diff --git a/abi_used_libs b/abi_used_libs --- a/abi_used_libs +++ b/abi_used_libs @@ -1,3 +1,5 @@ libc.so.6 +libdbus-1.so.3 libgmp.so.10 +libhogweed.so.4 libnettle.so.6 diff --git a/files/0001-Disable-ICMP-echo-address-checking.patch b/files/Disable-ICMP-echo-address-checking.patch rename from files/0001-Disable-ICMP-echo-address-checking.patch rename to files/Disable-ICMP-echo-address-checking.patch diff --git a/files/Do-not-rebuild-when-installing.patch b/files/Do-not-rebuild-when-installing.patch new file mode 100644 --- /dev/null +++ b/files/Do-not-rebuild-when-installing.patch @@ -0,0 +1,42 @@ +From ba469c043c9c6e664696b8aa27bbf35c8d33afc0 Mon Sep 17 00:00:00 2001 +From: Fabio Forni +Date: Thu, 12 Mar 2020 23:25:27 +0100 +Subject: [PATCH] Do not rebuild when installing + +--- + Makefile | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/Makefile b/Makefile +index e71cf86..fc28a24 100644 +--- a/Makefile ++++ b/Makefile +@@ -98,9 +98,7 @@ clean : mostly_clean + rm -f core */core + rm -f *~ contrib/*/*~ */*~ + +-install : all install-common +- +-install-common : ++install : + $(INSTALL) -d $(DESTDIR)$(BINDIR) + $(INSTALL) -d $(DESTDIR)$(MANDIR)/man8 + $(INSTALL) -m 644 $(MAN)/dnsmasq.8 $(DESTDIR)$(MANDIR)/man8 +@@ -117,7 +115,7 @@ all-i18n : $(BUILDDIR) + cd $(top) && cd $(BUILDDIR) && $(MAKE) top="$(top)" -f $(top)/Makefile $${f%.po}.mo; \ + done + +-install-i18n : all-i18n install-common ++install-i18n : install + cd $(BUILDDIR); $(top)/bld/install-mo $(DESTDIR)$(LOCALEDIR) $(INSTALL) + cd $(MAN); ../bld/install-man $(DESTDIR)$(MANDIR) $(INSTALL) + +@@ -169,4 +167,4 @@ dnsmasq.pot : $(objs:.o=.c) $(hdrs) + %.mo : $(top)/$(PO)/%.po dnsmasq.pot + $(MSGMERGE) -o - $(top)/$(PO)/$*.po dnsmasq.pot | $(MSGFMT) -o $*.mo - + +-.PHONY : all clean mostly_clean install install-common all-i18n install-i18n merge baseline bloatcheck ++.PHONY : all clean mostly_clean install all-i18n install-i18n merge baseline bloatcheck +-- +2.25.1 + diff --git a/files/Make-it-stateless.patch b/files/Make-it-stateless.patch new file mode 100644 --- /dev/null +++ b/files/Make-it-stateless.patch @@ -0,0 +1,74 @@ +From c667e5778b2023e196f439e39b245cc60c18caf3 Mon Sep 17 00:00:00 2001 +From: Fabio Forni +Date: Tue, 11 Aug 2020 15:43:29 +0200 +Subject: [PATCH] Make it stateless + +--- + src/config.h | 8 ++++++++ + src/option.c | 16 ++++++++++++++-- + 2 files changed, 22 insertions(+), 2 deletions(-) + +diff --git a/src/config.h b/src/config.h +index 7d08f7d..607e5e6 100644 +--- a/src/config.h ++++ b/src/config.h +@@ -153,6 +153,12 @@ RESOLVFILE + the default locations of these files are determined below, but may be overridden + in a build command line using COPTS. + ++DEFAULTCONFFILE ++ define a fallback config file path in case CONFFILE does not exist ++ or is not readable. This default config file will make dnsmasq die ++ if, in turn, it is not readable. ++ This options is suitable for so-called stateless installations. ++ + */ + + /* Defining this builds a binary which handles time differently and works better on a system without a +@@ -226,6 +232,8 @@ RESOLVFILE + # endif + #endif + ++#define DEFAULTCONFFILE "/usr/share/defaults/dnsmasq/dnsmasq.conf" ++ + /* platform dependent options: these are determined automatically below + + HAVE_LINUX_NETWORK +diff --git a/src/option.c b/src/option.c +index 1f698da..ba26911 100644 +--- a/src/option.c ++++ b/src/option.c +@@ -360,7 +360,11 @@ static struct { + { 'b', OPT_BOGUSPRIV, NULL, gettext_noop("Fake reverse lookups for RFC1918 private address ranges."), NULL }, + { 'B', ARG_DUP, "", gettext_noop("Treat ipaddr as NXDOMAIN (defeats Verisign wildcard)."), NULL }, + { 'c', ARG_ONE, "", gettext_noop("Specify the size