From 608412023383863fc339df3c222025a1d6b90d15 Mon Sep 17 00:00:00 2001 From: Tomas Hozza Date: Mar 05 2014 13:46:35 +0000 Subject: Fix two issues - dlz_dlopen driver could return the wrong error leading to a segfault (#1052781) - Fix race condition when freeing fetch object (ISC-Bugs #35385) Signed-off-by: Tomas Hozza
---
diff --git a/bind-99-ISC-Bugs-35385.patch b/bind-99-ISC-Bugs-35385.patch
new file mode 100644
index 0000000..a8795fb
--- /dev/null
+++ b/bind-99-ISC-Bugs-35385.patch
@@ -0,0 +1,39 @@
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 7023a82..d7f817c 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -351,6 +351,7 @@ typedef struct {
+
+ struct dns_fetch {
+ unsigned int magic;
++ isc_mem_t * mctx;
+ fetchctx_t * private;
+ };
+
+@@ -8416,6 +8417,8 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
+ fetch = isc_mem_get(res->mctx, sizeof(*fetch));
+ if (fetch == NULL)
+ return (ISC_R_NOMEMORY);
++ fetch->mctx = NULL;
++ isc_mem_attach(res->mctx, &fetch->mctx);
+
+ bucketnum = dns_name_fullhash(name, ISC_FALSE) % res->nbuckets;
+
+@@ -8506,7 +8509,7 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
+ FTRACE("created");
+ *fetchp = fetch;
+ } else
+- isc_mem_put(res->mctx, fetch, sizeof(*fetch));
++ isc_mem_putanddetach(&fetch->mctx, fetch, sizeof(*fetch));
+
+ return (result);
+ }
+@@ -8597,7 +8600,7 @@ dns_resolver_destroyfetch(dns_fetch_t **fetchp) {
+
+ UNLOCK(&res->buckets[bucketnum].lock);
+
+- isc_mem_put(res->mctx, fetch, sizeof(*fetch));
++ isc_mem_putanddetach(&fetch->mctx, fetch, sizeof(*fetch));
+ *fetchp = NULL;
+
+ if (bucket_empty)
diff --git a/bind-99-ISC-Bugs-35495.patch b/bind-99-ISC-Bugs-35495.patch
new file mode 100644
index 0000000..6b98e51
--- /dev/null
+++ b/bind-99-ISC-Bugs-35495.patch
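Review bot: The new `mctx` member of `struct dns_fetch` in bind-99-ISC-Bugs-35385.patch carries an ownership rule that the patch never states: it is a counted reference taken with `isc_mem_attach()` in `dns_resolver_createfetch2` and dropped by `isc_mem_putanddetach()` at both free sites. A comment on the field, for example `/* attached reference; released by isc_mem_putanddetach() when the fetch is freed */`, would keep a later edit from reverting to `isc_mem_put(res->mctx, ...)` and making the free depend on `res` again. Only the final `else` branch of `dns_resolver_createfetch2` is visible, and most of the function body lies outside the hunks, so any other path that frees `fetch` after the attach would need the same call. `dns_resolver_destroyfetch` still reads `res->buckets[bucketnum].lock` just before the free and continues past `if (bucket_empty)`, so the resolver's lifetime on that path is presumably guaranteed elsewhere and is worth confirming.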
@@ -0,0 +1,38 @@
+From 576f2f19067c0c974d1d39f92c51e5f3a08fc17f Mon Sep 17 00:00:00 2001
+From: Tomas Hozza
+Date: Tue, 4 Mar 2014 16:34:21 +0100
+Subject: [PATCH] Return ISC_R_FAILURE if the API version check fails
+
+Signed-off-by: Tomas Hozza
+---
+ bin/named/unix/dlz_dlopen_driver.c | 1 +
+ bin/named/win32/dlz_dlopen_driver.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/bin/named/unix/dlz_dlopen_driver.c b/bin/named/unix/dlz_dlopen_driver.c
+index 2ba8a02..62b6614 100644
+--- a/bin/named/unix/dlz_dlopen_driver.c
++++ b/bin/named/unix/dlz_dlopen_driver.c
+@@ -330,6 +330,7 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
+ "dlz_dlopen: incorrect version %d "
+ "should be %d in '%s'",
+ cd->version, DLZ_DLOPEN_VERSION, cd->dl_path);
++ result = ISC_R_FAILURE;
+ goto failed;
+ }
+
+diff --git a/bin/named/win32/dlz_dlopen_driver.c b/bin/named/win32/dlz_dlopen_driver.c
+index 0c192b4..62008c0 100644
+--- a/bin/named/win32/dlz_dlopen_driver.c
++++ b/bin/named/win32/dlz_dlopen_driver.c
+@@ -314,6 +314,7 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
+ "dlz_dlopen: incorrect version %d "
+ "should be %d in '%s'",
+ cd->version, DLZ_DLOPEN_VERSION, cd->dl_path);
++ result = ISC_R_FAILURE;
+ goto failed;
+ }
+
+--
+1.8.5.3
+
diff --git a/bind.spec b/bind.spec
index d7a8a05..49d3850 100644
--- a/bind.spec
+++ b/bind.spec
@@ -27,7 +27,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind
 License: ISC
 Version: 9.9.4
-Release: 11.%{?PATCHVER}%{?PREVER}%{?dist}
+Release: 12.%{?PATCHVER}%{?PREVER}%{?dist}
 Epoch: 32
 Url: http://www.isc.org/products/BIND/
 Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
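Review bot: The added `result = ISC_R_FAILURE;` in bind-99-ISC-Bugs-35495.patch repairs only the version-check branch, while the underlying hazard belongs to all of `dlopen_dlz_create`: any `goto failed` reached with `result` still holding the previous call's value. That function starts and ends outside both hunks, so the other `goto failed` sites in the unix and win32 drivers should be checked for the same pattern. Per the commit message, a wrong return code here ends in a segfault, which makes the audit worth doing. A short comment on the new line, such as `/* result may still hold success from earlier calls; the caller must not treat this as a created driver */`, would record why the assignment is needed.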
@@ -89,6 +89,10 @@ Patch140:bind99-ISC-Bugs-34870-v3.patch # upstream applied patch for [ISC-Bugs #35073] Patch141:bind99-ISC-Bugs-35073.patch Patch142:bind99-ISC-Bugs-35080.patch +# [ISC-Bugs #35495] +Patch143:bind-99-ISC-Bugs-35495.patch +# [ISC-Bugs #35385] +Patch144:bind-99-ISC-Bugs-35385.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -291,6 +295,8 @@ popd %patch140 -p1 -b .send_buffer %patch141 -p1 -b .leak_35073 %patch142 -p1 -b .rbtdb_crash +%patch143 -p1 -b .dlz_segfault +%patch144 -p1 -b .fetch_race_cond %if %{SDB} %patch101 -p1 -b .old-api @@ -581,7 +587,7 @@ if [ "$1" -gt 0 ]; then fi :; -%triggerun -- bind < bind-9.9.0-0.6.rc1 +%triggerun -- bind < 32:9.9.0-0.6.rc1 /sbin/chkconfig --del named >/dev/null 2>&1 || : /bin/systemctl try-restart named.service >/dev/null 2>&1 || : @@ -809,6 +815,10 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog +* Wed Mar 05 2014 Tomas Hozza 32:9.9.4-12.P2 +- dlz_dlopen driver could return the wrong error leading to a segfault (#1052781) +- Fix race condition when freeing fetch object (ISC-Bugs #35385) + * Tue Jan 14 2014 Tomas Hozza 32:9.9.4-11.P2 - Update to 9.9.4-P2 due to CVE-2014-0591
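Review bot: The `%triggerun` condition changes from `bind < bind-9.9.0-0.6.rc1` to `bind < 32:9.9.0-0.6.rc1`, and neither the commit message nor the new `%changelog` entry mentions it. With `Epoch: 32` set in this spec, the old condition presumably never matched an installed package. If so, the trigger body (`chkconfig --del named`, `systemctl try-restart named.service`) may now run on upgrades where it did not before. A changelog line such as `- Fix version comparison in %%triggerun (add epoch)` would record the behaviour change.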