Hello community, here is the log from the commit of package libcares2.5898 for openSUSE:13.2:Update checked in at 2016-12-01 11:43:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.2:Update/libcares2.5898 (Old) and /work/SRC/openSUSE:13.2:Update/.libcares2.5898.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libcares2.5898" Changes: -------- New Changes file: --- /dev/null 2016-10-27 01:54:32.792041256 +0200 +++ /work/SRC/openSUSE:13.2:Update/.libcares2.5898.new/libcares2.changes 2016-12-01 11:43:27.000000000 +0100 @@ -0,0 +1,224 @@ +------------------------------------------------------------------- +Mon Nov 21 08:37:47 UTC 2016 - tchvatal@suse.com + +- Add patch to fix CVE-2016-5180 bnc#1007728: + * c-ares-CVE-2016-5180.patch + +------------------------------------------------------------------- +Thu May 15 12:07:42 UTC 2014 - tchvatal@suse.com + +- Version bump to 1.10.0: + * Various small updates all around + * Cleanup of automake to build with latest tools + * For more see CHANGES +- Remove upstreamed patches: + * cares-autotools.diff +- Remove patch that needs quite work and was never acceted upstream: + * 0001-cares-1.9.1-add-symbol-versioning-support.patch +- Added patches: + * 0001-Use-RPM-compiler-options.patch + +------------------------------------------------------------------- +Fri May 3 07:12:14 UTC 2013 - mvyskocil@suse.com + +- Use the genuine upstream tarball +- Verify tarball using gpg-offline + +------------------------------------------------------------------- +Thu May 2 13:24:49 UTC 2013 - jengelh@inai.de + +- Get rid of outdated autotools construct to fix build with + new automake-1.13 + +------------------------------------------------------------------- +Sun Jan 6 21:14:16 UTC 2013 - p.drouand@gmail.com + +- Update to 1.9.1 version: + * include the ares_parse_soa_reply.* files in the tarball +- Removed patches (fixed and merged on upstream release) + * 0001-ares_destroy.c-fix-segfault-in-ares_destroy_options.patch + * 0002-ares_getnameinfo-fix-random-results-with-c-ares-1.7..patch + * 0003-ares_init.c-fix-segfault-triggered-in-ares_init_opti.patch +- Updated and versionned patchs for upstream release: + * 0001-add-symbol-versioning-support.patch + * cares-ocloexec.patch +------------------------------------------------------------------- +Fri Feb 3 20:27:55 UTC 2012 - crrodriguez@opensuse.org + +- Fix license +- provide symbol versioning support +- fix -debuginfo packages + +------------------------------------------------------------------- +Tue Nov 15 09:16:32 UTC 2011 - jengelh@medozas.de + +- Remove redundant/unwanted tags/section (cf. specfile guidelines) + +------------------------------------------------------------------- +Mon Nov 14 23:42:39 UTC 2011 - crrodriguez@opensuse.org + +- Open all fds with O_CLOEXEC. + +------------------------------------------------------------------- +Mon Oct 17 03:29:31 UTC 2011 - crrodriguez@opensuse.org + +- Cherry-pick 3 patches from HEAD + * ares_destroy.c: fix segfault in ares_destroy_options() + * ares_getnameinfo: fix random results, memory corruption + * ares_init.c: fix segfault triggered in ares_init_options() + upon previous failure of init_by_defaults() + +------------------------------------------------------------------- +Wed Aug 17 21:17:44 UTC 2011 - crrodriguez@opensuse.org + +- Update to version 1.7.4 +* Drop obsolete patch +* detection of semicolon comments in resolv.conf +* fixed ares_parse_*_reply memory leaks +* only fall back to AF_INET searches when looking for AF_UNSPEC addresses + +------------------------------------------------------------------- +Sat Mar 19 21:16:09 UTC 2011 - crrodriguez@opensuse.org + +- fix NULL ptr dereference + + +------------------------------------------------------------------- +Mon Dec 13 16:17:56 UTC 2010 - cristian.rodriguez@opensuse.org + +- c-ares version 1.7.4 + * local-bind: Support binding to local interface/IPs, see + ares_set_local_ip4, ares_set_local_ip6, ares_set_local_dev + + * memory leak in ares_getnameinfo + * add missing break that caused get_ares_servers to fail + * ares_parse_a_reply: fix CNAME response parsing + * init_by_options: don't copy an empty sortlist + * Replaced uint32_t with unsigned int to fix broken builds + on a couple of platforms + * Fix lookup with HOSTALIASES set + * adig: