diff options
Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-connectivity/bind/bind')
17 files changed, 1585 insertions, 0 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch new file mode 100644 index 000000000..805cbb331 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch @@ -0,0 +1,50 @@ +xml2-config is disabled, so change the configure script to use pkgconfig to find +libxml2. + +Upstream-Status: Inappropriate +Signed-off-by: Ross Burton <ross.burton@intel.com> + +Update context for version 9.10.3-P2. + +Signed-off-by: Kai Kang <kai.kang@windriver.com> +--- + configure.in | 23 +++-------------------- + 1 file changed, 3 insertions(+), 20 deletions(-) + +diff --git a/configure.in b/configure.in +index 0db826d..75819eb 100644 +--- a/configure.in ++++ b/configure.in +@@ -2107,26 +2107,9 @@ case "$use_libxml2" in + DST_LIBXML2_INC="" + ;; + auto|yes) +- case X`(xml2-config --version) 2>/dev/null` in +- X2.[[6789]].*) +- libxml2_libs=`xml2-config --libs` +- libxml2_cflags=`xml2-config --cflags` +- ;; +- *) +- if test "$use_libxml2" = "yes" ; then +- AC_MSG_RESULT(no) +- AC_MSG_ERROR(required libxml2 version not available) +- else +- libxml2_libs= +- libxml2_cflags= +- fi +- ;; +- esac +- ;; +- *) +- if test -f "$use_libxml2/bin/xml2-config" ; then +- libxml2_libs=`$use_libxml2/bin/xml2-config --libs` +- libxml2_cflags=`$use_libxml2/bin/xml2-config --cflags` ++ if pkg-config --exists libxml-2.0 ; then ++ libxml2_libs=`pkg-config libxml-2.0 --libs` ++ libxml2_cflags=`pkg-config libxml-2.0 --cflags` + fi + ;; + esac +-- +2.1.4 + diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch new file mode 100644 index 000000000..121509371 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch @@ -0,0 +1,25 @@ +Upstream-Status: Pending + +Subject: gen.c: extend DIRNAMESIZE from 256 to 512 + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + lib/dns/gen.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/dns/gen.c b/lib/dns/gen.c +index 7a7dafb..51a0435 100644 +--- a/lib/dns/gen.c ++++ b/lib/dns/gen.c +@@ -148,7 +148,7 @@ static const char copyright[] = + #define TYPECLASSBUF (TYPECLASSLEN + 1) + #define TYPECLASSFMT "%" STR(TYPECLASSLEN) "[-0-9a-z]_%d" + #define ATTRIBUTESIZE 256 +-#define DIRNAMESIZE 256 ++#define DIRNAMESIZE 512 + + static struct cc { + struct cc *next; +-- +1.9.1 + diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/0001-lib-dns-gen.c-fix-too-long-error.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/0001-lib-dns-gen.c-fix-too-long-error.patch new file mode 100644 index 000000000..1ed858cd3 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/0001-lib-dns-gen.c-fix-too-long-error.patch @@ -0,0 +1,34 @@ +From 5bc3167a8b714ec0c4a3f1c7f3b9411296ec0a23 Mon Sep 17 00:00:00 2001 +From: Robert Yang <liezhi.yang@windriver.com> +Date: Wed, 16 Sep 2015 20:23:47 -0700 +Subject: [PATCH] lib/dns/gen.c: fix too long error + +The 512 is a little short when build in deep dir, and cause "too long" +error, use PATH_MAX if defined. + +Upstream-Status: Pending + +Signed-off-by: Robert Yang <liezhi.yang@windriver.com> +--- + lib/dns/gen.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/lib/dns/gen.c b/lib/dns/gen.c +index 51a0435..3d7214f 100644 +--- a/lib/dns/gen.c ++++ b/lib/dns/gen.c +@@ -148,7 +148,11 @@ static const char copyright[] = + #define TYPECLASSBUF (TYPECLASSLEN + 1) + #define TYPECLASSFMT "%" STR(TYPECLASSLEN) "[-0-9a-z]_%d" + #define ATTRIBUTESIZE 256 ++#ifdef PATH_MAX ++#define DIRNAMESIZE PATH_MAX ++#else + #define DIRNAMESIZE 512 ++#endif + + static struct cc { + struct cc *next; +-- +1.7.9.5 + diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch new file mode 100644 index 000000000..2149bd180 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch @@ -0,0 +1,154 @@ +From 70037e040e587329cec82123e12b9f4f7c945f67 Mon Sep 17 00:00:00 2001 +From: Mark Andrews <marka@isc.org> +Date: Thu, 18 Feb 2016 12:11:27 +1100 +Subject: [PATCH] 4318. [security] Malformed control messages can + trigger assertions in named and rndc. (CVE-2016-1285) + [RT #41666] + +(cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e) + +CVE: CVE-2016-1285 +Upstream-Status: Backport +[Removed doc/arm/notes.xml changes from upstream patch] + +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> +--- + CHANGES | 3 +++ + bin/named/control.c | 2 +- + bin/named/controlconf.c | 2 +- + bin/rndc/rndc.c | 8 ++++---- + doc/arm/notes.xml | 11 +++++++++++ + lib/isccc/cc.c | 14 +++++++------- + 6 files changed, 27 insertions(+), 13 deletions(-) + +diff --git a/CHANGES b/CHANGES +index b9bd9ef..2c727d5 100644 +--- a/CHANGES ++++ b/CHANGES +@@ -1,3 +1,6 @@ ++4318. [security] Malformed control messages can trigger assertions ++ in named and rndc. (CVE-2016-1285) [RT #41666] ++ + --- 9.10.3-P3 released --- + + 4288. [bug] Fixed a regression in resolver.c:possibly_mark() +diff --git a/bin/named/control.c b/bin/named/control.c +index 8554335..81340ca 100644 +--- a/bin/named/control.c ++++ b/bin/named/control.c +@@ -69,7 +69,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { + #endif + + data = isccc_alist_lookup(message, "_data"); +- if (data == NULL) { ++ if (!isccc_alist_alistp(data)) { + /* + * No data section. + */ +diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c +index 765afdd..a39ab8b 100644 +--- a/bin/named/controlconf.c ++++ b/bin/named/controlconf.c +@@ -402,7 +402,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { + * Limit exposure to replay attacks. + */ + _ctrl = isccc_alist_lookup(request, "_ctrl"); +- if (_ctrl == NULL) { ++ if (!isccc_alist_alistp(_ctrl)) { + log_invalid(&conn->ccmsg, ISC_R_FAILURE); + goto cleanup_request; + } +diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c +index cb17050..b6e05c8 100644 +--- a/bin/rndc/rndc.c ++++ b/bin/rndc/rndc.c +@@ -255,8 +255,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) { + isccc_cc_fromwire(&source, &response, algorithm, &secret)); + + data = isccc_alist_lookup(response, "_data"); +- if (data == NULL) +- fatal("no data section in response"); ++ if (!isccc_alist_alistp(data)) ++ fatal("bad or missing data section in response"); + result = isccc_cc_lookupstring(data, "err", &errormsg); + if (result == ISC_R_SUCCESS) { + failed = ISC_TRUE; +@@ -321,8 +321,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) { + isccc_cc_fromwire(&source, &response, algorithm, &secret)); + + _ctrl = isccc_alist_lookup(response, "_ctrl"); +- if (_ctrl == NULL) +- fatal("_ctrl section missing"); ++ if (!isccc_alist_alistp(_ctrl)) ++ fatal("bad or missing ctrl section in response"); + nonce = 0; + if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS) + nonce = 0; +diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c +index 47a3b74..2bb961e 100644 +--- a/lib/isccc/cc.c ++++ b/lib/isccc/cc.c +@@ -403,13 +403,13 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, + * Extract digest. + */ + _auth = isccc_alist_lookup(alist, "_auth"); +- if (_auth == NULL) ++ if (!isccc_alist_alistp(_auth)) + return (ISC_R_FAILURE); + if (algorithm == ISCCC_ALG_HMACMD5) + hmac = isccc_alist_lookup(_auth, "hmd5"); + else + hmac = isccc_alist_lookup(_auth, "hsha"); +- if (hmac == NULL) ++ if (!isccc_sexpr_binaryp(hmac)) + return (ISC_R_FAILURE); + /* + * Compute digest. +@@ -728,7 +728,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok, + REQUIRE(ackp != NULL && *ackp == NULL); + + _ctrl = isccc_alist_lookup(message, "_ctrl"); +- if (_ctrl == NULL || ++ if (!isccc_alist_alistp(_ctrl) || + isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || + isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS) + return (ISC_R_FAILURE); +@@ -773,7 +773,7 @@ isccc_cc_isack(isccc_sexpr_t *message) + isccc_sexpr_t *_ctrl; + + _ctrl = isccc_alist_lookup(message, "_ctrl"); +- if (_ctrl == NULL) ++ if (!isccc_alist_alistp(_ctrl)) + return (ISC_FALSE); + if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS) + return (ISC_TRUE); +@@ -786,7 +786,7 @@ isccc_cc_isreply(isccc_sexpr_t *message) + isccc_sexpr_t *_ctrl; + + _ctrl = isccc_alist_lookup(message, "_ctrl"); +- if (_ctrl == NULL) ++ if (!isccc_alist_alistp(_ctrl)) + return (ISC_FALSE); + if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS) + return (ISC_TRUE); +@@ -806,7 +806,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now, + + _ctrl = isccc_alist_lookup(message, "_ctrl"); + _data = isccc_alist_lookup(message, "_data"); +- if (_ctrl == NULL || _data == NULL || ++ if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) || + isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || + isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS) + return (ISC_R_FAILURE); +@@ -995,7 +995,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message, + isccc_sexpr_t *_ctrl; + + _ctrl = isccc_alist_lookup(message, "_ctrl"); +- if (_ctrl == NULL || ++ if (!isccc_alist_alistp(_ctrl) || + isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS || + isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS) + return (ISC_R_FAILURE); +-- +1.9.1 + diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch new file mode 100644 index 000000000..ae5cc48d9 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch @@ -0,0 +1,79 @@ +From a3d327bf1ceaaeabb20223d8de85166e940b9f12 Mon Sep 17 00:00:00 2001 +From: Mukund Sivaraman <muks@isc.org> +Date: Mon, 22 Feb 2016 12:22:43 +0530 +Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling + (CVE-2016-1286) (#41753) + +(cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673) + +CVE: CVE-2016-1286 +Upstream-Status: Backport + +[Removed doc/arm/notes.xml changes from upstream patch.] + +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> +--- +diff -ruN a/CHANGES b/CHANGES +--- a/CHANGES 2016-04-13 07:28:44.940873629 +0200 ++++ b/CHANGES 2016-04-13 07:38:38.923167851 +0200 +@@ -1,3 +1,7 @@ ++4319. [security] Fix resolver assertion failure due to improper ++ DNAME handling when parsing fetch reply messages. ++ (CVE-2016-1286) [RT #41753] ++ + 4318. [security] Malformed control messages can trigger assertions + in named and rndc. (CVE-2016-1285) [RT #41666] + +diff -ruN a/lib/dns/resolver.c b/lib/dns/resolver.c +--- a/lib/dns/resolver.c 2016-04-13 07:28:43.088953790 +0200 ++++ b/lib/dns/resolver.c 2016-04-13 07:38:20.411968925 +0200 +@@ -6967,21 +6967,26 @@ + isc_boolean_t found_dname = ISC_FALSE; + dns_name_t *dname_name; + ++ /* ++ * Only pass DNAME or RRSIG(DNAME). ++ */ ++ if (rdataset->type != dns_rdatatype_dname && ++ (rdataset->type != dns_rdatatype_rrsig || ++ rdataset->covers != dns_rdatatype_dname)) ++ continue; ++ ++ /* ++ * If we're not chaining, then the DNAME and ++ * its signature should not be external. ++ */ ++ if (!chaining && external) { ++ log_formerr(fctx, "external DNAME"); ++ return (DNS_R_FORMERR); ++ } ++ + found = ISC_FALSE; + aflag = 0; + if (rdataset->type == dns_rdatatype_dname) { +- /* +- * We're looking for something else, +- * but we found a DNAME. +- * +- * If we're not chaining, then the +- * DNAME should not be external. +- */ +- if (!chaining && external) { +- log_formerr(fctx, +- "external DNAME"); +- return (DNS_R_FORMERR); +- } + found = ISC_TRUE; + want_chaining = ISC_TRUE; + POST(want_chaining); +@@ -7010,9 +7015,7 @@ + &fctx->domain)) { + return (DNS_R_SERVFAIL); + } +- } else if (rdataset->type == dns_rdatatype_rrsig +- && rdataset->covers == +- dns_rdatatype_dname) { ++ } else { + /* + * We've found a signature that + * covers the DNAME. diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch new file mode 100644 index 000000000..a31ea81f8 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch @@ -0,0 +1,314 @@ +From 7602be276a73a6eb5431c5acd9718e68a55e8b61 Mon Sep 17 00:00:00 2001 +From: Mark Andrews <marka@isc.org> +Date: Mon, 29 Feb 2016 07:16:48 +1100 +Subject: [PATCH] Part 2 of: 4319. [security] Fix resolver assertion + failure due to improper DNAME handling when parsing + fetch reply messages. (CVE-2016-1286) [RT #41753] + +(cherry picked from commit 2de89ee9de8c8da9dc153a754b02dcdbb7fe2374) +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> +--- + lib/dns/resolver.c | 192 ++++++++++++++++++++++++++--------------------------- + 1 file changed, 93 insertions(+), 99 deletions(-) + +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 70aba87..41e9df4 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -6074,14 +6074,11 @@ cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) { + } + + static inline isc_result_t +-dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname, +- dns_name_t *oname, dns_fixedname_t *fixeddname) ++dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, ++ unsigned int nlabels, dns_fixedname_t *fixeddname) + { + isc_result_t result; + dns_rdata_t rdata = DNS_RDATA_INIT; +- unsigned int nlabels; +- int order; +- dns_namereln_t namereln; + dns_rdata_dname_t dname; + dns_fixedname_t prefix; + +@@ -6096,21 +6093,6 @@ dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname, + if (result != ISC_R_SUCCESS) + return (result); + +- /* +- * Get the prefix of qname. +- */ +- namereln = dns_name_fullcompare(qname, oname, &order, &nlabels); +- if (namereln != dns_namereln_subdomain) { +- char qbuf[DNS_NAME_FORMATSIZE]; +- char obuf[DNS_NAME_FORMATSIZE]; +- +- dns_rdata_freestruct(&dname); +- dns_name_format(qname, qbuf, sizeof(qbuf)); +- dns_name_format(oname, obuf, sizeof(obuf)); +- log_formerr(fctx, "unrelated DNAME in answer: " +- "%s is not in %s", qbuf, obuf); +- return (DNS_R_FORMERR); +- } + dns_fixedname_init(&prefix); + dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL); + dns_fixedname_init(fixeddname); +@@ -6736,13 +6718,13 @@ static isc_result_t + answer_response(fetchctx_t *fctx) { + isc_result_t result; + dns_message_t *message; +- dns_name_t *name, *qname, tname, *ns_name; ++ dns_name_t *name, *dname, *qname, tname, *ns_name; + dns_rdataset_t *rdataset, *ns_rdataset; + isc_boolean_t done, external, chaining, aa, found, want_chaining; + isc_boolean_t have_answer, found_cname, found_type, wanted_chaining; + unsigned int aflag; + dns_rdatatype_t type; +- dns_fixedname_t dname, fqname; ++ dns_fixedname_t fdname, fqname; + dns_view_t *view; + + FCTXTRACE("answer_response"); +@@ -6770,10 +6752,15 @@ answer_response(fetchctx_t *fctx) { + view = fctx->res->view; + result = dns_message_firstname(message, DNS_SECTION_ANSWER); + while (!done && result == ISC_R_SUCCESS) { ++ dns_namereln_t namereln; ++ int order; ++ unsigned int nlabels; ++ + name = NULL; + dns_message_currentname(message, DNS_SECTION_ANSWER, &name); + external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); +- if (dns_name_equal(name, qname)) { ++ namereln = dns_name_fullcompare(qname, name, &order, &nlabels); ++ if (namereln == dns_namereln_equal) { + wanted_chaining = ISC_FALSE; + for (rdataset = ISC_LIST_HEAD(name->list); + rdataset != NULL; +@@ -6898,10 +6885,11 @@ answer_response(fetchctx_t *fctx) { + */ + INSIST(!external); + if (aflag == +- DNS_RDATASETATTR_ANSWER) ++ DNS_RDATASETATTR_ANSWER) { + have_answer = ISC_TRUE; +- name->attributes |= +- DNS_NAMEATTR_ANSWER; ++ name->attributes |= ++ DNS_NAMEATTR_ANSWER; ++ } + rdataset->attributes |= aflag; + if (aa) + rdataset->trust = +@@ -6956,6 +6944,8 @@ answer_response(fetchctx_t *fctx) { + if (wanted_chaining) + chaining = ISC_TRUE; + } else { ++ dns_rdataset_t *dnameset = NULL; ++ + /* + * Look for a DNAME (or its SIG). Anything else is + * ignored. +@@ -6963,10 +6953,8 @@ answer_response(fetchctx_t *fctx) { + wanted_chaining = ISC_FALSE; + for (rdataset = ISC_LIST_HEAD(name->list); + rdataset != NULL; +- rdataset = ISC_LIST_NEXT(rdataset, link)) { +- isc_boolean_t found_dname = ISC_FALSE; +- dns_name_t *dname_name; +- ++ rdataset = ISC_LIST_NEXT(rdataset, link)) ++ { + /* + * Only pass DNAME or RRSIG(DNAME). + */ +@@ -6980,20 +6968,41 @@ answer_response(fetchctx_t *fctx) { + * its signature should not be external. + */ + if (!chaining && external) { +- log_formerr(fctx, "external DNAME"); ++ char qbuf[DNS_NAME_FORMATSIZE]; ++ char obuf[DNS_NAME_FORMATSIZE]; ++ ++ dns_name_format(name, qbuf, ++ sizeof(qbuf)); ++ dns_name_format(&fctx->domain, obuf, ++ sizeof(obuf)); ++ log_formerr(fctx, "external DNAME or " ++ "RRSIG covering DNAME " ++ "in answer: %s is " ++ "not in %s", qbuf, obuf); ++ return (DNS_R_FORMERR); ++ } ++ ++ if (namereln != dns_namereln_subdomain) { ++ char qbuf[DNS_NAME_FORMATSIZE]; ++ char obuf[DNS_NAME_FORMATSIZE]; ++ ++ dns_name_format(qname, qbuf, ++ sizeof(qbuf)); ++ dns_name_format(name, obuf, ++ sizeof(obuf)); ++ log_formerr(fctx, "unrelated DNAME " ++ "in answer: %s is " ++ "not in %s", qbuf, obuf); + return (DNS_R_FORMERR); + } + +- found = ISC_FALSE; + aflag = 0; + if (rdataset->type == dns_rdatatype_dname) { +- found = ISC_TRUE; + want_chaining = ISC_TRUE; + POST(want_chaining); + aflag = DNS_RDATASETATTR_ANSWER; +- result = dname_target(fctx, rdataset, +- qname, name, +- &dname); ++ result = dname_target(rdataset, qname, ++ nlabels, &fdname); + if (result == ISC_R_NOSPACE) { + /* + * We can't construct the +@@ -7005,14 +7014,12 @@ answer_response(fetchctx_t *fctx) { + } else if (result != ISC_R_SUCCESS) + return (result); + else +- found_dname = ISC_TRUE; ++ dnameset = rdataset; + +- dname_name = dns_fixedname_name(&dname); ++ dname = dns_fixedname_name(&fdname); + if (!is_answertarget_allowed(view, +- qname, +- rdataset->type, +- dname_name, +- &fctx->domain)) { ++ qname, rdataset->type, ++ dname, &fctx->domain)) { + return (DNS_R_SERVFAIL); + } + } else { +@@ -7020,73 +7027,60 @@ answer_response(fetchctx_t *fctx) { + * We've found a signature that + * covers the DNAME. + */ +- found = ISC_TRUE; + aflag = DNS_RDATASETATTR_ANSWERSIG; + } + +- if (found) { ++ /* ++ * We've found an answer to our ++ * question. ++ */ ++ name->attributes |= DNS_NAMEATTR_CACHE; ++ rdataset->attributes |= DNS_RDATASETATTR_CACHE; ++ rdataset->trust = dns_trust_answer; ++ if (!chaining) { + /* +- * We've found an answer to our +- * question. ++ * This data is "the" answer to ++ * our question only if we're ++ * not chaining. + */ +- name->attributes |= +- DNS_NAMEATTR_CACHE; +- rdataset->attributes |= +- DNS_RDATASETATTR_CACHE; +- rdataset->trust = dns_trust_answer; +- if (!chaining) { +- /* +- * This data is "the" answer +- * to our question only if +- * we're not chaining. +- */ +- INSIST(!external); +- if (aflag == +- DNS_RDATASETATTR_ANSWER) +- have_answer = ISC_TRUE; ++ INSIST(!external); ++ if (aflag == DNS_RDATASETATTR_ANSWER) { ++ have_answer = ISC_TRUE; + name->attributes |= + DNS_NAMEATTR_ANSWER; +- rdataset->attributes |= aflag; +- if (aa) +- rdataset->trust = +- dns_trust_authanswer; +- } else if (external) { +- rdataset->attributes |= +- DNS_RDATASETATTR_EXTERNAL; +- } +- +- /* +- * DNAME chaining. +- */ +- if (found_dname) { +- /* +- * Copy the dname into the +- * qname fixed name. +- * +- * Although we check for +- * failure of the copy +- * operation, in practice it +- * should never fail since +- * we already know that the +- * result fits in a