upgrade from BIND 9.16.12 to 9.16.11 plus backported patch for

CVE-2020-8625. also add more recently committed "Rollback setting IP_DONTFRAG option on the UDP sockets" patch fixing https://gitlab.isc.org/isc-projects/bind9/-/issues/2466 https://gitlab.isc.org/isc-projects/bind9/-/issues/2487 re https://kb.isc.org/docs/operational-notification-enabling-new-bind-option-stale-answer-client-timeout-can-result-in-unexpected-server-termination https://kb.isc.org/docs/operational-notification-zone-journal-jnl-file-incompatibility-after-upgrading-to-bind-91612-and-917
2021-02-20 15:49:52 +00:00 · 2021-02-20 15:49:52 +00:00 · 7948330fd4
commit 7948330fd4
parent 64442dc460
6 changed files with 122 additions and 17 deletions
--- a/net/isc-bind/Makefile
+++ b/net/isc-bind/Makefile
@ -1,17 +1,26 @@
-# $OpenBSD: Makefile,v 1.130 2021/02/17 20:40:16 sthen Exp $
+# $OpenBSD: Makefile,v 1.131 2021/02/20 15:49:52 sthen Exp $

 COMMENT=	Berkeley Internet Name Daemon: DNS server and tools

 # Second digits: odd numbers devel, even numbers stable,
 # ESV branched occasionally.  9.16.x is ESV.
-V=		9.16.12
+V=		9.16.11
 PORTROACH=	limitw:1,even
 EXTRACT_SUFX=	.tar.xz
-EPOCH=		0
+EPOCH=		1

 DISTNAME=	bind-$V
 PKGNAME=	isc-bind-${V:S/-P/pl/}

+# in shared_libs.log but not installed: isc-nosymtbl, t_api
+SHARED_LIBS +=  isc                  9.0
+SHARED_LIBS +=  isccc                3.0
+SHARED_LIBS +=  dns                  10.2
+SHARED_LIBS +=  isccfg               4.2
+SHARED_LIBS +=  bind9                1.0
+SHARED_LIBS +=  irs                  3.0
+SHARED_LIBS +=	ns                   0.0
+
 CATEGORIES=	net

 HOMEPAGE=	https://www.isc.org/bind/
@ -93,6 +102,5 @@ post-install:
 	ln -fs $i ${PREFIX}/bin/e$i; ln -fs $i.1 ${PREFIX}/man/man1/e$i.1
 .endfor
 	${INSTALL_DATA} ${FILESDIR}/[a-z]* ${PREFIX}/share/examples/bind9/
-	rm ${PREFIX}/lib/lib{bind9,dns,irs,isc,isccc,isccfg,ns}.so

 .include <bsd.port.mk>
--- a/net/isc-bind/distinfo
+++ b/net/isc-bind/distinfo
@ -1,2 +1,2 @@
-SHA256 (bind-9.16.12.tar.xz) = mRSvkxH9NJyrRBCXiY2U+yjQv9m/btBP4fl/BCZE2n8=
-SIZE (bind-9.16.12.tar.xz) = 5017756
+SHA256 (bind-9.16.11.tar.xz) = ARH2TdfY9RXPoSnhgczpb/ggcNGyfxGiH2hWEQ0GmcE=
+SIZE (bind-9.16.11.tar.xz) = 5007520
--- a/net/isc-bind/patches/patch-bin_dig_dig_c
+++ b/net/isc-bind/patches/patch-bin_dig_dig_c
@ -1,4 +1,4 @@
-$OpenBSD: patch-bin_dig_dig_c,v 1.21 2021/02/17 20:40:16 sthen Exp $
+$OpenBSD: patch-bin_dig_dig_c,v 1.22 2021/02/20 15:49:52 sthen Exp $

 Index: bin/dig/dig.c
 --- bin/dig/dig.c.orig
@ -11,7 +11,7 @@ Index: bin/dig/dig.c
 
 #include <isc/app.h>
 #include <isc/netaddr.h>
-@@ -2639,6 +2640,15 @@ dig_setup(int argc, char **argv) {
+@@ -2635,6 +2636,15 @@ dig_setup(int argc, char **argv) {
 	ISC_LIST_INIT(server_list);
 	ISC_LIST_INIT(search_list);
 
@ -27,7 +27,7 @@ Index: bin/dig/dig.c
 	debug("dig_setup()");
 
