Debian Bug report logs - #496954
bind9: Fails to start due to SIGSEGV

version graph

Package: bind9; Maintainer for bind9 is LaMont Jones <lamont@debian.org>; Source for bind9 is src:bind9.

Reported by: Maykel Moya <moya@latertulia.org>

Date: Thu, 28 Aug 2008 18:54:01 UTC

Severity: grave

Tags: fixed-upstream, patch, upstream

Merged with 501800

Found in versions bind9/1:9.5.0.dfsg.P2-1, bind9/1:9.5.0.dfsg.P2-4

Fixed in version bind9/1:9.5.0.dfsg.P2-5.1

Done: Ben Hutchings <ben@decadent.org.uk>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. Full text and rfc822 format available.

Acknowledgement sent to Maykel Moya <moya@mx1.sld.cu>:
New Bug report received and forwarded. Copy sent to LaMont Jones <lamont@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Maykel Moya <moya@mx1.sld.cu>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bind9: Fails to start due to SIGSEGV
Date: Thu, 28 Aug 2008 14:51:13 -0400
Package: bind9
Version: 1:9.5.0.dfsg.P2-1
Severity: grave
Justification: renders package unusable


I recently upgrade a system from etch to lenny. After that, bind9
refused to start.

mx1:/etc/bind# named -u bind -f
Segmentation fault (core dumped)

# gdb named
(gdb) run -u bind -f
Starting program: /usr/sbin/named -u bind -f
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
(no debugging symbols found)
[New Thread 0xb757c6d0 (LWP 30142)]
[New Thread 0xb74d0b90 (LWP 30261)]
[New Thread 0xb6cd0b90 (LWP 30262)]
[New Thread 0xb64d0b90 (LWP 30263)]
[New Thread 0xb5cd0b90 (LWP 30265)]
[New Thread 0xb54d0b90 (LWP 30269)]
[New Thread 0xb4cd0b90 (LWP 30271)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb74d0b90 (LWP 30261)]
0xb7e04c7f in dns_acl_match () from /usr/lib/libdns.so.43
(gdb) bt
#0  0xb7e04c7f in dns_acl_match () from /usr/lib/libdns.so.43
#1  0x0805d3e8 in ?? ()
#2  0xb74d0238 in ?? ()
#3  0x00000000 in ?? ()


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/4 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages bind9 depends on:
ii  adduser             3.110                add and remove users and groups
ii  bind9utils          1:9.5.0.dfsg.P2-1    Utilities for BIND
ii  debconf [debconf-2. 1.5.22               Debian configuration management sy
ii  libbind9-40         1:9.5.0.dfsg.P2-1    BIND9 Shared Library used by BIND
ii  libc6               2.7-13               GNU C Library: Shared libraries
ii  libcap2             2.11-2               support for getting/setting POSIX.
ii  libdb4.6            4.6.21-8             Berkeley v4.6 Database Libraries [
ii  libdns43            1:9.5.0.dfsg.P2-1    DNS Shared Library used by BIND
ii  libisc44            1:9.5.0.dfsg.P2-1    ISC Shared Library used by BIND
ii  libisccc40          1:9.5.0.dfsg.P2-1    Command Channel Library used by BI
ii  libisccfg40         1:9.5.0.dfsg.P2-1    Config File Handling Library used 
ii  libkrb53            1.6.dfsg.4~beta1-3   MIT Kerberos runtime libraries
ii  libldap-2.4-2       2.4.10-3             OpenLDAP libraries
ii  liblwres40          1:9.5.0.dfsg.P2-1    Lightweight Resolver Library used 
ii  libssl0.9.8         0.9.8g-13            SSL shared libraries
ii  libxml2             2.6.32.dfsg-2+lenny1 GNOME XML library
ii  lsb-base            3.2-19               Linux Standard Base 3.2 init scrip
ii  netbase             4.32                 Basic TCP/IP networking system

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind9-doc              <none>            (no description available)
ii  dnsutils               1:9.5.0.dfsg.P2-1 Clients provided with BIND
pn  resolvconf             <none>            (no description available)

-- debconf information:
  bind9/different-configuration-file:
  bind9/run-resolvconf: true
  bind9/start-as-user: bind




Changed Bug submitter from Maykel Moya <moya@mx1.sld.cu> to Maykel Moya <moya@latertulia.org>. Request was from Maykel Moya <moya@latertulia.org> to control@bugs.debian.org. (Thu, 28 Aug 2008 19:18:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. Full text and rfc822 format available.