of the cache in entries (defaults to %s)."), "$" }, ++ #ifdef DEFAULTCONFFILE ++ { 'C', ARG_DUP, "", gettext_noop("Specify config file (defaults to %s, then "DEFAULTCONFFILE")."), CONFFILE }, ++ #else + { 'C', ARG_DUP, "", gettext_noop("Specify configuration file (defaults to %s)."), CONFFILE }, ++ #endif + { 'd', OPT_DEBUG, NULL, gettext_noop("Do NOT fork into the background: run in debug mode."), NULL }, + { 'D', OPT_NODOTS_LOCAL, NULL, gettext_noop("Do NOT forward queries with no domain part."), NULL }, + { 'e', OPT_SELFMX, NULL, gettext_noop("Return self-pointing MX records for local hosts."), NULL }, +@@ -5121,8 +5125,16 @@ void read_opts(int argc, char **argv, char *compile_opts) + one_file(conffile, 0); + free(conffile); + } +- else +- one_file(CONFFILE, '7'); ++ else ++ { ++ one_file(CONFFILE, '7'); ++ #ifdef DEFAULTCONFFILE ++ if (errno == ENOENT) ++ { ++ one_file(DEFAULTCONFFILE, 0); ++ } ++ #endif ++ } + + /* port might not be known when the address is parsed - fill in here */ + if (daemon->servers) +-- +2.27.0 + diff --git a/files/dnsmasq.service b/files/dnsmasq.service new file mode 100644 --- /dev/null +++ b/files/dnsmasq.service @@ -0,0 +1,13 @@ +[Unit] +Description=DNS cache and forwarder +After=network.target + +[Service] +Type=dbus +BusName=uk.org.thekelleys.dnsmasq +ExecStartPre=/usr/bin/dnsmasq --test +ExecStart=/usr/bin/dnsmasq -k --enable-dbus +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target diff --git a/files/dnsmasq.sysusers b/files/dnsmasq.sysusers new file mode 100644 --- /dev/null +++ b/files/dnsmasq.sysusers @@ -0,0 +1 @@ +u dnsmasq - "the dnsmasq resolver" diff --git a/files/security/cve-2017-15107.patch b/files/security/cve-2017-15107.patch deleted file mode 100644 --- a/files/security/cve-2017-15107.patch +++ /dev/null @@ -1,188 +0,0 @@ -diff --git a/src/dnssec.c b/src/dnssec.c -index eb6c11c..a54a0b4 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -103,15 +103,17 @@ static void from_wire(char *name) - static int count_labels(char *name) - { - int i; -- -+ char *p; -+ - if (*name == 0) - return 0; - -- for (i = 0; *name; name++) -- if (*name == '.') -+ for (p = name, i = 0; *p; p++) -+ if (*p == '.') - i++; - -- return i+1; -+ /* Don't count empty first label. */ -+ return *name == '.' ? i : i+1; - } - - /* Implement RFC1982 wrapped compare for 32-bit numbers */ -@@ -1094,8 +1096,8 @@ static int hostname_cmp(const char *a, const char *b) - } - } - --static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count, -- char *workspace1, char *workspace2, char *name, int type, int *nons) -+static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, unsigned char **labels, int nsec_count, -+ char *workspace1_in, char *workspace2, char *name, int type, int *nons) - { - int i, rc, rdlen; - unsigned char *p, *psave; -@@ -1108,6 +1110,9 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi - /* Find NSEC record that proves name doesn't exist */ - for (i = 0; i < nsec_count; i++) - { -+ char *workspace1 = workspace1_in; -+ int sig_labels, name_labels; -+ - p = nsecs[i]; - if (!extract_name(header, plen, &p, workspace1, 1, 10)) - return 0; -@@ -1116,7 +1121,27 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi - psave = p; - if (!extract_name(header, plen, &p, workspace2, 1, 10)) - return 0; -- -+ -+ /* If NSEC comes from wildcard expansion, use original wildcard -+ as name for computation. */ -+ sig_labels = *labels[i]; -+ name_labels = count_labels(workspace1); -+ -+ if (sig_labels < name_labels) -+ { -+ int k; -+ for (k = name_labels - sig_labels; k != 0; k--) -+ { -+ while (*workspace1 != '.' && *workspace1 != 0) -+ workspace1++; -+ if (k != 1 && *workspace1 == '.') -+ workspace1++; -+ } -+ -+ workspace1--; -+ *workspace1 = '*'; -+ } -+ - rc = hostname_cmp(workspace1, name); - - if (rc == 0) -@@ -1514,24 +1539,26 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns - - static int prove_non_existence(struct dns_header *header, size_t plen, char *keyname, char *name, int qtype, int qclass, char *wildname, int *nons) - { -- static unsigned char **nsecset = NULL; -- static int nsecset_sz = 0; -+ static unsigned char **nsecset = NULL, **rrsig_labels = NULL; -+ static int nsecset_sz = 0, rrsig_labels_sz = 0; - - int type_found = 0; -- unsigned char *p = skip_questions(header, plen); -+ unsigned char *auth_start, *p = skip_questions(header, plen); - int type, class, rdlen, i, nsecs_found; - - /* Move to NS section */ - if (!p || !(p = skip_section(p, ntohs(header->ancount), header, plen))) - return 0; -+ -+ auth_start = p; - - for (nsecs_found = 0, i = ntohs(header->nscount); i != 0; i--) - { - unsigned char *pstart = p; - -- if (!(p = skip_name(p, header, plen, 10))) -+ if (!extract_name(header, plen, &p, daemon->workspacename, 1, 10)) - return 0; -- -+ - GETSHORT(type, p); - GETSHORT(class, p); - p += 4; /* TTL */ -@@ -1548,7 +1575,69 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key - if (!expand_workspace(&nsecset, &nsecset_sz, nsecs_found)) - return 0; - -- nsecset[nsecs_found++] = pstart; -+ if (type == T_NSEC) -+ { -+ /* If we're looking for NSECs, find the corresponding SIGs, to -+ extract the labels value, which we need in case the NSECs -+ are the result of wildcard expansion. -+ Note that the NSEC may not have been validated yet -+ so if there are multiple SIGs, make sure the label value -+ is the same in all, to avoid be duped by a rogue one. -+ If there are no SIGs, that's an error */ -+ unsigned char *p1 = auth_start; -+ int res, j, rdlen1, type1, class1; -+ -+ if (!expand_workspace(&rrsig_labels, &rrsig_labels_sz, nsecs_found)) -+ return 0; -+ -+ rrsig_labels[nsecs_found] = NULL; -+ -+ for (j = ntohs(header->nscount); j != 0; j--) -+ { -+ if (!(res = extract_name(header, plen, &p1, daemon->workspacename, 0, 10))) -+ return 0; -+ -+ GETSHORT(type1, p1); -+ GETSHORT(class1, p1); -+ p1 += 4; /* TTL */ -+ GETSHORT(rdlen1, p1); -+ -+ if (!CHECK_LEN(header, p1, plen, rdlen1)) -+ return 0; -+ -+ if (res == 1 && class1 == qclass && type1 == T_RRSIG) -+ { -+ int type_covered; -+ unsigned char *psav = p1; -+ -+ if (rdlen < 18) -+ return 0; /* bad packet */ -+ -+ GETSHORT(type_covered, p1); -+ -+ if (type_covered == T_NSEC) -+ { -+ p1++; /* algo */ -+ -+ /* labels field must be the same in every SIG we find. */ -+ if (!rrsig_labels[nsecs_found]) -+ rrsig_labels[nsecs_found] = p1; -+ else if (*rrsig_labels[nsecs_found] != *p1) /* algo */ -+ return 0; -+ } -+ p1 = psav; -+ } -+ -+ if (!ADD_RDLEN(header, p1, plen, rdlen1)) -+ return 0; -+ } -+ -+ /* Must have found at least one sig. */ -+ if (!rrsig_labels[nsecs_found]) -+ return 0; -+ } -+ -+ nsecset[nsecs_found++] = pstart; - } - - if (!ADD_RDLEN(header, p, plen, rdlen)) -@@ -1556,7 +1645,7 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key - } - - if (type_found == T_NSEC) -- return prove_non_existence_nsec(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, nons); -+ return prove_non_existence_nsec(header, plen, nsecset, rrsig_labels, nsecs_found, daemon->workspacename, keyname, name, qtype, nons); - else if (type_found == T_NSEC3) - return prove_non_existence_nsec3(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, wildname, nons); - else diff --git a/package.yml b/package.yml --- a/package.yml +++ b/package.yml @@ -1,24 +1,36 @@ name : dnsmasq -version : '2.78' -release : 9 +version : '2.82' +release : 10 source : - - http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.78.tar.xz : 89949f438c74b0c7543f06689c319484bd126cc4b1f8c745c742ab397681252b -license : GPL-2.0 -summary : DNS forwarder + - http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.82.tar.xz : 84523646f3116bb5e1151efb66e645030f6e6a8256f29aab444777a343ebc132 +license : GPL-2.0-or-later +summary : DNS cache and forwarder component : network.base description: | - DNS forwarder + dnsmasq in Solus is used to forward and cache DNS queries. builddeps : - pkgconfig(nettle) setup : | # Causes severe delays otherwise - %patch -p1 < $pkgfiles/0001-Disable-ICMP-echo-address-checking.patch + %patch -p1 < $pkgfiles/Disable-ICMP-echo-address-checking.patch - %patch -p1 < $pkgfiles/security/cve-2017-15107.patch + %patch -p1 < $pkgfiles/Do-not-rebuild-when-installing.patch + %patch -p1 < $pkgfiles/Make-it-stateless.patch + + sed 's|#define CHUSER "nobody"|#define CHUSER "dnsmasq"|' -i src/config.h + sed 's|#define CHGRP "dip"|#define CHGRP "dnsmasq"|' -i src/config.h build : | - %make COPTS="-DHAVE_DNSSEC" CFLAGS="$CFLAGS" LDFLAGS="$LDFLAGS" + %make all-i18n \ + CFLAGS="$CFLAGS" \ + COPTS='-DHAVE_DBUS -DHAVE_DNSSEC' \ + LDFLAGS="$LDFLAGS" install : | - %make_install COPTS="-DHAVE_DNSSEC" PREFIX=/usr BINDIR=/usr/bin - install -D -m 00644 "dnsmasq.conf.example" $installdir/etc/dnsmasq.conf - sed -i 's@%%PREFIX%%@/usr@' $installdir/etc/dnsmasq.conf - install -D -m 00644 trust-anchors.conf $installdir/usr/share/dnsmasq/trust-anchors.conf + %make install-i18n DESTDIR=$installdir PREFIX=/usr BINDIR=/usr/bin + sed -i 's|%%PREFIX%%|/usr|' dnsmasq.conf.example + + install -Dm00644 dnsmasq.conf.example $installdir/usr/share/defaults/dnsmasq/dnsmasq.conf + install -Dm00644 trust-anchors.conf -t $installdir/usr/share/dnsmasq + + install -Dm00644 dbus/dnsmasq.conf $installdir/usr/share/dbus-1/system.d/uk.org.thekelleys.dnsmasq.conf + install -Dm00644 $pkgfiles/dnsmasq.service -t $installdir/usr/lib64/systemd/system + install -Dm00644 $pkgfiles/dnsmasq.sysusers $installdir/%libdir%/sysusers.d/dnsmasq.conf diff --git a/pspec_x86_64.xml b/pspec_x86_64.xml --- a/pspec_x86_64.xml +++ b/pspec_x86_64.xml @@ -2,36 +2,51 @@ dnsmasq - Peter O'Connor - peter@solus-project.com + Fabio Forni + livingsilver94.solus@redaril.me - GPL-2.0 + GPL-2.0-or-later network.base - DNS forwarder - DNS forwarder + DNS cache and forwarder + dnsmasq in Solus is used to forward and cache DNS queries. - https://solus-project.com/sources/README.Solus + https://getsol.us/sources/README.Solus dnsmasq - DNS forwarder - DNS forwarder + DNS cache and forwarder + dnsmasq in Solus is used to forward and cache DNS queries. network.base - /etc/dnsmasq.conf - /usr/bin - /usr/share/dnsmasq - /usr/share/man + /usr/bin/dnsmasq + /usr/lib64/systemd/system/dnsmasq.service + /usr/lib64/sysusers.d/dnsmasq.conf + /usr/share/dbus-1/system.d/uk.org.thekelleys.dnsmasq.conf + /usr/share/defaults/dnsmasq/dnsmasq.conf + /usr/share/dnsmasq/trust-anchors.conf + /usr/share/locale/de/LC_MESSAGES/dnsmasq.mo + /usr/share/locale/es/LC_MESSAGES/dnsmasq.mo + /usr/share/locale/fi/LC_MESSAGES/dnsmasq.mo + /usr/share/locale/fr/LC_MESSAGES/dnsmasq.mo + /usr/share/locale/id/LC_MESSAGES/dnsmasq.mo + /usr/share/locale/it/LC_MESSAGES/dnsmasq.mo + /usr/share/locale/no/LC_MESSAGES/dnsmasq.mo + /usr/share/locale/pl/LC_MESSAGES/dnsmasq.mo + /usr/share/locale/pt_BR/LC_MESSAGES/dnsmasq.mo + /usr/share/locale/ro/LC_MESSAGES/dnsmasq.mo + /usr/share/man/es/man8/dnsmasq.8 + /usr/share/man/fr/man8/dnsmasq.8 + /usr/share/man/man8/dnsmasq.8 - - 2018-01-31 - 2.78 + + 2020-08-11 + 2.82 Packaging update - Peter O'Connor - peter@solus-project.com + Fabio Forni + livingsilver94.solus@redaril.me \ No newline at end of file