From patchwork Fri Apr 26 11:32:56 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Korsgaard X-Patchwork-Id: 1091496 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=busybox.net (client-ip=140.211.166.133; helo=hemlock.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=korsgaard.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="vDXm9diS"; dkim-atps=neutral Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 44rBkk39Phz9s5c for ; Fri, 26 Apr 2019 21:33:15 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by hemlock.osuosl.org (Postfix) with ESMTP id A8349898BA; Fri, 26 Apr 2019 11:33:10 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from hemlock.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4RqnidB-uFZp; Fri, 26 Apr 2019 11:33:07 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by hemlock.osuosl.org (Postfix) with ESMTP id D98FF87EA9; Fri, 26 Apr 2019 11:33:07 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by ash.osuosl.org (Postfix) with ESMTP id E1BE61BF5F5 for ; Fri, 26 Apr 2019 11:33:06 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id 2BFFF87DFE for ; Fri, 26 Apr 2019 11:33:06 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I1dglFfzWJyS for ; Fri, 26 Apr 2019 11:33:04 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-ed1-f67.google.com (mail-ed1-f67.google.com [209.85.208.67]) by whitealder.osuosl.org (Postfix) with ESMTPS id 0C3F587DF2 for ; Fri, 26 Apr 2019 11:33:04 +0000 (UTC) Received: by mail-ed1-f67.google.com with SMTP id d46so2858832eda.7 for ; Fri, 26 Apr 2019 04:33:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id; bh=+shboRwF8I59TzAWofVZnoshPr/LSHfsCDlq2uoW2fs=; b=vDXm9diSpoXIjMHRCA/HFE2/KFkl60Mgas0FcmJ7yB15twE+BlHQig6McdspWgWiwl +ecWOYffI+v0i6SGYVteYofS4ogiSrUM/tCXmmAsuxSGxmJufsG6efYUIxpM8d0r36cm cGPWqesq894e801kKsf76gu4gdYC/wdNW6suz+1tHNfNirkSyZ/wD89RnFKHM5wZu8rf 50qb/8sgG52DpusuvO97wjoDurla/AnWWEVRIsdCJDjAOeHL0EZRNMhcvTJUki/rPYyn zOMLtntNJqFtJWuEqF8IU3sz5TzFagvFF1dNLEbxI3FVuAjK8qQE5g7uagBX/WyRyTQB vFYw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id; bh=+shboRwF8I59TzAWofVZnoshPr/LSHfsCDlq2uoW2fs=; b=ULDoGNe173d8c0WEYCBAsqMJyOvO9dds+Jm4YtoBisH60Z5aRYxyJJzyqYBJWDVpfr vbEnK9uRFrmkir8O6ldwFmr7I2YfIYIFH/DeBnc/YdcO77U1aWvXsAgStWct6wGxH3A6 eg1RX2ChSH1MRzLHgnoXkUI72C9ywsU9ovfq7hfc3ZARcL+duVfbqW98hTFYkQXtgXAp CKSTG3+qnoQ1ALUYDnC3bs9zMyn+vAP69besGLpi9P7f/t6UMaXlLHWD2s1PYXN3t8xQ OF7cVF9vJ2dROg5XyvmSOWUGJhtOuqqkn+Wa2oQh6cs97GiWHMEezVc/ZL3LQcx9DLXL aFig== X-Gm-Message-State: APjAAAWDlXW72Qv69QGXlD/fctF3IE2IoQKmGo85JHvjAlPD2/t1dpHh dkxqpdMHUgDkkyR12mHsd1MWpz5G X-Google-Smtp-Source: APXvYqwMFmUf1ondFObZIL3Sc0lzDnST1iitTVsioNSMhQPL5rDyEOQtcz9k+NAwOrFQtsqVT++fiQ== X-Received: by 2002:a17:906:5d4:: with SMTP id t20mr22539901ejt.80.1556278381920; Fri, 26 Apr 2019 04:33:01 -0700 (PDT) Received: from dell.be.48ers.dk (d51A5BC31.access.telenet.be. [81.165.188.49]) by smtp.gmail.com with ESMTPSA id d23sm4510150eja.42.2019.04.26.04.33.00 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 26 Apr 2019 04:33:00 -0700 (PDT) Received: from peko by dell.be.48ers.dk with local (Exim 4.89) (envelope-from ) id 1hJz6C-0000We-DX; Fri, 26 Apr 2019 13:33:00 +0200 From: Peter Korsgaard To: buildroot@buildroot.org Date: Fri, 26 Apr 2019 13:32:56 +0200 Message-Id: <20190426113256.1977-1-peter@korsgaard.com> X-Mailer: git-send-email 2.11.0 Subject: [Buildroot] [PATCH] package/bind: security bump to version 9.11.6-P1 X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Korsgaard