Acknowledgement sent to Steve Cotton <steve0001@s.cotton.clara.co.uk>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. Full text and rfc822 format available.

Message #12 received at 496954@bugs.debian.org (full text, mbox):

From: Steve Cotton <steve0001@s.cotton.clara.co.uk>
To: 496954@bugs.debian.org
Subject: Another libxml2 breakage?
Date: Fri, 29 Aug 2008 01:25:14 +0100
> ii  libxml2             2.6.32.dfsg-2+lenny1 GNOME XML library

That's been causing segfaults all over the place.  Please would
you upgrade to 2.6.32.dfsg-3 and retest?

Cheers,
Steve




Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. Full text and rfc822 format available.

Acknowledgement sent to Maykel Moya <moya@latertulia.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. Full text and rfc822 format available.

Message #17 received at 496954@bugs.debian.org (full text, mbox):

From: Maykel Moya <moya@latertulia.org>
To: 496954@bugs.debian.org
Cc: Steve Cotton <steve0001@s.cotton.clara.co.uk>
Subject: Re: bind9: Fails to start due to SIGSEGV - Another libxml2 breakage?
Date: Fri, 29 Aug 2008 10:44:06 -0400
On vie, 2008-08-29 at 03:51 +0100, Steve Cotton wrote:

> > ii  libxml2             2.6.32.dfsg-2+lenny1 GNOME XML library
> 
> That's been causing segfaults all over the place.  Please would
> you upgrade to 2.6.32.dfsg-3 and retest?
> 
> Cheers,
> Steve

I tried with libxml2 2.6.32.dfsg-3 and still crash, with same backtrace.

Cheers,
maykel






Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Sun, 21 Sep 2008 10:57:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Sun, 21 Sep 2008 10:57:01 GMT) Full text and rfc822 format available.

Message #22 received at 496954@bugs.debian.org (full text, mbox):

From: Paul Wise <pabs@debian.org>
To: 496954@bugs.debian.org, Maykel Moya <moya@latertulia.org>
Subject: bind9: 496954: more info needed
Date: Sun, 21 Sep 2008 18:53:49 +0800
[Message part 1 (text/plain, inline)]
I can't reproduce this on my laptop.

What happens if you move the /etc/bind directory out the way?

Are you able to recompile bind9 with debugging info?

These commands should do this:

apt-get install devscripts
apt-get build-dep bind9
apt-get source bind9
cd bind9-*
DEB_BUILD_OPTIONS="debug noopt" debuild
debi
gdb --args named -u bind -f
> run
> bt full

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Wed, 24 Sep 2008 15:21:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Maykel Moya <moya@latertulia.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Wed, 24 Sep 2008 15:21:06 GMT) Full text and rfc822 format available.

Message #27 received at 496954@bugs.debian.org (full text, mbox):

From: Maykel Moya <moya@latertulia.org>
To: Paul Wise <pabs@debian.org>
Cc: 496954@bugs.debian.org
Subject: Re: bind9: 496954: more info needed
Date: Wed, 24 Sep 2008 11:17:57 -0400
On dom, 2008-09-21 at 18:53 +0800, Paul Wise wrote:

> I can't reproduce this on my laptop.
> 
> What happens if you move the /etc/bind directory out the way?

Well, I purged everything related to bind and it started without
problem.

bind in etch is working fine with my config, that's why I tend to
discard any syntactic error in it.

> Are you able to recompile bind9 with debugging info?
> 
> These commands should do this:
> 
> apt-get install devscripts
> apt-get build-dep bind9
> apt-get source bind9
> cd bind9-*
> DEB_BUILD_OPTIONS="debug noopt" debuild
> debi
> gdb --args named -u bind -f
> > run
> > bt full

This is the back trace of running bind9 built with debugging info and
using my current config:

$ gdb
...
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb753cb90 (LWP 27185)]
0xb7e45fc5 in dns_acl_match () from /usr/lib/libdns.so.43
(gdb) bt full
#0  0xb7e45fc5 in dns_acl_match () from /usr/lib/libdns.so.43
No symbol table info available.
#1  0x0805a80f in ?? ()
No symbol table info available.
#2  0xb753c264 in ?? ()
No symbol table info available.
#3  0x00000000 in ?? ()
No symbol table info available.

