This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  1cbc5ca0a4e0827ae5073ddf19c515e4492baa16 (commit)
       via  eb7e5ec69ffcf35b1748b8fa2e5ed6fd07763014 (commit)
       via  30ca037fb35df6e60681201efe04e2cf17ffd305 (commit)
       via  ffe32bf7ae117d9ce3c19f93db72058c9ba56c77 (commit)
       via  6ac0a1a38f8272038250445d7e05aca1870ad23d (commit)
      from  f68ae02d39eb10fa949f07b1c4cfc68b224a1ee0 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 1cbc5ca0a4e0827ae5073ddf19c515e4492baa16
Merge: eb7e5ec f68ae02
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Tue Apr 28 11:14:45 2015 +0200

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

commit eb7e5ec69ffcf35b1748b8fa2e5ed6fd07763014
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Tue Apr 28 11:13:03 2015 +0200

    tzdata: Update to version 2015d

commit 30ca037fb35df6e60681201efe04e2cf17ffd305
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Apr 27 21:17:17 2015 +0200

    glibc: Fix CVE-2013-7423 and CVE-2015-1781

    CVE-2013-7423: Fix invalid file descriptor reuse while sending DNS query
    CVE-2015-1781: Fix buffer overflow in gethostbyname_r with misaligned buffer

commit ffe32bf7ae117d9ce3c19f93db72058c9ba56c77
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Apr 27 20:58:45 2015 +0200

    strongswan: Increase stroke buffer size to 8k

commit 6ac0a1a38f8272038250445d7e05aca1870ad23d
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Apr 27 18:10:34 2015 +0200

    dnsmasq: Import latest fixes from upstream

-----------------------------------------------------------------------
Summary of changes:
 .../87 => core/90}/filelists/armv5tel/glibc        |   0
 .../{oldcore/87 => core/90}/filelists/i586/glibc   |   0
 .../{oldcore/87 => core/90}/filelists/tzdata       |   0
 lfs/dnsmasq                                        |   6 +
 lfs/glibc                                          |   2 +
 lfs/strongswan                                     |   1 +
 lfs/tzdata                                         |   6 +-
 ...ddress-command-line-arg-in-dhcp_release.c.patch |  28 +++
 ...38dd574c51d96fef100285a0d225824534f9-and-.patch |  53 +++++
 ...-domain-names-with-.-or-000-within-labels.patch | 215 +++++++++++++++++++++
 ...eaks-to-previous-DNS-label-charset-commit.patch | 136 +++++++++++++
 ...s-in-DHCPv6-not-suppressed-by-dhcp6-quiet.patch |  46 +++++
 ...version-work-when-repo-is-a-git-submodule.patch |  28 +++
 src/patches/glibc/glibc-rh1207995.patch            |  27 +++
 src/patches/glibc/glibc-rh1209375.patch            |  18 ++
 ...-stroke-Increase-stroke-buffer-size-to-8k.patch |  34 ++++
 16 files changed, 597 insertions(+), 3 deletions(-)
 copy config/rootfiles/{oldcore/87 => core/90}/filelists/armv5tel/glibc (100%)
 copy config/rootfiles/{oldcore/87 => core/90}/filelists/i586/glibc (100%)
 copy config/rootfiles/{oldcore/87 => core/90}/filelists/tzdata (100%)
 create mode 100644 src/patches/dnsmasq/0079-Check-IP-address-command-line-arg-in-dhcp_release.c.patch
 create mode 100644 src/patches/dnsmasq/0080-Revert-61b838dd574c51d96fef100285a0d225824534f9-and-.patch
 create mode 100644 src/patches/dnsmasq/0081-Handle-domain-names-with-.-or-000-within-labels.patch
 create mode 100644 src/patches/dnsmasq/0082-Tweaks-to-previous-DNS-label-charset-commit.patch
 create mode 100644 src/patches/dnsmasq/0083-Logs-in-DHCPv6-not-suppressed-by-dhcp6-quiet.patch
 create mode 100644 src/patches/dnsmasq/0084-Make-get-version-work-when-repo-is-a-git-submodule.patch
 create mode 100644 src/patches/glibc/glibc-rh1207995.patch
 create mode 100644 src/patches/glibc/glibc-rh1209375.patch
 create mode 100644 src/patches/strongswan-5.3.0-stroke-Increase-stroke-buffer-size-to-8k.patch

Difference in files: diff --git a/config/rootfiles/core/90/filelists/armv5tel/glibc b/config/rootfiles/core/90/filelists/armv5tel/glibc new file mode 120000 index 0000000..4c70d72 --- /dev/null +++ b/config/rootfiles/core/90/filelists/armv5tel/glibc @@ -0,0 +1 @@ +../../../../common/armv5tel/glibc \ No newline at end of file diff --git a/config/rootfiles/core/90/filelists/i586/glibc b/config/rootfiles/core/90/filelists/i586/glibc new file mode 120000 index 0000000..943021f --- /dev/null +++ b/config/rootfiles/core/90/filelists/i586/glibc @@ -0,0 +1 @@ +../../../../common/i586/glibc \ No newline at end of file diff --git a/config/rootfiles/core/90/filelists/tzdata b/config/rootfiles/core/90/filelists/tzdata new file mode 120000 index 0000000..5a6e325 --- /dev/null +++ b/config/rootfiles/core/90/filelists/tzdata @@ -0,0 +1 @@ +../../../common/tzdata \ No newline at end of file diff --git a/lfs/dnsmasq b/lfs/dnsmasq index 665f424..c4b2463 100644 --- a/lfs/dnsmasq +++ b/lfs/dnsmasq 
@@ -151,6 +151,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0076-Fix-srk-induced-crash-in-new-tftp_no_fail-code.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0077-Note-CVE-2015-3294.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0078-Log-domain-when-reporting-DNSSEC-validation-failure.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0079-Check-IP-address-command-line-arg-in-dhcp_release.c.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0080-Revert-61b838dd574c51d96fef100285a0d225824534f9-and-.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0081-Handle-domain-names-with-.-or-000-within-labels.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0082-Tweaks-to-previous-DNS-label-charset-commit.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0083-Logs-in-DHCPv6-not-suppressed-by-dhcp6-quiet.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0084-Make-get-version-work-when-repo-is-a-git-submodule.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch cd $(DIR_APP) && sed -i src/config.h \ -e 's|/* #define HAVE_IDN */|#define HAVE_IDN|g' \ diff --git a/lfs/glibc b/lfs/glibc index 11d374e..4ec71a7 100644 --- a/lfs/glibc +++ b/lfs/glibc @@ -283,6 +283,8 @@ endif cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh1154563.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh1170121.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh1183533.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh1207995.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh1209375.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc-resolv-stack_chk_fail.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc-remove-ctors-dtors-output-sections.patch diff --git a/lfs/strongswan b/lfs/strongswan index 1de4320..f227bba 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -78,6 +78,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.3.0-stroke-Increase-stroke-buffer-size-to-8k.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch
cd $(DIR_APP) && [ -x "configure" ] || ./autogen.sh diff --git a/lfs/tzdata b/lfs/tzdata index 11dc03f..dfb54e6 100644 --- a/lfs/tzdata +++ b/lfs/tzdata @@ -24,7 +24,7 @@
include Config
-VER = 2015a +VER = 2015d TZDATA_VER = $(VER) TZCODE_VER = $(VER)
@@ -45,8 +45,8 @@ objects = tzdata$(TZDATA_VER).tar.gz tzcode$(TZCODE_VER).tar.gz tzdata$(TZDATA_VER).tar.gz = $(DL_FROM)/tzdata$(TZDATA_VER).tar.gz tzcode$(TZCODE_VER).tar.gz = $(DL_FROM)/tzcode$(TZCODE_VER).tar.gz
-tzdata$(TZDATA_VER).tar.gz_MD5 = 4ed11c894a74a5ea64201b1c6dbb8831 -tzcode$(TZCODE_VER).tar.gz_MD5 = 8f375ede46ae137fbac047ac431bda37 +tzdata$(TZDATA_VER).tar.gz_MD5 = b595bdc4474b8fc1a15cffc67c66025b +tzcode$(TZCODE_VER).tar.gz_MD5 = 4008a3abc025a398697b2587c48258b9
install : $(TARGET)
diff --git a/src/patches/dnsmasq/0079-Check-IP-address-command-line-arg-in-dhcp_release.c.patch b/src/patches/dnsmasq/0079-Check-IP-address-command-line-arg-in-dhcp_release.c.patch new file mode 100644 index 0000000..7209bcf --- /dev/null +++ b/src/patches/dnsmasq/0079-Check-IP-address-command-line-arg-in-dhcp_release.c.patch @@ -0,0 +1,28 @@ +From a006eb7e1486023480ea40244720ef7aab51de71 Mon Sep 17 00:00:00 2001 +From: Moshe Levi moshele@mellanox.com +Date: Sun, 19 Apr 2015 22:10:40 +0100 +Subject: [PATCH 79/84] Check IP address command line arg in dhcp_release.c + +--- + contrib/wrt/dhcp_release.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/contrib/wrt/dhcp_release.c b/contrib/wrt/dhcp_release.c +index 53f47dda3aec..a51f04b30cab 100644 +--- a/contrib/wrt/dhcp_release.c ++++ b/contrib/wrt/dhcp_release.c +@@ -277,6 +277,11 @@ int main(int argc, char **argv) + exit(1); + } + ++ if (inet_addr(argv[2]) == INADDR_NONE) ++ { ++ perror("invalid ip address"); ++ exit(1); ++ } + + lease.s_addr = inet_addr(argv[2]); + server = find_interface(lease, nl, if_nametoindex(argv[1])); +-- +2.1.0 + diff --git a/src/patches/dnsmasq/0080-Revert-61b838dd574c51d96fef100285a0d225824534f9-and-.patch b/src/patches/dnsmasq/0080-Revert-61b838dd574c51d96fef100285a0d225824534f9-and-.patch new file mode 100644 index 0000000..8a6afc6 --- /dev/null +++ b/src/patches/dnsmasq/0080-Revert-61b838dd574c51d96fef100285a0d225824534f9-and-.patch 
@@ -0,0 +1,53 @@ +From 338b340be9e7198f5c0f68133d070d6598a0814c Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Mon, 20 Apr 2015 21:34:05 +0100 +Subject: [PATCH 80/84] Revert 61b838dd574c51d96fef100285a0d225824534f9 and + just quieten log instead. + +--- + src/rfc3315.c | 24 ++++++++++-------------- + 1 file changed, 10 insertions(+), 14 deletions(-) + +diff --git a/src/rfc3315.c b/src/rfc3315.c +index c1ddc805988d..c45116a40a09 100644 +--- a/src/rfc3315.c ++++ b/src/rfc3315.c +@@ -824,25 +824,21 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + } + else + { +- /* Windows 8 always requests an address even if the Managed bit +- in RA is 0 and it keeps retrying if it receives a reply +- stating that no addresses are available. We solve this +- by not replying at all if we're not configured to give any +- addresses by DHCPv6. RFC 3315 17.2.1. appears to allow this. */ +- +- for (c = state->context; c; c = c->current) +- if (!(c->flags & CONTEXT_RA_STATELESS)) +- break; +- +- if (!c) +- return 0; +- + /* no address, return error */ + o1 = new_opt6(OPTION6_STATUS_CODE); + put_opt6_short(DHCP6NOADDRS); + put_opt6_string(_("no addresses available")); + end_opt6(o1); +- log6_packet(state, state->lease_allocate ? "DHCPREPLY" : "DHCPADVERTISE", NULL, _("no addresses available")); ++ ++ /* Some clients will ask repeatedly when we're not giving ++ out addresses because we're in stateless mode. Avoid spamming ++ the log in that case. */ ++ for (c = state->context; c; c = c->current) ++ if (!(c->flags & CONTEXT_RA_STATELESS)) ++ { ++ log6_packet(state, state->lease_allocate ? "DHCPREPLY" : "DHCPADVERTISE", NULL, _("no addresses available")); ++ break; ++ } + } + + break; +-- +2.1.0 + diff --git a/src/patches/dnsmasq/0081-Handle-domain-names-with-.-or-000-within-labels.patch b/src/patches/dnsmasq/0081-Handle-domain-names-with-.-or-000-within-labels.patch new file mode 100644 index 0000000..56c6196 --- /dev/null 
+++ b/src/patches/dnsmasq/0081-Handle-domain-names-with-.-or-000-within-labels.patch 
@@ -0,0 +1,215 @@ +From cbe379ad6b52a538a4416a7cd992817e5637ccf9 Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Tue, 21 Apr 2015 22:57:06 +0100 +Subject: [PATCH 81/84] Handle domain names with '.' or /000 within labels. + +Only in DNSSEC mode, where we might need to validate or store +such names. In none-DNSSEC mode, simply don't cache these, as before. +--- + src/dns-protocol.h | 4 ++++ + src/dnsmasq.c | 15 +++++++++++++-- + src/dnssec.c | 40 +++++++++++++++++++++++++++++++--------- + src/rfc1035.c | 16 +++++++++++++++- + src/util.c | 9 ++++++++- + 5 files changed, 71 insertions(+), 13 deletions(-) + +diff --git a/src/dns-protocol.h b/src/dns-protocol.h +index 16fade33d98c..7f5d686bb150 100644 +--- a/src/dns-protocol.h ++++ b/src/dns-protocol.h +@@ -142,3 +142,7 @@ struct dns_header { + + #define ADD_RDLEN(header, pp, plen, len) \ + (!CHECK_LEN(header, pp, plen, len) ? 0 : (((pp) += (len)), 1)) ++ ++/* Escape character in our presentation format for names. ++ Cannot be '.' or /000 and must be !isprint() */ ++#define NAME_ESCAPE 1 +diff --git a/src/dnsmasq.c b/src/dnsmasq.c +index 20b15c05103a..19a6428b09e8 100644 +--- a/src/dnsmasq.c ++++ b/src/dnsmasq.c +@@ -102,8 +102,19 @@ int main (int argc, char **argv) + #ifdef HAVE_DNSSEC + if (option_bool(OPT_DNSSEC_VALID)) + { +- daemon->keyname = safe_malloc(MAXDNAME); +- daemon->workspacename = safe_malloc(MAXDNAME); ++ /* Note that both /000 and '.' are allowed within labels. These get ++ represented in presentation format using NAME_ESCAPE as an escape ++ character when in DNSSEC mode. ++ In theory, if all the characters in a name were /000 or ++ '.' or NAME_ESCAPE then all would have to be escaped, so the ++ presentation format would be twice as long as the spec. ++ ++ daemon->namebuff was previously allocated by the option-reading ++ code before we knew if we're in DNSSEC mode, so reallocate here. 
*/ ++ free(daemon->namebuff); ++ daemon->namebuff = safe_malloc(MAXDNAME * 2); ++ daemon->keyname = safe_malloc(MAXDNAME * 2); ++ daemon->workspacename = safe_malloc(MAXDNAME * 2); + } + #endif + +diff --git a/src/dnssec.c b/src/dnssec.c +index 05e0983cb251..c116a7b5f6f4 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -321,10 +321,18 @@ static int verify(struct blockdata *key_data, unsigned int key_len, unsigned cha + thus generating names in canonical form. + Calling to_wire followed by from_wire is almost an identity, + except that the UC remains mapped to LC. ++ ++ Note that both /000 and '.' are allowed within labels. These get ++ represented in presentation format using NAME_ESCAPE as an escape ++ character. In theory, if all the characters in a name were /000 or ++ '.' or NAME_ESCAPE then all would have to be escaped, so the ++ presentation format would be twice as long as the spec (1024). ++ The buffers are all delcared as 2049 (allowing for the trailing zero) ++ for this reason. + */ + static int to_wire(char *name) + { +- unsigned char *l, *p, term; ++ unsigned char *l, *p, *q, term; + int len; + + for (l = (unsigned char*)name; *l != 0; l = p) +@@ -332,7 +340,10 @@ static int to_wire(char *name) + for (p = l; *p != '.' && *p != 0; p++) + if (*p >= 'A' && *p <= 'Z') + *p = *p - 'A' + 'a'; +- ++ else if (*p == NAME_ESCAPE) ++ for (q = p; *q; q++) ++ *q = *(q+1); ++ + term = *p; + + if ((len = p - l) != 0) +@@ -351,13 +362,23 @@ static int to_wire(char *name) + /* Note: no compression allowed in input. */ + static void from_wire(char *name) + { +- unsigned char *l; ++ unsigned char *l, *p, *last; + int len; +- ++ ++ for (last = (unsigned char *)name; *last != 0; last += *last+1); ++ + for (l = (unsigned char *)name; *l != 0; l += len+1) + { + len = *l; + memmove(l, l+1, len); ++ for (p = l; p < l + len; p++) ++ if (*p == '.' 
|| *p == 0 || *p == NAME_ESCAPE) ++ { ++ memmove(p+1, p, 1 + last - p); ++ len++; ++ *p++ = NAME_ESCAPE; ++ } ++ + l[len] = '.'; + } + +@@ -645,7 +666,7 @@ static void sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int + if (left1 != 0) + memmove(buff1, buff1 + len1 - left1, left1); + +- if ((len1 = get_rdata(header, plen, end1, buff1 + left1, MAXDNAME - left1, &p1, &dp1)) == 0) ++ if ((len1 = get_rdata(header, plen, end1, buff1 + left1, (MAXDNAME * 2) - left1, &p1, &dp1)) == 0) + { + quit = 1; + len1 = end1 - p1; +@@ -656,7 +677,7 @@ static void sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int + if (left2 != 0) + memmove(buff2, buff2 + len2 - left2, left2); + +- if ((len2 = get_rdata(header, plen, end2, buff2 + left2, MAXDNAME - left2, &p2, &dp2)) == 0) ++ if ((len2 = get_rdata(header, plen, end2, buff2 + left2, (MAXDNAME *2) - left2, &p2, &dp2)) == 0) + { + quit = 1; + len2 = end2 - p2; +@@ -902,10 +923,11 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in + + end = p + rdlen; + +- /* canonicalise rdata and calculate length of same, use name buffer as workspace */ ++ /* canonicalise rdata and calculate length of same, use name buffer as workspace. ++ Note that name buffer is twice MAXDNAME long in DNSSEC mode. */ + cp = p; + dp = rr_desc; +- for (len = 0; (seg = get_rdata(header, plen, end, name, MAXDNAME, &cp, &dp)) != 0; len += seg); ++ for (len = 0; (seg = get_rdata(header, plen, end, name, MAXDNAME * 2, &cp, &dp)) != 0; len += seg); + len += end - cp; + len = htons(len); + hash->update(ctx, 2, (unsigned char *)&len); +@@ -913,7 +935,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in + /* Now canonicalise again and digest. 
*/ + cp = p; + dp = rr_desc; +- while ((seg = get_rdata(header, plen, end, name, MAXDNAME, &cp, &dp))) ++ while ((seg = get_rdata(header, plen, end, name, MAXDNAME * 2, &cp, &dp))) + hash->update(ctx, seg, (unsigned char *)name); + if (cp != end) + hash->update(ctx, end - cp, cp); +diff --git a/src/rfc1035.c b/src/rfc1035.c +index a995ab50d74a..19fecc818c06 100644 +--- a/src/rfc1035.c ++++ b/src/rfc1035.c +@@ -128,6 +128,15 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp, + if (isExtract) + { + unsigned char c = *p; ++#ifdef HAVE_DNSSEC ++ if (option_bool(OPT_DNSSEC_VALID)) ++ { ++ if (c == 0 || c == '.' || c == NAME_ESCAPE) ++ *cp++ = NAME_ESCAPE; ++ *cp++ = c; ++ } ++ else ++#endif + if (c != 0 && c != '.') + *cp++ = c; + else +@@ -144,9 +153,14 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp, + cp++; + if (c1 >= 'A' && c1 <= 'Z') + c1 += 'a' - 'A'; ++#ifdef HAVE_DNSSEC ++ if (option_bool(OPT_DNSSEC_VALID) && c1 == NAME_ESCAPE) ++ c1 = *cp++; ++#endif ++ + if (c2 >= 'A' && c2 <= 'Z') + c2 += 'a' - 'A'; +- ++ + if (c1 != c2) + retvalue = 2; + } +diff --git a/src/util.c b/src/util.c +index 648bc4d4b428..0c1a48b4700a 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -226,7 +226,14 @@ unsigned char *do_rfc1035_name(unsigned char *p, char *sval) + { + unsigned char *cp = p++; + for (j = 0; *sval && (*sval != '.'); sval++, j++) +- *p++ = *sval; ++ { ++#ifdef HAVE_DNSSEC ++ if (option_bool(OPT_DNSSEC_VALID) && *sval == NAME_ESCAPE) ++ *p++ = *(++sval); ++ else ++#endif ++ *p++ = *sval; ++ } + *cp = j; + if (*sval) + sval++; +-- +2.1.0 + diff --git a/src/patches/dnsmasq/0082-Tweaks-to-previous-DNS-label-charset-commit.patch b/src/patches/dnsmasq/0082-Tweaks-to-previous-DNS-label-charset-commit.patch new file mode 100644 index 0000000..5f6fc4a --- /dev/null +++ b/src/patches/dnsmasq/0082-Tweaks-to-previous-DNS-label-charset-commit.patch 
@@ -0,0 +1,136 @@ +From b8f16556d36924cd8dc7663cb4129d7b1f3fc2be Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Wed, 22 Apr 2015 21:14:31 +0100 +Subject: [PATCH 82/84] Tweaks to previous, DNS label charset commit. + +--- + src/dns-protocol.h | 6 +++++- + src/dnssec.c | 9 ++++++--- + src/rfc1035.c | 25 ++++++++++++++++++------- + src/util.c | 2 +- + 4 files changed, 30 insertions(+), 12 deletions(-) + +diff --git a/src/dns-protocol.h b/src/dns-protocol.h +index 7f5d686bb150..4b71746f8d26 100644 +--- a/src/dns-protocol.h ++++ b/src/dns-protocol.h +@@ -144,5 +144,9 @@ struct dns_header { + (!CHECK_LEN(header, pp, plen, len) ? 0 : (((pp) += (len)), 1)) + + /* Escape character in our presentation format for names. +- Cannot be '.' or /000 and must be !isprint() */ ++ Cannot be '.' or /000 and must be !isprint(). ++ Note that escaped chars are stored as ++ <NAME_ESCAPE> <orig-char+1> ++ to ensure that the escaped form of /000 doesn't include /000 ++*/ + #define NAME_ESCAPE 1 +diff --git a/src/dnssec.c b/src/dnssec.c +index c116a7b5f6f4..a9e12153ccf2 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -341,9 +341,11 @@ static int to_wire(char *name) + if (*p >= 'A' && *p <= 'Z') + *p = *p - 'A' + 'a'; + else if (*p == NAME_ESCAPE) +- for (q = p; *q; q++) ++ { ++ for (q = p; *q; q++) + *q = *(q+1); +- ++ (*p)--; ++ } + term = *p; + + if ((len = p - l) != 0) +@@ -376,7 +378,8 @@ static void from_wire(char *name) + { + memmove(p+1, p, 1 + last - p); + len++; +- *p++ = NAME_ESCAPE; ++ *p++ = NAME_ESCAPE; ++ (*p)++; + } + + l[len] = '.'; +diff --git a/src/rfc1035.c b/src/rfc1035.c +index 19fecc818c06..32df31ad603c 100644 +--- a/src/rfc1035.c ++++ b/src/rfc1035.c +@@ -20,7 +20,7 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp, + char *name, int isExtract, int extrabytes) + { + unsigned char *cp = (unsigned char *)name, *p = *pp, *p1 = NULL; +- unsigned int j, l, hops = 0; ++ unsigned int j, l, namelen = 0, hops = 0; + 
int retvalue = 1; + + if (isExtract) +@@ -94,9 +94,15 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp, + count = 256; + digs = ((count-1)>>2)+1; + +- /* output is [x<hex>/siz]. which is digs+9 chars */ +- if (cp - (unsigned char *)name + digs + 9 >= MAXDNAME) ++ /* output is [x<hex>/siz]. which is digs+6/7/8 chars */ ++ namelen += digs+6; ++ if (count > 9) ++ namelen++; ++ if (count > 99) ++ namelen++; ++ if (namelen+1 >= MAXDNAME) + return 0; ++ + if (!CHECK_LEN(header, p, plen, (count-1)>>3)) + return 0; + +@@ -119,7 +125,8 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp, + } + else + { /* label_type = 0 -> label. */ +- if (cp - (unsigned char *)name + l + 1 >= MAXDNAME) ++ namelen += l; ++ if (namelen+1 >= MAXDNAME) + return 0; + if (!CHECK_LEN(header, p, plen, l)) + return 0; +@@ -132,8 +139,12 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp, + if (option_bool(OPT_DNSSEC_VALID)) + { + if (c == 0 || c == '.' || c == NAME_ESCAPE) +- *cp++ = NAME_ESCAPE; +- *cp++ = c; ++ { ++ *cp++ = NAME_ESCAPE; ++ *cp++ = c+1; ++ } ++ else ++ *cp++ = c; + } + else + #endif +@@ -155,7 +166,7 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp, + c1 += 'a' - 'A'; + #ifdef HAVE_DNSSEC + if (option_bool(OPT_DNSSEC_VALID) && c1 == NAME_ESCAPE) +- c1 = *cp++; ++ c1 = (*cp++)-1; + #endif + + if (c2 >= 'A' && c2 <= 'Z') +diff --git a/src/util.c b/src/util.c +index 0c1a48b4700a..9299703c6d30 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -229,7 +229,7 @@ unsigned char *do_rfc1035_name(unsigned char *p, char *sval) + { + #ifdef HAVE_DNSSEC + if (option_bool(OPT_DNSSEC_VALID) && *sval == NAME_ESCAPE) +- *p++ = *(++sval); ++ *p++ = (*(++sval))-1; + else + #endif + *p++ = *sval; +-- +2.1.0 + 
diff --git a/src/patches/dnsmasq/0083-Logs-in-DHCPv6-not-suppressed-by-dhcp6-quiet.patch b/src/patches/dnsmasq/0083-Logs-in-DHCPv6-not-suppressed-by-dhcp6-quiet.patch new file mode 100644 index 0000000..b39848f --- /dev/null +++ b/src/patches/dnsmasq/0083-Logs-in-DHCPv6-not-suppressed-by-dhcp6-quiet.patch @@ -0,0 +1,46 @@ +From a5ae1f85873829efe473075ad77806cc02792622 Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Sat, 25 Apr 2015 21:46:10 +0100 +Subject: [PATCH 83/84] Logs in DHCPv6 not suppressed by dhcp6-quiet. + +--- + CHANGELOG | 6 +++++- + src/rfc3315.c | 4 ++-- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 7f2b1e002e9e..af2b22cf8f73 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -103,7 +103,11 @@ version 2.73 + Previously we provided correct answers to PTR queries + in such zones (including NS and SOA) but not direct + NS and SOA queries. Thanks to Johnny S. Lee for +- pointing out the problem. ++ pointing out the problem. ++ ++ Fix logging of DHCPREPLY which should be suppressed ++ by quiet-dhcp6. Thanks to J. Pablo Abonia for ++ spotting the problem. + + + version 2.72 +diff --git a/src/rfc3315.c b/src/rfc3315.c +index c45116a40a09..b4f5dd2db61f 100644 +--- a/src/rfc3315.c ++++ b/src/rfc3315.c +@@ -1047,9 +1047,9 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + { + preferred_time = valid_time = 0; + message = _("address invalid"); +- } ++ } + +- if (message) ++ if (message && (message != state->hostname)) + log6_packet(state, "DHCPREPLY", req_addr, message); + else + log6_quiet(state, "DHCPREPLY", req_addr, message); +-- +2.1.0 + diff --git a/src/patches/dnsmasq/0084-Make-get-version-work-when-repo-is-a-git-submodule.patch b/src/patches/dnsmasq/0084-Make-get-version-work-when-repo-is-a-git-submodule.patch new file mode 100644 index 0000000..2bb8a43 --- /dev/null 
+++ b/src/patches/dnsmasq/0084-Make-get-version-work-when-repo-is-a-git-submodule.patch @@ -0,0 +1,28 @@ +From 8efd731cc4ed2baa42aa69d0a9d336392e9987cb Mon Sep 17 00:00:00 2001 +From: "Johnny S. Lee" _@jsl.io +Date: Sun, 26 Apr 2015 22:23:57 +0100 +Subject: [PATCH 84/84] Make get-version work when repo is a git submodule. + +--- + bld/get-version | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/bld/get-version b/bld/get-version +index 7ab75db729ac..5372869c0852 100755 +--- a/bld/get-version ++++ b/bld/get-version +@@ -11,8 +11,9 @@ + # If there is more than one v[0-9].* tag, sort them and use the + # first. This favours, eg v2.63 over 2.63rc6. + +-if which git >/dev/null 2>&1 && [ -d $1/.git ]; then +- cd $1; git describe | sed 's/^v//' ++if which git >/dev/null 2>&1 && \ ++ ([ -d $1/.git ] || grep '^gitdir:' $1/.git >/dev/null 2>&1); then ++ cd $1; git describe | sed 's/^v//' + elif grep '$Format:%d$' $1/VERSION >/dev/null 2>&1; then + # unsubstituted VERSION, but no git available. + echo UNKNOWN +-- +2.1.0 + diff --git a/src/patches/glibc/glibc-rh1207995.patch b/src/patches/glibc/glibc-rh1207995.patch new file mode 100644 index 0000000..1732de6 --- /dev/null +++ b/src/patches/glibc/glibc-rh1207995.patch @@ -0,0 +1,27 @@ +# +# Based on the following commit: +# +# commit f9d2d03254a58d92635a311a42253eeed5a40a47 +# Author: Andreas Schwab schwab@suse.de +# Date: Mon May 26 18:01:31 2014 +0200 +# +# Fix invalid file descriptor reuse while sending DNS query (BZ #15946) +# +# 2014-06-03 Andreas Schwab schwab@suse.de +# +# [BZ #15946] +# * resolv/res_send.c (send_dg): Reload file descriptor after +# calling reopen. +# +diff --git a/resolv/res_send.c b/resolv/res_send.c +index 3273d55..af42b8a 100644 +--- a/resolv/res_send.c ++++ b/resolv/res_send.c +@@ -1410,6 +1410,7 @@ send_dg(res_state statp, + retval = reopen (statp, terrno, ns); + if (retval <= 0) + return retval; ++ pfd[0].fd = EXT(statp).nssocks[ns]; + } + } + goto wait; 
diff --git a/src/patches/glibc/glibc-rh1209375.patch b/src/patches/glibc/glibc-rh1209375.patch new file mode 100644 index 0000000..74393f0 --- /dev/null +++ b/src/patches/glibc/glibc-rh1209375.patch @@ -0,0 +1,18 @@ +@@ -, +, @@ + resolv/nss_dns/dns-host.c:getanswer_r. +--- + resolv/nss_dns/dns-host.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) +--- a/resolv/nss_dns/dns-host.c ++++ a/resolv/nss_dns/dns-host.c +@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype, + int have_to_map = 0; + uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data); + buffer += pad; +- if (__builtin_expect (buflen < sizeof (struct host_data) + pad, 0)) ++ buflen = buflen > pad ? buflen - pad : 0; ++ if (__builtin_expect (buflen < sizeof (struct host_data), 0)) + { + /* The buffer is too small. */ + too_small: +-- diff --git a/src/patches/strongswan-5.3.0-stroke-Increase-stroke-buffer-size-to-8k.patch b/src/patches/strongswan-5.3.0-stroke-Increase-stroke-buffer-size-to-8k.patch new file mode 100644 index 0000000..2252e31 --- /dev/null +++ b/src/patches/strongswan-5.3.0-stroke-Increase-stroke-buffer-size-to-8k.patch 
@@ -0,0 +1,34 @@ +From 4b59d129fd1026bab37256af0df9ae7ace39e7ba Mon Sep 17 00:00:00 2001 +From: Michael Tremer michael.tremer@ipfire.org +Date: Mon, 27 Apr 2015 18:49:45 +0200 +Subject: [PATCH] stroke: Increase stroke buffer size to 8k + +Complicated connections can have lots of arguments +for the ike= and esp= directives in the ipsec.conf +configuration file. strongSwan wouldn't import those +because the size of the message that is send from +stroke to charon exceeded the limit of 4k. + +This patch increases the size of the buffer that +can be passed to charon to 8k which should be enough +even for connections with longer configurations. +--- + src/stroke/stroke_msg.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h +index c2b923f6db9a..c391efa00105 100644 +--- a/src/stroke/stroke_msg.h ++++ b/src/stroke/stroke_msg.h +@@ -32,7 +32,7 @@ + */ + #define STROKE_SOCKET IPSEC_PIDDIR "/charon.ctl" + +-#define STROKE_BUF_LEN 4096 ++#define STROKE_BUF_LEN 8192 + + typedef enum list_flag_t list_flag_t; + +-- +2.1.0 +
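Review bot: In the lfs/tzdata hunk the 2015d tarballs are pinned by MD5 only (tzdata$(TZDATA_VER).tar.gz_MD5 and tzcode$(TZCODE_VER).tar.gz_MD5). MD5 is not collision resistant, so these values catch a corrupted download but are a weak guarantee against a substituted archive. Suggest recording a SHA-256 for both files next to the MD5 values, or verifying the upstream release signature before the sums are updated.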
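Review bot: In 0079 (contrib/wrt/dhcp_release.c, main), the new check reports the error with perror("invalid ip address"), but inet_addr() does not set errno, so the text perror appends is unrelated to the failure. Suggest fprintf(stderr, ...) instead. Also, inet_addr() returns INADDR_NONE for the valid address 255.255.255.255 and is called a second time on the next line for lease.s_addr; parsing once with inet_aton() or inet_pton() and testing its return value removes both problems.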
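Review bot: 0080 (src/rfc3315.c, dhcp6_no_relay) gives no reason for the revert beyond the subject line. The removed comment records that some clients keep retrying when they receive the "no addresses available" status, and after this change that reply is sent again in stateless mode with only the log line suppressed. Suggest the patch description say why replying is preferred over staying silent, and put braces around the body of the new for loop, since it now holds a multi-line if block.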
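Review bot: 0081 is not safe to apply without 0082, and nothing in lfs/dnsmasq says so. In 0081 an escaped /000 is stored as NAME_ESCAPE followed by the raw zero byte, while to_wire() still walks the name with *p != 0 and shifts with for (q = p; *q; q++), so the escaped name ends at the embedded zero; 0082 changes the encoding to orig-char+1 for exactly this reason. Suggest a comment next to the two patch lines in lfs/dnsmasq, or squashing the pair. Minor: the new dnssec.c comment has "delcared" and hard-codes 1024 and 2049, where the code allocates MAXDNAME * 2; tie the comment to MAXDNAME.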
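Review bot: In the src/rfc1035.c hunks of 0082 (extract_name), the new length check counts less than the one it replaces. The removed test, cp - (unsigned char *)name + l + 1 >= MAXDNAME, measured the real write position in name, whereas namelen += l adds only the label bytes, so the '.' that separates labels in the presentation form is no longer counted and the bound can be passed with more bytes written than were checked. Outside DNSSEC mode the buffer is not doubled (0081 reallocates to MAXDNAME * 2 only under OPT_DNSSEC_VALID), so suggest namelen += l + 1 in the ordinary-label branch and the same accounting review for the digs+6 bit-string branch.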
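Review bot: In 0083 (src/rfc3315.c), the condition if (message && (message != state->hostname)) decides between log6_packet and log6_quiet by comparing pointers, which only works while message is assigned state->hostname itself rather than a copy. Suggest a short comment stating that the hostname case is the routine one to be quietened, or an explicit flag set where message is assigned. The hunk also introduces trailing whitespace after "pointing out the problem." in CHANGELOG and after the closing brace.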
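Review bot: In 0084 (bld/get-version), $1 is used unquoted in [ -d $1/.git ], in grep '^gitdir:' $1/.git and in cd $1, so a source path containing spaces or glob characters breaks the test and the cd. Suggest quoting each use as "$1". The parenthesised test also starts a subshell for no benefit; { ...; } grouping does the same job.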
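Review bot: The header of src/patches/glibc/glibc-rh1207995.patch names the upstream commit and BZ #15946 but not the CVE. The commit message ties "invalid file descriptor reuse while sending DNS query" to CVE-2013-7423; suggest adding that id to the header comment so the fix can be found by CVE when the patch set is audited.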
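Review bot: src/patches/glibc/glibc-rh1209375.patch has no usable provenance. Its header is reduced to "@@ -, +, @@" and a stray "resolv/nss_dns/dns-host.c:getanswer_r." line, with no upstream commit, author or bug reference, and both file lines use the a/ prefix. Suggest restoring a header in the style of glibc-rh1207995.patch and naming CVE-2015-1781, which the commit message attributes to the gethostbyname_r misaligned-buffer overflow this hunk addresses.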
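Review bot: In the strongSwan patch (src/stroke/stroke_msg.h), raising STROKE_BUF_LEN from 4096 to 8192 moves the ceiling but leaves the failure mode described in the patch message unchanged: a connection whose message exceeds the limit is still not imported. Suggest confirming that stroke reports an error when a message does not fit, and noting in the description that this is a local patch so it is re-checked on the next strongSwan update.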
hooks/post-receive -- IPFire 2.x development tree