MIME-Version: 1.0 Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" Fixes the following security issues: - CVE-2018-5743: Limiting simultaneous TCP clients is ineffective https://kb.isc.org/docs/cve-2018-5743 - CVE-2019-6467: An error in the nxdomain redirect feature can cause BIND to exit with an INSIST assertion failure in query.c https://kb.isc.org/docs/cve-2019-6467 - CVE-2019-6468: BIND Supported Preview Edition can exit with an assertion failure if nxdomain-redirect is used https://kb.isc.org/docs/cve-2019-6468 Add an upstream patch to fix building on architectures where bind does not implement isc_atomic_*. Upstream moved to a 2019 signing key, so update comment in .hash file. Signed-off-by: Peter Korsgaard --- ...mic-operations-in-bin-named-client.c-with.patch | 133 +++++++++++++++++++++ package/bind/bind.hash | 6 +- package/bind/bind.mk | 2 +- 3 files changed, 137 insertions(+), 4 deletions(-) create mode 100644 package/bind/0002-Replace-atomic-operations-in-bin-named-client.c-with.patch diff --git a/package/bind/0002-Replace-atomic-operations-in-bin-named-client.c-with.patch b/package/bind/0002-Replace-atomic-operations-in-bin-named-client.c-with.patch new file mode 100644 index 0000000000..2701de766a --- /dev/null +++ b/package/bind/0002-Replace-atomic-operations-in-bin-named-client.c-with.patch @@ -0,0 +1,133 @@ +From ef49780d30d3ddc5735cfc32561b678a634fa72f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Wed, 17 Apr 2019 15:22:27 +0200 +Subject: [PATCH] Replace atomic operations in bin/named/client.c with + isc_refcount reference counting + +Signed-off-by: Peter Korsgaard +--- + bin/named/client.c | 18 +++++++----------- + bin/named/include/named/interfacemgr.h | 5 +++-- + bin/named/interfacemgr.c | 7 +++++-- + 3 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/bin/named/client.c b/bin/named/client.c +index 845326abc0..29fecadca8 100644 +--- a/bin/named/client.c ++++ b/bin/named/client.c +@@ -402,12 +402,10 @@ tcpconn_detach(ns_client_t *client) { + static void + mark_tcp_active(ns_client_t *client, bool active) { + if (active && !client->tcpactive) { +- isc_atomic_xadd(&client->interface->ntcpactive, 1); ++ isc_refcount_increment0(&client->interface->ntcpactive, NULL); + client->tcpactive = active; + } else if (!active && client->tcpactive) { +- uint32_t old = +- isc_atomic_xadd(&client->interface->ntcpactive, -1); +- INSIST(old > 0); ++ isc_refcount_decrement(&client->interface->ntcpactive, NULL); + client->tcpactive = active; + } + } +@@ -554,7 +552,7 @@ exit_check(ns_client_t *client) { + if (client->mortal && TCP_CLIENT(client) && + client->newstate != NS_CLIENTSTATE_FREED && + !ns_g_clienttest && +- isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0) ++ isc_refcount_current(&client->interface->ntcpaccepting) == 0) + { + /* Nobody else is accepting */ + client->mortal = false; +@@ -3328,7 +3326,6 @@ client_newconn(isc_task_t *task, isc_event_t *event) { + isc_result_t result; + ns_client_t *client = event->ev_arg; + isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event; +- uint32_t old; + + REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN); + REQUIRE(NS_CLIENT_VALID(client)); +@@ -3348,8 +3345,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) { + INSIST(client->naccepts == 1); + client->naccepts--; + +- old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1); +- INSIST(old > 0); ++ isc_refcount_decrement(&client->interface->ntcpaccepting, NULL); + + /* + * We must take ownership of the new socket before the exit +@@ -3480,8 +3476,8 @@ client_accept(ns_client_t *client) { + * quota is tcp-clients plus the number of listening + * interfaces plus 1.) + */ +- exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) > +- (client->tcpactive ? 