From f8cb93d57c5be83e9cfbb515d2e8fc1abef24e29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 29 Apr 2021 18:12:16 +0200 Subject: [PATCH] Update to 9.16.15 Resolves CVE-2021-25215 and CVE-2021-25214. Removes disable-isc-spnego flag, because custom isc spnego code were removed with also this flag. It is default (and the only) option now. --- .gitignore | 2 ++ bind-9.10-dist-native-pkcs11.patch | 44 ++++++++++++------------- bind-9.16-isc-constructor.h | 53 ------------------------------ bind.spec | 9 +++-- sources | 4 +-- 5 files changed, 30 insertions(+), 82 deletions(-) delete mode 100644 bind-9.16-isc-constructor.h diff --git a/.gitignore b/.gitignore index afa828e..e46cd63 100644 --- a/.gitignore +++ b/.gitignore @@ -144,3 +144,5 @@ bind-9.7.2b1.tar.gz /bind-9.16.11.tar.xz.asc /bind-9.16.13.tar.xz /bind-9.16.13.tar.xz.asc +/bind-9.16.15.tar.xz +/bind-9.16.15.tar.xz.asc diff --git a/bind-9.10-dist-native-pkcs11.patch b/bind-9.10-dist-native-pkcs11.patch index 2003f1b..72a8317 100644 --- a/bind-9.10-dist-native-pkcs11.patch +++ b/bind-9.10-dist-native-pkcs11.patch @@ -1,4 +1,4 @@ -From 17c6e65cde059c98d48ae3b948aa157865d1c99c Mon Sep 17 00:00:00 2001 +From 8f232dac49cbb143a30a5c807f9085f3ef251f0e Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Thu, 21 Jan 2021 10:46:20 +0100 Subject: [PATCH] Enable custom pkcs11 native build @@ -247,7 +247,7 @@ index 98125dd..518a75f 100644 @DLZ_DRIVER_RULES@ diff --git a/configure.ac b/configure.ac -index 08a7d8a..4d762c9 100644 +index da99e85..55680ea 100644 --- a/configure.ac +++ b/configure.ac @@ -1251,12 +1251,14 @@ AC_SUBST(USE_GSSAPI) @@ -265,7 +265,7 @@ index 08a7d8a..4d762c9 100644 # # was --with-lmdb specified? -@@ -2352,6 +2354,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE) +@@ -2327,6 +2329,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE) AC_SUBST(BIND9_NS_BUILDINCLUDE) AC_SUBST(BIND9_BIND9_BUILDINCLUDE) AC_SUBST(BIND9_IRS_BUILDINCLUDE) 
@@ -274,7 +274,7 @@ index 08a7d8a..4d762c9 100644 if test "X$srcdir" != "X"; then BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include" BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include" -@@ -2360,6 +2364,8 @@ if test "X$srcdir" != "X"; then +@@ -2335,6 +2339,8 @@ if test "X$srcdir" != "X"; then BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include" BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include" BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include" @@ -283,7 +283,7 @@ index 08a7d8a..4d762c9 100644 else BIND9_ISC_BUILDINCLUDE="" BIND9_ISCCC_BUILDINCLUDE="" -@@ -2368,6 +2374,8 @@ else +@@ -2343,6 +2349,8 @@ else BIND9_NS_BUILDINCLUDE="" BIND9_BIND9_BUILDINCLUDE="" BIND9_IRS_BUILDINCLUDE="" @@ -292,7 +292,7 @@ index 08a7d8a..4d762c9 100644 fi AC_SUBST_FILE(BIND9_MAKE_INCLUDES) -@@ -2823,8 +2831,11 @@ AC_CONFIG_FILES([ +@@ -2798,8 +2806,11 @@ AC_CONFIG_FILES([ bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile @@ -304,7 +304,7 @@ index 08a7d8a..4d762c9 100644 bin/nsupdate/Makefile bin/pkcs11/Makefile bin/plugins/Makefile -@@ -2886,6 +2897,10 @@ AC_CONFIG_FILES([ +@@ -2861,6 +2872,10 @@ AC_CONFIG_FILES([ lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile @@ -315,7 +315,7 @@ index 08a7d8a..4d762c9 100644 lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile -@@ -2918,6 +2933,10 @@ AC_CONFIG_FILES([ +@@ -2893,6 +2908,10 @@ AC_CONFIG_FILES([ lib/ns/include/Makefile lib/ns/include/ns/Makefile lib/ns/tests/Makefile @@ -340,28 +340,28 @@ index ffa2d5a..6fbc192 100644 @BIND9_MAKE_RULES@ diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in -index 283b7f2..a234dc5 100644 +index 58bda3c..d6a45df 100644 --- a/lib/dns-pkcs11/Makefile.in 
+++ b/lib/dns-pkcs11/Makefile.in -@@ -24,7 +24,7 @@ VERSION=@BIND9_VERSION@ +@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@ - USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ + @BIND9_MAKE_INCLUDES@ -CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ +CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \ ${ISC_INCLUDES} \ ${FSTRM_CFLAGS} \ ${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \ -@@ -34,7 +34,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ +@@ -32,7 +32,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ ${LMDB_CFLAGS} \ ${MAXMINDDB_CFLAGS} --CDEFINES = @USE_GSSAPI@ ${USE_ISC_SPNEGO} -+CDEFINES = @USE_GSSAPI@ ${USE_ISC_SPNEGO} @USE_PKCS11@ +-CDEFINES = @USE_GSSAPI@ ++CDEFINES = @USE_GSSAPI@ @USE_PKCS11@ CWARNINGS = -@@ -137,15 +137,15 @@ version.@O@: version.c +@@ -135,15 +135,15 @@ version.@O@: version.c -DMAPAPI=\"${MAPAPI}\" \ -c ${srcdir}/version.c @@ -381,7 +381,7 @@ index 283b7f2..a234dc5 100644 include: gen ${MAKE} include/dns/enumtype.h -@@ -176,22 +176,22 @@ gen: gen.c +@@ -174,22 +174,22 @@ gen: gen.c ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \ ${BUILD_LIBS} ${LFS_LIBS} @@ -434,12 +434,12 @@ index 3bb5e01..c96fe7d 100644 LIBS = @LIBS@ @CMOCKA_LIBS@ diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in -index f126f1f..21b20e4 100644 +index bc683ce..7a9d2f2 100644 --- a/lib/ns-pkcs11/Makefile.in +++ b/lib/ns-pkcs11/Makefile.in -@@ -18,12 +18,12 @@ VERSION=@BIND9_VERSION@ +@@ -16,12 +16,12 @@ VERSION=@BIND9_VERSION@ - USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ + @BIND9_MAKE_INCLUDES@ -CINCLUDES = -I. -I${top_srcdir}/lib/ns -Iinclude \ - ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \ @@ -453,7 +453,7 @@ index f126f1f..21b20e4 100644 CWARNINGS = -@@ -31,9 +31,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@ +@@ -29,9 +29,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@ ISCDEPLIBS = ../../lib/isc/libisc.@A@ 
@@ -465,7 +465,7 @@ index f126f1f..21b20e4 100644 LIBS = @LIBS@ -@@ -62,28 +62,28 @@ version.@O@: version.c +@@ -60,28 +60,28 @@ version.@O@: version.c -DMAJOR=\"${MAJOR}\" \ -c ${srcdir}/version.c @@ -546,5 +546,5 @@ index b8317d3..b73b0c4 100644 + -I${top_srcdir}/lib/ns-pkcs11/include + -- -2.26.2 +2.26.3 diff --git a/bind-9.16-isc-constructor.h b/bind-9.16-isc-constructor.h deleted file mode 100644 index 71a08b3..0000000 --- a/bind-9.16-isc-constructor.h +++ /dev/null @@ -1,53 +0,0 @@ -From 48df32cadb5071f5b186b00da3f4406a13320b44 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Fri, 26 Mar 2021 11:01:59 +0100 -Subject: [PATCH] Do not require config.h to use isc/util.h - -util.h requires ISC_CONSTRUCTOR definition, which depends on config.h -inclusion. It does not include it from isc/util.h (or any other header). -Using isc/util.h fails hard when isc/util.h is used without including -bind's config.h. - -Move the check to c file, where ISC_CONSTRUCTOR is used. Ensure config.h -is included there. ---- - lib/isc/include/isc/util.h | 2 -- - lib/isc/lib.c | 5 +++++ - 2 files changed, 5 insertions(+), 2 deletions(-) - -diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h -index 3c8c40b..3144557 100644 ---- a/lib/isc/include/isc/util.h -+++ b/lib/isc/include/isc/util.h -@@ -54,8 +54,6 @@ - #elif WIN32 - #define ISC_CONSTRUCTOR(priority) - #define ISC_DESTRUCTOR(priority) --#else --#error Either __attribute__((constructor|destructor))__ or DllMain support needed to compile BIND 9. - #endif - - /*% -diff --git a/lib/isc/lib.c b/lib/isc/lib.c -index 27d7be1..08a1b91 100644 ---- a/lib/isc/lib.c -+++ b/lib/isc/lib.c -@@ -17,10 +17,15 @@ - #include - #include - -+#include "config.h" - #include "mem_p.h" - #include "tls_p.h" - #include "trampoline_p.h" - -+#ifndef ISC_CONSTRUCTOR -+#error Either __attribute__((constructor|destructor))__ or DllMain support needed to compile BIND 9. -+#endif -+ - /*** - *** Functions - ***/ --- -2.26.2 - 
diff --git a/bind.spec b/bind.spec index 77448d3..a16adc2 100644 --- a/bind.spec +++ b/bind.spec @@ -61,7 +61,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind License: MPLv2.0 -Version: 9.16.13 +Version: 9.16.15 Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ @@ -114,8 +114,6 @@ Patch157:bind-9.11-fips-tests.patch Patch164:bind-9.11-rh1666814.patch Patch170:bind-9.11-feature-test-named.patch Patch171:bind-9.11-tests-variants.patch -# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4840 -Patch172:bind-9.16-isc-constructor.h Requires(post): systemd Requires(preun): systemd @@ -420,7 +418,6 @@ in HTML and PDF format. %patch164 -p1 -b .rh1666814 %patch170 -p1 -b .featuretest-named %patch171 -p1 -b .test-variant -%patch172 -p1 -b .isc-constructor %if %{with PKCS11} %patch135 -p1 -b .config-pkcs11 @@ -505,7 +502,6 @@ export LIBDIR_SUFFIX --with-dlopen=yes \ %if %{with GSSTSIG} --with-gssapi=yes \ - --disable-isc-spnego \ %endif %if %{with LMDB} --with-lmdb=yes \ @@ -1142,6 +1138,9 @@ fi; %endif %changelog +* Thu Apr 29 2021 Petr Menšík - 32:9.16.15-1 +- Update to 9.16.15 + * Thu Mar 25 2021 Petr Menšík - 32:9.16.13-1 - Update to 9.16.13 - Changed displayed version just to include -RH suffix, not release diff --git a/sources b/sources index cc951ad..3dd65a2 100644 --- a/sources +++ b/sources 
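Review bot: The new `%changelog` entry in the last bind.spec hunk (`@@ -1142,6 +1138,9 @@`) records only `- Update to 9.16.15`, although the commit message says this update resolves CVE-2021-25215 and CVE-2021-25214. The RPM changelog is what `rpm -q --changelog` shows on an installed system, so someone checking from the package alone whether these fixes are present has nothing to match on. I would add `- Resolves CVE-2021-25215 and CVE-2021-25214` under the new entry. Since the `@@ -505,7 +502,6 @@` hunk also changes the configure options used for GSS-TSIG builds, a second line such as `- Drop --disable-isc-spnego, ISC SPNEGO code was removed upstream` would record that as well.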
@@ -1,2 +1,2 @@
-SHA512 (bind-9.16.13.tar.xz) = 1f3c8f54dd2c9e18cd9b67cfebb645d0a8e8f566add07fc4690cb8820bf81640c33b2b0685cb8be095e0f9ac84b2cf78176aea841a30c27d547b569b8353b07b
-SHA512 (bind-9.16.13.tar.xz.asc) = 636c5101f31092b1a0251c923676583afed69eb1e7ff625d3d7b2088c66014090e9676a61e332e553e4283872c5e641db1c09fbf76871e52938715163d61dd2e
+SHA512 (bind-9.16.15.tar.xz) = 30dad6e2144b3ac53ef0a2d1ed3c8342120f148fc0eb6409113a6d5ed3444eecb917915fdf39c26fd223396fc1e873410a50da305f0b870864f7fbbdccec8033
+SHA512 (bind-9.16.15.tar.xz.asc) = b845f0527235a5b24c617e4e0975988df3966b05db3eec33c798c242b00560dbfdb3258da991743629eb24017759d7deccbaf58277d215ff4616f6c255a8c0d4