Cheers,
maykel






Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Wed, 24 Sep 2008 15:57:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Wed, 24 Sep 2008 15:57:06 GMT) Full text and rfc822 format available.

Message #32 received at 496954@bugs.debian.org (full text, mbox):

From: Paul Wise <pabs@debian.org>
To: Maykel Moya <moya@latertulia.org>
Cc: 496954@bugs.debian.org
Subject: Re: bind9: 496954: more info needed
Date: Wed, 24 Sep 2008 23:53:50 +0800
[Message part 1 (text/plain, inline)]
On Wed, 2008-09-24 at 11:17 -0400, Maykel Moya wrote:

> Well, I purged everything related to bind and it started without
> problem.
> 
> bind in etch is working fine with my config, that's why I tend to
> discard any syntactic error in it.

Hmm, perhaps the lenny version has a more buggy config parser.

> This is the back trace of running bind9 built with debugging info and
> using my current config:
...

Hmm, that doesn't look like you had debugging information available.
What does 'file /usr/lib/libdns.so.43' print when the version with debug
info is installed?

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Wed, 24 Sep 2008 18:48:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Maykel Moya <moya@latertulia.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Wed, 24 Sep 2008 18:48:05 GMT) Full text and rfc822 format available.

Message #37 received at 496954@bugs.debian.org (full text, mbox):

From: Maykel Moya <moya@latertulia.org>
To: Paul Wise <pabs@debian.org>
Cc: 496954@bugs.debian.org
Subject: Re: bind9: 496954: more info needed
Date: Wed, 24 Sep 2008 14:43:46 -0400
[Message part 1 (text/plain, inline)]
On mié, 2008-09-24 at 23:53 +0800, Paul Wise wrote:

> > This is the back trace of running bind9 built with debugging info and
> > using my current config:
> ...
> 
> Hmm, that doesn't look like you had debugging information available.
> What does 'file /usr/lib/libdns.so.43' print when the version with debug
> info is installed?

mx1:/home/moya/bind9# file /usr/lib/libdns.so.43.0.1 
/usr/lib/libdns.so.43.0.1: ELF 32-bit LSB shared object, Intel 80386,
version 1 (SYSV), dynamically linked, stripped

First lines after debuild:

dpkg-buildpackage: set CFLAGS to default value: -g -O0
dpkg-buildpackage: set CPPFLAGS to default value: 
dpkg-buildpackage: set LDFLAGS to default value: 
dpkg-buildpackage: set FFLAGS to default value: -g -O0
dpkg-buildpackage: set CXXFLAGS to default value: -g -O0

I commented out the dh_strip line and rebuilt the package, this is the
backtrace now

--
mx1:/home/moya/bind9# gdb --args named -u bind -f
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show
copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) run
Starting program: /usr/sbin/named -u bind -f
[Thread debugging using libthread_db enabled]
[New Thread 0xb75386d0 (LWP 4047)]
[New Thread 0xb748cb90 (LWP 4062)]
[New Thread 0xb6c8cb90 (LWP 4063)]
[New Thread 0xb648cb90 (LWP 4064)]
[New Thread 0xb5c8cb90 (LWP 4065)]
[New Thread 0xb548cb90 (LWP 4066)]
[New Thread 0xb4c8cb90 (LWP 4067)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb748cb90 (LWP 4062)]
0xb7d74fc5 in dns_acl_match (reqaddr=0xb748c274, reqsigner=0x0,
acl=0xb748e1e8, env=0xb74990a8, match=0xb748b8ac, matchelt=0x0) at
acl.c:226
226	acl.c: No such file or directory.
	in acl.c
(gdb) bt
#0  0xb7d74fc5 in dns_acl_match (reqaddr=0xb748c274, reqsigner=0x0,
acl=0xb748e1e8, env=0xb74990a8, match=0xb748b8ac, matchelt=0x0) at
acl.c:226
#1  0x0805a80f in allowed (addr=0xb748c274, signer=0x0, acl=0xb748e1e8)
at client.c:1265
#2  0x0805b840 in client_request (task=0xb74a4890, event=0xb42860f8) at
client.c:1699
#3  0xb7b9062e in dispatch (manager=0xb7491008) at task.c:862
#4  0xb7b908c8 in run (uap=0xb7491008) at task.c:1005
#5  0xb7a07f3b in start_thread () from /lib/libpthread.so.0
#6  0xb7854c9e in clone () from /lib/libc.so.6
--

Find attached the full backtrace.

