net-dns/djbdns: Sec rev bump to v1.05-r32 (bug #404959)

CVE-2012-1191

Closes: https://github.com/gentoo/gentoo/pull/2988

Package-Manager: portage-2.3.2

2 files changed, 177 insertions, 0 deletions

diff --git a/net-dns/djbdns/djbdns-1.05-r32.ebuild b/net-dns/djbdns/djbdns-1.05-r32.ebuild
new file mode 100644
index 000000000000..8dcc0f36d47d
--- /dev/null
+++ b/net-dns/djbdns/djbdns-1.05-r32.ebuild
@@ -0,0 +1,155 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+inherit flag-o-matic readme.gentoo-r1 toolchain-funcs user
+
+DESCRIPTION="Collection of DNS client/server software"
+HOMEPAGE="http://cr.yp.to/djbdns.html"
+IPV6_PATCH="test27"
+
+SRC_URI="http://cr.yp.to/djbdns/${P}.tar.gz
+	http://smarden.org/pape/djb/manpages/${P}-man.tar.gz
+	ipv6? ( http://www.fefe.de/dns/${P}-${IPV6_PATCH}.diff.bz2 )"
+
+SLOT="0"
+LICENSE="public-domain"
+KEYWORDS="~alpha ~amd64 ~hppa ~mips ~ppc ~ppc64 ~sparc ~x86"
+IUSE="ipv6 selinux"
+
+DEPEND=""
+RDEPEND="sys-apps/ucspi-tcp
+	virtual/daemontools
+	selinux? ( sec-policy/selinux-djbdns )"
+
+src_unpack(){
+	# Unpack both djbdns and its man pages to separate directories.
+	default
+
+	# Now move the man pages under ${S} so that user patches can be
+	# applied to them as well in src_prepare().
+	mv "${PN}-man" "${P}/man" || die "failed to transplant man pages"
+}
+
+src_prepare() {
+	eapply \
+		"${FILESDIR}/headtail-r1.patch" \
+		"${FILESDIR}/dnsroots.patch" \
+		"${FILESDIR}/dnstracesort.patch" \
+		"${FILESDIR}/string_length_255.patch" \
+		"${FILESDIR}/srv_record_support.patch" \
+		"${FILESDIR}/increase-cname-recustion-depth.patch"
+
+	# Fix CVE2009-0858
+	eapply "${FILESDIR}/CVE2009-0858_0001-check-response-domain-name-length.patch"
+
+	# Fix CVE2012-1191
+	eapply "${FILESDIR}/CVE2012-1191_0001-ghost-domain-attack.patch"
+
+	if use ipv6; then
+		elog 'At present dnstrace does NOT support IPv6. It will'\
+			 'be compiled without IPv6 support.'
+
+		# Create a separate copy of the source tree for dnstrace.
+		cp -pR "${S}" "${S}-noipv6" || die
+
+		# The big ipv6 patch.
+		eapply "${WORKDIR}/${P}-${IPV6_PATCH}.diff"
+
+		# Fix CVE2008-4392 (ipv6)
+		eapply \
+			"${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test25-r1.patch" \
+			"${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records-ipv6.patch" \
+			"${FILESDIR}/makefile-parallel-test25.patch"
+
+		cd "${S}-noipv6" || die
+	fi
+
+	# Fix CVE2008-4392 (no ipv6)
+	eapply \
+		"${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-r1.patch" \
+		"${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records.patch"
+
+	# Later versions of the ipv6 patch include this, but even if
+	# USE=ipv6, we're in the ${S}-noipv6 directory at this point.
+	eapply "${FILESDIR}/${PV}-errno-r1.patch"
+
+	eapply_user
+}
+
+src_compile() {
+	echo "$(tc-getCC) ${CFLAGS}" > conf-cc || die
+	echo "$(tc-getCC) ${LDFLAGS}" > conf-ld || die
+	echo "/usr" > conf-home || die
