commit 613807abd0e67efd5f3d50211091055caa52c512 Author: overweight <5324761+overweight@user.noreply.gitee.com> Date: Mon Sep 30 10:32:24 2019 -0400 Package init
diff --git a/0001-Coverity-fix-REVERSE_INULL-for-pevent-inst.patch b/0001-Coverity-fix-REVERSE_INULL-for-pevent-inst.patch
new file mode 100644
index 0000000..04b6cb8
--- /dev/null
+++ b/0001-Coverity-fix-REVERSE_INULL-for-pevent-inst.patch
@@ -0,0 +1,116 @@ +From e5c29893a318c0f1571c9918ab2c7c23dca3c952 Mon Sep 17 00:00:00 2001 +From: Tomas Krizek +Date: Mon, 27 Mar 2017 19:41:05 +0200 +Subject: [PATCH] Coverity: fix REVERSE_INULL for pevent->inst + +With the DynDB API changes, the ldap instance is acquired +differently. Previously, obtaining the instance could fail when +LDAP was disconnecting, thus the NULL check was necessary in the +cleanup part. + +Now, inst is obtained directly from the API. I'm not sure what is +the exact behaviour in edge cases such as LDAP disconnecting, so +I perform the NULL check a bit earlier, just to be safe. +--- + src/ldap_helper.c | 42 +++++++++++++++++++++--------------------- + 1 file changed, 21 insertions(+), 21 deletions(-) + +diff --git a/src/ldap_helper.c b/src/ldap_helper.c +index 1fa0ec9adfa2b9ca589587244da03cc6f0584919..e0c4b76f0bd350eda2d81588e6efb67b5221d630 100644 +--- a/src/ldap_helper.c ++++ b/src/ldap_helper.c +@@ -3714,6 +3714,7 @@ update_zone(isc_task_t *task, isc_event_t *event) + mctx = pevent->mctx; + dns_name_init(&prevname, NULL); + ++ REQUIRE(inst != NULL); + INSIST(task == inst->task); /* For task-exclusive mode */ + + if (SYNCREPL_DEL(pevent->chgtype)) { +@@ -3730,12 +3731,11 @@ update_zone(isc_task_t *task, isc_event_t *event) + } + + cleanup: +- if (inst != NULL) { +- sync_concurr_limit_signal(inst->sctx); +- sync_event_signal(inst->sctx, pevent); +- if (dns_name_dynamic(&prevname)) +- dns_name_free(&prevname, inst->mctx); +- } ++ sync_concurr_limit_signal(inst->sctx); ++ sync_event_signal(inst->sctx, pevent); ++ if (dns_name_dynamic(&prevname)) ++ dns_name_free(&prevname, inst->mctx); ++ + if (result != ISC_R_SUCCESS) + log_error_r("update_zone (syncrepl) failed for %s. 
" + "Zones can be outdated, run `rndc reload`", +@@ -3760,14 +3760,14 @@ update_config(isc_task_t * task, isc_event_t *event) + + mctx = pevent->mctx; + ++ REQUIRE(inst != NULL); + INSIST(task == inst->task); /* For task-exclusive mode */ + CHECK(ldap_parse_configentry(entry, inst)); + + cleanup: +- if (inst != NULL) { +- sync_concurr_limit_signal(inst->sctx); +- sync_event_signal(inst->sctx, pevent); +- } ++ sync_concurr_limit_signal(inst->sctx); ++ sync_event_signal(inst->sctx, pevent); ++ + if (result != ISC_R_SUCCESS) + log_error_r("update_config (syncrepl) failed for %s. " + "Configuration can be outdated, run `rndc reload`", +@@ -3790,14 +3790,14 @@ update_serverconfig(isc_task_t * task, isc_event_t *event) + + mctx = pevent->mctx; + ++ REQUIRE(inst != NULL); + INSIST(task == inst->task); /* For task-exclusive mode */ + CHECK(ldap_parse_serverconfigentry(entry, inst)); + + cleanup: +- if (inst != NULL) { +- sync_concurr_limit_signal(inst->sctx); +- sync_event_signal(inst->sctx, pevent); +- } ++ sync_concurr_limit_signal(inst->sctx); ++ sync_event_signal(inst->sctx, pevent); ++ + if (result != ISC_R_SUCCESS) + log_error_r("update_serverconfig (syncrepl) failed for %s. 
" + "Configuration can be outdated, run `rndc reload`", +@@ -3860,6 +3860,7 @@ update_record(isc_task_t *task, isc_event_t *event) + dns_name_init(&prevname, NULL); + dns_name_init(&prevorigin, NULL); + ++ REQUIRE(inst != NULL); + CHECK(zr_get_zone_ptr(inst->zone_register, &entry->zone_name, &raw, &secure)); + zone_found = ISC_TRUE; + +@@ -4020,13 +4021,12 @@ cleanup: + ldap_entry_logname(entry), pevent->chgtype); + } + +- if (inst != NULL) { +- sync_concurr_limit_signal(inst->sctx); +- if (dns_name_dynamic(&prevname)) +- dns_name_free(&prevname, inst->mctx); +- if (dns_name_dynamic(&prevorigin)) +- dns_name_free(&prevorigin, inst->mctx); +- } ++ sync_concurr_limit_signal(inst->sctx); ++ if (dns_name_dynamic(&prevname)) ++ dns_name_free(&prevname, inst->mctx); ++ if (dns_name_dynamic(&prevorigin)) ++ dns_name_free(&prevorigin, inst->mctx); ++ + if (raw != NULL) + dns_zone_detach(&raw); + if (secure != NULL) +-- +2.9.3 + diff --git a/0002-Add-empty-callback-for-getsize.patch b/0002-Add-empty-callback-for-getsize.patch new file mode 100644 index 0000000..63f08b9 --- /dev/null +++ b/0002-Add-empty-callback-for-getsize.patch @@ -0,0 +1,30 @@ +From 107c5ed7247788a04a23d6c65fca50f96c944345 Mon Sep 17 00:00:00 2001 +From: Tomas Krizek +Date: Tue, 27 Jun 2017 10:41:03 +0200 +Subject: [PATCH] Add empty callback for getsize + +BIND introduced getsize method in db.h. This is related to +CVE-2016-6170 and allows to set restriction of zone size limit. + +Signed-off-by: Tomas Krizek +--- + src/ldap_driver.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/ldap_driver.c b/src/ldap_driver.c +index 53ce1a9..38673b0 100644 +--- a/src/ldap_driver.c ++++ b/src/ldap_driver.c +@@ -867,7 +867,8 @@ static dns_dbmethods_t ldapdb_methods = { + findext, + setcachestats, + hashsize, +- nodefullname ++ nodefullname, ++ NULL, // getsize method not implemented (related BZ1353563) + }; + + isc_result_t ATTR_NONNULLS +-- +2.9.4 + 
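Review bot: The new `REQUIRE(inst != NULL);` in update_zone, update_config, update_serverconfig and update_record turns a NULL instance into an assertion failure, which in BIND aborts named, whereas the removed `if (inst != NULL)` guards in the cleanup paths let the event finish quietly. The patch description itself says the behaviour while LDAP is disconnecting is not known, so if that case can still deliver a NULL `inst`, a directory-side event would stop the DNS server instead of being skipped. If the DynDB API guarantees a non-NULL instance, record that next to the check, e.g. `/* inst comes from the DynDB API and is never NULL here; a violation aborts named */`; otherwise fail the event with an error result before the first dereference. The function bodies start and end outside these hunks, so whether any `goto cleanup` can run before the new REQUIRE could not be checked from here.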
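Review bot: Appending `NULL` for getsize to `ldapdb_methods` leaves the size accounting that the patch description links to CVE-2016-6170 unavailable for LDAP-backed zones, so a zone size limit configured in BIND (such as `max-records`) presumably cannot be enforced on them, and the comment only points at a bug number. I would state the consequence in place: `NULL, /* getsize: not implemented, zone size limits are not applied to LDAP zones (BZ1353563) */`. The table is also filled by position, so it is only correct for a `dns_dbmethods_t` with exactly this member order; designated initializers, if the project's compiler baseline allows them, would keep each callback bound to its member name when BIND extends or reorders the struct. The initializer starts outside the hunk.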
diff --git a/0003-Support-for-BIND-9.11.3.patch b/0003-Support-for-BIND-9.11.3.patch
new file mode 100644
index 0000000..092e3c2
--- /dev/null
+++ b/0003-Support-for-BIND-9.11.3.patch
@@ -0,0 +1,137 @@ +From b533d722fa62232955aedfdf1bbc0179f48497eb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Thu, 1 Mar 2018 19:41:10 +0100 +Subject: [PATCH] Support for BIND 9.11.3. Include explicitly isc/util.h in + each file that uses REQUIRE(). Support stdatomic feature, do not use function + call in STATIC_ASSERT(). + +--- + src/bindcfg.c | 1 + + src/fwd_register.c | 1 + + src/ldap_entry.h | 11 +++++------ + src/mldap.c | 4 ++-- + src/rbt_helper.c | 1 + + src/types.h | 2 +- + 6 files changed, 11 insertions(+), 9 deletions(-) + +diff --git a/src/bindcfg.c b/src/bindcfg.c +index 9b429ba..5539dea 100644 +--- a/src/bindcfg.c ++++ b/src/bindcfg.c +@@ -6,6 +6,7 @@ + + #include "config.h" + ++#include + #include + #include + +diff --git a/src/fwd_register.c b/src/fwd_register.c +index 355d15f..7cc0c5a 100644 +--- a/src/fwd_register.c ++++ b/src/fwd_register.c +@@ -3,6 +3,7 @@ + */ + + #include ++#include + #include + + #include "rbt_helper.h" +diff --git a/src/ldap_entry.h b/src/ldap_entry.h +index 6498c79..88b1c42 100644 +--- a/src/ldap_entry.h ++++ b/src/ldap_entry.h +@@ -6,7 +6,6 @@ + #define _LD_LDAP_ENTRY_H_ + + #include +-#include + #include + + #include "fwd_register.h" +@@ -19,15 +18,15 @@ + + /* Represents values associated with LDAP attribute */ + typedef struct ldap_value ldap_value_t; +-typedef LIST(ldap_value_t) ldap_valuelist_t; ++typedef ISC_LIST(ldap_value_t) ldap_valuelist_t; + struct ldap_value { + char *value; +- LINK(ldap_value_t) link; ++ ISC_LINK(ldap_value_t) link; + }; + + /* Represents LDAP attribute and it's values */ + typedef struct ldap_attribute ldap_attribute_t; +-typedef LIST(ldap_attribute_t) ldap_attributelist_t; ++typedef ISC_LIST(ldap_attribute_t) ldap_attributelist_t; + + /* Represents LDAP entry and it's attributes */ + typedef unsigned char ldap_entryclass_t; +@@ -41,7 +40,7 @@ struct ldap_entry { + + ldap_attribute_t *lastattr; + ldap_attributelist_t attrs; +- LINK(ldap_entry_t) link; ++ 
ISC_LINK(ldap_entry_t) link; + + /* Parsing. */ + isc_lex_t *lex; +@@ -59,7 +58,7 @@ struct ldap_attribute { + char **ldap_values; + ldap_value_t *lastval; + ldap_valuelist_t values; +- LINK(ldap_attribute_t) link; ++ ISC_LINK(ldap_attribute_t) link; + }; + + #define LDAP_ENTRYCLASS_NONE 0x0 +diff --git a/src/mldap.c b/src/mldap.c +index 143abce..304ba36 100644 +--- a/src/mldap.c ++++ b/src/mldap.c +@@ -119,13 +119,13 @@ void mldap_cur_generation_bump(mldapdb_t *mldap) { + * reference counter value. + */ + STATIC_ASSERT((isc_uint32_t) +- (typeof(isc_refcount_current((isc_refcount_t *)0))) ++ (typeof(((isc_refcount_t *)0)->refs)) + -1 + == 0xFFFFFFFF, \ + "negative isc_refcount_t cannot be properly shortened to 32 bits"); + + STATIC_ASSERT((isc_uint32_t) +- (typeof(isc_refcount_current((isc_refcount_t *)0))) ++ (typeof(((isc_refcount_t *)0)->refs)) + 0x90ABCDEF12345678 + == 0x12345678, \ + "positive isc_refcount_t cannot be properly shortened to 32 bits"); +diff --git a/src/rbt_helper.c b/src/rbt_helper.c +index 2a7e6cb..f610b07 100644 +--- a/src/rbt_helper.c ++++ b/src/rbt_helper.c +@@ -2,6 +2,7 @@ + * Copyright (C) 2013-2014 bind-dyndb-ldap authors; see COPYING for license + */ + ++#include + #include + + #include "util.h" +diff --git a/src/types.h b/src/types.h +index 25ef3b9..01d627c 100644 +--- a/src/types.h ++++ b/src/types.h +@@ -24,7 +24,7 @@ + * rdata1 -> rdata2 -> rdata3 rdata4 -> rdata5 + * next_rdatalist -> next_rdatalist ... + */ +-typedef LIST(dns_rdatalist_t) ldapdb_rdatalist_t; ++typedef ISC_LIST(dns_rdatalist_t) ldapdb_rdatalist_t; + + typedef struct enum_txt_assoc { + int value; +-- +2.14.3 + diff --git a/bind-dyndb-ldap-11.1.tar.bz2 b/bind-dyndb-ldap-11.1.tar.bz2 new file mode 100644 index 0000000..48fc98d Binary files /dev/null and b/bind-dyndb-ldap-11.1.tar.bz2 differ diff --git a/bind-dyndb-ldap-11.1.tar.bz2.asc b/bind-dyndb-ldap-11.1.tar.bz2.asc new file mode 100644 index 0000000..3becbc4 --- /dev/null +++ b/bind-dyndb-ldap-11.1.tar.bz2.asc 
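Review bot: The two STATIC_ASSERTs in src/mldap.c now take their type from `((isc_refcount_t *)0)->refs`, which ties the build to a private member of `isc_refcount_t` instead of the accessor used before. If BIND renames that field, or makes it an atomic type in the stdatomic build that the subject line mentions, the casts of `-1` and `0x90ABCDEF12345678` through that type may stop compiling or stop being constant expressions, and the truncation guarantee the asserts protect would go unchecked. A comment above them naming the layout they were validated against would make that dependency visible, e.g. `/* relies on the refs member of isc_refcount_t as defined in BIND 9.11.3 */`.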
@@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQEcBAABCAAGBQJYwqX6AAoJECKiqUteSUFa2OkH/3NWkWc62TWaDkMN+EPUYSJ5 +Hf+hxQJdioATttopyuiCE+5q2iS/9n8DGgfQmdPXDalZwQfYWhX75WWlMIiWWy5F +FDZ29tWY41JqLCdV3xYMhR+Nd4OBegT+U3muIzsFcSS9el78kRmNJCu1yOur/Nc+ +r1v8o2J5PVmp1iYxvy5s77qcIC3cERGcLakDlRduZY00jCL5I5ysxG8sWQ8jJEIr +G1thN8cJeZ37pcOml943m0hLjzcJeNhmV/rgz7cMpH17r3yf5B600B+lGqrL9EtJ +lSTVRJQlZFosDPVrqKuNyMHi5iIroc8+TVZtw1aAyZ8KA39zG5wrMF5FphjVHm4= +=jtZI +-----END PGP SIGNATURE-----
diff --git a/bind-dyndb-ldap.spec b/bind-dyndb-ldap.spec
new file mode 100644
index 0000000..3e77336
--- /dev/null
+++ b/bind-dyndb-ldap.spec
@@ -0,0 +1,78 @@ +%define bind_version 32:9.11.3-5 + +Name: bind-dyndb-ldap +Version: 11.1 +Release: 13 +Summary: LDAP back-end plug-in for BIND +License: GPLv2+ +URL: https://releases.pagure.org/bind-dyndb-ldap +Source0: https://releases.pagure.org/%{name}/%{name}-%{version}.tar.bz2 +Source1: https://releases.pagure.org/%{name}/%{name}-%{version}.tar.bz2.asc +# These patches come from fedoraproject +Patch0001: 0001-Coverity-fix-REVERSE_INULL-for-pevent-inst.patch +Patch0002: 0002-Add-empty-callback-for-getsize.patch +Patch0003: 0003-Support-for-BIND-9.11.3.patch +BuildRequires: bind-devel >= %{bind_version}, bind-lite-devel >= %{bind_version}, bind-pkcs11-devel >= %{bind_version} +BuildRequires: krb5-devel +BuildRequires: openldap-devel +BuildRequires: libuuid-devel +BuildRequires: automake, autoconf, libtool +BuildRequires: openssl-devel +Requires: bind-pkcs11 >= %{bind_version}, bind-pkcs11-utils >= %{bind_version} + +%description +This package provides an LDAP back-end, the dynamic LDAP back-end is +a plug-in for BIND that provides an LDAP database back-end capabilities. + +%prep +%autosetup -n %{name}-%{version} -p1 + +%build +autoreconf -fiv +%configure +%make_build + +%install +rm -rf %{buildroot} +%make_install +install -d -m 770 %{buildroot}/%{_localstatedir}/named/dyndb-ldap + +%post +# Transform named.conf if it still has old-style API. +PLATFORM=$(uname -m) + +if [ $PLATFORM == "x86_64" ] ; then + LIBPATH=/usr/lib64 +else + LIBPATH=/usr/lib +fi + +while read -r PATTERN +do + SEDSCRIPT+="$PATTERN" +done < - 11.1-13 +- Package init
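Review bot: `Source1` ships the detached signature for the tarball, but `%prep` goes straight to `%autosetup`, so nothing in the build checks that `bind-dyndb-ldap-11.1.tar.bz2` actually matches it. Adding the upstream public key as a further source and verifying before unpacking closes that gap, e.g. `%{gpgverify --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'}` where the distribution's RPM macros provide `gpgverify`; `Source2` would be the keyring file, which this commit does not contain, and `BuildRequires: gnupg2` is needed alongside it. Separately, `install -d -m 770` creates `dyndb-ldap` without an owner or group being stated in the readable part of the spec, so who receives the group write access depends on a `%files` entry that cannot be seen on this page.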