diff --git a/bind.spec b/bind.spec index cd20228..de951c4 100644 --- a/bind.spec +++ b/bind.spec @@ -26,7 +26,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: ISC Version: 9.9.3 -Release: 12.%{?PATCHVER}%{?dist} +Release: 13.%{?PATCHVER}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -86,6 +86,8 @@ Patch138:bind-9.9.3-include-update-h.patch Patch139:bind99-ISC-Bugs-34738.patch # upstream patch [ISC-Bugs #34870] Patch140:bind99-ISC-Bugs-34870-v3.patch +# upstream applied patch for [ISC-Bugs #35073] +Patch141:bind99-ISC-Bugs-35073.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -287,6 +289,7 @@ popd %patch138 -p1 -b .update %patch139 -p1 -b .journal %patch140 -p1 -b .send_buffer +%patch141 -p1 -b .leak_35073 %if %{SDB} %patch101 -p1 -b .old-api @@ -796,6 +799,9 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog +* Thu Nov 28 2013 Tomas Hozza 32:9.9.3-13.P2 +- Fixed memory leak in nsupdate if 'realm' was used multiple times (#984687) + * Thu Oct 31 2013 Tomas Hozza 32:9.9.3-12.P2 - Correct the upstream patch for #794940 diff --git a/bind99-ISC-Bugs-35073.patch b/bind99-ISC-Bugs-35073.patch new file mode 100644 index 0000000..c8be3ed --- /dev/null +++ b/bind99-ISC-Bugs-35073.patch @@ -0,0 +1,31 @@ +diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c +index 486c102..dc12a85 100644 +--- a/bin/nsupdate/nsupdate.c ++++ b/bin/nsupdate/nsupdate.c +@@ -1566,16 +1566,20 @@ evaluate_realm(char *cmdline) { + #ifdef GSSAPI + char *word; + char buf[1024]; ++ int n; + +- word = nsu_strsep(&cmdline, " \t\r\n"); +- if (word == NULL || *word == 0) { +- if (realm != NULL) +- isc_mem_free(mctx, realm); ++ if (realm != NULL) { ++ isc_mem_free(mctx, realm); + realm = NULL; +- return (STATUS_MORE); + } + +- snprintf(buf, sizeof(buf), "@%s", word); ++ word = nsu_strsep(&cmdline, " \t\r\n"); ++ if (word == NULL || *word == 0) ++ return (STATUS_MORE); ++ ++ n = snprintf(buf, sizeof(buf), "@%s", word); ++ if (n < 0 || (size_t)n >= sizeof(buf)) ++ fatal("realm is too long"); + realm = isc_mem_strdup(mctx, buf); + if (realm == NULL) + fatal("out of memory");