#233 build failure against bind 9.18.28
Closed: fixed by abbra. Opened by slev.

bind 9.18.28 fixes quite a few CVEs,
one of them is CVE-2024-1737 (https://kb.isc.org/docs/cve-2024-1737).

The change added two more fields to the dns_dbmethods structure,
setmaxrrperset:
https://gitlab.isc.org/isc-projects/bind9/-/commit/e699ef939e68c51eb3c50ecaaf0eb122216fc488?page=2#a4ca629b906c5f6a77176308d21c16679f8d84e5_188_188

and setmaxtypepername:
https://gitlab.isc.org/isc-projects/bind9/-/commit/39d3e2a8ecc1cb4dccefa3ddea477a2887989485#a4ca629b906c5f6a77176308d21c16679f8d84e5_189_189

this leads to build failure:

ldap_driver.c:987:1: error: missing initializer for field 'setmaxrrperset' of 'dns_dbmethods_t' {aka 'struct dns_dbmethods'} [-Werror=missing-field-initializers]
  987 | };
      | ^
In file included from ldap_driver.c:22:
/usr/include/bind9/dns/db.h:188:16: note: 'setmaxrrperset' declared here
  188 |         void (*setmaxrrperset)(dns_db_t *db, uint32_t value);
      |                ^~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[2]: *** [Makefile:599: ldap_la-ldap_driver.lo] Error 1

Though the issue affects the 9.11 and 9.16 branches too, it seems bind upstream doesn't plan to add those fields to that structure there and made them compile-time limits instead:

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9169
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9170


Simple patch that fixes the issue for me:

diff --git a/src/ldap_driver.c b/src/ldap_driver.c
index 2205ea1..5358372 100644
--- a/src/ldap_driver.c
+++ b/src/ldap_driver.c
@@ -981,6 +981,10 @@ static dns_dbmethods_t ldapdb_methods = {
 #if LIBDNS_VERSION_MAJOR >= 1600
        NULL, /* setgluecachestats */
 #endif
+#if LIBDNS_VERSION_MAJOR >= 1828
+       NULL, /* setmaxrrperset */
+       NULL, /* setmaxtypepername */
+#endif
 #if LIBDNS_VERSION_MAJOR >= 1606 && LIBDNS_VERSION_MAJOR < 1720
        adjusthashsize, /* adjusthashsize */
 #endif
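Review bot: Gating the two new initializers on LIBDNS_VERSION_MAJOR >= 1828 ties the fix to the 9.18.28 ABI only; a distribution that backports the setmaxrrperset/setmaxtypepername members into a 9.16 or 9.11 build would still hit the same -Werror=missing-field-initializers error, so a configure-time member check (a HAVE_... define like the existing HAVE_DNS_SERVESTALE) would be more robust than a version comparison. Because the table uses positional initializers, the order of the two NULLs must match the declaration order in db.h (setmaxrrperset at line 188, setmaxtypepername at line 189 per the error output and commit anchors); placing the block before the `adjusthashsize` entry is harmless on 9.18, where that entry is compiled out by the `< 1720` check, but would shift offsets if the same patch were applied on a 9.16 tree. Finally, initializing both to NULL means the driver never receives the limit, so the per-RRset cap that CVE-2024-1737 relies on would not be applied to LDAP-backed zones; consider forwarding the call to the wrapped database rather than leaving it NULL.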

Ah great, I wanted to try compilation with the new bind today. But since this actually fixes a CVE, I think we may want to implement that limit check for bind-dyndb-ldap. Otherwise FreeIPA-backed zones would be vulnerable.

It seems we should add a proxy function similar to setservestalettl and the HAVE_DNS_SERVESTALE define. Since we are going to backport the fix into older versions also, it should have build-time detection for the setmaxrrperset and setmaxtypepername members. A version-based define will not work well for us.

And for backported fixes in 9.16 versions, it should be AFTER the adjusthashsize member, to keep the previous offsets unchanged.

Okay, upstream has prepared a different version in their bind-9.16 and bind-9.11 branches, which does not need this kind of change in the database structure. Meaning it will not require bind-dyndb-ldap rebuilds with such a fix.

Since I need a fast fix to correct the bind rebase, this version should be enough for now.
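The proxy-function approach discussed above, as an added illustration that is not bind-dyndb-ldap or BIND 9 code: a wrapper database (standing in for ldapdb) forwards a per-RRset cap to the database it wraps (standing in for rbtdb), with the method-table slot compiled in only when a build-time check says the member exists. The struct names, the HAVE_DNS_DB_SETMAXRRPERSET macro and the -1 failure code are all assumed stand-ins, not the real dns_dbmethods, ldapdb or rbtdb definitions.

```c
/* Added example, not code from bind-dyndb-ldap or BIND 9. All type and
 * macro names below are constructed stand-ins for the real ones. */
#include <stdint.h>
#include <stddef.h>

/* Assumed to be produced by a configure-time member check (for example
 * AC_CHECK_MEMBER on dns_dbmethods.setmaxrrperset) rather than by
 * comparing LIBDNS_VERSION_MAJOR, so that backports are picked up too. */
#define HAVE_DNS_DB_SETMAXRRPERSET 1

#define MAX_TYPES 64 /* storage limit of the mock store, not a DNS limit */

struct mock_db;
typedef struct mock_dbmethods {
    int (*addrr)(struct mock_db *db, const char *name, uint16_t type);
#ifdef HAVE_DNS_DB_SETMAXRRPERSET
    void (*setmaxrrperset)(struct mock_db *db, uint32_t value);
#endif
} mock_dbmethods_t;

typedef struct mock_db {
    const mock_dbmethods_t *methods;
    struct mock_db *inner;     /* wrapper -> wrapped database, or NULL */
    uint32_t maxrrperset;      /* 0 means no cap in this mock */
    uint16_t types[MAX_TYPES]; /* one owner name; one RRset per type */
    uint32_t counts[MAX_TYPES];
    size_t ntypes;
} mock_db_t;

/* "rbtdb" side: actually stores records and enforces the cap. */
static int rbt_addrr(mock_db_t *db, const char *name, uint16_t type) {
    (void)name; /* the mock tracks a single owner name */
    size_t i;
    for (i = 0; i < db->ntypes; i++)
        if (db->types[i] == type) break;
    if (i == db->ntypes) {
        if (db->ntypes == MAX_TYPES) return -1;
        db->types[db->ntypes] = type;
        db->counts[db->ntypes] = 0;
        db->ntypes++;
    }
    /* This is the check the CVE fix introduces: refuse to grow an RRset
     * past the configured maximum instead of accepting unbounded input. */
    if (db->maxrrperset != 0 && db->counts[i] >= db->maxrrperset) return -1;
    db->counts[i]++;
    return 0;
}

static void rbt_setmaxrrperset(mock_db_t *db, uint32_t value) {
    db->maxrrperset = value;
}

/* "ldapdb" side: no storage of its own, forwards to the wrapped db. */
static int ldap_addrr(mock_db_t *db, const char *name, uint16_t type) {
    return db->inner->methods->addrr(db->inner, name, type);
}

#ifdef HAVE_DNS_DB_SETMAXRRPERSET
static void ldap_setmaxrrperset(mock_db_t *db, uint32_t value) {
    /* Proxy: pass the cap down so it applies to LDAP-backed data too. */
    if (db->inner->methods->setmaxrrperset != NULL)
        db->inner->methods->setmaxrrperset(db->inner, value);
}
#endif

static const mock_dbmethods_t rbt_methods = {
    rbt_addrr,
#ifdef HAVE_DNS_DB_SETMAXRRPERSET
    rbt_setmaxrrperset, /* must follow the declaration order above */
#endif
};

static const mock_dbmethods_t ldap_methods = {
    ldap_addrr,
#ifdef HAVE_DNS_DB_SETMAXRRPERSET
    ldap_setmaxrrperset,
#endif
};

/* Pushes `cap` through the wrapper, then tries `attempts` additions to one
 * RRset and returns how many were accepted. */
int accepted_after_cap(uint32_t cap, int attempts) {
    mock_db_t rbt = { .methods = &rbt_methods, .inner = NULL };
    mock_db_t ldap = { .methods = &ldap_methods, .inner = &rbt };
#ifdef HAVE_DNS_DB_SETMAXRRPERSET
    ldap.methods->setmaxrrperset(&ldap, cap);
#else
    (void)cap; /* without the member the limit is simply never enforced */
#endif
    int ok = 0;
    for (int i = 0; i < attempts; i++)
        if (ldap.methods->addrr(&ldap, "host.example.", 1 /* A */) == 0) ok++;
    return ok;
}
```

With the slot left as NULL (as in the quick patch) the wrapper would compile but `accepted_after_cap(5, 10)` would return 10, which is the gap the comment above describes; with the forwarding proxy it returns 5.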

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