fix NAPTR parsing + * compiler warning cleanups + +------------------------------------------------------------------- +Fri Oct 29 16:51:25 UTC 2010 - cristian.rodriguez@opensuse.org + +- Fix aliasing warning in gcc +- Add missing break that caused get_ares_servers to fail + +------------------------------------------------------------------- +Sun Jul 25 19:02:16 UTC 2010 - cristian.rodriguez@opensuse.org + +- update to version 1.7.3 + * ares_init: Last, not first instance of domain or search should win + * Added ares_parse_mx_reply() + * Fix memory leak + +------------------------------------------------------------------- +Sat Apr 24 11:38:19 UTC 2010 - coolo@novell.com + +- buildrequire pkg-config to fix provides + +------------------------------------------------------------------- +Wed Mar 24 18:26:05 UTC 2010 - crrodriguez@opensuse.org + +- update to version 1.7.1, includes IPV6 nameservers support + +------------------------------------------------------------------- +Wed Mar 10 14:25:32 UTC 2010 - crrodriguez@opensuse.org + +- remove invalid configure options + +------------------------------------------------------------------- +Mon Feb 22 21:53:18 UTC 2010 - crrodriguez@opensuse.org + +- fix build +- update to version 1.7.0, see RELEASE_NOTES for detail + +------------------------------------------------------------------- +Mon Feb 1 11:14:59 UTC 2010 - jengelh@medozas.de + +- package baselibs.conf + +------------------------------------------------------------------- +Wed Sep 30 20:54:42 UTC 2009 - crrodriguez@opensuse.org + +- add gcc visibility support + +------------------------------------------------------------------- +Mon Jan 5 21:03:53 CET 2009 - crrodriguez@suse.de + +- update to version 1.6.0 + * Added support for the glibc "rotate" resolv.conf option (or ARES_OPT_ROTATE) + * Added ares_gethostbyname_file() + * Added ares_dup() + * Added ares_set_socket_callback() + * improved configure detection of several functions + * improved source code portability + * adig supports a regular numerical dotted IP address for the -s option + * handling of EINPROGRESS for UDP connects + * ares_parse_ptr_reply() would cause a buffer to shrink instead of expand if a + reply contained 8 or more records + * buildconf works on OS X + + +------------------------------------------------------------------- +Wed Sep 3 16:37:43 CEST 2008 - crrodriguez@suse.de + +- update to c-ares 1.5.3 final + * address an issue in which a response could be sent back to the + source port of a client from a different address than the request was made to. + This is one form of a DNS cache poisoning attack. + Only necessary on UDP sockets as they are connection-less, TCP + is unaffected. + + +------------------------------------------------------------------- +Sat Aug 9 23:56:49 CEST 2008 - crrodriguez@suse.de + +- update to c-ares 1.5.3+20080809 + * users found that the second and subsequent DNS lookups from + fresh processes using c-ares to resolve the same + address would randomly cause the process to never see a reply. + +------------------------------------------------------------------- +Sun Jun 15 20:44:19 CEST 2008 - crrodriguez@suse.de + +- update to version 1.5.2 final + * code refactoring in ares_gethostbyaddr + * improved checking of /dev/urandom in configure script + * new sample application, acountry + * improved MSVC6 dsp files + * adig sample application supports NAPTR records + * improved file seeding randomizer + * improved parsing of resolver configuration files + * updated configure script to remove autoconf 2.62 warnings + * use monotonic time source if available + * return all PTR-records when doing reverse lookups ++++ 27 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.2:Update/.libcares2.5898.new/libcares2.changes New: ---- 0001-Use-RPM-compiler-options.patch baselibs.conf c-ares-1.10.0.tar.gz c-ares-1.10.0.tar.gz.asc c-ares-CVE-2016-5180.patch cares-1.9.1-ocloexec.patch libcares2.changes libcares2.keyring libcares2.