fixedname. +- */ +- dns_fixedname_init(&fqname); +- result = dns_name_copy( +- dns_fixedname_name(&dname), +- dns_fixedname_name(&fqname), +- NULL); +- if (result != ISC_R_SUCCESS) +- return (result); +- wanted_chaining = ISC_TRUE; +- name->attributes |= +- DNS_NAMEATTR_CHAINING; +- rdataset->attributes |= +- DNS_RDATASETATTR_CHAINING; +- qname = dns_fixedname_name( +- &fqname); + } ++ rdataset->attributes |= aflag; ++ if (aa) ++ rdataset->trust = ++ dns_trust_authanswer; ++ } else if (external) { ++ rdataset->attributes |= ++ DNS_RDATASETATTR_EXTERNAL; + } + } ++ ++ /* ++ * DNAME chaining. ++ */ ++ if (dnameset != NULL) { ++ /* ++ * Copy the dname into the qname fixed name. ++ * ++ * Although we check for failure of the copy ++ * operation, in practice it should never fail ++ * since we already know that the result fits ++ * in a fixedname. ++ */ ++ dns_fixedname_init(&fqname); ++ qname = dns_fixedname_name(&fqname); ++ result = dns_name_copy(dname, qname, NULL); ++ if (result != ISC_R_SUCCESS) ++ return (result); ++ wanted_chaining = ISC_TRUE; ++ name->attributes |= DNS_NAMEATTR_CHAINING; ++ dnameset->attributes |= ++ DNS_RDATASETATTR_CHAINING; ++ } + if (wanted_chaining) + chaining = ISC_TRUE; + } +-- +1.9.1 + diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch new file mode 100644 index 000000000..1b84d46b7 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch @@ -0,0 +1,247 @@ +CVE-2016-2088 + +Backport commit d7ff9a1c41bf0ba9773cb3adb08b48b9fd57c956 from the +v9_10_3_patch branch. + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2088 +https://kb.isc.org/article/AA-01351 + +CVE: CVE-2016-2088 +Upstream-Status: Backport +Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> + + +Original commit message from Mark Andrews <marka@isc.org> below: + +4322. [security] Duplicate EDNS COOKIE options in a response could + trigger an assertion failure. (CVE-2016-2088) + [RT #41809] + +(cherry picked from commit 455c0848f80a8acda27aad1466c72987cafaa029) +(cherry picked from commit 7cd300abd6ee8b8ee8730593daf742ba53f90bc3) +--- + CHANGES | 4 ++++ + bin/dig/dighost.c | 9 +++++++++ + bin/named/client.c | 33 +++++++++++++++++++++++---------- + doc/arm/notes.xml | 7 +++++++ + lib/dns/resolver.c | 14 +++++++++++++- + 5 files changed, 56 insertions(+), 11 deletions(-) + +diff --git a/CHANGES b/CHANGES +index c5b5d2b..d2e3360 100644 +--- a/CHANGES ++++ b/CHANGES +@@ -1,3 +1,7 @@ ++4322. [security] Duplicate EDNS COOKIE options in a response could ++ trigger an assertion failure. (CVE-2016-2088) ++ [RT #41809] ++ + 4319. [security] Fix resolver assertion failure due to improper + DNAME handling when parsing fetch reply messages. + (CVE-2016-1286) [RT #41753] +diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c +index ca82f8e..340904f 100644 +--- a/bin/dig/dighost.c ++++ b/bin/dig/dighost.c +@@ -3458,6 +3458,7 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) { + isc_buffer_t optbuf; + isc_uint16_t optcode, optlen; + dns_rdataset_t *opt = msg->opt; ++ isc_boolean_t seen_cookie = ISC_FALSE; + + result = dns_rdataset_first(opt); + if (result == ISC_R_SUCCESS) { +@@ -3470,7 +3471,15 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) { + optlen = isc_buffer_getuint16(&optbuf); + switch (optcode) { + case DNS_OPT_COOKIE: ++ /* ++ * Only process the first cookie option. ++ */ ++ if (seen_cookie) { ++ isc_buffer_forward(&optbuf, optlen); ++ break; ++ } + process_sit(l, msg, &optbuf, optlen); ++ seen_cookie = ISC_TRUE; + break; + default: + isc_buffer_forward(&optbuf, optlen); +diff --git a/bin/named/client.c b/bin/named/client.c +index 683305c..0d7331a 100644 +--- a/bin/named/client.c ++++ b/bin/named/client.c +@@ -120,7 +120,10 @@ + */ + #endif + +-#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */ ++#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */ ++ ++#define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0) ++#define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0) + + /*% nameserver client manager structure */ + struct ns_clientmgr { +@@ -1395,7 +1398,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, + { + char nsid[BUFSIZ], *nsidp; + #ifdef ISC_PLATFORM_USESIT +- unsigned char sit[SIT_SIZE]; ++ unsigned char sit[COOKIE_SIZE]; + #endif + isc_result_t result; + dns_view_t *view; +@@ -1420,7 +1423,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, + flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE; + + /* Set EDNS options if applicable */ +- if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 && ++ if (WANTNSID(client) && + (ns_g_server->server_id != NULL || + ns_g_server->server_usehostname)) { + if (ns_g_server->server_usehostname) { +@@ -1453,7 +1456,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, + + INSIST(count < DNS_EDNSOPTIONS); + ednsopts[count].code = DNS_OPT_COOKIE; +- ednsopts[count].length = SIT_SIZE; ++ ednsopts[count].length = COOKIE_SIZE; + ednsopts[count].value = sit; + count++; + } +@@ -1661,19 +1664,26 @@ compute_sit(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce, + + static void + process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { +- unsigned char dbuf[SIT_SIZE]; ++ unsigned char dbuf[COOKIE_SIZE]; + unsigned char *old; + isc_stdtime_t now; + isc_uint32_t when; + isc_uint32_t nonce; + isc_buffer_t db; + ++ /* ++ * If we have already seen a ECS option skip this ECS option. ++ */ ++ if ((client->attributes & NS_CLIENTATTR_WANTSIT) != 0) { ++ isc_buffer_forward(buf, optlen); ++ return; ++ } + client->attributes |= NS_CLIENTATTR_WANTSIT; + + isc_stats_increment(ns_g_server->nsstats, + dns_nsstatscounter_sitopt); + +- if (optlen != SIT_SIZE) { ++ if (optlen != COOKIE_SIZE) { + /* + * Not our token. + */ +@@ -1717,14 +1727,13 @@ process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { + isc_buffer_init(&db, dbuf, sizeof(dbuf)); + compute_sit(client, when, nonce, &db); + +- if (!isc_safe_memequal(old, dbuf, SIT_SIZE)) { ++ if (!isc_safe_memequal(old, dbuf, COOKIE_SIZE)) { + isc_stats_increment(ns_g_server->nsstats, + dns_nsstatscounter_sitnomatch); + return; + } + isc_stats_increment(ns_g_server->nsstats, + dns_nsstatscounter_sitmatch); +- + client->attributes |= NS_CLIENTATTR_HAVESIT; + } + #endif +@@ -1783,7 +1792,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) { + optlen = isc_buffer_getuint16(&optbuf); + switch (optcode) { + case DNS_OPT_NSID: +- isc_stats_increment(ns_g_server->nsstats, ++ if (!WANTNSID(client)) ++ isc_stats_increment( ++ ns_g_server->nsstats, + dns_nsstatscounter_nsidopt); + client->attributes |= NS_CLIENTATTR_WANTNSID; + isc_buffer_forward(&optbuf, optlen); +@@ -1794,7 +1805,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) { + break; + #endif + case DNS_OPT_EXPIRE: +- isc_stats_increment(ns_g_server->nsstats, ++ if (!WANTEXPIRE(client)) ++ isc_stats_increment( ++ ns_g_server->nsstats, + dns_nsstatscounter_expireopt); + client->attributes |= NS_CLIENTATTR_WANTEXPIRE; + isc_buffer_forward(&optbuf, optlen); +diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml +index ebf4f55..095eb5b 100644 +--- a/doc/arm/notes.xml ++++ b/doc/arm/notes.xml +@@ -51,6 +51,13 @@ + <title>Security Fixes</title> + <itemizedlist> + <listitem> ++ <para> ++ Duplicate EDNS COOKIE options in a response could trigger ++ an assertion failure. This flaw is disclosed in CVE-2016-2088. ++ [RT #41809] ++ </para> ++ </listitem> ++ <listitem> + <para> + Specific APL data could trigger an INSIST. This flaw + was discovered by Brian Mitchell and is disclosed in +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index a797e3f..ba1ae23 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -7502,7 +7502,9 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) { + unsigned char *sit; + dns_adbaddrinfo_t *addrinfo; + unsigned char cookie[8]; ++ isc_boolean_t seen_cookie = ISC_FALSE; + #endif ++ isc_boolean_t seen_nsid = ISC_FALSE; + + result = dns_rdataset_first(opt); + if (result == ISC_R_SUCCESS) { +@@ -7516,14 +7518,23 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) { + INSIST(optlen <= isc_buffer_remaininglength(&optbuf)); + switch (optcode) { + case DNS_OPT_NSID: +- if (query->options & DNS_FETCHOPT_WANTNSID) ++ if (!seen_nsid && ++ query->options & DNS_FETCHOPT_WANTNSID) + log_nsid(&optbuf, optlen, query, + ISC_LOG_DEBUG(3), + query->fctx->res->mctx); + isc_buffer_forward(&optbuf, optlen); ++ seen_nsid = ISC_TRUE; + break; + #ifdef ISC_PLATFORM_USESIT + case DNS_OPT_COOKIE: ++ /* ++ * Only process the first cookie option. ++ */ ++ if (seen_cookie) { ++ isc_buffer_forward(&optbuf, optlen); ++ break; ++ } + sit = isc_buffer_current(&optbuf); + compute_cc(query, cookie, sizeof(cookie)); + INSIST(query->fctx->rmessage->sitbad == 0 && +@@ -7541,6 +7552,7 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) { + isc_buffer_forward(&optbuf, optlen); + inc_stats(query->fctx->res, + dns_resstatscounter_sitin); ++ seen_cookie = ISC_TRUE; + break; + #endif + default: +-- +2.1.4 + diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch new file mode 100644 index 000000000..096d5d84f --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch @@ -0,0 +1,44 @@ +From 9b40619ff6fddfef2758ba797789f8487f412df3 Mon Sep 17 00:00:00 2001 +From: Robert Yang <liezhi.yang@windriver.com> +Date: Mon, 16 Feb 2015 00:50:01 -0800 +Subject: [PATCH] confgen: don't build unix.o twice + +Fixed: +unix/os.o: file not recognized: File truncated +collect2: error: ld returned 1 exit status + +This is because os.o was built twice: +* The implicity rule (depends on unix/os.o) +* The "make all" in unix subdir (depends on unix/os.o) + +Depend on subdirs which is unix only rather than unix/os.o will fix the +problem. + +Upstream-Status: Pending + +Signed-off-by: Robert Yang <liezhi.yang@windriver.com> +--- + bin/confgen/Makefile.in | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in +index 8b3e5aa..4868a24 100644 +--- a/bin/confgen/Makefile.in ++++ b/bin/confgen/Makefile.in +@@ -74,11 +74,11 @@ rndc-confgen.@O@: rndc-confgen.c + ddns-confgen.@O@: ddns-confgen.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c + +-rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} ++rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS} $(SUBDIRS) + export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \ + ${FINALBUILDCMD} + +-ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} ++ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS} $(SUBDIRS) + export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \ + ${FINALBUILDCMD} + +-- +1.7.9.5 + diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch new file mode 100644 index 000000000..13df3bb0e --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch @@ -0,0 +1,49 @@ +From 9473d29843579802e96b0293a3e953fed93de82c Mon Sep 17 00:00:00 2001 +From: Paul Gortmaker <paul.gortmaker@windriver.com> +Date: Tue, 9 Jun 2015 11:22:00 -0400 +Subject: [PATCH] bind: ensure searching for json headers searches sysroot + +Bind can fail configure by detecting headers w/o libs[1], or +it can fail the host contamination check as per below: + +ERROR: This autoconf log indicates errors, it looked at host include and/or library paths while determining system capabilities. +Rerun configure task after fixing this. The path was 'build/tmp/work/core2-64-poky-linux/bind/9.10.2-r1/build' +ERROR: Function failed: do_qa_configure +ERROR: Logfile of failure stored in: build/tmp/work/core2-64-poky-linux/bind/9.10.2-r1/temp/log.do_configure.5242 +ERROR: Task 5 (meta/recipes-connectivity/bind/bind_9.10.2.bb, do_configure) failed with exit code '1' +NOTE: Tasks Summary: Attempted 773 tasks of which 768 didn't need to be rerun and 1 failed. +No currently running tasks (773 of 781) + +Summary: 1 task failed: + /meta/recipes-connectivity/bind/bind_9.10.2.bb, do_configure + +One way to fix it would be to unconditionally disable json in bind +configure[2] but here we fix it by using the path to where we would +put the header if we had json in the sysroot, in case someone wants +to make use of the combination some day. + +[1] https://trac.macports.org/ticket/45305 +[2] https://trac.macports.org/changeset/126406 + +Upstream-Status: Inappropriate [OE Specific] +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + configure.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.in b/configure.in +index c9ef3a601343..17a1f613e9ac 100644 +--- a/configure.in ++++ b/configure.in +@@ -2139,7 +2139,7 @@ case "$use_libjson" in + libjson_libs="" + ;; + auto|yes) +- for d in /usr /usr/local /opt/local ++ for d in "${STAGING_INCDIR}" + do + if test -f "${d}/include/json/json.h" + then +-- +2.4.2 + diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/bind9 b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/bind9 new file mode 100644 index 000000000..968679ff7 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/bind9 @@ -0,0 +1,2 @@ +# startup options for the server +OPTIONS="-u bind" diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/conf.