 	/* setup dighost callbacks */
-@@ -2670,6 +2680,16 @@ dig_query_setup(bool is_batchfile, bool config_only, i
+@@ -2666,6 +2676,16 @@ dig_query_setup(bool is_batchfile, bool config_only, i
 	} else if (keysecret[0] != 0) {
 		setup_text_key();
 	}
--- a/net/isc-bind/patches/patch-lib_dns_spnego_c
+++ b/net/isc-bind/patches/patch-lib_dns_spnego_c
@ -0,0 +1,16 @@
+$OpenBSD: patch-lib_dns_spnego_c,v 1.1 2021/02/20 15:49:52 sthen Exp $
+
+https://downloads.isc.org/isc/bind9/9.16.12/patches/CVE-2020-8625.patch
+
+Index: lib/dns/spnego.c
+--- lib/dns/spnego.c.orig
+++ lib/dns/spnego.c
+@@ -848,7 +848,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *d
+ 		return (ASN1_OVERRUN);
+ 	}
+ 
+-	data->components = malloc(len * sizeof(*data->components));
+	data->components = malloc((len + 1) * sizeof(*data->components));
+ 	if (data->components == NULL) {
+ 		return (ENOMEM);
+ 	}
--- a/net/isc-bind/patches/patch-lib_isc_netmgr_netmgr_c
+++ b/net/isc-bind/patches/patch-lib_isc_netmgr_netmgr_c
@ -0,0 +1,81 @@
+$OpenBSD: patch-lib_isc_netmgr_netmgr_c,v 1.1 2021/02/20 15:49:52 sthen Exp $
+
+From 66eefac78c92b64b6689a1655cc677a2b1d13496 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Thu, 11 Feb 2021 08:37:52 +0100
+Subject: [PATCH 1/2] Rollback setting IP_DONTFRAG option on the UDP sockets
+
+In DNS Flag Day 2020, the development branch started setting the
+IP_DONTFRAG option on the UDP sockets.  It turned out, that this
+code was incomplete leading to dropping the outgoing UDP packets.
+Henceforth this commit rolls back this setting until we have a
+proper fix that would send back empty response with TC flag set.
+
+Index: lib/isc/netmgr/netmgr.c
+--- lib/isc/netmgr/netmgr.c.orig
+++ lib/isc/netmgr/netmgr.c
+@@ -2101,6 +2101,9 @@ isc__nm_closesocket(uv_os_sock_t sock) {
+ #define setsockopt_on(socket, level, name) \
+ 	setsockopt(socket, level, name, &(int){ 1 }, sizeof(int))
+ 
+#define setsockopt_off(socket, level, name) \
+	setsockopt(socket, level, name, &(int){ 1 }, sizeof(int))
+
+ isc_result_t
+ isc__nm_socket_freebind(uv_os_sock_t fd, sa_family_t sa_family) {
+ 	/*
+@@ -2226,32 +2229,48 @@ isc__nm_socket_dontfrag(uv_os_sock_t fd, sa_family_t s
+ 	 */
+ 	if (sa_family == AF_INET6) {
+ #if defined(IPV6_DONTFRAG)
+-		if (setsockopt_on(fd, IPPROTO_IPV6, IPV6_DONTFRAG) == -1) {
+		if (setsockopt_off(fd, IPPROTO_IPV6, IPV6_DONTFRAG) == -1) {
+ 			return (ISC_R_FAILURE);
+ 		} else {
+ 			return (ISC_R_SUCCESS);
+ 		}
+-#elif defined(IPV6_MTU_DISCOVER)
+#elif defined(IPV6_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
+ 		if (setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
+-			       &(int){ IP_PMTUDISC_DO }, sizeof(int)) == -1)
+			       &(int){ IP_PMTUDISC_OMIT }, sizeof(int)) == -1)
+ 		{
+ 			return (ISC_R_FAILURE);
+ 		} else {
+ 			return (ISC_R_SUCCESS);
+ 		}
+#elif defined(IPV6_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
+		if (setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
+			       &(int){ IP_PMTUDISC_DONT }, sizeof(int)) == -1)
+		{
+			return (ISC_R_FAILURE);
+		} else {
+			return (ISC_R_SUCCESS);
+		}
+ #else
+ 		UNUSED(fd);
+ #endif
+ 	} else if (sa_family == AF_INET) {
+ #if defined(IP_DONTFRAG)
+-		if (setsockopt_on(fd, IPPROTO_IP, IP_DONTFRAG) == -1) {
+		if (setsockopt_off(fd, IPPROTO_IP, IP_DONTFRAG) == -1) {
+ 			return (ISC_R_FAILURE);
+ 		} else {
+ 			return (ISC_R_SUCCESS);
+ 		}
+-#elif defined(IP_MTU_DISCOVER)
+#elif defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
+ 		if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER,
+-			       &(int){ IP_PMTUDISC_DO }, sizeof(int)) == -1)
+			       &(int){ IP_PMTUDISC_OMIT }, sizeof(int)) == -1)
+		{
+			return (ISC_R_FAILURE);
+		} else {
+			return (ISC_R_SUCCESS);
+		}
+#elif defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
+		if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER,
+			       &(int){ IP_PMTUDISC_DONT }, sizeof(int)) == -1)
+ 		{
+ 			return (ISC_R_FAILURE);
+ 		} else {
--- a/net/isc-bind/pkg/PLIST
+++ b/net/isc-bind/pkg/PLIST
@ -1,4 +1,4 @@
-@comment $OpenBSD: PLIST,v 1.27 2021/02/17 20:40:16 sthen Exp $
+@comment $OpenBSD: PLIST,v 1.28 2021/02/20 15:49:52 sthen Exp $
@pkgpath net/isc-bind,ratelimit
@newgroup _bind:741
@newuser _bind:741:_bind:daemon:bind user:/nonexistent:/sbin/nologin
@ -284,20 +284,20 @@ include/pk11/result.h
 include/pk11/site.h
 include/pkcs11/
 include/pkcs11/pkcs11.h
-@so lib/libbind9-9.16.12.so
 lib/libbind9.la
-@so lib/libdns-9.16.12.so
+@lib lib/libbind9.so.${LIBbind9_VERSION}
 lib/libdns.la
-@so lib/libirs-9.16.12.so
+@lib lib/libdns.so.${LIBdns_VERSION}
 lib/libirs.la
-@so lib/libisc-9.16.12.so
+@lib lib/libirs.so.${LIBirs_VERSION}
 lib/libisc.la
-@so lib/libisccc-9.16.12.so
+@lib lib/libisc.so.${LIBisc_VERSION}
 lib/libisccc.la
-@so lib/libisccfg-9.16.12.so
+@lib lib/libisccc.so.${LIBisccc_VERSION}
 lib/libisccfg.la
-@so lib/libns-9.16.12.so
+@lib lib/libisccfg.so.${LIBisccfg_VERSION}
 lib/libns.la
+@lib lib/libns.so.${LIBns_VERSION}
 lib/named/
@so lib/named/filter-aaaa.so
 lib/python${MODPY_VERSION}/