svn commit: r379318 - in head/dns: bind910 bind910/files bind99 bind99/files

Wed Feb 18 21:56:10 UTC 2015

Author: mat
Date: Wed Feb 18 21:56:08 2015
New Revision: 379318
URL: https://svnweb.freebsd.org/changeset/ports/379318
QAT: https://qat.redports.org/buildarchive/r379318/

Log:
  Add a patch for CVE-2015-1349 while I work on updating both ports to the new version.
  
  Security:	CVE-2015-1349
  Sponsored by:	Absolight

Added:
  head/dns/bind910/files/patch-CVE-2015-1349   (contents, props changed)
  head/dns/bind99/files/patch-CVE-2015-1349   (contents, props changed)
Modified:
  head/dns/bind910/Makefile
  head/dns/bind99/Makefile

Modified: head/dns/bind910/Makefile
==============================================================================

--- head/dns/bind910/Makefile	Wed Feb 18 21:52:22 2015	(r379317)
+++ head/dns/bind910/Makefile	Wed Feb 18 21:56:08 2015	(r379318)
@@ -7,7 +7,7 @@ PORTVERSION=	${ISCVERSION:S/-P/P/}
 PORTREVISION=	1
 .else
 # dns/bind910 here
-PORTREVISION=	1
+PORTREVISION=	2
 .endif
 CATEGORIES=	dns net ipv6
 MASTER_SITES=	ISC/bind9/${ISCVERSION}

Added: head/dns/bind910/files/patch-CVE-2015-1349
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/dns/bind910/files/patch-CVE-2015-1349	Wed Feb 18 21:56:08 2015	(r379318)
@@ -0,0 +1,52 @@
+commit 12df718c23e29b16fcb5c12eace4b4a924de104d
+Author: Evan Hunt <each at isc.org>
+Date:   Tue Feb 3 18:32:05 2015 -0800
+
+    [v9_10_1_patch] avoid crash due to managed-key rollover
+    
+    4053.	[security]	Revoking a managed trust anchor and supplying
+    			an untrusted replacement could cause named
+    			to crash with an assertion failure.
+    			(CVE-2015-1349) [RT #38344]
+
+diff --git a/CHANGES b/CHANGES
+index 1234469..fc58de7 100644
+--- CHANGES
++++ CHANGES
+@@ -1,3 +1,10 @@
++	--- 9.10.1-P2 released ---
++
++4053.	[security]	Revoking a managed trust anchor and supplying
++			an untrusted replacement could cause named
++			to crash with an assertion failure.
++			(CVE-2015-1349) [RT #38344]
++
+ 	--- 9.10.1-P1 released ---
+ 
+ 4006.	[security]	A flaw in delegation handling could be exploited
+diff --git a/lib/dns/zone.c b/lib/dns/zone.c
+index ef60454..2c4558e 100644
+--- lib/dns/zone.c
++++ lib/dns/zone.c
+@@ -8946,6 +8946,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
+ 					     namebuf, tag);
+ 				trustkey = ISC_TRUE;
+ 			}
++		} else {
++			/*
++			 * No previously known key, and the key is not
++			 * secure, so skip it.
++			 */
++			continue;
+ 		}
+ 
+ 		/* Delete old version */
+@@ -8994,7 +9000,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
+ 			trust_key(zone, keyname, &dnskey, mctx);
+ 		}
+ 
+-		if (!deletekey) {
++		if (secure && !deletekey) {
+ 			INSIST(newkey || updatekey);
+ 			set_refreshkeytimer(zone, &keydata, now);
+ 		}

Modified: head/dns/bind99/Makefile
==============================================================================
--- head/dns/bind99/Makefile	Wed Feb 18 21:52:22 2015	(r379317)
+++ head/dns/bind99/Makefile	Wed Feb 18 21:56:08 2015	(r379318)
@@ -2,7 +2,7 @@
 
 PORTNAME=	bind
 PORTVERSION=	${ISCVERSION:S/-P/P/}
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	dns net ipv6
 MASTER_SITES=	ISC/bind9/${ISCVERSION}
 PKGNAMESUFFIX=	99

Added: head/dns/bind99/files/patch-CVE-2015-1349
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/dns/bind99/files/patch-CVE-2015-1349	Wed Feb 18 21:56:08 2015	(r379318)
@@ -0,0 +1,52 @@
+commit 2e9d79f169663c9aff5f0dcdc626a2cd2dbb5892
+Author: Evan Hunt <each at isc.org>
+Date:   Tue Feb 3 18:30:38 2015 -0800
+
+    [v9_9_6_patch] avoid crash due to managed-key rollover
+    
+    4053.	[security]	Revoking a managed trust anchor and supplying
+    			an untrusted replacement could cause named
+    			to crash with an assertion failure.
+    			(CVE-2015-1349) [RT #38344]
+
+diff --git a/CHANGES b/CHANGES
+index e8d75ea..b45be6d 100644
+--- CHANGES
++++ CHANGES
+@@ -1,3 +1,10 @@
++	--- 9.9.6-P2 released ---
++
++4053.	[security]	Revoking a managed trust anchor and supplying
++			an untrusted replacement could cause named
++			to crash with an assertion failure.
++			(CVE-2015-1349) [RT #38344]
++
+ 	--- 9.9.6-P1 released ---
+ 
+ 4006.	[security]	A flaw in delegation handling could be exploited
+diff --git a/lib/dns/zone.c b/lib/dns/zone.c
+index 7a9825b..5db2844 100644
+--- lib/dns/zone.c
++++ lib/dns/zone.c
+@@ -8508,6 +8508,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
+ 					     namebuf, tag);
+ 				trustkey = ISC_TRUE;
+ 			}
++		} else {
++			/*
++			 * No previously known key, and the key is not
++			 * secure, so skip it.
++			 */
++			continue;
+ 		}
+ 
+ 		/* Delete old version */
+@@ -8556,7 +8562,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
+ 			trust_key(zone, keyname, &dnskey, mctx);
+ 		}
+ 
+-		if (!deletekey) {
++		if (secure && !deletekey) {
+ 			INSIST(newkey || updatekey);
+ 			set_refreshkeytimer(zone, &keydata, now);
+ 		}