Cheers,
maykel

[bind-bt-full.txt (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Thu, 25 Sep 2008 07:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Thu, 25 Sep 2008 07:45:03 GMT) Full text and rfc822 format available.

Message #42 received at 496954@bugs.debian.org (full text, mbox):

From: Paul Wise <pabs@debian.org>
To: Maykel Moya <moya@latertulia.org>
Cc: 496954@bugs.debian.org
Subject: Re: bind9: 496954: more info needed
Date: Thu, 25 Sep 2008 15:25:05 +0800
[Message part 1 (text/plain, inline)]
The function where the crash is has changed a lot since etch.

Can you run the following gdb commands at the point of the crash?

p *node
p node->data
p node->data[0]
p *(node->data[0])

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Tue, 30 Sep 2008 06:24:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Tue, 30 Sep 2008 06:24:02 GMT) Full text and rfc822 format available.

Message #47 received at 496954@bugs.debian.org (full text, mbox):

From: Paul Wise <pabs@debian.org>
To: Maykel Moya <moya@latertulia.org>
Cc: 496954@bugs.debian.org
Subject: Re: bind9: 496954: more info needed
Date: Tue, 30 Sep 2008 14:20:54 +0800
[Message part 1 (text/plain, inline)]
On Thu, 2008-09-25 at 15:25 +0800, Paul Wise wrote:

> Can you run the following gdb commands at the point of the crash?

Any luck with this?

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Wed, 01 Oct 2008 19:06:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Wed, 01 Oct 2008 19:06:02 GMT) Full text and rfc822 format available.

Message #52 received at 496954@bugs.debian.org (full text, mbox):

From: Paul Wise <pabs@debian.org>
To: Maykel Moya <moya@latertulia.org>
Cc: 496954@bugs.debian.org
Subject: Re: bind9: 496954: more info needed
Date: Thu, 02 Oct 2008 03:03:02 +0800
[Message part 1 (text/plain, inline)]
On Tue, 2008-09-30 at 14:20 +0800, Paul Wise wrote:
> On Thu, 2008-09-25 at 15:25 +0800, Paul Wise wrote:
> 
> > Can you run the following gdb commands at the point of the crash?
> 
> Any luck with this?

After moya sent me his configs in private, I cannot reproduce the crash
on amd64 with bind9 version 1:9.5.0.dfsg.P2-1 nor in an i386 chroot with
1:9.5.0.dfsg.P1-2 or 1:9.5.0.dfsg.P2-1.

I didn't attempt to replicate the network setup, just put the configs in
place. moya, are you able to reproduce it in a separate machine at all?

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Wed, 01 Oct 2008 20:15:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Maykel Moya <moya@latertulia.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Wed, 01 Oct 2008 20:15:05 GMT) Full text and rfc822 format available.

Message #57 received at 496954@bugs.debian.org (full text, mbox):

From: Maykel Moya <moya@latertulia.org>
To: Paul Wise <pabs@debian.org>
Cc: 496954@bugs.debian.org
Subject: Re: bind9: 496954: more info needed
Date: Wed, 01 Oct 2008 16:13:44 -0400
[Message part 1 (text/plain, inline)]
On jue, 2008-10-02 at 03:03 +0800, Paul Wise wrote:

> On Tue, 2008-09-30 at 14:20 +0800, Paul Wise wrote:
> > On Thu, 2008-09-25 at 15:25 +0800, Paul Wise wrote:
> > 
> > > Can you run the following gdb commands at the point of the crash?
> > 
> > Any luck with this?
> 
> After moya sent me his configs in private, I cannot reproduce the crash
> on amd64 with bind9 version 1:9.5.0.dfsg.P2-1 nor in an i386 chroot with
> 1:9.5.0.dfsg.P1-2 or 1:9.5.0.dfsg.P2-1.
> 
> I didn't attempt to replicate the network setup, just put the configs in
> place. moya, are you able to reproduce it in a separate machine at all?