+	emake
+
+	# If djbdns is compiled with IPv6 support, it breaks dnstrace.
+	# Therefore we must compile dnstrace separately without IPv6
+	# support.
+	if use ipv6; then
+		elog 'Compiling dnstrace without ipv6 support'
+		cp conf-cc conf-ld conf-home "${S}-noipv6/" || die
+		cd "${S}-noipv6" || die
+		emake dnstrace
+	fi
+}
+
+src_install() {
+	insinto /etc
+	doins dnsroots.global
+
+	into /usr
+	dobin *-conf dnscache tinydns walldns rbldns pickdns axfrdns \
+		*-get *-data *-edit dnsip dnsipq dnsname dnstxt dnsmx \
+		dnsfilter random-ip dnsqr dnsq dnstrace dnstracesort
+
+	if use ipv6; then
+		dobin dnsip6 dnsip6q "${S}-noipv6/dnstrace"
+	fi
+
+	dodoc CHANGES README
+
+	doman man/*.[158]
+
+	readme.gentoo_create_doc
+}
+
+pkg_preinst() {
+	# The nofiles group is no longer provided by baselayout.
+	# Share it with qmail if possible.
+	enewgroup nofiles 200
+
+	enewuser dnscache -1 -1 -1 nofiles
+	enewuser dnslog -1 -1 -1 nofiles
+	enewuser tinydns -1 -1 -1 nofiles
+}
+
+DISABLE_AUTOFORMATTING=1
+DOC_CONTENTS='
+To configure djbdns, please follow the instructions at,
+
+	http://cr.yp.to/djbdns.html
+
+Of particular interest are,
+
+	axfrdns : http://cr.yp.to/djbdns/axfrdns-conf.html
+	dnscache: http://cr.yp.to/djbdns/run-cache-x-home.html
+	tinydns : http://cr.yp.to/djbdns/run-server.html
+
+Portage has created users for axfrdns, dnscache, and tinydns; the
+commands to configure these programs are,
+
+	1. axfrdns-conf tinydns dnslog /var/axfrdns /var/tinydns $ip
+	2. dnscache-conf dnscache dnslog /var/dnscache $ip
+	3. tinydns-conf tinydns dnslog /var/tinydns $ip
+
+(replace $ip with the ip address on which the server will run).
+
+If you wish to configure rbldns or walldns, you will need to create
+those users yourself (although you should still use the "dnslog"
+user for the logs):
+
+	4. rbldns-conf $username dnslog /var/rbldns $ip $base
+	5. walldns-conf $username dnslog /var/walldns $ip
+'
diff --git a/net-dns/djbdns/files/CVE2012-1191_0001-ghost-domain-attack.patch b/net-dns/djbdns/files/CVE2012-1191_0001-ghost-domain-attack.patch
new file mode 100644
index 000000000000..8d9b194411f3
--- /dev/null
+++ b/net-dns/djbdns/files/CVE2012-1191_0001-ghost-domain-attack.patch
@@ -0,0 +1,22 @@
+Fix ghost domain attack vulnerability (CVE-2012-1191)
+
+Author: Peter Conrad <conrad@tivano.de>
+Origin: http://marc.info/?l=djbdns&m=134269902121506&w=2
+
+Gentoo-Bug: https://bugs.gentoo.org/404959
+
+--- a/query.c
++++ b/query.c
+@@ -792,6 +792,12 @@ static int doit(struct query *z,int state)
+     }
+ 
+     if (!dns_domain_suffix(t1,control)) { i = j; continue; }
++
++    if (!flagforwardonly && byte_equal(type,2,DNS_T_NS) && dns_domain_equal(t1,control)) {
++        char dummy[256];
++        if (!roots(dummy,control)) { i = j; continue; }
++    }
++
+     if (!roots_same(t1,control)) { i = j; continue; }
+ 
+     if (byte_equal(type,2,DNS_T_ANY))