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/conf.patch new file mode 100644 index 000000000..aad345f9f --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/conf.patch @@ -0,0 +1,330 @@ +Upstream-Status: Inappropriate [configuration] + +the patch is imported from openembedded project + +11/30/2010 - Qing He <qing.he@intel.com> + +diff -urN bind-9.3.1.orig/conf/db.0 bind-9.3.1/conf/db.0 +--- bind-9.3.1.orig/conf/db.0 1970-01-01 01:00:00.000000000 +0100 ++++ bind-9.3.1/conf/db.0 2005-07-10 22:14:00.000000000 +0200 +@@ -0,0 +1,12 @@ ++; ++; BIND reverse data file for broadcast zone ++; ++$TTL 604800 ++@ IN SOA localhost. root.localhost. ( ++ 1 ; Serial ++ 604800 ; Refresh ++ 86400 ; Retry ++ 2419200 ; Expire ++ 604800 ) ; Negative Cache TTL ++; ++@ IN NS localhost. +diff -urN bind-9.3.1.orig/conf/db.127 bind-9.3.1/conf/db.127 +--- bind-9.3.1.orig/conf/db.127 1970-01-01 01:00:00.000000000 +0100 ++++ bind-9.3.1/conf/db.127 2005-07-10 22:14:00.000000000 +0200 +@@ -0,0 +1,13 @@ ++; ++; BIND reverse data file for local loopback interface ++; ++$TTL 604800 ++@ IN SOA localhost. root.localhost. ( ++ 1 ; Serial ++ 604800 ; Refresh ++ 86400 ; Retry ++ 2419200 ; Expire ++ 604800 ) ; Negative Cache TTL ++; ++@ IN NS localhost. ++1.0.0 IN PTR localhost. +diff -urN bind-9.3.1.orig/conf/db.empty bind-9.3.1/conf/db.empty +--- bind-9.3.1.orig/conf/db.empty 1970-01-01 01:00:00.000000000 +0100 ++++ bind-9.3.1/conf/db.empty 2005-07-10 22:14:00.000000000 +0200 +@@ -0,0 +1,14 @@ ++; BIND reverse data file for empty rfc1918 zone ++; ++; DO NOT EDIT THIS FILE - it is used for multiple zones. ++; Instead, copy it, edit named.conf, and use that copy. ++; ++$TTL 86400 ++@ IN SOA localhost. root.localhost. ( ++ 1 ; Serial ++ 604800 ; Refresh ++ 86400 ; Retry ++ 2419200 ; Expire ++ 86400 ) ; Negative Cache TTL ++; ++@ IN NS localhost. +diff -urN bind-9.3.1.orig/conf/db.255 bind-9.3.1/conf/db.255 +--- bind-9.3.1.orig/conf/db.255 1970-01-01 01:00:00.000000000 +0100 ++++ bind-9.3.1/conf/db.255 2005-07-10 22:14:00.000000000 +0200 +@@ -0,0 +1,12 @@ ++; ++; BIND reserve data file for broadcast zone ++; ++$TTL 604800 ++@ IN SOA localhost. root.localhost. ( ++ 1 ; Serial ++ 604800 ; Refresh ++ 86400 ; Retry ++ 2419200 ; Expire ++ 604800 ) ; Negative Cache TTL ++; ++@ IN NS localhost. +diff -urN bind-9.3.1.orig/conf/db.local bind-9.3.1/conf/db.local +--- bind-9.3.1.orig/conf/db.local 1970-01-01 01:00:00.000000000 +0100 ++++ bind-9.3.1/conf/db.local 2005-07-10 22:14:00.000000000 +0200 +@@ -0,0 +1,13 @@ ++; ++; BIND data file for local loopback interface ++; ++$TTL 604800 ++@ IN SOA localhost. root.localhost. ( ++ 1 ; Serial ++ 604800 ; Refresh ++ 86400 ; Retry ++ 2419200 ; Expire ++ 604800 ) ; Negative Cache TTL ++; ++@ IN NS localhost. ++@ IN A 127.0.0.1 +diff -urN bind-9.3.1.orig/conf/db.root bind-9.3.1/conf/db.root +--- bind-9.3.1.orig/conf/db.root 1970-01-01 01:00:00.000000000 +0100 ++++ bind-9.3.1/conf/db.root 2005-07-10 22:14:00.000000000 +0200 +@@ -0,0 +1,45 @@ ++ ++; <<>> DiG 9.2.3 <<>> ns . @a.root-servers.net. ++;; global options: printcmd ++;; Got answer: ++;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18944 ++;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13 ++ ++;; QUESTION SECTION: ++;. IN NS ++ ++;; ANSWER SECTION: ++. 518400 IN NS A.ROOT-SERVERS.NET. ++. 518400 IN NS B.ROOT-SERVERS.NET. ++. 518400 IN NS C.ROOT-SERVERS.NET. ++. 518400 IN NS D.ROOT-SERVERS.NET. ++. 518400 IN NS E.ROOT-SERVERS.NET. ++. 518400 IN NS F.ROOT-SERVERS.NET. ++. 518400 IN NS G.ROOT-SERVERS.NET. ++. 518400 IN NS H.ROOT-SERVERS.NET. ++. 518400 IN NS I.ROOT-SERVERS.NET. ++. 518400 IN NS J.ROOT-SERVERS.NET. ++. 518400 IN NS K.ROOT-SERVERS.NET. ++. 518400 IN NS L.ROOT-SERVERS.NET. ++. 518400 IN NS M.ROOT-SERVERS.NET. ++ ++;; ADDITIONAL SECTION: ++A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4 ++B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201 ++C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12 ++D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90 ++E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10 ++F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241 ++G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4 ++H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53 ++I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17 ++J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30 ++K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129 ++L.ROOT-SERVERS.NET. 3600000 IN A 198.32.64.12 ++M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33 ++ ++;; Query time: 81 msec ++;; SERVER: 198.41.0.4#53(a.root-servers.net.) ++;; WHEN: Sun Feb 1 11:27:14 2004 ++;; MSG SIZE rcvd: 436 ++ +diff -urN bind-9.3.1.orig/conf/named.conf bind-9.3.1/conf/named.conf +--- bind-9.3.1.orig/conf/named.conf 1970-01-01 01:00:00.000000000 +0100 ++++ bind-9.3.1/conf/named.conf 2005-07-10 22:33:46.000000000 +0200 +@@ -0,0 +1,49 @@ ++// This is the primary configuration file for the BIND DNS server named. ++// ++// If you are just adding zones, please do that in /etc/bind/named.conf.local ++ ++include "/etc/bind/named.conf.options"; ++ ++// prime the server with knowledge of the root servers ++zone "." { ++ type hint; ++ file "/etc/bind/db.root"; ++}; ++ ++// be authoritative for the localhost forward and reverse zones, and for ++// broadcast zones as per RFC 1912 ++ ++zone "localhost" { ++ type master; ++ file "/etc/bind/db.local"; ++}; ++ ++zone "127.in-addr.arpa" { ++ type master; ++ file "/etc/bind/db.127"; ++}; ++ ++zone "0.in-addr.arpa" { ++ type master; ++ file "/etc/bind/db.0"; ++}; ++ ++zone "255.in-addr.arpa" { ++ type master; ++ file "/etc/bind/db.255"; ++}; ++ ++// zone "com" { type delegation-only; }; ++// zone "net" { type delegation-only; }; ++ ++// From the release notes: ++// Because many of our users are uncomfortable receiving undelegated answers ++// from root or top level domains, other than a few for whom that behaviour ++// has been trusted and expected for quite some length of time, we have now ++// introduced the "root-delegations-only" feature which applies delegation-only ++// logic to all top level domains, and to the root domain. An exception list ++// should be specified, including "MUSEUM" and "DE", and any other top level ++// domains from whom undelegated responses are expected and trusted. ++// root-delegation-only exclude { "DE"; "MUSEUM"; }; ++ ++include "/etc/bind/named.conf.local"; +diff -urN bind-9.3.1.orig/conf/named.conf.local bind-9.3.1/conf/named.conf.local +--- bind-9.3.1.orig/conf/named.conf.local 1970-01-01 01:00:00.000000000 +0100 ++++ bind-9.3.1/conf/named.conf.local 2005-07-10 22:14:06.000000000 +0200 +@@ -0,0 +1,8 @@ ++// ++// Do any local configuration here ++// ++ ++// Consider adding the 1918 zones here, if they are not used in your ++// organization ++//include "/etc/bind/zones.rfc1918"; ++ +diff -urN bind-9.3.1.orig/conf/named.conf.options bind-9.3.1/conf/named.conf.options +--- bind-9.3.1.orig/conf/named.conf.options 1970-01-01 01:00:00.000000000 +0100 ++++ bind-9.3.1/conf/named.conf.options 2005-07-10 22:14:06.000000000 +0200 +@@ -0,0 +1,24 @@ ++options { ++ directory "/var/cache/bind"; ++ ++ // If there is a firewall between you and nameservers you want ++ // to talk to, you might need to uncomment the query-source ++ // directive below. Previous versions of BIND always asked ++ // questions using port 53, but BIND 8.1 and later use an unprivileged ++ // port by default. ++ ++ // query-source address * port 53; ++ ++ // If your ISP provided one or more IP addresses for stable ++ // nameservers, you probably want to use them as forwarders. ++ // Uncomment the following block, and insert the addresses replacing ++ // the all-0's placeholder. ++ ++ // forwarders { ++ // 0.0.0.0; ++ // }; ++ ++ auth-nxdomain no; # conform to RFC1035 ++ ++}; ++ +diff -urN bind-9.3.1.orig/conf/zones.rfc1918 bind-9.3.1/conf/zones.rfc1918 +--- bind-9.3.1.orig/conf/zones.rfc1918 1970-01-01 01:00:00.000000000 +0100 ++++ bind-9.3.1/conf/zones.rfc1918 2005-07-10 22:14:10.000000000 +0200 +@@ -0,0 +1,20 @@ ++zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; ++ ++zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; ++zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; ++zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; ++zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; ++zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; ++zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; ++zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; ++zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; ++zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; ++zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; ++zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; ++zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; ++zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; ++zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; ++zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; ++zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; ++ ++zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +diff -urN bind-9.3.1.orig/init.d bind-9.3.1/init.d +--- bind-9.3.1.orig/init.d 1970-01-01 01:00:00.000000000 +0100 ++++ bind-9.3.1/init.d 2005-07-10 23:09:58.000000000 +0200 +@@ -0,0 +1,70 @@ ++#!/bin/sh ++ ++PATH=/sbin:/bin:/usr/sbin:/usr/bin ++ ++# for a chrooted server: "-u bind -t /var/lib/named" ++# Don't modify this line, change or create /etc/default/bind9. ++OPTIONS="" ++ ++test -f /etc/default/bind9 && . /etc/default/bind9 ++ ++test -x /usr/sbin/rndc || exit 0 ++ ++case "$1" in ++ start) ++ echo -n "Starting domain name service: named" ++ ++ modprobe capability >/dev/null 2>&1 || true ++ if [ ! -f /etc/bind/rndc.key ]; then ++ /usr/sbin/rndc-confgen -a -b 512 -r /dev/urandom ++ chmod 0640 /etc/bind/rndc.key ++ fi ++ if [ -f /var/run/named/named.pid ]; then ++ ps `cat /var/run/named/named.pid` > /dev/null && exit 1 ++ fi ++ ++ # dirs under /var/run can go away on reboots. ++ mkdir -p /var/run/named ++ mkdir -p /var/cache/bind ++ chmod 775 /var/run/named ++ chown root:bind /var/run/named >/dev/null 2>&1 || true ++ ++ if [ ! -x /usr/sbin/named ]; then ++ echo "named binary missing - not starting" ++ exit 1 ++ fi ++ if start-stop-daemon --start --quiet --exec /usr/sbin/named \ ++ --pidfile /var/run/named/named.pid -- $OPTIONS; then ++ if [ -x /sbin/resolvconf ] ; then ++ echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo ++ fi ++ fi ++ echo "." ++ ;; ++ ++ stop) ++ echo -n "Stopping domain name service: named" ++ if [ -x /sbin/resolvconf ]; then ++ /sbin/resolvconf -d lo ++ fi ++ /usr/sbin/rndc stop >/dev/null 2>&1 ++ echo "." ++ ;; ++ ++ reload) ++ /usr/sbin/rndc reload ++ ;; ++ ++ restart|force-reload) ++ $0 stop ++ sleep 2 ++ $0 start ++ ;; ++ ++ *) ++ echo "Usage: /etc/init.d/bind {start|stop|reload|restart|force-reload}" >&2 ++ exit 1 ++ ;; ++esac ++ ++exit 0 diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch new file mode 100644 index 000000000..6989d6d4b --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch @@ -0,0 +1,17 @@ +Upstream-Status: Pending + +Signed-off-by Saul Wold <sgw@linux.intel.com> + +Index: bind-9.9.5/bin/Makefile.in +=================================================================== +--- bind-9.9.5.orig/bin/Makefile.in ++++ bind-9.9.5/bin/Makefile.in +@@ -19,7 +19,7 @@ srcdir = @srcdir@ + VPATH = @srcdir@ + top_srcdir = @top_srcdir@ + +-SUBDIRS = named rndc dig delv dnssec tools tests nsupdate \ ++SUBDIRS = named rndc dig delv dnssec tools nsupdate \ + check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@ + TARGETS = + diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh new file mode 100644 index 000000000..db201270f --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +if [ ! -s /etc/bind/rndc.key ]; then + echo -n "Generating /etc/bind/rndc.key:" + /usr/sbin/rndc-confgen -a -b 512 -r /dev/urandom + chmod 0640 /etc/bind/rndc.key +fi diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch new file mode 100644 index 000000000..11db95ede --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch @@ -0,0 +1,65 @@ +Subject: init.d: add support for read-only rootfs + +Upstream-Status: Inappropriate [oe specific] + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + init.d | 40 ++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 