A short history about the machines. There are three, namely, ns{1,2,3}

1. ns1 is master, ns{2,3} are slaves
2. the three were etch, configuration almost the same
3. I did upgrade the three to lenny
4. ns3's named didn't crash, ns1 and ns2's named did

5. I created a clean /etc/bind in ns2. bind started gracefully
6. ... then I copied the relevant bits of my old configuration over the
freshly created /etc/bind in ns2. bind started gracefully

7. I created a clean /etc/bind in ns1. bind started gracefully
8. ... then I copied the relevant bits of my old configuration over
the freshly created /etc/bind in ns1. bind crash at startup

bind is crashing only in the master server.

With respect to the data at the point of the crash

(gdb) p *node
$1 = {bit = 19, prefix = 0xb41f50e8, l = 0xb41f4da0, r = 0xb41f90d0,
parent = 0xb41f9418, data = {0x0, 0x0}, node_num = {29, -1}}
(gdb) p node->data
$2 = {0x0, 0x0}
(gdb) p node->data[0]
$3 = (void *) 0x0
(gdb) p *(node->data[0])
Attempt to dereference a generic pointer.

The full backtrace is attached.

Cheers,
maykel

[bt-full-200810011611.txt (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Thu, 02 Oct 2008 04:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Thu, 02 Oct 2008 04:27:03 GMT) Full text and rfc822 format available.

Message #62 received at 496954@bugs.debian.org (full text, mbox):

From: Paul Wise <pabs@debian.org>
To: Maykel Moya <moya@latertulia.org>
Cc: 496954@bugs.debian.org
Subject: Re: bind9: 496954: more info needed
Date: Thu, 02 Oct 2008 12:23:41 +0800
[Message part 1 (text/plain, inline)]
On Wed, 2008-10-01 at 16:13 -0400, Maykel Moya wrote:

> With respect to the data at the point of the crash
> 
> ...

I suspected as much. I don't know enough about the bind code to know if
it is correct, but I suspect this should fix the crash:

--- bind9-9.5.0.dfsg.P2.orig/lib/dns/acl.c
+++ bind9-9.5.0.dfsg.P2/lib/dns/acl.c
@@ -219,7 +219,7 @@
 	result = isc_radix_search(acl->iptable->radix, &node, &pfx);
 
 	/* Found a match. */
-	if (result == ISC_R_SUCCESS && node != NULL) {
+	if (result == ISC_R_SUCCESS && node != NULL && node->data[ISC_IS6(family)] != NULL) {
 		if (node->bit == 0)
 			family = AF_INET;
 		match_num = node->node_num[ISC_IS6(family)];

Upstream should be consulted about the validity of this.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Thu, 02 Oct 2008 19:51:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Maykel Moya <moya@latertulia.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Thu, 02 Oct 2008 19:51:07 GMT) Full text and rfc822 format available.

Message #67 received at 496954@bugs.debian.org (full text, mbox):

From: Maykel Moya <moya@latertulia.org>
To: Paul Wise <pabs@debian.org>
Cc: 496954@bugs.debian.org
Subject: Re: bind9: 496954: more info needed
Date: Thu, 02 Oct 2008 15:47:06 -0400
On jue, 2008-10-02 at 12:23 +0800, Paul Wise wrote:
> On Wed, 2008-10-01 at 16:13 -0400, Maykel Moya wrote:
> 
> > With respect to the data at the point of the crash
> > 
> > ...
> 
> I suspected as much. I don't know enough about the bind code to know if
> it is correct, but I suspect this should fix the crash:
> 
> --- bind9-9.5.0.dfsg.P2.orig/lib/dns/acl.c
> +++ bind9-9.5.0.dfsg.P2/lib/dns/acl.c
> @@ -219,7 +219,7 @@
>  	result = isc_radix_search(acl->iptable->radix, &node, &pfx);
>  
>  	/* Found a match. */
> -	if (result == ISC_R_SUCCESS && node != NULL) {
> +	if (result == ISC_R_SUCCESS && node != NULL && node->data[ISC_IS6(family)] != NULL) {
>  		if (node->bit == 0)
>  			family = AF_INET;
>  		match_num = node->node_num[ISC_IS6(family)];
> 
> Upstream should be consulted about the validity of this.

I applied the patch and bind is working now.

