Bump BIND to 9.11.1 and coverity fixes

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Tomas Krizek 2017-06-27 11:35:01 +02:00
parent 99268f00fb
commit a709bf2f4f
GPG Key ID: 22A2A94B5E49415A
3 changed files with 160 additions and 4 deletions


@ -0,0 +1,116 @@
From e5c29893a318c0f1571c9918ab2c7c23dca3c952 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkrizek@redhat.com>
Date: Mon, 27 Mar 2017 19:41:05 +0200
Subject: [PATCH] Coverity: fix REVERSE_INULL for pevent->inst
With the DynDB API changes, the ldap instance is acquired
differently. Previously, obtaining the instance could fail when
LDAP was disconnecting, thus the NULL check was necessary in the
cleanup part.
Now, inst is obtained directly from the API. I'm not sure what is
the exact behaviour in edge cases such as LDAP disconnecting, so
I perform the NULL check a bit earlier, just to be safe.
---
src/ldap_helper.c | 42 +++++++++++++++++++++---------------------
1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 1fa0ec9adfa2b9ca589587244da03cc6f0584919..e0c4b76f0bd350eda2d81588e6efb67b5221d630 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -3714,6 +3714,7 @@ update_zone(isc_task_t *task, isc_event_t *event)
mctx = pevent->mctx;
dns_name_init(&prevname, NULL);
+ REQUIRE(inst != NULL);
INSIST(task == inst->task); /* For task-exclusive mode */
if (SYNCREPL_DEL(pevent->chgtype)) {
@@ -3730,12 +3731,11 @@ update_zone(isc_task_t *task, isc_event_t *event)
}
cleanup:
- if (inst != NULL) {
- sync_concurr_limit_signal(inst->sctx);
- sync_event_signal(inst->sctx, pevent);
- if (dns_name_dynamic(&prevname))
- dns_name_free(&prevname, inst->mctx);
- }
+ sync_concurr_limit_signal(inst->sctx);
+ sync_event_signal(inst->sctx, pevent);
+ if (dns_name_dynamic(&prevname))
+ dns_name_free(&prevname, inst->mctx);
+
if (result != ISC_R_SUCCESS)
log_error_r("update_zone (syncrepl) failed for %s. "
"Zones can be outdated, run `rndc reload`",
@@ -3760,14 +3760,14 @@ update_config(isc_task_t * task, isc_event_t *event)
mctx = pevent->mctx;
+ REQUIRE(inst != NULL);
INSIST(task == inst->task); /* For task-exclusive mode */
CHECK(ldap_parse_configentry(entry, inst));
cleanup:
- if (inst != NULL) {
- sync_concurr_limit_signal(inst->sctx);
- sync_event_signal(inst->sctx, pevent);
- }
+ sync_concurr_limit_signal(inst->sctx);
+ sync_event_signal(inst->sctx, pevent);
+
if (result != ISC_R_SUCCESS)
log_error_r("update_config (syncrepl) failed for %s. "
"Configuration can be outdated, run `rndc reload`",
@@ -3790,14 +3790,14 @@ update_serverconfig(isc_task_t * task, isc_event_t *event)
mctx = pevent->mctx;
+ REQUIRE(inst != NULL);
INSIST(task == inst->task); /* For task-exclusive mode */
CHECK(ldap_parse_serverconfigentry(entry, inst));
cleanup:
- if (inst != NULL) {
- sync_concurr_limit_signal(inst->sctx);
- sync_event_signal(inst->sctx, pevent);
- }
+ sync_concurr_limit_signal(inst->sctx);
+ sync_event_signal(inst->sctx, pevent);
+
if (result != ISC_R_SUCCESS)
log_error_r("update_serverconfig (syncrepl) failed for %s. "
"Configuration can be outdated, run `rndc reload`",
@@ -3860,6 +3860,7 @@ update_record(isc_task_t *task, isc_event_t *event)
dns_name_init(&prevname, NULL);
dns_name_init(&prevorigin, NULL);
+ REQUIRE(inst != NULL);
CHECK(zr_get_zone_ptr(inst->zone_register, &entry->zone_name, &raw, &secure));
zone_found = ISC_TRUE;
@@ -4020,13 +4021,12 @@ cleanup:
ldap_entry_logname(entry), pevent->chgtype);
}
- if (inst != NULL) {
- sync_concurr_limit_signal(inst->sctx);
- if (dns_name_dynamic(&prevname))
- dns_name_free(&prevname, inst->mctx);
- if (dns_name_dynamic(&prevorigin))
- dns_name_free(&prevorigin, inst->mctx);
- }
+ sync_concurr_limit_signal(inst->sctx);
+ if (dns_name_dynamic(&prevname))
+ dns_name_free(&prevname, inst->mctx);
+ if (dns_name_dynamic(&prevorigin))
+ dns_name_free(&prevorigin, inst->mctx);
+
if (raw != NULL)
dns_zone_detach(&raw);
if (secure != NULL)
--
2.9.3
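Review bot: The new `REQUIRE(inst != NULL)` at the top of update_zone, update_config, update_serverconfig and update_record (the `+ REQUIRE` lines in the first, third, fourth and fifth hunks) replaces a tolerated NULL with an assertion that aborts named, so if inst can still be NULL in the LDAP-disconnect case the description itself is unsure about, a transient LDAP outage becomes a crash of the name server. Either confirm from the DynDB API that a NULL instance is unreachable here and record that next to the assertion, e.g. `REQUIRE(inst != NULL); /* inst comes from the DynDB API and is never NULL here; a failing REQUIRE aborts named */`, or keep a non-fatal path that sets result and skips the inst-dependent cleanup. The cleanup labels now dereference `inst->sctx` unconditionally; all four functions begin outside the hunks, so it cannot be seen here whether any `goto cleanup` precedes the new REQUIRE and could reach that dereference with a NULL inst — worth checking before the NULL guards are dropped.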


@ -0,0 +1,30 @@
From 107c5ed7247788a04a23d6c65fca50f96c944345 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkrizek@redhat.com>
Date: Tue, 27 Jun 2017 10:41:03 +0200
Subject: [PATCH] Add empty callback for getsize
BIND introduced getsize method in db.h. This is related to
CVE-2016-6170 and allows to set restriction of zone size limit.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
---
src/ldap_driver.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/ldap_driver.c b/src/ldap_driver.c
index 53ce1a9..38673b0 100644
--- a/src/ldap_driver.c
+++ b/src/ldap_driver.c
@@ -867,7 +867,8 @@ static dns_dbmethods_t ldapdb_methods = {
findext,
setcachestats,
hashsize,
- nodefullname
+ nodefullname,
+ NULL, // getsize method not implemented (related BZ1353563)
};
isc_result_t ATTR_NONNULLS
--
2.9.4
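Review bot: Registering `NULL` for getsize means dns_db_getsize presumably reports the method as not implemented for this backend, so the zone-size limit that the description ties to CVE-2016-6170 is not enforced for LDAP-backed zones; the comment on the new line should state that consequence instead of only citing a bug number, e.g. `NULL, /* getsize not implemented: zone size limit is not enforced for LDAP zones (BZ1353563) */`. Whether a NULL method pointer is safe here depends on dns_db_getsize in the pinned BIND 9.11.1 checking the pointer before calling through it — confirm against those headers, since a missing check would be a call through a NULL function pointer. The table is initialized positionally, so this entry is only correct while getsize is the last member of dns_dbmethods_t in the pinned BIND version; a designated initializer (`.getsize = NULL`) would remove that dependency, though the rest of the table would need to follow suit. ldapdb_methods begins outside the hunk.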


@ -1,8 +1,10 @@
%define VERSION %{version}
%define bind_version 32:9.11.1-1.P1
Name: bind-dyndb-ldap
Version: 11.1
Release: 3%{?dist}
Release: 4%{?dist}
Summary: LDAP back-end plug-in for BIND
Group: System Environment/Libraries
@ -11,14 +13,16 @@ URL: https://releases.pagure.org/bind-dyndb-ldap
Source0: https://releases.pagure.org/%{name}/%{name}-%{VERSION}.tar.bz2
Source1: https://releases.pagure.org/%{name}/%{name}-%{VERSION}.tar.bz2.asc
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Patch1: 0001-Coverity-fix-REVERSE_INULL-for-pevent-inst.patch
Patch2: 0002-Add-empty-callback-for-getsize.patch
BuildRequires: bind-devel >= 32:9.11.0-6.P2, bind-lite-devel >= 32:9.11.0-6.P2, bind-pkcs11-devel >= 32:9.11.0-6.P2
BuildRequires: bind-devel >= %{bind_version}, bind-lite-devel >= %{bind_version}, bind-pkcs11-devel >= %{bind_version}
BuildRequires: krb5-devel
BuildRequires: openldap-devel
BuildRequires: libuuid-devel
BuildRequires: automake, autoconf, libtool
Requires: bind-pkcs11 >= 32:9.11.0-6.P2, bind-pkcs11-utils >= 32:9.11.0-6.P2
Requires: bind-pkcs11 >= %{bind_version}, bind-pkcs11-utils >= %{bind_version}
%description
@ -29,6 +33,8 @@ off of your LDAP server.
%prep
%setup -q -n %{name}-%{VERSION}
%patch1 -p1
%patch2 -p1
%build
autoreconf -fiv
@ -116,6 +122,10 @@ rm -rf %{buildroot}
%changelog
* Tue Jun 27 2017 Tomas Krizek <tkrizek@redhat.com> - 11.1-4
- Bump BIND version and fix library dependecies
- Coverity fixes
* Mon Jun 26 2017 Petr Menšík <pemensik@redhat.com> - 11.1-3
- Build with updated libraries
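Review bot: `%define bind_version 32:9.11.1-1.P1` in the first hunk should be `%global bind_version 32:9.11.1-1.P1`; Fedora packaging guidelines prefer `%global` for spec-wide macros because `%define` is scoped to the level at which it is expanded and can behave unexpectedly when referenced from inside other macros or conditionals. The new changelog entry in the last hunk also misspells "dependencies" (`dependecies`).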