bind: security bump to version 9.9.5

Fixes CVE-2014-0591 (a crafted query against an NSEC3-signed zone can crash BIND). The 9.9.x series is the new ESV vesion, 9.6.x has been retired. Also cleanup the initscript while at it. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2025-07-27 05:06:39 +00:00 · 2014-06-10 07:18:25 -03:00 · 2014-06-10 07:18:25 -03:00 · 46b10b01a2
commit 46b10b01a2
parent f20f48e5e4
4 changed files with 86 additions and 66 deletions
--- a/package/bind/Config.in
+++ b/package/bind/Config.in
@ -2,8 +2,7 @@ config BR2_PACKAGE_BIND
 	bool "bind"
 	depends on BR2_INET_IPV6
 	depends on BR2_LARGEFILE
-	# fork()
+	depends on BR2_USE_MMU # fork()
 	depends on BR2_USE_MMU
 	help
 	  BIND (Berkeley Internet Name Domain) is an implementation of
 	  the Domain Name System (DNS) protocols and provides an openly
@ -35,7 +34,7 @@ config BR2_PACKAGE_BIND_SERVER
 config BR2_PACKAGE_BIND_TOOLS
 	bool "Install tools"
 	help
-	  Install tools (host, nslookup, dig, nsupdate)
+	  Install tools (dig, host, nslookup, nsupdate)
 endif
--- a/package/bind/S81named
+++ b/package/bind/S81named
@ -1,48 +1,31 @@
 #!/bin/sh
 #
 # System-V init to control the bind DNS Daemon
 #
-NAME=named
+CONFIG=/etc/bind/named.conf
-DAEMON=/usr/sbin/$NAME
+DAEMON=/usr/sbin/named
-# this file contains a few tunable parameters
+[ -x $DAEMON ] || exit 0
-test -r /etc/default/named && . /etc/default/named
+[ -f $CONFIG ] || exit 0
 test -f $DAEMON || exit 0
 set -e
 case "$1" in
 	start)
-		test -z "$CHROOT" || ARGS="$ARGS -t $CHROOT"
+		if [ ! -f /etc/rndc.key ]; then
-		test -z "$SETUID" || ARGS="$ARGS -u $SETUID"
+		    echo -n "Initializing bind control key: "
 		if [ ! -f $CHROOT/etc/rndc.key ]; then
 		    echo "Initializing $NAME control key: rndc-confgen"
 		    set +e
                    # if rndc.key is a symlink, the target must exist
-		    touch $CHROOT/etc/rndc.key
+		    touch /etc/rndc.key
-		    touch etc/rndc.key
+		    rndc-confgen -a -r /dev/urandom 2>/dev/null && echo "OK" || echo "FAIL"
 		    rndc-confgen -a -r /dev/urandom $ARGS || true
 		    set -e
 		fi
-		test -z "$CONF" || ARGS="$ARGS -c $CONF"
+		echo -n "Starting domain name daemon: "
-		echo -n "Starting domain name daemon: $NAME"
+		start-stop-daemon -S -x $DAEMON -- -c $CONFIG -u named
-		trap 'echo failed' 0
+		[ $? == 0 ] && echo "OK" || echo "FAIL"
 		start-stop-daemon -S -x $DAEMON -- $ARGS
 		trap - 0
 		echo "."
 		;;
 	stop)
-		echo -n "Stopping domain name daemon: $NAME"
+		echo -n "Stopping domain name daemon: "
 		rndc stop || start-stop-daemon -K -x $DAEMON
-		echo "."
+		[ $? == 0 ] && echo "OK" || echo "FAIL"
 		;;
 	restart)
 		$0 stop || true
-		sleep 2
+		sleep 1
 		$0 start
 		;;
 	reload|force-reload)
--- a/package/bind/bind-01-disable-tests.patch
+++ b/package/bind/bind-01-disable-tests.patch
@ -2,15 +2,27 @@ Disable tests to avoid cross-compilation issues (tries to run genrandom).
 Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
-diff -Nura bind-9.6-ESV-R9-P1.orig/bin/Makefile.in bind-9.6-ESV-R9-P1/bin/Makefile.in
+diff -Nura bind-9.9.4-P2.orig/bin/Makefile.in bind-9.9.4-P2/bin/Makefile.in
--- bind-9.6-ESV-R9-P1.orig/bin/Makefile.in	2013-06-04 15:30:48.000000000 -0300
+--- bind-9.9.4-P2.orig/bin/Makefile.in	2013-12-19 21:28:28.000000000 -0300
-+++ bind-9.6-ESV-R9-P1/bin/Makefile.in	2013-07-19 15:32:19.018287733 -0300
+++ bind-9.9.4-P2/bin/Makefile.in	2014-01-17 11:41:25.378784210 -0300
@@ -19,7 +19,7 @@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
-SUBDIRS =	named rndc dig dnssec tests nsupdate check
+-SUBDIRS =	named rndc dig dnssec tools tests nsupdate \
-+SUBDIRS =	named rndc dig dnssec nsupdate check
+SUBDIRS =	named rndc dig dnssec tools nsupdate \
 		check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
 TARGETS =
 diff -Nura bind-9.9.4-P2.orig/lib/Makefile.in bind-9.9.4-P2/lib/Makefile.in
 --- bind-9.9.4-P2.orig/lib/Makefile.in	2013-12-19 21:28:28.000000000 -0300
 +++ bind-9.9.4-P2/lib/Makefile.in	2014-01-17 11:41:30.489954861 -0300
@@ -23,7 +23,7 @@
 # Attempt to disable parallel processing.
 .NOTPARALLEL:
 .NO_PARALLEL:
 -SUBDIRS =	isc isccc dns isccfg bind9 lwres tests
 +SUBDIRS =	isc isccc dns isccfg bind9 lwres
 TARGETS =
 @BIND9_MAKE_RULES@
--- a/package/bind/bind.mk
+++ b/package/bind/bind.mk
@ -4,26 +4,36 @@
 #
 ################################################################################
-BIND_VERSION = 9.6-ESV-R10
+BIND_VERSION = 9.9.5
 BIND_SITE = ftp://ftp.isc.org/isc/bind9/$(BIND_VERSION)
 BIND_MAKE = $(MAKE1)
 BIND_INSTALL_STAGING = YES
 BIND_CONFIG_SCRIPTS = bind9-config isc-config.sh
 BIND_LICENSE = ISC
 BIND_LICENSE_FILES = COPYRIGHT
-BIND_TARGET_SBINS = lwresd named named-checkconf named-checkzone
+BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage
-BIND_TARGET_SBINS += named-compilezone rndc rndc-confgen dnssec-dsfromkey
+BIND_TARGET_SERVER_SBIN += dnssec-importkey dnssec-keygen dnssec-revoke
-BIND_TARGET_SBINS += dnssec-keyfromlabel dnssec-keygen dnssec-signzone
+BIND_TARGET_SERVER_SBIN += dnssec-settime dnssec-verify genrandom
-BIND_TARGET_BINS = dig host nslookup nsupdate
+BIND_TARGET_SERVER_SBIN += isc-hmac-fixup named-journalprint nsec3hash
-BIND_TARGET_LIBS = libbind9.* libdns.* libisc.* libisccc.* libisccfg.* liblwres.*
+BIND_TARGET_SERVER_SBIN += lwresd named named-checkconf named-checkzone
 BIND_TARGET_SERVER_SBIN += named-compilezone rndc rndc-confgen dnssec-dsfromkey
 BIND_TARGET_SERVER_SBIN += dnssec-keyfromlabel dnssec-signzone
 BIND_TARGET_TOOLS_BIN = dig host nslookup nsupdate