Regards,
maykel






Tags added: patch Request was from Josselin Mouette <joss@debian.org> to control@bugs.debian.org. (Fri, 03 Oct 2008 11:09:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Sun, 05 Oct 2008 17:18:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Sun, 05 Oct 2008 17:18:02 GMT) Full text and rfc822 format available.

Message #74 received at 496954@bugs.debian.org (full text, mbox):

From: Luk Claes <luk@debian.org>
To: 496954@bugs.debian.org
Subject: Re: bind9: Fails to start due to SIGSEGV
Date: Sun, 05 Oct 2008 19:16:12 +0200
Hi Lamont

Will you upload a fixed package soon? Do you want someone to NMU or do
you think the fix is not ready?

Cheers

Luk




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#496954; Package bind9. (Mon, 06 Oct 2008 02:21:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to LaMont Jones <lamont@debian.org>:
Extra info received and forwarded to list. (Mon, 06 Oct 2008 02:21:03 GMT) Full text and rfc822 format available.

Message #79 received at 496954@bugs.debian.org (full text, mbox):

From: LaMont Jones <lamont@debian.org>
To: Luk Claes <luk@debian.org>, 496954@bugs.debian.org
Subject: Re: Bug#496954: bind9: Fails to start due to SIGSEGV
Date: Sun, 5 Oct 2008 20:18:15 -0600
On Sun, Oct 05, 2008 at 07:16:12PM +0200, Luk Claes wrote:
> Will you upload a fixed package soon? Do you want someone to NMU or do
> you think the fix is not ready?

I'm still not sure if the patch is just masking an issue, or if it's a
proper fix.

And no, a random NMU is not the right answer for this.

lamont




Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Tue, 07 Oct 2008 03:51:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Maykel Moya <moya@latertulia.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Tue, 07 Oct 2008 03:51:02 GMT) Full text and rfc822 format available.

Message #84 received at 496954@bugs.debian.org (full text, mbox):

From: Maykel Moya <moya@latertulia.org>
To: Paul Wise <pabs@debian.org>
Cc: 496954@bugs.debian.org
Subject: Re: bind9: 496954: more info needed
Date: Mon, 06 Oct 2008 23:49:19 -0400
El jue, 02-10-2008 a las 12:23 +0800, Paul Wise escribió:

> On Wed, 2008-10-01 at 16:13 -0400, Maykel Moya wrote:
> 
> > With respect to the data at the point of the crash
> > 
> > ...
> 
> I suspected as much. I don't know enough about the bind code to know if
> it is correct, but I suspect this should fix the crash:
> 
> --- bind9-9.5.0.dfsg.P2.orig/lib/dns/acl.c
> +++ bind9-9.5.0.dfsg.P2/lib/dns/acl.c
> @@ -219,7 +219,7 @@
>  	result = isc_radix_search(acl->iptable->radix, &node, &pfx);
>  
>  	/* Found a match. */
> -	if (result == ISC_R_SUCCESS && node != NULL) {
> +	if (result == ISC_R_SUCCESS && node != NULL && node->data[ISC_IS6(family)] != NULL) {
>  		if (node->bit == 0)
>  			family = AF_INET;
>  		match_num = node->node_num[ISC_IS6(family)];
> 
> Upstream should be consulted about the validity of this.

I had to revert the patch after being unable to issue recursive queries
to bind. My IP is inside and ACL so it's sure bind wasn't obeying acl
settings.

Regards,
maykel






Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Tue, 07 Oct 2008 10:00:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Tue, 07 Oct 2008 10:00:02 GMT) Full text and rfc822 format available.

Message #89 received at 496954@bugs.debian.org (full text, mbox):

From: Paul Wise <pabs@debian.org>
To: Maykel Moya <moya@latertulia.org>
Cc: 496954@bugs.debian.org
Subject: Re: bind9: 496954: more info needed
Date: Tue, 7 Oct 2008 05:15:12 -0400
On Mon, Oct 06, 2008 at 11:49:19PM -0400, Maykel Moya wrote:

> I had to revert the patch after being unable to issue recursive queries
> to bind. My IP is inside and ACL so it's sure bind wasn't obeying acl
> settings.

Does bind crash if you remove the ACL? Are you able to narrow down which
part of the ACL causes crashes?

