Subject: security/8782: pkgsrc module for BIND-8.2.2-P3 (security workaround for BIND)
To: None <gnats-bugs@gnats.netbsd.org>
From: None <woods@mail.weird.com>
List: netbsd-bugs
Date: 11/12/1999 09:11:46
>Number: 8782
>Category: security
>Synopsis: pkgsrc module for BIND-8.2.2-P3 (security workaround for BIND)
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: security-officer (NetBSD Security Officer)
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Fri Nov 12 09:06:00 1999
>Last-Modified:
>Originator: Greg A. Woods
>Organization:
Planix, Inc.; Toronto, Ontario; Canada
>Release: 1999/11/11
>Environment:
System: NetBSD
>Description:
There are several denial-of-service bugs in most releases of
BIND (with at least one apparently being actively exploited),
and one potential remote exploit in BIND-8.2, 8.2p1, and 8.2.1.
>How-To-Repeat:
<URL:http://www.isc.org/products/BIND/bind-security-19991108.html>
>Fix:
Add the following module to pkgsrc/net/bind8 as an interim
workaround to upgrading BIND directly in NetBSD (and as a fix
for older releases of NetBSD).
# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
# Makefile
# files/
# files/md5
# patches/
# patches/patch-aa
# patches/patch-ab
# patches/patch-ac
# pkg/
# pkg/COMMENT
# pkg/DESCR
# pkg/PLIST
#
# Extract the pkgsrc Makefile for the module. Every payload line in this
# archive carries a leading "X" that the sed expression strips, and the
# quoted here-document delimiter keeps the shell from expanding the ${...}
# references in the payload.
#
# Points to check in the extracted Makefile:
#  - MASTER_SITES is an ftp:// URL, so the transfer itself is not
#    authenticated; the digests written to files/md5 by this archive are the
#    only integrity check on the three DISTFILES.
#  - patch4 is listed in DISTFILES but not in EXTRACT_ONLY; the pre-patch
#    target applies it with -p1 inside ${WRKDIR}/src/bin/named-xfer, reading
#    it from ${_DISTDIR}.
#  - pre-patch tests ${PATCH_DEBUG_TMP} unquoted. NOTE(review): presumably
#    bsd.pkg.mk always gives it a value -- confirm, because an empty value
#    leaves the test expression malformed.
echo x - Makefile
sed 's/^X//' >Makefile << 'END-of-Makefile'
X#
X#ident "$NetBSD$"
X#
X# From:
X# $FreeBSD: Makefile,v 1.12 1999/06/28 21:25:07 billf Exp $
X#
X# Adapted for NetBSD by Greg A. Woods <woods@planix.com>
X# July 28, 1999
X#
X# Upgraged to 8.2.2-P3 by Greg A. Woods <woods@planix.com>
X# November 11, 1999
X#
X
XDISTNAME= bind
X
XBIND_RELEASE= 8.2.2-P3
X
XPKGNAME= bind-${BIND_RELEASE}
XDIST_SUBDIR= bind/${BIND_RELEASE}
XCATEGORIES= net
XMASTER_SITES= ftp://ftp.isc.org/isc/bind/src/${BIND_RELEASE}/
XDISTFILES= ${DISTNAME}-src.tar.gz ${DISTNAME}-doc.tar.gz patch4
X
XMAINTAINER= packages@NetBSD.org
X
XHOMEPAGE= http://www.isc.org/products/BIND/
XY2K= http://www.isc.org/ISC/y2k.html
X
XWRKSRC= ${WRKDIR}/src
X
XEXTRACT_ONLY= ${DISTNAME}-src.tar.gz ${DISTNAME}-doc.tar.gz
X
XPATCH_ARGS= -d ${WRKDIR}
X
Xpre-patch:
X @${ECHO_MSG} "===> Applying distribution patches for ${PKGNAME}"
X @(cd ${_DISTDIR}; \
X if [ ${PATCH_DEBUG_TMP} = yes ]; then \
X ${ECHO_MSG} "===> Applying distribution patch 'patch4'" ; \
X fi; \
X ${PATCH} -d ${WRKDIR}/src/bin/named-xfer -p1 < 'patch4')
X
Xpost-build:
X @(cd ${WRKDIR}/doc/man && ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} clean all)
X
Xpost-install:
X @(cd ${WRKDIR}/doc/man && ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${INSTALL_TARGET})
X ${MKDIR} ${PREFIX}/share/doc/bind8
X ${INSTALL_DATA} ${WRKDIR}/doc/html/* ${PREFIX}/share/doc/bind8
X
X.include "../../mk/bsd.pkg.mk"
END-of-Makefile
# Create files/ and write the distfile checksum list.
echo c - files/
# mkdir's output and errors are discarded, so a failure to create the
# directory only shows up when the redirect into files/md5 below fails.
mkdir -p files/ > /dev/null 2>&1
# The list pins one MD5 digest each for bind-src.tar.gz, bind-doc.tar.gz and
# patch4, keyed by the DIST_SUBDIR path set in the Makefile. MD5 is no longer
# collision-resistant. NOTE(review): record a stronger digest alongside it
# where the packaging tools accept one.
echo x - files/md5
sed 's/^X//' >files/md5 << 'END-of-files/md5'
X$NetBSD$
X
XMD5 (bind/8.2.2-P3/bind-src.tar.gz) = c782af1a8058d6d2d3c95c1385a5c8c0
XMD5 (bind/8.2.2-P3/bind-doc.tar.gz) = 42025ab4bed0f13ab612ec5984abe2f0
XMD5 (bind/8.2.2-P3/patch4) = b9b05dca4b591ad73b17f7262afa6636
END-of-files/md5
echo c - patches/
mkdir -p patches/ > /dev/null 2>&1
echo x - patches/patch-aa
sed 's/^X//' >patches/patch-aa << 'END-of-patches/patch-aa'
X+++ src/port/netbsd/Makefile.set Wed Jul 28 20:02:07 1999
X@@ -1,11 +1,13 @@
X 'CC=cc'
X 'CDEBUG=-O2 -g'
X-'DESTBIN=/usr/bin'
X-'DESTSBIN=/usr/sbin'
X-'DESTEXEC=/usr/libexec'
X-'DESTMAN=/usr/share/man'
X-'DESTHELP=/usr/share/misc'
X-'DESTETC=/etc'
X+'DESTBIN=${PREFIX}/bin'
X+'DESTLIB=${PREFIX}/bind/lib'
X+'DESTINC=${PREFIX}/bind/include'
X+'DESTSBIN=${PREFIX}/sbin'
X+'DESTEXEC=${PREFIX}/libexec'
X+'DESTMAN=${PREFIX}/share/man'
X+'DESTHELP=${PREFIX}/share/misc'
X+'DESTETC=${PREFIX}/etc'
X 'DESTRUN=/var/run'
X 'LEX=lex -I'
X 'YACC=yacc -d'
END-of-patches/patch-aa
echo x - patches/patch-ab
sed 's/^X//' >patches/patch-ab << 'END-of-patches/patch-ab'
X*** doc/man/Makefile.orig Sat Sep 18 02:23:44 1999
X***************
X*** 52,63 ****
X # Target directory for the manual directory tree. Eg., may be used to
X # specify the path of an NFS-mounted directory for common files.
X #
X! DESTDIR=
X
X #
X # Default location for manual section directories.
X #
X! DESTMAN= /usr/share/man
X
X #
X # Install manuals in ${MANDIR}N. For systems that generate catable manual
X--- 52,63 ----
X # Target directory for the manual directory tree. Eg., may be used to
X # specify the path of an NFS-mounted directory for common files.
X #
X! DESTDIR= ${PREFIX}
X
X #
X # Default location for manual section directories.
X #
X! DESTMAN= /share/man
X
X #
X # Install manuals in ${MANDIR}N. For systems that generate catable manual
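Review bot: In this hunk `DESTDIR= ${PREFIX}` together with `DESTMAN= /share/man` makes DESTDIR carry the install prefix instead of a staging root, and nothing in the file says so. The later hunks of this patch rely on that split to form `${DESTDIR}/bind${DESTMAN}/...`, so a caller who overrides or empties DESTDIR sends the manual pages to `/share/man` and `/bind/share/man` under whatever root was passed. I would add a comment above the assignment, for example `# DESTDIR carries the package prefix here so that ${DESTDIR}/bind${DESTMAN} lands below ${PREFIX}/bind; it is not a staging root`.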
X***************
X*** 228,241 ****
X #
X # User command manual entries
X #
X! CMD_BASE = dig host dnsquery dnskeygen
X CMD_SRC_EXT = 1
X CMD_SRC = dig.${CMD_SRC_EXT} \
X- host.${CMD_SRC_EXT} \
X dnsquery.${CMD_SRC_EXT} \
X dnskeygen.${CMD_SRC_EXT}
X CMD_OUT = dig.${CMD_OUT_EXT} \
X- host.${CMD_OUT_EXT} \
X dnsquery.${CMD_OUT_EXT} \
X dnskeygen.${CMD_OUT_EXT}
X
X--- 228,239 ----
X #
X # User command manual entries
X #
X! CMD_BASE = dig dnsquery dnskeygen
X CMD_SRC_EXT = 1
X CMD_SRC = dig.${CMD_SRC_EXT} \
X dnsquery.${CMD_SRC_EXT} \
X dnskeygen.${CMD_SRC_EXT}
X CMD_OUT = dig.${CMD_OUT_EXT} \
X dnsquery.${CMD_OUT_EXT} \
X dnskeygen.${CMD_OUT_EXT}
X
X***************
X*** 279,285 ****
X # Network library routines manual entries
X #
X LIB_NETWORK_BASE = gethostbyname inet_cidr resolver hesiod getnetent \
X! tsig getaddrinfo inet_cidr getipnodebyname
X LIB_NETWORK_SRC_EXT = 3
X LIB_NETWORK_SRC = gethostbyname.${LIB_NETWORK_SRC_EXT} \
X inet_cidr.${LIB_NETWORK_SRC_EXT} \
X--- 277,283 ----
X # Network library routines manual entries
X #
X LIB_NETWORK_BASE = gethostbyname inet_cidr resolver hesiod getnetent \
X! tsig getaddrinfo getipnodebyname
X LIB_NETWORK_SRC_EXT = 3
X LIB_NETWORK_SRC = gethostbyname.${LIB_NETWORK_SRC_EXT} \
X inet_cidr.${LIB_NETWORK_SRC_EXT} \
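Review bot: `getipnodebyname` stays in LIB_NETWORK_BASE on the new side of this hunk, and the install loop in the last hunk of this patch copies every name in that list into `${DESTDIR}/bind${DESTMAN}/${MANDIR}${LIB_NETWORK_EXT_DIR}`, yet pkg/PLIST in this archive lists no `bind/share/man/cat3/getipnodebyname.0`. If the page is built and installed as the list suggests, it is not registered with the package and would presumably stay behind on removal, keeping `@dirrm bind/share/man/cat3` from succeeding. Either add `bind/share/man/cat3/getipnodebyname.0` to pkg/PLIST or drop the name from the list here. The LIB_NETWORK_SRC assignment continues past the end of the hunk, so confirm against the full file.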
X***************
X*** 303,309 ****
X #
X # File format manual entries
X #
X! FORMAT_BASE = resolver irs.conf named.conf
X FORMAT_SRC_EXT = 5
X FORMAT_SRC = resolver.${FORMAT_SRC_EXT} \
X irs.conf.${FORMAT_SRC_EXT} \
X--- 301,308 ----
X #
X # File format manual entries
X #
X! FORMAT_MAIN_BASE = named.conf
X! FORMAT_BASE = resolver irs.conf
X FORMAT_SRC_EXT = 5
X FORMAT_SRC = resolver.${FORMAT_SRC_EXT} \
X irs.conf.${FORMAT_SRC_EXT} \
X***************
X*** 355,363 ****
X install: ${OUTFILES} \
X ${DESTDIR}${DESTMAN}/${MANDIR}${CMD_EXT_DIR} \
X ${DESTDIR}${DESTMAN}/${MANDIR}${SYS_OPS_EXT_DIR} \
X! ${DESTDIR}${DESTMAN}/${MANDIR}${LIB_NETWORK_EXT_DIR} \
X ${DESTDIR}${DESTMAN}/${MANDIR}${FORMAT_EXT_DIR} \
X! ${DESTDIR}${DESTMAN}/${MANDIR}${DESC_EXT_DIR}
X @set -x; N=${CMD_EXT}; for f in ${CMD_BASE}; do \
X ${INSTALL} -c -m 444 ${MAN_OWNER} ${MAN_GROUP} \
X $${f}.${CMD_OUT_EXT} \
X--- 354,363 ----
X install: ${OUTFILES} \
X ${DESTDIR}${DESTMAN}/${MANDIR}${CMD_EXT_DIR} \
X ${DESTDIR}${DESTMAN}/${MANDIR}${SYS_OPS_EXT_DIR} \
X! ${DESTDIR}/bind${DESTMAN}/${MANDIR}${LIB_NETWORK_EXT_DIR} \
X ${DESTDIR}${DESTMAN}/${MANDIR}${FORMAT_EXT_DIR} \
X! ${DESTDIR}/bind${DESTMAN}/${MANDIR}${FORMAT_EXT_DIR} \
X! ${DESTDIR}/bind${DESTMAN}/${MANDIR}${DESC_EXT_DIR}
X @set -x; N=${CMD_EXT}; for f in ${CMD_BASE}; do \
X ${INSTALL} -c -m 444 ${MAN_OWNER} ${MAN_GROUP} \
X $${f}.${CMD_OUT_EXT} \
X***************
X*** 391,415 ****
X @set -x; N=${LIB_NETWORK_EXT}; for f in ${LIB_NETWORK_BASE}; do \
X ${INSTALL} -c -m 444 ${MAN_OWNER} ${MAN_GROUP} \
X $${f}.${LIB_NETWORK_OUT_EXT} \
X! ${DESTDIR}${DESTMAN}/${MANDIR}${LIB_NETWORK_EXT_DIR}/$${f}.${CATEXT}; \
X done
X @set -x; N=${FORMAT_EXT}; for f in ${FORMAT_BASE}; do \
X ${INSTALL} -c -m 444 ${MAN_OWNER} ${MAN_GROUP} \
X $${f}.${FORMAT_OUT_EXT} \
X! ${DESTDIR}${DESTMAN}/${MANDIR}${FORMAT_EXT_DIR}/$${f}.${CATEXT}; \
X done
X @set -x; N=${DESC_EXT}; for f in ${DESC_BASE}; do \
X ${INSTALL} -c -m 444 ${MAN_OWNER} ${MAN_GROUP} \
X $${f}.${DESC_OUT_EXT} \
X! ${DESTDIR}${DESTMAN}/${MANDIR}${DESC_EXT_DIR}/$${f}.${CATEXT}; \
X done
X
X ${DESTDIR}${DESTMAN}/${MANDIR}${CMD_EXT_DIR} \
X ${DESTDIR}${DESTMAN}/${MANDIR}${SYS_OPS_EXT_DIR} \
X! ${DESTDIR}${DESTMAN}/${MANDIR}${LIB_NETWORK_EXT_DIR} \
X ${DESTDIR}${DESTMAN}/${MANDIR}${FORMAT_EXT_DIR} \
X! ${DESTDIR}${DESTMAN}/${MANDIR}${DESC_EXT_DIR}:
X! mkdir $@
X
X links: FRC
X @set -ex; ln -s SRC/*.[0-9] .
X--- 391,420 ----
X @set -x; N=${LIB_NETWORK_EXT}; for f in ${LIB_NETWORK_BASE}; do \
X ${INSTALL} -c -m 444 ${MAN_OWNER} ${MAN_GROUP} \
X $${f}.${LIB_NETWORK_OUT_EXT} \
X! ${DESTDIR}/bind${DESTMAN}/${MANDIR}${LIB_NETWORK_EXT_DIR}/$${f}.${CATEXT}; \
X! done
X! @set -x; N=${FORMAT_EXT}; for f in ${FORMAT_MAIN_BASE}; do \
X! ${INSTALL} -c -m 444 ${MAN_OWNER} ${MAN_GROUP} $${f}.${FORMAT_OUT_EXT} \
X! ${DESTDIR}${DESTMAN}/${MANDIR}${FORMAT_EXT_DIR}/$${f}.${CATEXT}; \
X done
X @set -x; N=${FORMAT_EXT}; for f in ${FORMAT_BASE}; do \
X ${INSTALL} -c -m 444 ${MAN_OWNER} ${MAN_GROUP} \
X $${f}.${FORMAT_OUT_EXT} \
X! ${DESTDIR}/bind${DESTMAN}/${MANDIR}${FORMAT_EXT_DIR}/$${f}.${CATEXT}; \
X done
X @set -x; N=${DESC_EXT}; for f in ${DESC_BASE}; do \
X ${INSTALL} -c -m 444 ${MAN_OWNER} ${MAN_GROUP} \
X $${f}.${DESC_OUT_EXT} \
X! ${DESTDIR}/bind${DESTMAN}/${MANDIR}${DESC_EXT_DIR}/$${f}.${CATEXT}; \
X done
X
X ${DESTDIR}${DESTMAN}/${MANDIR}${CMD_EXT_DIR} \
X ${DESTDIR}${DESTMAN}/${MANDIR}${SYS_OPS_EXT_DIR} \
X! ${DESTDIR}/bind${DESTMAN}/${MANDIR}${LIB_NETWORK_EXT_DIR} \
X ${DESTDIR}${DESTMAN}/${MANDIR}${FORMAT_EXT_DIR} \
X! ${DESTDIR}/bind${DESTMAN}/${MANDIR}${FORMAT_EXT_DIR} \
X! ${DESTDIR}/bind${DESTMAN}/${MANDIR}${DESC_EXT_DIR}:
X! mkdir -p $@
X
X links: FRC
X @set -ex; ln -s SRC/*.[0-9] .
END-of-patches/patch-ab
echo x - patches/patch-ac
sed 's/^X//' >patches/patch-ac << 'END-of-patches/patch-ac'
X*** src/bin/Makefile.orig Sun Aug 8 13:13:24 1999
X***************
X*** 60,66 ****
X
X CFLAGS= ${CDEBUG} -I${PORTINCL} -I${INCL}
X
X! SUBDIRS = addr nslookup dig dnsquery host named named-xfer ndc nsupdate \
X mkservdb irpd dnskeygen named-bootconf
X
X all: ${SUBDIRS}
X--- 60,66 ----
X
X CFLAGS= ${CDEBUG} -I${PORTINCL} -I${INCL}
X
X! SUBDIRS = addr nslookup dig dnsquery named named-xfer ndc nsupdate \
X mkservdb irpd dnskeygen named-bootconf
X
X all: ${SUBDIRS}
END-of-patches/patch-ac
# Create pkg/ and write the one-line package comment.
echo c - pkg/
# As with the other directories, mkdir's diagnostics are thrown away here.
mkdir -p pkg/ > /dev/null 2>&1
echo x - pkg/COMMENT
sed 's/^X//' >pkg/COMMENT << 'END-of-pkg/COMMENT'
XThe Berkeley Internet Name Daemon, an implementation of DNS.
END-of-pkg/COMMENT
# Write the long package description. Its text names the release
# (8.2.2 patchlevel 3) and states the security reason for upgrading: one
# potential remote access exploit and several denial-of-service bugs fixed.
echo x - pkg/DESCR
sed 's/^X//' >pkg/DESCR << 'END-of-pkg/DESCR'
XThe Berkeley Internet Name Daemon, an implementation of a DNS server and
Xresolver library.
X
XBIND Version 8.2.2 patchlevel 3 (Released November 8th, 1999)
X
X If you are running any version of BIND prior to 8.2.2 patchlevel 3,
X we recommend you upgrade to the current version for security reasons.
X There is one potential remote access exploit fixed in this release,
X and there are several fixes for various denial-of-service bugs.
X
XBIND Version 8.2.2 features include:
X
X -> DNS Dynamic Updates (RFC 2136)
X -> DNS Change Notification (RFC 1996)
X -> RFC 2308 (Negative Caching)
X -> RFC 2181 (DNS Clarifications)
X -> RFC 2065 (DNS Security)
X -> Completely new configuration syntax
X -> IP-address-based access control for queries, zone transfers, and
X updates that may be specified on a zone-by-zone basis
X -> More efficient zone transfers
X -> Improved performance for servers with thousands of zones
X (including single-zone reloads)
X -> The server no longer forks for outbound zone transfers
X -> Many many many *important* (i.e. security), and minor, bug fixes
X -> Much improved event and error logging facilities (including
X flexible categorized logging to different types of destinations)
X -> TSIG (Transaction SIGnatures)
X -> support for multiple virtual name servers
X -> "Split DNS" via zone type "forward"
X -> Portability to IPv6 versions of FreeBSD, OpenBSD, NetBSD
X -> Documentation improvements
X -> Much improved named controller program (ndc)
X -> New zone file syntax features (eg. $TTL and $GENERATE)
END-of-pkg/DESCR
# Write the packing list. Headers, the libbind archives and the section 3, 5
# and 7 manual pages are listed under bind/, matching the DESTLIB/DESTINC
# settings in patches/patch-aa and the /bind manual directories introduced by
# patches/patch-ab; programs and their manual pages use the ordinary bin/,
# sbin/, libexec/ and share/ paths. The @dirrm lines name child directories
# before their parents.
# NOTE(review): the paths are presumably relative to ${PREFIX} -- confirm
# against the packaging tools.
echo x - pkg/PLIST
sed 's/^X//' >pkg/PLIST << 'END-of-pkg/PLIST'
Xbin/addr
Xbin/dig
Xbin/dnsquery
Xbin/mkservdb
Xbin/nslookup
Xbin/nsupdate
Xbind/include/arpa/inet.h
Xbind/include/arpa/nameser.h
Xbind/include/arpa/nameser_compat.h
Xbind/include/hesiod.h
Xbind/include/irp.h
Xbind/include/irs.h
Xbind/include/isc/assertions.h
Xbind/include/isc/dst.h
Xbind/include/isc/eventlib.h
Xbind/include/isc/heap.h
Xbind/include/isc/irpmarshall.h
Xbind/include/isc/list.h
Xbind/include/isc/logging.h
Xbind/include/isc/memcluster.h
Xbind/include/isc/misc.h
Xbind/include/isc/tree.h
Xbind/include/netdb.h
Xbind/include/res_update.h
Xbind/include/resolv.h
Xbind/include/sys/bitypes.h
Xbind/lib/libbind.a
Xbind/lib/libbind_r.a
Xbind/share/man/cat3/getaddrinfo.0
Xbind/share/man/cat3/gethostbyname.0
Xbind/share/man/cat3/getnetent.0
Xbind/share/man/cat3/hesiod.0
Xbind/share/man/cat3/inet_cidr.0
Xbind/share/man/cat3/resolver.0
Xbind/share/man/cat3/tsig.0
Xbind/share/man/cat5/irs.conf.0
Xbind/share/man/cat5/resolver.0
Xbind/share/man/cat7/hostname.0
Xbind/share/man/cat7/mailaddr.0
Xlibexec/dnskeygen
Xlibexec/named-xfer
Xsbin/irpd
Xsbin/named
Xsbin/named-bootconf
Xsbin/ndc
Xshare/doc/bind8/acl.html
Xshare/doc/bind8/address_list.html
Xshare/doc/bind8/comments.html
Xshare/doc/bind8/config.html
Xshare/doc/bind8/controls.html
Xshare/doc/bind8/docdef.html
Xshare/doc/bind8/example.html
Xshare/doc/bind8/include.html
Xshare/doc/bind8/index.html
Xshare/doc/bind8/key.html
Xshare/doc/bind8/logging.html
Xshare/doc/bind8/master.html
Xshare/doc/bind8/options.html
Xshare/doc/bind8/server.html
Xshare/doc/bind8/trusted-keys.html
Xshare/doc/bind8/zone.html
Xshare/man/cat1/dig.0
Xshare/man/cat1/dnsquery.0
Xshare/man/cat1/dnskeygen.0
Xshare/man/cat5/named.conf.0
Xshare/man/cat8/named.0
Xshare/man/cat8/named-bootconf.0
Xshare/man/cat8/named-xfer.0
Xshare/man/cat8/ndc.0
Xshare/man/cat8/nslookup.0
Xshare/man/cat8/nsupdate.0
Xshare/misc/nslookup.help
X@dirrm bind/include/arpa
X@dirrm bind/include/isc
X@dirrm bind/include/sys
X@dirrm bind/include
X@dirrm bind/lib
X@dirrm bind/share/man/cat3
X@dirrm bind/share/man/cat5
X@dirrm bind/share/man/cat7
X@dirrm bind/share/man
X@dirrm bind/share
X@dirrm bind
X@dirrm share/doc/bind8
END-of-pkg/PLIST
# End of the archive: the shell stops here, so the mail text that follows
# the archive is not read as shell input.
exit
>Audit-Trail:
>Unformatted: