From 935add8c0f7f6c11b2382695b3369beb40d3618c Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Tue, 30 Apr 2019 14:54:39 +0200 Subject: main/bind: security upgrade to 9.11.6_p1 (CVE-2018-5743,CVE-2019-6467) This release introduced 3 new tools with python dependency (dnssec-checkdns, dnssec-coverage and dnssec-keymgr). Move those tools to a subpackage, bind-dnssec-tools, to avoid unexpectedly pull in python as dependency for stable upgraders. There are other tools in bind-tools that belongs to bind-dnssec-tools, but we dont move those in a stable branch to avoid breaking things for current users. Include patch to fix build on non-x86: https://gitlab.isc.org/isc-projects/bind9/commit/d72f436b7d7c697b262968c48c2d7643069ab17f https://lists.isc.org/pipermail/bind-users/2019-April/101673.html fixes #10370 --- main/bind/APKBUILD | 47 +++++++++-- main/bind/Replace-atomic-operations.patch | 133 ++++++++++++++++++++++++++++++ 2 files changed, 174 insertions(+), 6 deletions(-) create mode 100644 main/bind/Replace-atomic-operations.patch (limited to 'main') diff --git a/main/bind/APKBUILD b/main/bind/APKBUILD index 74c6236ca0..edd50dad42 100644 --- a/main/bind/APKBUILD +++ b/main/bind/APKBUILD @@ -3,7 +3,7 @@ # Contributor: Carlo Landmeter # Maintainer: Natanael Copa pkgname=bind -pkgver=9.11.5_p4 +pkgver=9.11.6_p1 _ver=${pkgver%_p*} _p=${pkgver#*_p} [ "$_p" != "$pkgver" ] && _ver="${_ver}-P$_p" 
@@ -15,10 +15,14 @@ license="MPL-2.0" depends="" pkgusers="named" pkggroups="named" -makedepends="bash libressl-dev libcap-dev perl linux-headers bsd-compat-headers libxml2-dev" +_py3deps="python3 py3-ply" +makedepends="bash libressl-dev libcap-dev perl linux-headers bsd-compat-headers libxml2-dev + $_py3deps" install="$pkgname.pre-install" -subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-tools" +subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-tools + py3-$pkgname:_py3 $pkgname-dnssec-tools:_dnssec_tools" source="http://ftp.isc.org/isc/bind9/${_ver}/bind-${_ver}.tar.gz + Replace-atomic-operations.patch bind.so_bsdcompat.patch named.initd named.confd @@ -30,6 +34,9 @@ source="http://ftp.isc.org/isc/bind9/${_ver}/bind-${_ver}.tar.gz " # secfixes: +# 9.11.6_p1-r0: +# - CVE-2018-5743 +# - CVE-2019-6467 # 9.11.5_p4-r0: # - CVE-2019-6465 # - CVE-2018-5745 @@ -137,6 +144,21 @@ package() { ln -s named.ca root.cache || return 1 } +_py3() { + pkgdesc="A module allowing rndc commands to be sent from Python programs" + depends="$_py3deps" + mkdir -p "$subpkgdir"/usr/lib + mv "$pkgdir"/usr/lib/python3* "$subpkgdir"/usr/lib/ +} + +_dnssec_tools() { + pkgdesc="Utilities for DNSSEC keys and DNS zone files management" + depends="py3-$pkgname=$pkgver-r$pkgrel" + mkdir -p "$subpkgdir"/usr/sbin + mv "$pkgdir"/usr/sbin/dnssec* \ + "$subpkgdir"/usr/sbin/ +} + tools() { pkgdesc="The ISC DNS tools" install="" 
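Review bot: In the new `_dnssec_tools()` (hunk @@ -137,6 +144,21 @@) the glob `"$pkgdir"/usr/sbin/dnssec*` only yields the three python-based helpers because `$pkgname-tools` is listed before `$pkgname-dnssec-tools` in `subpackages=` (hunk @@ -15,10 +15,14 @@) and `tools()` has already moved the eight legacy binaries; nothing in the function records that ordering dependency, so a later reorder would silently put every dnssec-* tool into -dnssec-tools. Suggest a comment above the `mv`: `# runs after tools(): only dnssec-checkds/-coverage/-keymgr are left in $pkgdir at this point`. The `mv` calls in `_py3()` and `_dnssec_tools()` also lack the `|| return 1` the rest of this file uses (compare `ln -s named.ca root.cache || return 1` in the context lines); unless abuild runs these functions under `set -e`, a failed move leaves an empty subpackage, so `mv "$pkgdir"/usr/sbin/dnssec* "$subpkgdir"/usr/sbin/ || return 1` would be consistent with the surrounding code.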
@@ -148,12 +170,25 @@ tools() { done mkdir -p "$subpkgdir"/usr/sbin - for i in "$pkgdir"/usr/sbin/dnssec-*; do - mv "$i" "$subpkgdir"/usr/sbin || return 1 + # keep those in -tools subpackage for for backwards compatibility + # in stable branches + for i in \ + dnssec-dsfromkey \ + dnssec-importkey \ + dnssec-keyfromlabel \ + dnssec-keygen \ + dnssec-revoke \ + dnssec-settime \ + dnssec-signzone \ + dnssec-verify \ + ; do + + mv "$pkgdir"/usr/sbin/$i "$subpkgdir"/usr/sbin done } -sha512sums="ba750ffd080a47309db8be3df3d80896c5872aadb1a14ac7effd1bb783c2a2ae1e82959d6999eecc3d694336887060a84ae8813a17836b9064515cdd96fcb573 bind-9.11.5-P4.tar.gz +sha512sums="419aeeddeab7aef818b9043db7b21a847993444f663dca04e58ee97a0ebee0610cbc5a9422d17a6f0ee5d44598a2cbb5651e3b4e8c56708eaf923dca0a5c4c03 bind-9.11.6-P1.tar.gz +d3b0329f48bd296988d8854ec4c7738c611d96e13c0439326a9cf801bc41a9504b1e0673f06fd66c5e36949192c6968d512d53a91d5d5fa96783c8b2c6ec88e3 Replace-atomic-operations.patch f3e3d1b680617485b9db20a59a10fec3b3b539d423984493228a7d5aaa29d699b9012ad60e863e56bdaf15b73952c22710d0ded1c86cd24417ac775ee062cfa3 bind.so_bsdcompat.patch 196c0a3b43cf89e8e3547d7fb63a93ff9a3306505658dfd9aa78e6861be6b226580b424dd3dd44b955b2d9f682b1dc62c457f3ac29ce86200ef070140608c015 named.initd 127bdcc0b5079961f0951344bc3fad547450c81aee2149eac8c41a8c0c973ea0ffe3f956684c6fcb735a29c43d2ff48c153b6a71a0f15757819a72c492488ddf named.confd diff --git a/main/bind/Replace-atomic-operations.patch b/main/bind/Replace-atomic-operations.patch new file mode 100644 index 0000000000..75bb9ffcc0 --- /dev/null +++ b/main/bind/Replace-atomic-operations.patch 
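Review bot: The rewritten loop body in `tools()` drops the `|| return 1` that the removed `mv "$i" "$subpkgdir"/usr/sbin || return 1` line carried, so if one of the hard-coded names is missing from a future 9.11.x tarball the `mv` failure is ignored and the package builds without that binary, unless abuild runs the function under `set -e`; restoring `mv "$pkgdir"/usr/sbin/$i "$subpkgdir"/usr/sbin || return 1` keeps the previous behaviour. The explicit list is the right call for a stable branch, but the comment above it has a doubled word and a blank line follows `; do`; suggest `# keep those in -tools subpackage for backwards compatibility` / `# in stable branches`. `tools()` itself begins in the preceding hunk, outside this one.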
@@ -0,0 +1,133 @@ +From d72f436b7d7c697b262968c48c2d7643069ab17f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Wed, 17 Apr 2019 15:22:27 +0200 +Subject: [PATCH] Replace atomic operations in bin/named/client.c with + isc_refcount reference counting + +(cherry picked from commit ef49780d30d3ddc5735cfc32561b678a634fa72f) +--- + lib/ns/client.c | 18 +++++++----------- + lib/ns/include/ns/interfacemgr.h | 5 +++-- + lib/ns/interfacemgr.c | 7 +++++-- + 3 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/lib/ns/client.c b/lib/ns/client.c +index d8ab3ce9c6..24f4f830d9 100644 +--- a/lib/ns/client.c ++++ b/lib/ns/client.c +@@ -428,12 +428,10 @@ tcpconn_detach(ns_client_t *client) { + static void + mark_tcp_active(ns_client_t *client, bool active) { + if (active && !client->tcpactive) { +- isc_atomic_xadd(&client->interface->ntcpactive, 1); ++ isc_refcount_increment0(&client->interface->ntcpactive, NULL); + client->tcpactive = active; + } else if (!active && client->tcpactive) { +- uint32_t old = +- isc_atomic_xadd(&client->interface->ntcpactive, -1); +- INSIST(old > 0); ++ isc_refcount_decrement(&client->interface->ntcpactive, NULL); + client->tcpactive = active; + } + } +@@ -580,7 +578,7 @@ exit_check(ns_client_t *client) { + if (client->mortal && TCP_CLIENT(client) && + client->newstate != NS_CLIENTSTATE_FREED && + (client->sctx->options & NS_SERVER_CLIENTTEST) == 0 && +- isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0) ++ isc_refcount_current(&client->interface->ntcpaccepting) == 0) + { + /* Nobody else is accepting */ + client->mortal = false; +@@ -3306,7 +3304,6 @@ client_newconn(isc_task_t *task, isc_event_t *event) { + ns_client_t *client = event->ev_arg; + isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event; + dns_aclenv_t *env = ns_interfacemgr_getaclenv(client->interface->mgr); +- uint32_t old; + + REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN); + REQUIRE(NS_CLIENT_VALID(client)); +@@ -3326,8 
+3323,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) { + INSIST(client->naccepts == 1); + client->naccepts--; + +- old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1); +- INSIST(old > 0); ++ isc_refcount_decrement(&client->interface->ntcpaccepting, NULL); + + /* + * We must take ownership of the new socket before the exit +@@ -3457,8 +3453,8 @@ client_accept(ns_client_t *client) { + * quota is tcp-clients plus the number of listening + * interfaces plus 1.) + */ +- exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) > +- (client->tcpactive ? 1 : 0)); ++ exit = (isc_refcount_current(&client->interface->ntcpactive) > ++ (client->tcpactive ? 1U : 0U)); + if (exit) { + client->newstate = NS_CLIENTSTATE_INACTIVE; + (void)exit_check(client); +@@ -3516,7 +3512,7 @@ client_accept(ns_client_t *client) { + * listening for connections itself to prevent the interface + * going dead. + */ +- isc_atomic_xadd(&client->interface->ntcpaccepting, 1); ++ isc_refcount_increment0(&client->interface->ntcpaccepting, NULL); + } + + static void +diff --git a/lib/ns/include/ns/interfacemgr.h b/lib/ns/include/ns/interfacemgr.h +index 24552ed353..6bbb0e67f3 100644 +--- a/lib/ns/include/ns/interfacemgr.h ++++ b/lib/ns/include/ns/interfacemgr.h +@@ -45,6 +45,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -76,11 +77,11 @@ struct ns_interface { + /*%< UDP dispatchers. */ + isc_socket_t * tcpsocket; /*%< TCP socket. 
*/ + isc_dscp_t dscp; /*%< "listen-on" DSCP value */ +- int32_t ntcpaccepting; /*%< Number of clients ++ isc_refcount_t ntcpaccepting; /*%< Number of clients + ready to accept new + TCP connections on this + interface */ +- int32_t ntcpactive; /*%< Number of clients ++ isc_refcount_t ntcpactive; /*%< Number of clients + servicing TCP queries + (whether accepting or + connected) */ +diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c +index 5f9cd8c0b9..e4e9b5e10d 100644 +--- a/lib/ns/interfacemgr.c ++++ b/lib/ns/interfacemgr.c +@@ -429,8 +429,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, + * connections will be handled in parallel even though there is + * only one client initially. + */ +- ifp->ntcpaccepting = 0; +- ifp->ntcpactive = 0; ++ isc_refcount_init(&ifp->ntcpaccepting, 0); ++ isc_refcount_init(&ifp->ntcpactive, 0); + + ifp->nudpdispatch = 0; + +@@ -663,6 +663,9 @@ ns_interface_destroy(ns_interface_t *ifp) { + + ns_interfacemgr_detach(&ifp->mgr); + ++ isc_refcount_destroy(&ifp->ntcpactive); ++ isc_refcount_destroy(&ifp->ntcpaccepting); ++ + ifp->magic = 0; + isc_mem_put(mctx, ifp, sizeof(*ifp)); + } +-- +2.18.1 + -- cgit v1.2.3