From a709bf2f4f9f74506c98441f07bbde4010a9d2e3 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Tue, 27 Jun 2017 11:35:01 +0200 Subject: [PATCH] Bump BIND to 9.11.1 and coverity fixes Signed-off-by: Tomas Krizek --- ...ty-fix-REVERSE_INULL-for-pevent-inst.patch | 116 ++++++++++++++++++ 0002-Add-empty-callback-for-getsize.patch | 30 +++++ bind-dyndb-ldap.spec | 18 ++- 3 files changed, 160 insertions(+), 4 deletions(-) create mode 100644 0001-Coverity-fix-REVERSE_INULL-for-pevent-inst.patch create mode 100644 0002-Add-empty-callback-for-getsize.patch diff --git a/0001-Coverity-fix-REVERSE_INULL-for-pevent-inst.patch b/0001-Coverity-fix-REVERSE_INULL-for-pevent-inst.patch new file mode 100644 index 0000000..04b6cb8 --- /dev/null +++ b/0001-Coverity-fix-REVERSE_INULL-for-pevent-inst.patch @@ -0,0 +1,116 @@ +From e5c29893a318c0f1571c9918ab2c7c23dca3c952 Mon Sep 17 00:00:00 2001 +From: Tomas Krizek +Date: Mon, 27 Mar 2017 19:41:05 +0200 +Subject: [PATCH] Coverity: fix REVERSE_INULL for pevent->inst + +With the DynDB API changes, the ldap instance is acquired +differently. Previously, obtaining the instance could fail when +LDAP was disconnecting, thus the NULL check was necessary in the +cleanup part. + +Now, inst is obtained directly from the API. I'm not sure what is +the exact behaviour in edge cases such as LDAP disconnecting, so +I perform the NULL check a bit earlier, just to be safe. +--- + src/ldap_helper.c | 42 +++++++++++++++++++++--------------------- + 1 file changed, 21 insertions(+), 21 deletions(-) + +diff --git a/src/ldap_helper.c b/src/ldap_helper.c +index 1fa0ec9adfa2b9ca589587244da03cc6f0584919..e0c4b76f0bd350eda2d81588e6efb67b5221d630 100644 +--- a/src/ldap_helper.c ++++ b/src/ldap_helper.c +@@ -3714,6 +3714,7 @@ update_zone(isc_task_t *task, isc_event_t *event) + mctx = pevent->mctx; + dns_name_init(&prevname, NULL); + ++ REQUIRE(inst != NULL); + INSIST(task == inst->task); /* For task-exclusive mode */ + + if (SYNCREPL_DEL(pevent->chgtype)) { +@@ -3730,12 +3731,11 @@ update_zone(isc_task_t *task, isc_event_t *event) + } + + cleanup: +- if (inst != NULL) { +- sync_concurr_limit_signal(inst->sctx); +- sync_event_signal(inst->sctx, pevent); +- if (dns_name_dynamic(&prevname)) +- dns_name_free(&prevname, inst->mctx); +- } ++ sync_concurr_limit_signal(inst->sctx); ++ sync_event_signal(inst->sctx, pevent); ++ if (dns_name_dynamic(&prevname)) ++ dns_name_free(&prevname, inst->mctx); ++ + if (result != ISC_R_SUCCESS) + log_error_r("update_zone (syncrepl) failed for %s. " + "Zones can be outdated, run `rndc reload`", +@@ -3760,14 +3760,14 @@ update_config(isc_task_t * task, isc_event_t *event) + + mctx = pevent->mctx; + ++ REQUIRE(inst != NULL); + INSIST(task == inst->task); /* For task-exclusive mode */ + CHECK(ldap_parse_configentry(entry, inst)); + + cleanup: +- if (inst != NULL) { +- sync_concurr_limit_signal(inst->sctx); +- sync_event_signal(inst->sctx, pevent); +- } ++ sync_concurr_limit_signal(inst->sctx); ++ sync_event_signal(inst->sctx, pevent); ++ + if (result != ISC_R_SUCCESS) + log_error_r("update_config (syncrepl) failed for %s. " + "Configuration can be outdated, run `rndc reload`", +@@ -3790,14 +3790,14 @@ update_serverconfig(isc_task_t * task, isc_event_t *event) + + mctx = pevent->mctx; + ++ REQUIRE(inst != NULL); + INSIST(task == inst->task); /* For task-exclusive mode */ + CHECK(ldap_parse_serverconfigentry(entry, inst)); + + cleanup: +- if (inst != NULL) { +- sync_concurr_limit_signal(inst->sctx); +- sync_event_signal(inst->sctx, pevent); +- } ++ sync_concurr_limit_signal(inst->sctx); ++ sync_event_signal(inst->sctx, pevent); ++ + if (result != ISC_R_SUCCESS) + log_error_r("update_serverconfig (syncrepl) failed for %s. " + "Configuration can be outdated, run `rndc reload`", +@@ -3860,6 +3860,7 @@ update_record(isc_task_t *task, isc_event_t *event) + dns_name_init(&prevname, NULL); + dns_name_init(&prevorigin, NULL); + ++ REQUIRE(inst != NULL); + CHECK(zr_get_zone_ptr(inst->zone_register, &entry->zone_name, &raw, &secure)); + zone_found = ISC_TRUE; + +@@ -4020,13 +4021,12 @@ cleanup: + ldap_entry_logname(entry), pevent->chgtype); + } + +- if (inst != NULL) { +- sync_concurr_limit_signal(inst->sctx); +- if (dns_name_dynamic(&prevname)) +- dns_name_free(&prevname, inst->mctx); +- if (dns_name_dynamic(&prevorigin)) +- dns_name_free(&prevorigin, inst->mctx); +- } ++ sync_concurr_limit_signal(inst->sctx); ++ if (dns_name_dynamic(&prevname)) ++ dns_name_free(&prevname, inst->mctx); ++ if (dns_name_dynamic(&prevorigin)) ++ dns_name_free(&prevorigin, inst->mctx); ++ + if (raw != NULL) + dns_zone_detach(&raw); + if (secure != NULL) +-- +2.9.3 + diff --git a/0002-Add-empty-callback-for-getsize.patch b/0002-Add-empty-callback-for-getsize.patch new file mode 100644 index 0000000..63f08b9 --- /dev/null +++ b/0002-Add-empty-callback-for-getsize.patch @@ -0,0 +1,30 @@ +From 107c5ed7247788a04a23d6c65fca50f96c944345 Mon Sep 17 00:00:00 2001 +From: Tomas Krizek +Date: Tue, 27 Jun 2017 10:41:03 +0200 +Subject: [PATCH] Add empty callback for getsize + +BIND introduced getsize method in db.h. This is related to +CVE-2016-6170 and allows to set restriction of zone size limit. + +Signed-off-by: Tomas Krizek +--- + src/ldap_driver.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/ldap_driver.c b/src/ldap_driver.c +index 53ce1a9..38673b0 100644 +--- a/src/ldap_driver.c ++++ b/src/ldap_driver.c +@@ -867,7 +867,8 @@ static dns_dbmethods_t ldapdb_methods = { + findext, + setcachestats, + hashsize, +- nodefullname ++ nodefullname, ++ NULL, // getsize method not implemented (related BZ1353563) + }; + + isc_result_t ATTR_NONNULLS +-- +2.9.4 + diff --git a/bind-dyndb-ldap.spec b/bind-dyndb-ldap.spec index a77e6be..6835bd7 100644 --- a/bind-dyndb-ldap.spec +++ b/bind-dyndb-ldap.spec @@ -1,8 +1,10 @@ %define VERSION %{version} +%define bind_version 32:9.11.1-1.P1 + Name: bind-dyndb-ldap Version: 11.1 -Release: 3%{?dist} +Release: 4%{?dist} Summary: LDAP back-end plug-in for BIND Group: System Environment/Libraries @@ -11,14 +13,16 @@ URL: https://releases.pagure.org/bind-dyndb-ldap Source0: https://releases.pagure.org/%{name}/%{name}-%{VERSION}.tar.bz2 Source1: https://releases.pagure.org/%{name}/%{name}-%{VERSION}.tar.bz2.asc BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +Patch1: 0001-Coverity-fix-REVERSE_INULL-for-pevent-inst.patch +Patch2: 0002-Add-empty-callback-for-getsize.patch -BuildRequires: bind-devel >= 32:9.11.0-6.P2, bind-lite-devel >= 32:9.11.0-6.P2, bind-pkcs11-devel >= 32:9.11.0-6.P2 +BuildRequires: bind-devel >= %{bind_version}, bind-lite-devel >= %{bind_version}, bind-pkcs11-devel >= %{bind_version} BuildRequires: krb5-devel BuildRequires: openldap-devel BuildRequires: libuuid-devel BuildRequires: automake, autoconf, libtool -Requires: bind-pkcs11 >= 32:9.11.0-6.P2, bind-pkcs11-utils >= 32:9.11.0-6.P2 +Requires: bind-pkcs11 >= %{bind_version}, bind-pkcs11-utils >= %{bind_version} %description @@ -29,7 +33,9 @@ off of your LDAP server. %prep %setup -q -n %{name}-%{VERSION} - +%patch1 -p1 +%patch2 -p1 + %build autoreconf -fiv %configure @@ -116,6 +122,10 @@ rm -rf %{buildroot} %changelog +* Tue Jun 27 2017 Tomas Krizek - 11.1-4 +- Bump BIND version and fix library dependecies +- Coverity fixes + * Mon Jun 26 2017 Petr Menšík - 11.1-3 - Build with updated libraries