40 insertions(+) + +diff --git a/init.d b/init.d +index 0111ed4..24677c8 100644 +--- a/init.d ++++ b/init.d +@@ -6,8 +6,48 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin + # Don't modify this line, change or create /etc/default/bind9. + OPTIONS="" + ++test -f /etc/default/rcS && . /etc/default/rcS + test -f /etc/default/bind9 && . /etc/default/bind9 + ++# This function is here because it's possible that /var and / are on different partitions. ++is_on_read_only_partition () { ++ DIRECTORY=$1 ++ dir=`readlink -f $DIRECTORY` ++ while true; do ++ if [ ! -d "$dir" ]; then ++ echo "ERROR: $dir is not a directory" ++ exit 1 ++ else ++ for flag in `awk -v dir=$dir '{ if ($2 == dir) { print "FOUND"; split($4,FLAGS,",") } }; \ ++ END { for (f in FLAGS) print FLAGS[f] }' < /proc/mounts`; do ++ [ "$flag" = "FOUND" ] && partition="read-write" ++ [ "$flag" = "ro" ] && { partition="read-only"; break; } ++ done ++ if [ "$dir" = "/" -o -n "$partition" ]; then ++ break ++ else ++ dir=`dirname $dir` ++ fi ++ fi ++ done ++ [ "$partition" = "read-only" ] && echo "yes" || echo "no" ++} ++ ++bind_mount () { ++ olddir=$1 ++ newdir=$2 ++ mkdir -p $olddir ++ cp -a $newdir/* $olddir ++ mount --bind $olddir $newdir ++} ++ ++# Deal with read-only rootfs ++if [ "$ROOTFS_READ_ONLY" = "yes" ]; then ++ [ "$VERBOSE" != "no" ] && echo "WARN: start bind service in read-only rootfs" ++ [ `is_on_read_only_partition /etc/bind` = "yes" ] && bind_mount /var/volatile/bind/etc /etc/bind ++ [ `is_on_read_only_partition /var/named` = "yes" ] && bind_mount /var/volatile/bind/named /var/named ++fi ++ + test -x /usr/sbin/rndc || exit 0 + + case "$1" in +-- +1.7.9.5 + diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch new file mode 100644 index 000000000..146f3e35d --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch @@ -0,0 +1,42 @@ +bind: make "/etc/init.d/bind stop" work + +Upstream-Status: Inappropriate [configuration] + +Add some configurations, make rndc command be able to controls +the named daemon. + +Signed-off-by: Roy Li <rongqing.li@windriver.com> +--- + conf/named.conf | 5 +++++ + conf/rndc.conf | 5 +++++ + 2 files changed, 10 insertions(+), 0 deletions(-) + create mode 100644 conf/rndc.conf + +diff --git a/conf/named.conf b/conf/named.conf +index 95829cf..c8899e7 100644 +--- a/conf/named.conf ++++ b/conf/named.conf +@@ -47,3 +47,8 @@ zone "255.in-addr.arpa" { + // root-delegation-only exclude { "DE"; "MUSEUM"; }; + + include "/etc/bind/named.conf.local"; ++include "/etc/bind/rndc.key" ; ++controls { ++ inet 127.0.0.1 allow { localhost; } ++ keys { rndc-key; }; ++}; +diff --git a/conf/rndc.conf b/conf/rndc.conf +new file mode 100644 +index 0000000..a0b481d +--- /dev/null ++++ b/conf/rndc.conf +@@ -0,0 +1,5 @@ ++include "/etc/bind/rndc.key"; ++options { ++ default-server localhost; ++ default-key rndc-key; ++}; + +-- +1.7.5.4 + diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff new file mode 100644 index 000000000..2930796b6 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff @@ -0,0 +1,104 @@ +bind: port a patch to fix a build failure + +mips1 does not support ll and sc instructions, and lead to below error, now +we port a patch from debian to fix it +[http://security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.8.4.dfsg.P1-6+nmu2+deb7u1.diff.gz] + +| {standard input}: Assembler messages: +| {standard input}:47: Error: Opcode not supported on this processor: mips1 (mips1) `ll $3,0($6)' +| {standard input}:50: Error: Opcode not supported on this processor: mips1 (mips1) `sc $3,0($6)' + +Upstream-Status: Pending + +Signed-off-by: Roy Li <rongqing.li@windriver.com> + +--- bind9-9.8.4.dfsg.P1.orig/lib/isc/mips/include/isc/atomic.h ++++ bind9-9.8.4.dfsg.P1/lib/isc/mips/include/isc/atomic.h +@@ -31,18 +31,20 @@ + isc_atomic_xadd(isc_int32_t *p, int val) { + isc_int32_t orig; + +- /* add is a cheat, since MIPS has no mov instruction */ +- __asm__ volatile ( +- "1:" +- "ll $3, %1\n" +- "add %0, $0, $3\n" +- "add $3, $3, %2\n" +- "sc $3, %1\n" +- "beq $3, 0, 1b" +- : "=&r"(orig) +- : "m"(*p), "r"(val) +- : "memory", "$3" +- ); ++ __asm__ __volatile__ ( ++ " .set push \n" ++ " .set mips2 \n" ++ " .set noreorder \n" ++ " .set noat \n" ++ "1: ll $1, %1 \n" ++ " addu %0, $1, %2 \n" ++ " sc %0, %1 \n" ++ " beqz %0, 1b \n" ++ " move %0, $1 \n" ++ " .set pop \n" ++ : "=&r" (orig), "+R" (*p) ++ : "r" (val) ++ : "memory"); + + return (orig); + } +@@ -52,16 +54,7 @@ + */ + static inline void + isc_atomic_store(isc_int32_t *p, isc_int32_t val) { +- __asm__ volatile ( +- "1:" +- "ll $3, %0\n" +- "add $3, $0, %1\n" +- "sc $3, %0\n" +- "beq $3, 0, 1b" +- : +- : "m"(*p), "r"(val) +- : "memory", "$3" +- ); ++ *p = val; + } + + /* +@@ -72,20 +65,23 @@ + static inline isc_int32_t + isc_atomic_cmpxchg(isc_int32_t *p, int cmpval, int val) { + isc_int32_t orig; ++ isc_int32_t tmp; + +- __asm__ volatile( +- "1:" +- "ll $3, %1\n" +- "add %0, $0, $3\n" +- "bne $3, %2, 2f\n" +- "add $3, $0, %3\n" +- "sc $3, %1\n" +- "beq $3, 0, 1b\n" +- "2:" +- : "=&r"(orig) +- : "m"(*p), "r"(cmpval), "r"(val) +- : "memory", "$3" +- ); ++ __asm__ __volatile__ ( ++ " .set push \n" ++ " .set mips2 \n" ++ " .set noreorder \n" ++ " .set noat \n" ++ "1: ll $1, %1 \n" ++ " bne $1, %3, 2f \n" ++ " move %2, %4 \n" ++ " sc %2, %1 \n" ++ " beqz %2, 1b \n" ++ "2: move %0, $1 \n" ++ " .set pop \n" ++ : "=&r"(orig), "+R" (*p), "=r" (tmp) ++ : "r"(cmpval), "r"(val) ++ : "memory"); + + return (orig); + } diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/named.service b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/named.service new file mode 100644 index 000000000..cda56ef01 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/named.service @@ -0,0 +1,22 @@ +[Unit] +Description=Berkeley Internet Name Domain (DNS) +Wants=nss-lookup.target +Before=nss-lookup.target +After=network.target + +[Service] +Type=forking +EnvironmentFile=-/etc/default/bind9 +PIDFile=/run/named/named.pid + +ExecStartPre=@SBINDIR@/generate-rndc-key.sh +ExecStart=@SBINDIR@/named $OPTIONS + +ExecReload=@BASE_BINDIR@/sh -c '@SBINDIR@/rndc reload > /dev/null 2>&1 || @BASE_BINDIR@/kill -HUP $MAINPID' + +ExecStop=@BASE_BINDIR@/sh -c '@SBINDIR@/rndc stop > /dev/null 2>&1 || @BASE_BINDIR@/kill -TERM $MAINPID' + +PrivateTmp=true + +[Install] +WantedBy=multi-user.target |
