commit: 901358f7b67d6b7e98192dbcaa7e18f0fafef5a7 Author: Nicolas PARLANT <nicolas.parlant <AT> parhuet <DOT> fr> AuthorDate: Fri May 30 20:56:17 2025 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Mon Jun 2 21:39:15 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=901358f7
net-dns/knot-resolver: add 6.0.13

DoS - fix more rare crashes with `requirement` failing : https://gitlab.nic.cz/knot/knot-resolver/-/issues/930 include a patch from upstream to fix a regression

Bug: https://bugs.gentoo.org/954555
Signed-off-by: Nicolas PARLANT <nicolas.parlant <AT> parhuet.fr>
Part-of: https://github.com/gentoo/gentoo/pull/42367
Signed-off-by: Sam James <sam <AT> gentoo.org>

net-dns/knot-resolver/Manifest | 2 +
...knot-resolver-6.0.13-fix_template_regress.patch | 52 ++++++
net-dns/knot-resolver/knot-resolver-6.0.13.ebuild | 184 +++++++++++++++++++++
3 files changed, 238 insertions(+)

diff --git a/net-dns/knot-resolver/Manifest b/net-dns/knot-resolver/Manifest
index 5416174e8d70..4fcfa6eb0e62 100644
--- a/net-dns/knot-resolver/Manifest
+++ b/net-dns/knot-resolver/Manifest
@@ -2,3 +2,5 @@ DIST knot-resolver-5.7.5.tar.xz 1924960 BLAKE2B cad47756832b34399ea0437ef041ddbf DIST knot-resolver-5.7.5.tar.xz.asc 833 BLAKE2B 675b91253c5ae72db9e1ef6513a681538967f72b6b7a91f2159b42e7581b398a0a90df7e75da0e6818f1a20549a23677ab34722bbcf762cad019d4c211221f1e SHA512 df06eb244fa051a5f71385424b2da2479203019c6824344ec2226bc4851a3eb12eb3bb0f6f5a3e5ccce8c5875b6867924fa46b6939545cb35b24ef799f9ef6b0 DIST knot-resolver-6.0.12.tar.xz 2144940 BLAKE2B 72a8592591ba7ca8ee8b57eae105096125a71f7d4a7e1b096962683f66cc608f65ad5743ee2213b0b898983c52cf9b7d651088929b56db952871bb8b03607283 SHA512 2941de1d05258a627fa859de826487e940cd0c90befa5d2a678e0bf3111c048cb558cfe1258711417bec71a6f0d6e38aa40c1ba6743f3279862684109634d6dc DIST knot-resolver-6.0.12.tar.xz.asc 833 BLAKE2B ffb7758c151485fe65e8ad636767943b1280d4a02d5889fbc22247fcfe1d3d53969e369cff6d0d2a438ed241f96ec2c97d792fc7d07af3f51ec252eb20357c42 SHA512 1adafdb6ffcf8d2bcb0a6b6ed2a39eb8be237954280f8845fef62dc32dfa64f5101400db94d8ecad30c27c8ca21945414b8c4c4ec0db88ba8be679e99c60947e +DIST knot-resolver-6.0.13.tar.xz 2147116 BLAKE2B 0a5521fb0b33dd0122b4b7139f60b549517e3091beb3a196489fee8d7b9fbc5400166a900aa1cf2fbe9543862b21de9c02985ccbd71f04bb3950c27f5496ef9f SHA512 200219b6156e76bdb10a679dadd3de076df4d59ca2090b80fd59328ab343b403ae68a625e7f4e47ed92d041938176013bc142404571678bd44976b6a84c3ec95 +DIST knot-resolver-6.0.13.tar.xz.asc 833 BLAKE2B 2f91962a0c8f0bfc4b68b5a66212dfac45d3060a6132aeaa945b4badc1fb32a22552f5451f8ba35c61f2c3c8edf6444dc407633dc63f37b5b0f042bf256321ef SHA512 2d34ea2a67644082f9017166df855bcfc13b41ce09ec49e9317e4806c3ea7affa143571877dca0c7244763aeee64a3c5b8d34743616fb600d350a8a9c1465c88 diff --git a/net-dns/knot-resolver/files/knot-resolver-6.0.13-fix_template_regress.patch b/net-dns/knot-resolver/files/knot-resolver-6.0.13-fix_template_regress.patch new file mode 100644 index 000000000000..54171b1443c1 --- /dev/null +++ b/net-dns/knot-resolver/files/knot-resolver-6.0.13-fix_template_regress.patch 
@@ -0,0 +1,52 @@ +https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1697/ +From 00929c0b0af776b4a5e344b6f3a0541fefe93db2 Mon Sep 17 00:00:00 2001 +From: Brad Cowie <[email protected]> +Date: Fri, 30 May 2025 13:57:25 +1200 +Subject: [PATCH 1/2] datamodel/templates: fix kr_rule_local_* macros + +commit a782e9c3 broke the jinja2 generation of the +kr_rule_local_* macro functions. C.KR_RULE_OPTS_DEFAULT +was provided as an argument to the assert() function call +instead of the call to the corresponding C.kr_rule_local_* function +--- + .../templates/macros/local_data_macros.lua.j2 | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/python/knot_resolver/datamodel/templates/macros/local_data_macros.lua.j2 b/python/knot_resolver/datamodel/templates/macros/local_data_macros.lua.j2 +index e91b82685..39029b3c7 100644 +--- a/python/knot_resolver/datamodel/templates/macros/local_data_macros.lua.j2 ++++ b/python/knot_resolver/datamodel/templates/macros/local_data_macros.lua.j2 +@@ -28,8 +28,8 @@ hints.root_file('{{ file }}') + + {% macro kr_rule_local_address(name, address, nodata, ttl, tags=none) -%} + assert(C.kr_rule_local_address('{{ name }}', '{{ address }}', +- {{ boolean(nodata) }}, {{ local_data_ttl(ttl)}}, {{ policy_get_tagset(tags) }}) == 0, +- C.KR_RULE_OPTS_DEFAULT) ++ {{ boolean(nodata) }}, {{ local_data_ttl(ttl)}}, {{ policy_get_tagset(tags) }}, ++ C.KR_RULE_OPTS_DEFAULT) == 0) + {%- endmacro -%} + + +@@ -44,7 +44,7 @@ assert(C.kr_rule_local_address('{{ name }}', '{{ address }}', + + {% macro kr_rule_local_hosts(file, nodata, ttl, tags=none) -%} + assert(C.kr_rule_local_hosts('{{ file }}', {{ boolean(nodata) }}, +- {{ local_data_ttl(ttl)}}, {{ policy_get_tagset(tags) }}) == 0, C.KR_RULE_OPTS_DEFAULT) ++ {{ local_data_ttl(ttl)}}, {{ policy_get_tagset(tags) }}, C.KR_RULE_OPTS_DEFAULT) == 0) + {%- endmacro %} + + +@@ -92,8 +92,8 @@ assert(C.kr_rule_zonefile({{ id }})==0) + + {% macro kr_rule_local_subtree(name, type, ttl, 
tags=none) -%} + assert(C.kr_rule_local_subtree(todname('{{ name }}'), +- C.KR_RULE_SUB_{{ type.upper() }}, {{ local_data_ttl(ttl) }}, {{ policy_get_tagset(tags) }}) == 0, +- C.KR_RULE_OPTS_DEFAULT) ++ C.KR_RULE_SUB_{{ type.upper() }}, {{ local_data_ttl(ttl) }}, {{ policy_get_tagset(tags) }}, ++ C.KR_RULE_OPTS_DEFAULT) == 0) + {%- endmacro %} + + +-- +GitLab + diff --git a/net-dns/knot-resolver/knot-resolver-6.0.13.ebuild b/net-dns/knot-resolver/knot-resolver-6.0.13.ebuild new file mode 100644 index 000000000000..7762c00dda49 --- /dev/null +++ b/net-dns/knot-resolver/knot-resolver-6.0.13.ebuild 
@@ -0,0 +1,184 @@
+# Copyright 2024-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+LUA_COMPAT=( luajit )
+DISTUTILS_EXT=1
+DISTUTILS_OPTIONAL=1
+DISTUTILS_SINGLE_IMPL=1
+DISTUTILS_USE_PEP517=poetry
+PYTHON_COMPAT=( python3_{11..13} )
+
+inherit distutils-r1 lua-single meson optfeature tmpfiles verify-sig
+
+DESCRIPTION="A scaleable caching DNS resolver"
+HOMEPAGE="https://www.knot-resolver.cz https://gitlab.nic.cz/knot/knot-resolver"
+SRC_URI="
+ https://knot-resolver.nic.cz/release/${P}.tar.xz
+ verify-sig? ( https://knot-resolver.nic.cz/release/${P}.tar.xz.asc )
+"
+
+LICENSE="Apache-2.0 BSD CC0-1.0 GPL-3+ LGPL-2.1+ MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64"
+
+IUSE="caps dnstap jemalloc +manager nghttp2 selinux systemd test xdp"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="
+ ${LUA_REQUIRED_USE}
+ manager? ( ${PYTHON_REQUIRED_USE} )
+"
+
+RDEPEND="
+ ${LUA_DEPS}
+ acct-group/knot-resolver
+ acct-user/knot-resolver
+ dev-db/lmdb:=
+ dev-libs/libuv:=
+ >=net-dns/knot-3.3:=[xdp?]
+ net-libs/gnutls:=
+ caps? ( sys-libs/libcap-ng )
+ dnstap? (
+ dev-libs/fstrm
+ dev-libs/protobuf-c:=
+ )
+ jemalloc? ( dev-libs/jemalloc:= )
+ manager? (
+ ${PYTHON_DEPS}
+ $(python_gen_cond_dep '
+ app-admin/supervisor[${PYTHON_USEDEP}]
+ dev-python/aiohttp[${PYTHON_USEDEP}]
+ dev-python/jinja2[${PYTHON_USEDEP}]
+ dev-python/pyyaml[${PYTHON_USEDEP}]
+ dev-python/typing-extensions[${PYTHON_USEDEP}]
+ ')
+ )
+ nghttp2? ( net-libs/nghttp2:= )
+ selinux? ( sec-policy/selinux-knot )
+ systemd? ( sys-apps/systemd:= )
+"
+DEPEND="
+ ${RDEPEND}
+ test? (
+ dev-util/cmocka
+ manager? (
+ $(python_gen_cond_dep '
+ dev-python/pyparsing[${PYTHON_USEDEP}]
+ dev-python/pytest-asyncio[${PYTHON_USEDEP}]
+ ')
+ )
+ )
+"
+BDEPEND="
+ virtual/pkgconfig
+ manager? (
+ ${DISTUTILS_DEPS}
+ ${PYTHON_DEPS}
+ )
+ verify-sig? ( >=sec-keys/openpgp-keys-knot-resolver-20240304 )
+"
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/${PN}.gpg
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-5.5.3-docdir.patch
+ "${FILESDIR}"/${PN}-5.5.3-nghttp-openssl.patch
+ "${FILESDIR}"/${PN}-6.0.9-libsystemd.patch
+ "${FILESDIR}"/${PN}-6.0.9-config-example.patch
+ "${FILESDIR}"/${PN}-6.0.12-pytest_tomllib.patch
+ # Regression fix merged, to be removed with release 6.0.14
+ "${FILESDIR}"/${PN}-6.0.13-fix_template_regress.patch
+)
+
+pkg_setup() {
+ lua-single_pkg_setup
+ use manager && python-single-r1_pkg_setup
+}
+
+src_prepare() {
+ default
+ use manager && distutils-r1_src_prepare
+}
+
+src_configure() {
+ local emesonargs=(
+ --localstatedir "${EPREFIX}"/var # double lib
+ # https://bugs.gentoo.org/870019
+ -Dauto_features=disabled
+ # post-install tests
+ -Dconfig_tests=disabled
+ -Ddoc=disabled
+ -Ddocdir="${EPREFIX}"/usr/share/doc/${PF}
+ -Dinstall_kresd_conf=enabled
+ -Dopenssl=disabled
+ -Dmalloc=$(usex jemalloc jemalloc disabled)
+ -Dsystemd_files=enabled
+ $(meson_feature caps capng)
+ $(meson_feature dnstap)
+ $(meson_feature nghttp2)
+ $(meson_feature systemd)
+ $(meson_feature systemd systemd_legacy_units)
+ $(meson_feature test unit_tests)
+ )
+ meson_src_configure
+}
+
+src_compile() {
+ meson_src_compile
+ use manager && distutils-r1_src_compile
+}
+
+src_test() {
+ meson_src_test
+ use manager && distutils-r1_src_test
+}
+
+python_test() {
+ epytest tests/manager
+}
+
+src_install() {
+ meson_src_install
+ if use manager; then
+ distutils-r1_src_install
+ newinitd "${FILESDIR}"/knot-resolver.initd knot-resolver
+ newconfd "${FILESDIR}"/knot-resolver.confd knot-resolver
+ else
+ rm "${ED}"/usr/lib/systemd/system/knot-resolver.service || die
+ fi
+ fowners -R ${PN}: /etc/${PN}
+ newinitd "${FILESDIR}"/kresd.initd-r2 kresd
+ newconfd "${FILESDIR}"/kresd.confd-r1 kresd
+ newinitd "${FILESDIR}"/kres-cache-gc.initd kres-cache-gc
+}
+
+pkg_postinst() {
+ tmpfiles_process knot-resolver.conf
+ if use manager; then
+ elog "You choose the new way, called the manager, to start Knot Resolver:"
+ use systemd && elog " systemctl start knot-resolver.service"
+ use !systemd && elog " /etc/init.d/knot-resolver start"
+ elog "Configuration file: /etc/knot-resolver/config.yaml"
+ elog ""
+ elog "The older way, without the manager, is still available:"
+ else
+ elog "You choose the older way, without the manager, to start Knot Resolver:"
+ fi
+ use systemd && elog " systemctl start [email protected]"
+ use !systemd && elog " /etc/init.d/kresd start"
+ elog "Configuration file: /etc/knot-resolver/kresd.conf"
+ elog "Optional garbage collector: /etc/init.d/kres-cache-gc"
+ elog ""
+ use !manager && elog "The new way is available with the useflag manager."
+ elog ""
+
+ optfeature_header "This package is recommended with Knot Resolver:"
+ optfeature "asynchronous execution, especially with policy module" dev-lua/cqueues
+ elog ""
+ optfeature_header "Other packages may also be useful:"
+ use manager && optfeature "Prometheus metrics (need manager)" dev-python/prometheus-client
+ use manager && optfeature "auto-reload TLS certificate files and RPZ files (need manager)" dev-python/watchdog
+ optfeature "legacy doh and webmgmt (metrics, tracking)" dev-lua/lua-http
+ optfeature "server map with geoIP database (webmgmt)" dev-lua/lua-mmdb
+}
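Review bot: `fowners -R ${PN}: /etc/${PN}` in src_install gives the daemon's own user and group ownership of the whole configuration directory with no accompanying `fperms`, so the config files stay owner-writable and a compromised kresd or manager process can rewrite its own config.yaml/kresd.conf and keep the change across restarts. Unless the manager has to write into /etc/knot-resolver at runtime (nothing in this hunk shows that), root ownership with group read access is the safer default: `fowners -R root:${PN} /etc/${PN}`, `fperms 0750 /etc/${PN}` and `fperms 0640` on the installed config files; if the write access is required, a one-line comment above the fowners call naming which file the manager writes would document why the recursive chown is needed. Separately, the pytest plugins under `test? ( manager? ( ... ) )` are build-host tools and belong in BDEPEND rather than DEPEND, and dev-python/pytest itself is only reached transitively through pytest-asyncio.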