-- 
bye,
pabs

http://wiki.debian.org/PaulWise




Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Wed, 08 Oct 2008 23:36:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Finney <ben@benfinney.id.au>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Wed, 08 Oct 2008 23:36:02 GMT) Full text and rfc822 format available.

Message #94 received at 496954@bugs.debian.org (full text, mbox):

From: Ben Finney <ben@benfinney.id.au>
To: Paul Wise <pabs@debian.org>, Debian BTS control <control@bugs.debian.org>
Cc: 496954@bugs.debian.org, 496954-submitter@bugs.debian.org
Subject: bind9: 496954: bug in upstream code?
Date: Thu, 9 Oct 2008 10:32:01 +1100
[Message part 1 (text/plain, inline)]
package bind9
tags 496954 + upstream
thanks

On 02-Oct-2008, Paul Wise wrote:
> I suspected as much. I don't know enough about the bind code to know 
> if it is correct, but I suspect this should fix the crash:
[…]

My reading of the conversation so far indicates the bug is in upstream 
code; tagging appropriately.

If this isn't true, feel free to correct the tag.

-- 
 \          “Isn't it enough to see that a garden is beautiful without |
  `\      having to believe that there are fairies at the bottom of it |
_o__)                                             too?” —Douglas Adams |
Ben Finney <ben@benfinney.id.au>
[signature.asc (application/pgp-signature, inline)]

Tags added: upstream Request was from Ben Finney <ben@benfinney.id.au> to control@bugs.debian.org. (Wed, 08 Oct 2008 23:36:03 GMT) Full text and rfc822 format available.

Message sent on to Maykel Moya <moya@latertulia.org>:
Bug#496954. (Wed, 08 Oct 2008 23:36:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Wed, 15 Oct 2008 13:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Wed, 15 Oct 2008 13:54:03 GMT) Full text and rfc822 format available.

Message #104 received at 496954@bugs.debian.org (full text, mbox):

From: Paul Wise <pabs@debian.org>
To: Maykel Moya <moya@latertulia.org>
Cc: 496954@bugs.debian.org
Subject: Re: bind9: 496954: more info needed
Date: Wed, 15 Oct 2008 21:49:33 +0800
[Message part 1 (text/plain, inline)]
On Tue, 2008-10-07 at 05:15 -0400, Paul Wise wrote:

> Does bind crash if you remove the ACL? Are you able to narrow down which
> part of the ACL causes crashes?

Were you able to look into either of these possibilities?

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Sat, 18 Oct 2008 01:00:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to 496954 <496954@bugs.debian.org>, Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Sat, 18 Oct 2008 01:00:03 GMT) Full text and rfc822 format available.

Message #109 received at 496954@bugs.debian.org (full text, mbox):

From: Paul Wise <pabs@debian.org>
To: Maykel Moya <moya@latertulia.org>
Cc: 496954 <496954@bugs.debian.org>
Subject: Re: bind9: 496954: more info needed
Date: Sat, 18 Oct 2008 08:59:29 +0800
[Message part 1 (text/plain, inline)]
On Fri, 2008-10-17 at 15:40 -0400, Maykel Moya wrote:

> I've been short on time. Besides, the server I've testing this is our
> primary NS and so there are some restriction about the time of maing
> tests.

OK, fair enough.

> I'll keep you informed of any news with respect to this.

Thanks, please CC the bug too (done in this mail).

> Would you (or any other) be able to contact upstream for this?

I'm hoping the maintainer will once we've figured out what configuration
settings cause the crash.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]

Merged 496954 501800. Request was from Paul Wise <pabs@debian.org> to control@bugs.debian.org. (Tue, 21 Oct 2008 10:33:05 GMT) Full text and rfc822 format available.

Tags removed: patch Request was from Paul Wise <pabs@debian.org> to control@bugs.debian.org. (Wed, 22 Oct 2008 05:57:02 GMT) Full text and rfc822 format available.

Disconnected #501800 from all other report(s). Request was from Paul Wise <pabs@debian.org> to control@bugs.debian.org. (Wed, 22 Oct 2008 07:45:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Wed, 22 Oct 2008 08:12:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to 501800@bugs.debian.org, 496954@bugs.debian.org, pabs@debian.org:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Wed, 22 Oct 2008 08:12:07 GMT) Full text and rfc822 format available.

