge of the root servers | ||
135 | +zone "." { | ||
136 | + type hint; | ||
137 | + file "/etc/bind/db.root"; | ||
138 | +}; | ||
139 | + | ||
140 | +// be authoritative for the localhost forward and reverse zones, and for | ||
141 | +// broadcast zones as per RFC 1912 | ||
142 | + | ||
143 | +zone "localhost" { | ||
144 | + type master; | ||
145 | + file "/etc/bind/db.local"; | ||
146 | +}; | ||
147 | + | ||
148 | +zone "127.in-addr.arpa" { | ||
149 | + type master; | ||
150 | + file "/etc/bind/db.127"; | ||
151 | +}; | ||
152 | + | ||
153 | +zone "0.in-addr.arpa" { | ||
154 | + type master; | ||
155 | + file "/etc/bind/db.0"; | ||
156 | +}; | ||
157 | + | ||
158 | +zone "255.in-addr.arpa" { | ||
159 | + type master; | ||
160 | + file "/etc/bind/db.255"; | ||
161 | +}; | ||
162 | + | ||
163 | +// zone "com" { type delegation-only; }; | ||
164 | +// zone "net" { type delegation-only; }; | ||
165 | + | ||
166 | +// From the release notes: | ||
167 | +// Because many of our users are uncomfortable receiving undelegated answers | ||
168 | +// from root or top level domains, other than a few for whom that behaviour | ||
169 | +// has been trusted and expected for quite some length of time, we have now | ||
170 | +// introduced the "root-delegations-only" feature which applies delegation-only | ||
171 | +// logic to all top level domains, and to the root domain. An exception list | ||
172 | +// should be specified, including "MUSEUM" and "DE", and any other top level | ||
173 | +// domains from whom undelegated responses are expected and trusted. | ||
174 | +// root-delegation-only exclude { "DE"; "MUSEUM"; }; | ||
175 | + | ||
176 | +include "/etc/bind/named.conf.local"; | ||
177 | diff -urN bind-9.3.1.orig/conf/named.conf.local bind-9.3.1/conf/named.conf.local | ||
178 | --- bind-9.3.1.orig/conf/named.conf.local 1970-01-01 01:00:00.000000000 +0100 | ||
179 | +++ bind-9.3.1/conf/named.conf.local 2005-07-10 22:14:06.000000000 +0200 | ||
180 | @@ -0,0 +1,8 @@ | ||
181 | +// | ||
182 | +// Do any local configuration here | ||
183 | +// | ||
184 | + | ||
185 | +// Consider adding the 1918 zones here, if they are not used in your | ||
186 | +// organization | ||
187 | +//include "/etc/bind/zones.rfc1918"; | ||
188 | + | ||
189 | diff -urN bind-9.3.1.orig/conf/named.conf.options bind-9.3.1/conf/named.conf.options | ||
190 | --- bind-9.3.1.orig/conf/named.conf.options 1970-01-01 01:00:00.000000000 +0100 | ||
191 | +++ bind-9.3.1/conf/named.conf.options 2005-07-10 22:14:06.000000000 +0200 | ||
192 | @@ -0,0 +1,24 @@ | ||
193 | +options { | ||
194 | + directory "/var/cache/bind"; | ||
195 | + | ||
196 | + // If there is a firewall between you and nameservers you want | ||
197 | + // to talk to, you might need to uncomment the query-source | ||
198 | + // directive below. Previous versions of BIND always asked | ||
199 | + // questions using port 53, but BIND 8.1 and later use an unprivileged | ||
200 | + // port by default. | ||
201 | + | ||
202 | + // query-source address * port 53; | ||
203 | + | ||
204 | + // If your ISP provided one or more IP addresses for stable | ||
205 | + // nameservers, you probably want to use them as forwarders. | ||
206 | + // Uncomment the following block, and insert the addresses replacing | ||
207 | + // the all-0's placeholder. | ||
208 | + | ||
209 | + // forwarders { | ||
210 | + // 0.0.0.0; | ||
211 | + // }; | ||
212 | + | ||
213 | + auth-nxdomain no; # conform to RFC1035 | ||
214 | + | ||
215 | +}; | ||
216 | + | ||
217 | diff -urN bind-9.3.1.orig/conf/zones.rfc1918 bind-9.3.1/conf/zones.rfc1918 | ||
218 | --- bind-9.3.1.orig/conf/zones.rfc1918 1970-01-01 01:00:00.000000000 +0100 | ||
219 | +++ bind-9.3.1/conf/zones.rfc1918 2005-07-10 22:14:10.000000000 +0200 | ||
220 | @@ -0,0 +1,20 @@ | ||
221 | +zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; | ||
222 | + | ||
223 | +zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; | ||
224 | +zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; | ||
225 | +zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; | ||
226 | +zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; | ||
227 | +zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; | ||
228 | +zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; | ||
229 | +zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; | ||
230 | +zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; | ||
231 | +zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; | ||
232 | +zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; | ||
233 | +zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; | ||
234 | +zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; | ||
235 | +zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; | ||
236 | +zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; | ||
237 | +zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; | ||
238 | +zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; | ||
239 | + | ||
240 | +zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; | ||
241 | diff -urN bind-9.3.1.orig/init.d bind-9.3.1/init.d | ||
242 | --- bind-9.3.1.orig/init.d 1970-01-01 01:00:00.000000000 +0100 | ||
243 | +++ bind-9.3.1/init.d 2005-07-10 23:09:58.000000000 +0200 | ||
244 | @@ -0,0 +1,70 @@ | ||
245 | +#!/bin/sh | ||
246 | + | ||
247 | +PATH=/sbin:/bin:/usr/sbin:/usr/bin | ||
248 | + | ||
249 | +# for a chrooted server: "-u bind -t /var/lib/named" | ||
250 | +# Don't modify this line, change or create /etc/default/bind9. | ||
251 | +OPTIONS="" | ||
252 | + | ||
253 | +test -f /etc/default/bind9 && . /etc/default/bind9 | ||
254 | + | ||
255 | +test -x /usr/sbin/rndc || exit 0 | ||
256 | + | ||
257 | +case "$1" in | ||
258 | + start) | ||
259 | + echo -n "Starting domain name service: named" | ||
260 | + | ||
261 | + modprobe capability >/dev/null 2>&1 || true | ||
262 | + if [ ! -f /etc/bind/rndc.key ]; then | ||
263 | + /usr/sbin/rndc-confgen -a -b 512 -r /dev/urandom | ||
264 | + chown 0640 /etc/bind/rndc.key | ||
265 | + fi | ||
266 | + if [ -f /var/run/named/named.pid ]; then | ||
267 | + ps `cat /var/run/named/named.pid` > /dev/null && exit 1 | ||
268 | + fi | ||
269 | + | ||
270 | + # dirs under /var/run can go away on reboots. | ||
271 | + mkdir -p /var/run/named | ||
272 | + mkdir -p /var/cache/bind | ||
273 | + chmod 775 /var/run/named | ||
274 | + chown root:bind /var/run/named >/dev/null 2>&1 || true | ||
275 | + | ||
276 | + if [ ! -x /usr/sbin/named ]; then | ||
277 | + echo "named binary missing - not starting" | ||
278 | + exit 1 | ||
279 | + fi | ||
280 | + if start-stop-daemon --start --quiet --exec /usr/sbin/named \ | ||
281 | + --pidfile /var/run/named/named.pid -- $OPTIONS; then | ||
282 | + if [ -x /sbin/resolvconf ] ; then | ||
283 | + echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo | ||
284 | + fi | ||
285 | + fi | ||
286 | + echo "." | ||
287 | + ;; | ||
288 | + | ||
289 | + stop) | ||
290 | + echo -n "Stopping domain name service: named" | ||
291 | + if [ -x /sbin/resolvconf ]; then | ||
292 | + /sbin/resolvconf -d lo | ||
293 | + fi | ||
294 | + /usr/sbin/rndc stop >/dev/null 2>&1 | ||
295 | + echo "." | ||
296 | + ;; | ||
297 | + | ||
298 | + reload) | ||
299 | + /usr/sbin/rndc reload | ||
300 | + ;; | ||
301 | + | ||
302 | + restart|force-reload) | ||
303 | + $0 stop | ||
304 | + sleep 2 | ||
305 | + $0 start | ||
306 | + ;; | ||
307 | + | ||
308 | + *) | ||
309 | + echo "Usage: /etc/init.d/bind {start|stop|reload|restart|force-reload}" >&2 | ||
310 | + exit 1 | ||
311 | + ;; | ||
312 | +esac | ||
313 | + | ||
314 | +exit 0 | ||
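Review bot: In the `start)` branch, `chown 0640 /etc/bind/rndc.key` changes the key file's owner rather than its mode, so the rndc key generated just above keeps whatever permissions rndc-confgen gave it. The line should be `chmod 0640 /etc/bind/rndc.key`. If named is meant to run unprivileged (the comment near `OPTIONS` mentions `-u bind`), a `chown root:bind /etc/bind/rndc.key` beside it would presumably be needed so the daemon can still read the key. A short comment such as `# rndc.key authenticates the control channel; keep it unreadable to other users` would record why the mode matters.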
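--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/cross-build-fix.patch
@@ -0,0 +1,21 @@
+Upstream-Status: Inappropriate [configuration]
+
+11/30/2010
+gen.c should be build by ${BUILD_CC}
+
+Signed-off-by: Qing He <qing.he@intel.com>
+
+diff --git a/lib/export/dns/Makefile.in b/lib/export/dns/Makefile.in
+index aeadf57..d3fae74 100644
+--- a/lib/export/dns/Makefile.in
++++ b/lib/export/dns/Makefile.in
+@@ -166,7 +166,8 @@ code.h: gen
+./gen -s ${srcdir} > code.h
+
+gen: ${srcdir}/gen.c
+- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ${srcdir}/gen.c ${LIBS}
++ ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
++ ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS}
+
+#We don't need rbtdb64 for this library
+#rbtdb64.@O@: rbtdb.c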
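--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch
@@ -0,0 +1,13 @@
+Index: bind-9.9.5/bin/Makefile.in
+===================================================================
+--- bind-9.9.5.orig/bin/Makefile.in
++++ bind-9.9.5/bin/Makefile.in
+@@ -19,7 +19,7 @@ srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+-SUBDIRS = named rndc dig dnssec tools tests nsupdate \
++SUBDIRS = named rndc dig dnssec tools nsupdate \
+check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
+TARGETS =
+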
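Review bot: The new dont-test-on-host.patch starts directly at `Index: bind-9.9.5/bin/Makefile.in` and lacks the header the other patches in this commit carry: there is no description, no `Upstream-Status:` tag and no `Signed-off-by:` line. Without it a later maintainer cannot tell from the patch itself why `tests` was dropped from `SUBDIRS` or whether the change is meant to go upstream. A one-line description taken from the commit message (`disable running tests on host`), followed by the two tags, would make it consistent with its siblings.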
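--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch
@@ -0,0 +1,42 @@
+bind: make "/etc/init.d/bind stop" work
+
+Upstream-Status: Inappropriate [configuration]
+
+Add some configurations, make rndc command be able to controls
+the named daemon.
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+---
+conf/named.conf | 5 +++++
+conf/rndc.conf | 5 +++++
+2 files changed, 10 insertions(+), 0 deletions(-)
+create mode 100644 conf/rndc.conf
+
+diff --git a/conf/named.conf b/conf/named.conf
+index 95829cf..c8899e7 100644
+--- a/conf/named.conf
++++ b/conf/named.conf
+@@ -47,3 +47,8 @@ zone "255.in-addr.arpa" {
+// root-delegation-only exclude { "DE"; "MUSEUM"; };
+
+include "/etc/bind/named.conf.local";
++include "/etc/bind/rndc.key" ;
++controls {
++ inet 127.0.0.1 allow { localhost; }
++ keys { rndc-key; };
++};
+diff --git a/conf/rndc.conf b/conf/rndc.conf
+new file mode 100644
+index 0000000..a0b481d
+--- /dev/null
++++ b/conf/rndc.conf
+@@ -0,0 +1,5 @@
++include "/etc/bind/rndc.key";
++options {
++ default-server localhost;
++ default-key rndc-key;
++};
+
+--
+1.7.5.4
+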
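Review bot: The `controls` block added to conf/named.conf has no comment, although every other stanza in that file is explained. A line such as `// rndc control channel: loopback only, authenticated with rndc-key from /etc/bind/rndc.key` would record that the restriction is deliberate. Both named.conf and the new conf/rndc.conf now include /etc/bind/rndc.key, so that file's permissions are what keeps the control channel private to the administrator. It is worth stating next to the include that the key must not be readable by other local users.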
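--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff
@@ -0,0 +1,104 @@
+bind: port a patch to fix a build failure
+
+mips1 does not support ll and sc instructions, and lead to below error, now
+we port a patch from debian to fix it
+[http://security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.8.4.dfsg.P1-6+nmu2+deb7u1.diff.gz]
+
+| {standard input}: Assembler messages:
+| {standard input}:47: Error: Opcode not supported on this processor: mips1 (mips1) `ll $3,0($6)'
+| {standard input}:50: Error: Opcode not supported on this processor: mips1 (mips1) `sc $3,0($6)'
+
+Upstream-Status: Pending
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+
+--- bind9-9.8.4.dfsg.P1.orig/lib/isc/mips/include/isc/atomic.h
++++ bind9-9.8.4.dfsg.P1/lib/isc/mips/include/isc/atomic.h
+@@ -31,18 +31,20 @@
+isc_atomic_xadd(isc_int32_t *p, int val) {
+isc_int32_t orig;
+
+- /* add is a cheat, since MIPS has no mov instruction */
+- __asm__ volatile (
+- "1:"
+- "ll $3, %1\n"
+- "add %0, $0, $3\n"
+- "add $3, $3, %2\n"
+- "sc $3, %1\n"
+- "beq $3, 0, 1b"
+- : "=&r"(orig)
+- : "m"(*p), "r"(val)
+- : "memory", "$3"
+- );
++ __asm__ __volatile__ (
++ " .set push \n"
++ " .set mips2 \n"
++ " .set noreorder \n"
++ " .set noat \n"
++ "1: ll $1, %1 \n"
++ " addu %0, $1, %2 \n"
++ " sc %0, %1 \n"
++ " beqz %0, 1b \n"
++ " move %0, $1 \n"
++ " .set pop \n"
++ : "=&r" (orig), "+R" (*p)
++ : "r" (val)
++ : "memory");
+
+return (orig);
+}
+@@ -52,16 +54,7 @@
+*/
+static inline void
+isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
+- __asm__ volatile (
+- "1:"
+- "ll $3, %0\n"
+- "add $3, $0, %1\n"
+- "sc $3, %0\n"
+- "beq $3, 0, 1b"
+- :
+- : "m"(*p), "r"(val)
+- : "memory", "$3"
+- );
++ *p = val;
+}
+
+/*
+@@ -72,20 +65,23 @@
+static inline isc_int32_t
+isc_atomic_cmpxchg(isc_int32_t *p, int cmpval, int val) {
+isc_int32_t orig;
++ isc_int32_t tmp;
+
+- __asm__ volatile(
+- "1:"
+- "ll $3, %1\n"
+- "add %0, $0, $3\n"
+- "bne $3, %2, 2f\n"
+- "add $3, $0, %3\n"
+- "sc $3, %1\n"
+- "beq $3, 0, 1b\n"
+- "2:"
+- : "=&r"(orig)
+- : "m"(*p), "r"(cmpval), "r"(val)
+- : "memory", "$3"
+- );
++ __asm__ __volatile__ (
++ " .set push \n"
++ " .set mips2 \n"
++ " .set noreorder \n"
++ " .set noat \n"
++ "1: ll $1, %1 \n"
++ " bne $1, %3, 2f \n"
++ " move %2, %4 \n"
++ " sc %2, %1 \n"
++ " beqz %2, 1b \n"
++ "2: move %0, $1 \n"
++ " .set pop \n"
++ : "=&r"(orig), "+R" (*p), "=r" (tmp)
++ : "r"(cmpval), "r"(val)
++ : "memory");
+
+return (orig);
+}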
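Review bot: In the new isc_atomic_cmpxchg the scratch output `"=r" (tmp)` lacks the early-clobber modifier, so the compiler may place it in the same register as `cmpval` or `val`. `move %2, %4` and `sc %2, %1` would then overwrite an input that is read again whenever the `beqz %2, 1b` retry path is taken, and the retry would compare against or store the wrong value. The output list should read `: "=&r"(orig), "+R" (*p), "=&r" (tmp)`. Separately, isc_atomic_store becomes a plain `*p = val;`, which drops the compiler barrier that the old asm's `"memory"` clobber provided. Whether callers depend on that ordering is not visible in these hunks, so a comment stating the assumption would help.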