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libcares2.spec ++++++ # # spec file for package libcares2 # # Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # %define pkg_name c-ares Name: libcares2 Version: 1.10.0 Release: 0 Summary: Library for asynchronous name resolves License: MIT Group: Development/Libraries/C and C++ Url: http://c-ares.haxx.se/ Source0: http://c-ares.haxx.se/download/%{pkg_name}-%{version}.tar.gz Source1: http://c-ares.haxx.se/download/%{pkg_name}-%{version}.tar.gz.asc Source3: libcares2.keyring Source4: baselibs.conf Patch0: cares-1.9.1-ocloexec.patch Patch1: 0001-Use-RPM-compiler-options.patch Patch2: c-ares-CVE-2016-5180.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: gpg-offline BuildRequires: libtool BuildRequires: pkg-config BuildRoot: %{_tmppath}/%{name}-%{version}-build %description c-ares is a C library that performs DNS requests and name resolves asynchronously. c-ares is a fork of the library named 'ares', written by Greg Hudson at MIT. %package -n libcares-devel Summary: Library for asynchronous name resolves Group: Development/Libraries/C and C++ Requires: %{name} = %{version} Requires: glibc-devel %description -n libcares-devel c-ares is a C library that performs DNS requests and name resolves asynchronously. c-ares is a fork of the library named 'ares', written by Greg Hudson at MIT. %prep %setup -q -n %{pkg_name}-%{version} %patch0 -p1 %patch1 -p1 %patch2 -p1 # Remove bogus cflags checking sed -i -e '/XC_CHECK_BUILD_FLAGS/d' configure.ac sed -i -e '/XC_CHECK_USER_FLAGS/d' m4/xc-cc-check.m4 %build autoreconf -fiv %configure \ --enable-symbol-hiding \ --enable-nonblocking \ --enable-shared \ --disable-static \ --with-pic make %{?_smp_mflags} %install make DESTDIR=%{buildroot} install %{?_smp_mflags} find %{buildroot} -type f -name "*.la" -delete -print %post -p /sbin/ldconfig %postun -p /sbin/ldconfig %files %defattr(-,root,root) %{_libdir}/libcares.so.2* %files -n libcares-devel %defattr(-,root,root) %{_libdir}/libcares.so %{_includedir}/*.h %{_mandir}/man3/ares_* %{_libdir}/pkgconfig/libcares.pc %changelog ++++++ 0001-Use-RPM-compiler-options.patch ++++++
From 7dada62a77e061c752123e672e844386ff3b01ea Mon Sep 17 00:00:00 2001 From: Stephen Gallagher
Date: Wed, 10 Apr 2013 12:32:44 -0400 Subject: [PATCH] Use RPM compiler options
--- m4/cares-compilers.m4 | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/m4/cares-compilers.m4 b/m4/cares-compilers.m4 index 7ee8e0dbe741c1a64149a0d20b826f507b3ec620..d7708230fb5628ae80fbf1052da0d2c78ebbc160 100644 --- a/m4/cares-compilers.m4 +++ b/m4/cares-compilers.m4 @@ -143,19 +143,12 @@ AC_DEFUN([CARES_CHECK_COMPILER_GNU_C], [ gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` - flags_dbg_all="-g -g0 -g1 -g2 -g3" - flags_dbg_all="$flags_dbg_all -ggdb" - flags_dbg_all="$flags_dbg_all -gstabs" - flags_dbg_all="$flags_dbg_all -gstabs+" - flags_dbg_all="$flags_dbg_all -gcoff" - flags_dbg_all="$flags_dbg_all -gxcoff" - flags_dbg_all="$flags_dbg_all -gdwarf-2" - flags_dbg_all="$flags_dbg_all -gvms" - flags_dbg_yes="-g" - flags_dbg_off="-g0" - flags_opt_all="-O -O0 -O1 -O2 -O3 -Os" - flags_opt_yes="-O2" - flags_opt_off="-O0" + flags_dbg_all="" + flags_dbg_yes="" + flags_dbg_off="" + flags_opt_all="" + flags_opt_yes="" + flags_opt_off="" CURL_CHECK_DEF([_WIN32], [], [silent]) else AC_MSG_RESULT([no]) -- 1.8.1.4 ++++++ baselibs.conf ++++++ libcares2 ++++++ c-ares-CVE-2016-5180.patch ++++++
From 65c71be1cbe587f290432bef2f669ee6cb8ac137 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg
Date: Fri, 23 Sep 2016 14:44:11 +0200 Subject: [PATCH] ares_create_query: avoid single-byte buffer overwrite
... when the name ends with an escaped dot.
CVE-2016-5180
Bug: https://c-ares.haxx.se/adv_20160929.html
---
ares_create_query.c | 84 +++++++++++++++++++++++++----------------------------
1 file changed, 39 insertions(+), 45 deletions(-)
Index: c-ares-1.10.0/ares_create_query.c
===================================================================
--- c-ares-1.10.0.orig/ares_create_query.c
+++ c-ares-1.10.0/ares_create_query.c
@@ -85,57 +85,31 @@
*/
int ares_create_query(const char *name, int dnsclass, int type,
- unsigned short id, int rd, unsigned char **buf,
- int *buflen, int max_udp_size)
+ unsigned short id, int rd, unsigned char **bufp,
+ int *buflenp, int max_udp_size)
{
- int len;
+ size_t len;
unsigned char *q;
const char *p;
+ size_t buflen;
+ unsigned char *buf;
/* Set our results early, in case we bail out early with an error. */
- *buflen = 0;
- *buf = NULL;
+ *buflenp = 0;
+ *bufp = NULL;
- /* Compute the length of the encoded name so we can check buflen.
- * Start counting at 1 for the zero-length label at the end. */
- len = 1;
- for (p = name; *p; p++)
- {
- if (*p == '\\' && *(p + 1) != 0)
- p++;
- len++;
- }
- /* If there are n periods in the name, there are n + 1 labels, and
- * thus n + 1 length fields, unless the name is empty or ends with a
- * period. So add 1 unless name is empty or ends with a period.
+ /* Allocate a memory area for the maximum size this packet might need. +2
+ * is for the length byte and zero termination if no dots or ecscaping is
+ * used.
*/
- if (*name && *(p - 1) != '.')
- len++;
-
- /* Immediately reject names that are longer than the maximum of 255
- * bytes that's specified in RFC 1035 ("To simplify implementations,
- * the total length of a domain name (i.e., label octets and label
- * length octets) is restricted to 255 octets or less."). We aren't
- * doing this just to be a stickler about RFCs. For names that are
- * too long, 'dnscache' closes its TCP connection to us immediately
- * (when using TCP) and ignores the request when using UDP, and
- * BIND's named returns ServFail (TCP or UDP). Sending a request
- * that we know will cause 'dnscache' to close the TCP connection is
- * painful, since that makes any other outstanding requests on that
- * connection fail. And sending a UDP request that we know
- * 'dnscache' will ignore is bad because resources will be tied up
- * until we time-out the request.
- */
- if (len > MAXCDNAME)
- return ARES_EBADNAME;
-
- *buflen = len + HFIXEDSZ + QFIXEDSZ + (max_udp_size ? EDNSFIXEDSZ : 0);
- *buf = malloc(*buflen);
- if (!*buf)
- return ARES_ENOMEM;
+ len = strlen(name) + 2 + HFIXEDSZ + QFIXEDSZ +
+ (max_udp_size ? EDNSFIXEDSZ : 0);
+ buf = malloc(len);
+ if (!buf)
+ return ARES_ENOMEM;
/* Set up the header. */
- q = *buf;
+ q = buf;
memset(q, 0, HFIXEDSZ);
DNS_HEADER_SET_QID(q, id);
DNS_HEADER_SET_OPCODE(q, QUERY);
@@ -159,8 +133,10 @@ int ares_create_query(const char *name,
q += HFIXEDSZ;
while (*name)
{
- if (*name == '.')
+ if (*name == '.') {
+ free (buf);
return ARES_EBADNAME;
+ }
/* Count the number of bytes in this label. */
len = 0;
@@ -170,8 +146,10 @@ int ares_create_query(const char *name,
p++;
len++;
}
- if (len > MAXLABEL)
+ if (len > MAXLABEL) {
+ free (buf);
return ARES_EBADNAME;
+ }
/* Encode the length and copy the data. */
*q++ = (unsigned char)len;
@@ -195,14 +173,30 @@ int ares_create_query(const char *name,
DNS_QUESTION_SET_TYPE(q, type);
DNS_QUESTION_SET_CLASS(q, dnsclass);
+ q += QFIXEDSZ;
if (max_udp_size)
{
- q += QFIXEDSZ;
memset(q, 0, EDNSFIXEDSZ);
q++;
DNS_RR_SET_TYPE(q, T_OPT);
DNS_RR_SET_CLASS(q, max_udp_size);
+ q += (EDNSFIXEDSZ-1);
}
+ buflen = (q - buf);
+
+ /* Reject names that are longer than the maximum of 255 bytes that's
+ * specified in RFC 1035 ("To simplify implementations, the total length of
+ * a domain name (i.e., label octets and label length octets) is restricted
+ * to 255 octets or less."). */
+ if (buflen > (MAXCDNAME + HFIXEDSZ + QFIXEDSZ +
+ (max_udp_size ? EDNSFIXEDSZ : 0))) {
+ free (buf);
+ return ARES_EBADNAME;
+ }
+
+ /* we know this fits in an int at this point */
+ *buflenp = (int) buflen;
+ *bufp = buf;
return ARES_SUCCESS;
}
++++++ cares-1.9.1-ocloexec.patch ++++++
diff --git a/ares_gethostbyaddr.c b/ares_gethostbyaddr.c
index 4b4c8a7..6896a91 100644