 BIND_CONF_ENV =	BUILD_CC="$(TARGET_CC)" \
 		BUILD_CFLAGS="$(TARGET_CFLAGS)"
-BIND_CONF_OPT =	--sysconfdir=/etc \
+BIND_CONF_OPT = --localstatedir=/var \
 		--localstatedir=/var \
 		--with-randomdev=/dev/urandom \
-		--enable-epoll --with-libtool
+		--enable-epoll --with-libtool \
 		--with-gssapi=no --enable-rrl
 ifeq ($(BR2_PACKAGE_LIBCAP),y)
 	BIND_CONF_OPT += --enable-linux-caps
 	BIND_DEPENDENCIES += libcap
 else
 	BIND_CONF_OPT += --disable-linux-caps
 endif
 ifeq ($(BR2_PACKAGE_LIBXML2),y)
-	BIND_CONF_OPT += --with-libxml2=$(STAGING_DIR)/usr
+	BIND_CONF_OPT += --with-libxml2=$(STAGING_DIR)/usr --enable-newstats
 	BIND_DEPENDENCIES += libxml2
 else
 	BIND_CONF_OPT += --with-libxml2=no
@ -31,36 +41,52 @@ endif
 ifeq ($(BR2_PACKAGE_OPENSSL),y)
 	BIND_DEPENDENCIES += openssl
-	BIND_CONF_OPT += --with-openssl=$(STAGING_DIR)/usr LIBS="-lz"
+	BIND_CONF_OPT += --with-openssl=$(STAGING_DIR)/usr LIBS="-lz" \
 		--with-ecdsa=yes
 # GOST cipher support requires openssl extra engines
 ifeq ($(BR2_PACKAGE_OPENSSL_ENGINES),y)
 	BIND_CONF_OPT += --with-gost=yes
 else
 	BIND_CONF_OPT += --with-gost=no
 endif
 else
 	BIND_CONF_OPT += --with-openssl=no
 endif
-define BIND_INSTALL_INIT_SYSV
+# Used by dnssec-checkds and dnssec-coverage
-	$(INSTALL) -m 0755 -D package/bind/S81named \
+ifeq ($(BR2_PACKAGE_PYTHON)$(BR2_PACKAGE_PYTHON3),)
-		$(TARGET_DIR)/etc/init.d/S81named
+	BIND_CONF_OPT += --with-python=no
-endef
+endif
-define BIND_TARGET_INSTALL_FIXES
+ifeq ($(BR2_PACKAGE_READLINE),y)
-	rm -f $(TARGET_DIR)/usr/bin/isc-config.sh
+	BIND_DEPENDENCIES += readline
-endef
+else
-
+	BIND_CONF_OPT += --with-readline=no
-BIND_POST_INSTALL_TARGET_HOOKS += BIND_TARGET_INSTALL_FIXES
+endif
 define BIND_TARGET_REMOVE_SERVER
-	rm -rf $(addprefix $(TARGET_DIR)/usr/sbin/, $(BIND_TARGET_SBINS))
+	rm -rf $(addprefix $(TARGET_DIR)/usr/sbin/, $(BIND_TARGET_SERVER_SBIN))
 endef
 define BIND_TARGET_REMOVE_TOOLS
-	rm -rf $(addprefix $(TARGET_DIR)/usr/bin/, $(BIND_TARGET_BINS))
+	rm -rf $(addprefix $(TARGET_DIR)/usr/bin/, $(BIND_TARGET_TOOLS_BIN))
 endef
-ifneq ($(BR2_PACKAGE_BIND_SERVER),y)
+ifeq ($(BR2_PACKAGE_BIND_SERVER),y)
 define BIND_INSTALL_INIT_SYSV
        $(INSTALL) -m 0755 -D package/bind/S81named \
                $(TARGET_DIR)/etc/init.d/S81named
 endef
 else
 BIND_POST_INSTALL_TARGET_HOOKS += BIND_TARGET_REMOVE_SERVER
 endif
-ifneq ($(BR2_PACKAGE_BIND_TOOLS),y)
+ifeq ($(BR2_PACKAGE_BIND_TOOLS),)
 BIND_POST_INSTALL_TARGET_HOOKS += BIND_TARGET_REMOVE_TOOLS
 endif
 define BIND_USERS
 named -1 named -1 * /etc/bind - - BIND daemon
 endef
 $(eval $(autotools-package))