author | Sam James <sam@gentoo.org> | 2022-06-03 08:32:50 +0100 |
---|---|---|
committer | Sam James <sam@gentoo.org> | 2022-06-03 08:33:00 +0100 |
commit | 5a92bef099e1ceccd8750bde2c16d985bdf3fafa (patch) | |
tree | b79523f743963849c751c3e0c06c2c2705c4a113 /net-dns/bind-tools | |
parent | media-gfx/openscad: Stabilize 2021.01-r3 x86, #849455 (diff) | |
net-dns/bind-tools: backport FORTIFY_SOURCE=3 named-checkconf crash fix
Closes: https://bugs.gentoo.org/847295
Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'net-dns/bind-tools')
-rw-r--r-- | net-dns/bind-tools/bind-tools-9.16.29-r1.ebuild | 156 | ||||
-rw-r--r-- | net-dns/bind-tools/files/bind-tools-9.16.29-fortify-source-3.patch | 35 |
2 files changed, 191 insertions, 0 deletions
diff --git a/net-dns/bind-tools/bind-tools-9.16.29-r1.ebuild b/net-dns/bind-tools/bind-tools-9.16.29-r1.ebuild
new file mode 100644
index 000000000000..6ab46c310694
--- /dev/null
+++ b/net-dns/bind-tools/bind-tools-9.16.29-r1.ebuild
@@ -0,0 +1,156 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit autotools flag-o-matic toolchain-funcs
+
+MY_PN=${PN//-tools}
+MY_PV=${PV/_p/-P}
+MY_PV=${MY_PV/_rc/rc}
+MY_P="${MY_PN}-${MY_PV}"
+
+DESCRIPTION="bind tools: dig, nslookup, host, nsupdate, dnssec-keygen"
+HOMEPAGE="https://www.isc.org/software/bind"
+SRC_URI="https://downloads.isc.org/isc/bind9/${PV}/${MY_P}.tar.xz"
+
+LICENSE="Apache-2.0 BSD BSD-2 GPL-2 HPND ISC MPL-2.0"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="+caps doc gssapi idn ipv6 libedit readline xml"
+# no PKCS11 currently as it requires OpenSSL to be patched, also see bug 409687
+
+COMMON_DEPEND="
+ dev-libs/libuv:=
+ caps? ( sys-libs/libcap )
+ dev-libs/openssl:=
+ xml? ( dev-libs/libxml2 )
+ idn? ( net-dns/libidn2:= )
+ gssapi? ( virtual/krb5 )
+ libedit? ( dev-libs/libedit )
+ !libedit? (
+ readline? ( sys-libs/readline:= )
+ )
+"
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+
+# sphinx required for man-page and html creation
+BDEPEND="
+ doc? ( dev-python/sphinx )
+ virtual/pkgconfig
+"
+
+S="${WORKDIR}/${MY_P}"
+
+# bug 479092, requires networking
+RESTRICT="test"
+
+PATCHES=(
+ "${FILESDIR}"/${P}-fortify-source-3.patch
+)
+
+src_prepare() {
+ default
+
+ export LDFLAGS="${LDFLAGS} -L${EPREFIX}/usr/$(get_libdir)"
+
+ # Disable tests for now, bug 406399
+ sed -i '/^SUBDIRS/s:tests::' bin/Makefile.in lib/Makefile.in || die
+
+ # Do not disable thread local storage on Solaris, it works with our
+ # toolchain, and it breaks further configure checks
+ sed -i -e '/LDFLAGS=/s/-zrelax=transtls//' configure.ac configure || die
+
+ # bug #220361
+ rm aclocal.m4 || die
+ rm -rf libtool.m4/ || die
+
+ eautoreconf
+}
+
+src_configure() {
+ local myeconfargs=(
+ --localstatedir="${EPREFIX}"/var
+ --without-python
+ --without-libjson
+ --without-zlib
+ --without-lmdb
+ --without-maxminddb
+ --disable-geoip
+ --with-openssl="${ESYSROOT}"/usr
+ $(use_with idn libidn2 "${ESYSROOT}"/usr)
+ $(use_with xml libxml2)
+ $(use_with gssapi)
+ $(use_with readline)
+ $(use_enable caps linux-caps)
+ AR="$(type -P $(tc-getAR))"
+ )
+
+ # bug 607400
+ if use libedit ; then
+ myeconfargs+=( --with-readline=-ledit )
+ elif use readline ; then
+ myeconfargs+=( --with-readline=-lreadline )
+ else
+ myeconfargs+=( --without-readline )
+ fi
+
+ # bug 344029
+ append-cflags "-DDIG_SIGCHASE"
+
+ # to expose CMSG_* macros from sys/sockets.h
+ [[ ${CHOST} == *-solaris* ]] && append-cflags "-D_XOPEN_SOURCE=600"
+
+ # localstatedir for nsupdate -l, bug 395785
+ tc-export BUILD_CC
+ econf "${myeconfargs[@]}"
+
+ # bug #151839
+ echo '#undef SO_BSDCOMPAT' >> config.h
+}
+
+src_compile() {
+ local AR=$(tc-getAR)
+
+ emake AR="${AR}" -C lib/
+ emake AR="${AR}" -C bin/delv/
+ emake AR="${AR}" -C bin/dig/
+ emake AR="${AR}" -C bin/nsupdate/
+ emake AR="${AR}" -C bin/dnssec/
+ emake -C doc/man/ man $(usev doc)
+}
+
+src_install() {
+ local man_dir="${S}/doc/man"
+ local html_dir="${man_dir}/_build/html"
+
+ dodoc README CHANGES
+
+ cd "${S}"/bin/delv || die
+ dobin delv
+ doman ${man_dir}/delv.1
+
+ cd "${S}"/bin/dig || die
+ dobin dig host nslookup
+ doman ${man_dir}/{dig,host,nslookup}.1
+
+ cd "${S}"/bin/nsupdate || die
+ dobin nsupdate
+ doman ${man_dir}/nsupdate.1
+ if use doc; then
+ docinto html
+ dodoc ${html_dir}/nsupdate.html
+ fi
+
+ cd "${S}"/bin/dnssec || die
+ for tool in dsfromkey importkey keyfromlabel keygen \
+ revoke settime signzone verify; do
+ dobin dnssec-"${tool}"
+ doman ${man_dir}/dnssec-"${tool}".8
+ if use doc; then
+ docinto html
+ dodoc ${html_dir}/dnssec-"${tool}".html
+ fi
+ done
+}
diff --git a/net-dns/bind-tools/files/bind-tools-9.16.29-fortify-source-3.patch b/net-dns/bind-tools/files/bind-tools-9.16.29-fortify-source-3.patch
new file mode 100644
index 000000000000..d084d6e62ce8
--- /dev/null
+++ b/net-dns/bind-tools/files/bind-tools-9.16.29-fortify-source-3.patch
@@ -0,0 +1,35 @@
+https://gitlab.isc.org/isc-projects/bind9/-/commit/b6670787d25743ddf39dfe8e615828efc928f50d
+https://gitlab.isc.org/isc-projects/bind9/-/issues/3351
+https://bugs.gentoo.org/847295
+
+From: Evan Hunt <each@isc.org>
+Date: Fri, 13 May 2022 19:59:58 -0700
+Subject: [PATCH] prevent a possible buffer overflow in configuration check
+
+corrected code that could have allowed a buffer overfow while
+parsing named.conf.
+
+(cherry picked from commit 921043b54161c7a3e6dc4036b038ca4dbc5fe472)
+--- a/lib/bind9/check.c
++++ b/lib/bind9/check.c
+@@ -2500,8 +2500,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
+ } else if (dns_name_isula(zname)) {
+ ula = true;
+ }
+- tmp += strlen(tmp);
+ len -= strlen(tmp);
++ tmp += strlen(tmp);
+ (void)snprintf(tmp, len, "%u/%s", zclass,
+ (ztype == CFG_ZONE_INVIEW) ? target
+ : (viewname != NULL) ? viewname
+@@ -3247,8 +3247,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
+ char *tmp = keydirbuf;
+ size_t len = sizeof(keydirbuf);
+ dns_name_format(zname, keydirbuf, sizeof(keydirbuf));
+- tmp += strlen(tmp);
+ len -= strlen(tmp);
++ tmp += strlen(tmp);
+ (void)snprintf(tmp, len, "/%s", (dir == NULL) ? "(null)" : dir);
+ tresult = keydirexist(zconfig, (const char *)keydirbuf,
+ kaspname, keydirs, logctx, mctx);
+GitLab |
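Review bot: Both corrected sites in check_zoneconf (the inner hunks at -2500 and -3247) still call `strlen(tmp)` twice and are correct only because of statement order, which is the property that broke the old code: with `tmp` advanced first, `strlen(tmp)` measured the terminator, `len` was never reduced, and snprintf was handed the full buffer size for a shorter remainder. Measuring once, `size_t used = strlen(tmp); len -= used; tmp += used;`, removes that ordering dependency. The `(void)snprintf(...)` calls also discard the return value, so a truncated string would reach keydirexist() in the second hunk unnoticed; comparing the result with `len` would make truncation visible. As this file is a backport, both points are probably best raised upstream, and check_zoneconf itself starts and ends outside the hunks.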