--- a/ares_gethostbyaddr.c
+++ b/ares_gethostbyaddr.c
@@ -222,7 +222,7 @@ static int file_lookup(struct ares_addr *addr, struct hostent **host)
return ARES_ENOTFOUND;
#endif
- fp = fopen(PATH_HOSTS, "r");
+ fp = fopen(PATH_HOSTS, "re");
if (!fp)
{
error = ERRNO;
diff --git a/ares_gethostbyname.c b/ares_gethostbyname.c
index 4869402..bfc54b6 100644
--- a/ares_gethostbyname.c
+++ b/ares_gethostbyname.c
@@ -380,7 +380,7 @@ static int file_lookup(const char *name, int family, struct hostent **host)
return ARES_ENOTFOUND;
#endif
- fp = fopen(PATH_HOSTS, "r");
+ fp = fopen(PATH_HOSTS, "re");
if (!fp)
{
error = ERRNO;
diff --git a/ares_init.c b/ares_init.c
index 0c1d545..b9b9508 100644
--- a/ares_init.c
+++ b/ares_init.c
@@ -1173,7 +1173,7 @@
if (ARES_CONFIG_CHECK(channel))
return ARES_SUCCESS;
- fp = fopen(PATH_RESOLV_CONF, "r");
+ fp = fopen(PATH_RESOLV_CONF, "re");
if (fp) {
while ((status = ares__read_line(fp, &line, &linesize)) == ARES_SUCCESS)
{
@@ -1215,7 +1215,7 @@
if ((status == ARES_EOF) && (!channel->lookups)) {
/* Many systems (Solaris, Linux, BSD's) use nsswitch.conf */
- fp = fopen("/etc/nsswitch.conf", "r");
+ fp = fopen("/etc/nsswitch.conf", "re");
if (fp) {
while ((status = ares__read_line(fp, &line, &linesize)) ==
ARES_SUCCESS)
@@ -1245,7 +1245,7 @@
if ((status == ARES_EOF) && (!channel->lookups)) {
/* Linux / GNU libc 2.x and possibly others have host.conf */
- fp = fopen("/etc/host.conf", "r");
+ fp = fopen("/etc/host.conf", "re");
if (fp) {
while ((status = ares__read_line(fp, &line, &linesize)) ==
ARES_SUCCESS)
@@ -1275,7 +1275,7 @@
if ((status == ARES_EOF) && (!channel->lookups)) {
/* Tru64 uses /etc/svc.conf */
- fp = fopen("/etc/svc.conf", "r");
+ fp = fopen("/etc/svc.conf", "re");
if (fp) {
while ((status = ares__read_line(fp, &line, &linesize)) ==
ARES_SUCCESS)
@@ -1908,7 +1908,7 @@
}
#else /* !WIN32 */
#ifdef RANDOM_FILE
- FILE *f = fopen(RANDOM_FILE, "rb");
+ FILE *f = fopen(RANDOM_FILE, "rbe");
if(f) {
counter = aresx_uztosi(fread(key, 1, key_data_len, f));
fclose(f);
diff --git a/ares_process.c b/ares_process.c
index 5de1ae6..1b85640 100644
--- a/ares_process.c
+++ b/ares_process.c
@@ -877,7 +877,7 @@
setsocknonblock(s, TRUE);
-#if defined(FD_CLOEXEC) && !defined(MSDOS)
+#if !defined(SOCK_CLOEXEC) && defined(FD_CLOEXEC) && !defined(MSDOS)
/* Configure the socket fd as close-on-exec. */
if (fcntl(s, F_SETFD, FD_CLOEXEC) == -1)
return -1;
@@ -964,7 +964,7 @@
}
/* Acquire a socket. */
- s = socket(server->addr.family, SOCK_STREAM, 0);
+ s = socket(server->addr.family, SOCK_STREAM | SOCK_CLOEXEC, 0);
if (s == ARES_SOCKET_BAD)
return -1;
@@ -1056,7 +1056,7 @@
}
/* Acquire a socket. */
- s = socket(server->addr.family, SOCK_DGRAM, 0);
+ s = socket(server->addr.family, SOCK_DGRAM | SOCK_CLOEXEC, 0);
if (s == ARES_SOCKET_BAD)
return -1;
diff --git a/ares_search.c b/ares_search.c
index 1877c19..387a16f 100644
--- a/ares_search.c
+++ b/ares_search.c
@@ -256,7 +256,7 @@ static int single_domain(ares_channel channel, const char *name, char **s)
hostaliases = getenv("HOSTALIASES");
if (hostaliases)
{
- fp = fopen(hostaliases, "r");
+ fp = fopen(hostaliases, "re");
if (fp)
{
while ((status = ares__read_line(fp, &line, &linesize))
++++++ libcares2.keyring ++++++
pub 1024D/279D5C91 2003-04-28
uid Daniel Stenberg (Haxx)