From 71c29a33d9df629fd2c7e9401667a97ff91d3c2a Mon Sep 17 00:00:00 2001
From: Tomas Hozza
Date: Sep 10 2013 08:07:58 +0000
Subject: Fix [ISC-Bugs #34738] dns_journal_open() returns a pointer to stack
Signed-off-by: Tomas Hozza
---
diff --git a/bind.spec b/bind.spec
index ffd1964..05b9405 100644
--- a/bind.spec
+++ b/bind.spec
@@ -26,7 +26,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind
 License: ISC
 Version: 9.9.3
-Release: 7.%{?PATCHVER}%{?dist}
+Release: 8.%{?PATCHVER}%{?dist}
 Epoch: 32
 Url: http://www.isc.org/products/BIND/
 Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -83,6 +83,7 @@ Patch136:rl-9.9.3-P2.patch
 Patch137:bind99-rrl.patch
 # Install dns/update.h header for bind-dyndb-ldap plugin
 Patch138:bind-9.9.3-include-update-h.patch
+Patch139:bind99-ISC-Bugs-34738.patch
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -282,6 +283,7 @@ popd
 %patch136 -p0 -b .rl
 %patch137 -p1 -b .rrl
 %patch138 -p1 -b .update
+%patch139 -p1 -b .journal
 %if %{SDB}
 %patch101 -p1 -b .old-api
@@ -781,6 +783,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif
 %changelog
+* Tue Sep 10 2013 Tomas Hozza 32:9.9.3-8.P2
+- Fix [ISC-Bugs #34738] dns_journal_open() returns a pointer to stack
+
 * Fri Aug 16 2013 Tomas Hozza 32:9.9.3-7.P2
 - Don't generate rndc.key if there exists rndc.conf
diff --git a/bind99-ISC-Bugs-34738.patch b/bind99-ISC-Bugs-34738.patch
new file mode 100644
index 0000000..c866ac4
--- /dev/null
+++ b/bind99-ISC-Bugs-34738.patch
@@ -0,0 +1,61 @@
+From 18df9e628ea10c7d607f43fcfd935e7924731f24 Mon Sep 17 00:00:00 2001
+From: Evan Hunt
+Date: Mon, 9 Sep 2013 22:12:47 -0700
+Subject: [PATCH] [master] strdup journal filename
+
+3646. [bug] Journal filename string could be set incorrectly,
+ causing garbage in log messages. [RT #34738]
+---
+ lib/dns/journal.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/lib/dns/journal.c b/lib/dns/journal.c
+index 08aabd5..46a52e1 100644
+--- a/lib/dns/journal.c
++++ b/lib/dns/journal.c
+@@ -307,7 +307,7 @@ struct dns_journal {
+ unsigned int magic; /*%< JOUR */
+ isc_mem_t *mctx; /*%< Memory context */
+ journal_state_t state;
+- const char *filename; /*%< Journal file name */
++ char *filename; /*%< Journal file name */
+ FILE * fp; /*%< File handle */
+ isc_offset_t offset; /*%< Current file offset */
+ journal_header_t header; /*%< In-core journal header */
+@@ -573,10 +573,13 @@ journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
+ isc_mem_attach(mctx, &j->mctx);
+ j->state = JOURNAL_STATE_INVALID;
+ j->fp = NULL;
+- j->filename = filename;
++ j->filename = isc_mem_strdup(mctx, filename);
+ j->index = NULL;
+ j->rawindex = NULL;
+
++ if (j->filename == NULL)
++ FAIL(ISC_R_NOMEMORY);
++
+ result = isc_stdio_open(j->filename, write ? "rb+" : "rb", &fp);
+
+ if (result == ISC_R_FILENOTFOUND) {
+@@ -679,6 +682,8 @@ journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
+ sizeof(journal_rawpos_t));
+ j->index = NULL;
+ }
++ if (j->filename != NULL)
++ isc_mem_free(j->mctx, j->filename);
+ if (j->fp != NULL)
+ (void)isc_stdio_close(j->fp);
+ isc_mem_putanddetach(&j->mctx, j, sizeof(*j));
+@@ -1242,7 +1247,8 @@ dns_journal_destroy(dns_journal_t **journalp) {
+ isc_mem_put(j->mctx, j->it.target.base, j->it.target.length);
+ if (j->it.source.base != NULL)
+ isc_mem_put(j->mctx, j->it.source.base, j->it.source.length);
+-
++ if (j->filename != NULL)
++ isc_mem_free(j->mctx, j->filename);
+ if (j->fp != NULL)
+ (void)isc_stdio_close(j->fp);
+ j->magic = 0;
+--
+1.8.3.1
+
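Review bot: The new ownership of `filename` is not documented in the embedded journal.c patch: the struct member keeps the comment `/*%< Journal file name */` although the journal now holds a private copy allocated from `mctx` and releases it in two places, the cleanup path of journal_open and dns_journal_destroy. I would change the member comment to `/*%< Journal file name; private copy from isc_mem_strdup(), freed with the journal */`, so that a later edit does not go back to storing the caller's pointer, which per the commit subject could point into a caller's stack and outlive it. The added `FAIL(ISC_R_NOMEMORY)` looks like the earliest jump into the cleanup code, and it is safe only because `j->fp`, `j->index` and `j->rawindex` are set to NULL above it; a short comment such as `/* keep after the NULL initialisations: the cleanup path tests fp and index */` would pin that ordering. The bodies of journal_open and dns_journal_destroy start and end outside these hunks, so the remaining cleanup code could not be checked here.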