1 : 0)); ++ exit = (isc_refcount_current(&client->interface->ntcpactive) > ++ (client->tcpactive ? 1U : 0U)); + if (exit) { + client->newstate = NS_CLIENTSTATE_INACTIVE; + (void)exit_check(client); +@@ -3539,7 +3535,7 @@ client_accept(ns_client_t *client) { + * listening for connections itself to prevent the interface + * going dead. + */ +- isc_atomic_xadd(&client->interface->ntcpaccepting, 1); ++ isc_refcount_increment0(&client->interface->ntcpaccepting, NULL); + } + + static void +diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h +index 3535ef22a8..6e10f210fd 100644 +--- a/bin/named/include/named/interfacemgr.h ++++ b/bin/named/include/named/interfacemgr.h +@@ -45,6 +45,7 @@ + #include + #include + #include ++#include + + #include + +@@ -75,11 +76,11 @@ struct ns_interface { + /*%< UDP dispatchers. */ + isc_socket_t * tcpsocket; /*%< TCP socket. */ + isc_dscp_t dscp; /*%< "listen-on" DSCP value */ +- int32_t ntcpaccepting; /*%< Number of clients ++ isc_refcount_t ntcpaccepting; /*%< Number of clients + ready to accept new + TCP connections on this + interface */ +- int32_t ntcpactive; /*%< Number of clients ++ isc_refcount_t ntcpactive; /*%< Number of clients + servicing TCP queries + (whether accepting or + connected) */ +diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c +index d9f6df5802..135533be6b 100644 +--- a/bin/named/interfacemgr.c ++++ b/bin/named/interfacemgr.c +@@ -386,8 +386,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, + * connections will be handled in parallel even though there is + * only one client initially. + */ +- ifp->ntcpaccepting = 0; +- ifp->ntcpactive = 0; ++ isc_refcount_init(&ifp->ntcpaccepting, 0); ++ isc_refcount_init(&ifp->ntcpactive, 0); + + ifp->nudpdispatch = 0; + +@@ -618,6 +618,9 @@ ns_interface_destroy(ns_interface_t *ifp) { + + ns_interfacemgr_detach(&ifp->mgr); + ++ isc_refcount_destroy(&ifp->ntcpactive); ++ isc_refcount_destroy(&ifp->ntcpaccepting); ++ + ifp->magic = 0; + isc_mem_put(mctx, ifp, sizeof(*ifp)); + } +-- +2.11.0 + diff --git a/package/bind/bind.hash b/package/bind/bind.hash index 3072d2d2a0..cdd4bdd312 100644 --- a/package/bind/bind.hash +++ b/package/bind/bind.hash @@ -1,4 +1,4 @@ -# Verified from https://ftp.isc.org/isc/bind9/9.11.5-P4/bind-9.11.5-P4.tar.gz.asc -# with key BE0E9748B718253A28BB89FFF1B11BF05CF02E57 -sha256 7e8c08192bcbaeb6e9f2391a70e67583b027b90e8c4bc1605da6eb126edde434 bind-9.11.5-P4.tar.gz +# Verified from https://ftp.isc.org/isc/bind9/9.11.6-P1/bind-9.11.6-P1.tar.gz.asc +# with key 156890685EA0DF6A1371EF2017CC5DB1F0088407 +sha256 58ace2abb4d048b67abcdef0649ecd6cbd3b0652734a41a1d34f942d5500f8ef bind-9.11.6-P1.tar.gz sha256 cd02c93b8dcda794f55dfd1231828d69633072a98eee4874f9cf732d22d9dcde COPYRIGHT diff --git a/package/bind/bind.mk b/package/bind/bind.mk index b2bbafab20..356bc259b2 100644 --- a/package/bind/bind.mk +++ b/package/bind/bind.mk @@ -4,7 +4,7 @@ # ################################################################################ -BIND_VERSION = 9.11.5-P4 +BIND_VERSION = 9.11.6-P1 BIND_SITE = https://ftp.isc.org/isc/bind9/$(BIND_VERSION) # bind does not support parallel builds. BIND_MAKE = $(MAKE1)