Message #120 received at 496954@bugs.debian.org (full text, mbox):

From: Paul Wise <pabs@debian.org>
To: bind9-bugs@isc.org
Cc: 501800@bugs.debian.org, 496954 <496954@bugs.debian.org>
Subject: bind9: acl-related segfaults upgrading from bind 9.3.4 to 9.5.0-P2
Date: Wed, 22 Oct 2008 16:08:27 +0800
[Message part 1 (text/plain, inline)]
Hi,

A couple of Debian users reported acl-related segfaults when upgrading
from bind 9.3.4 to 9.5.0-P2. Both bug reports come with full backtraces
and the bug reports can be found here:

http://bugs.debian.org/496954
http://bugs.debian.org/501800

Any insight you can give into these bugs would be appreciated.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Mon, 27 Oct 2008 21:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Emmanuel Bouthenot <kolter@openics.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Mon, 27 Oct 2008 21:54:03 GMT) Full text and rfc822 format available.

Message #125 received at 496954@bugs.debian.org (full text, mbox):

From: Emmanuel Bouthenot <kolter@openics.org>
To: 501800@bugs.debian.org, 496954 <496954@bugs.debian.org>
Cc: bind9-bugs@isc.org
Subject: [Re:] bind9: acl-related segfaults upgrading from bind 9.3.4 to 9.5.0-P2
Date: Mon, 27 Oct 2008 22:53:21 +0100
Hi,

I was “assigned” the RC bug as part of BugSprint (http://wiki.debian.org/BugSprint).

After some time debugging, i can add more information.

Here is a more simple use case to reproduce the bug from a fresh
install of bind9. Add the following lines to
/etc/bind/named.conf.local.
--8<-----------------------------------
acl "plop1" {
        { 192.168.1.0/24; };
};

acl "plop2" {
        { 192.168.1.8; 192.168.1.128; };
};

zone "example.com" {
        type master;
        file "/etc/bind/db.local";
        allow-update { "plop2"; "plop1"; };
};
----------------------------------->8--

Something very weird is that the following changes make it work
correctly : 
--8<-----------------------------------
-        { 192.168.1.8; 192.168.1.128; };
+        { 192.168.1.8; 192.168.1.X; };
----------------------------------->8--
with X < 128

or 

--8<-----------------------------------
-        allow-update { "plop2"; "plop1"; };
+        allow-update { "plop1"; "plop2"; };
----------------------------------->8--

The backtrace for the segv is the following :

--8<-----------------------------------
#0  0x00007f136e6c7839 in is_insecure (prefix=0x7f136ecf55b0, data=0x7f136ed1e6f8) at acl.c:499
#1  0x00007f136d871624 in isc_radix_process (radix=0x7f136ed17a60, func=0x7f136e6c77dd <is_insecure>) at radix.c:227
#2  0x00007f136e6c7958 in dns_acl_isinsecure (a=0x7f136ecf3ce0) at acl.c:546
#3  0x000000000045153e in ns_zone_configure (config=0x7f136ed198d0, vconfig=0x0, zconfig=0x7f136ed1bb50, ac=0x41626fe0, zone=0x13d62a0) at zoneconf.c:663
#4  0x0000000000437689 in configure_zone (config=0x7f136ed198d0, zconfig=0x7f136ed1bb50, vconfig=0x0, mctx=0x1308350, view=0x137bf20, aclconf=0x41626fe0) at server.c:2484
#5  0x00000000004331e8 in configure_view (view=0x137bf20, config=0x7f136ed198d0, vconfig=0x0, mctx=0x1308350, actx=0x41626fe0, need_hints=isc_boolean_true) at server.c:1127
#6  0x00000000004393b7 in load_configuration (filename=0x4660a1 "/etc/bind/named.conf", server=0x7f136ecfe010, first_time=isc_boolean_true) at server.c:3275
#7  0x000000000043ab5f in run_server (task=0x7f136ed07010, event=0x0) at server.c:3703
----------------------------------->8--

I think that the problem comes from the acl struture (arg ac in
ns_zone_configure ()) which is not filled correctly :

1 : configure_zone () server.c:2484
2: ns_zone_configure () (zoneconf.c, line 657)
   -> RETERR(configure_zone_acl(zconfig, vconfig, config, "allow-update", ac, zone, dns_zone_setupdateacl, dns_zone_clearupdateacl));
3: configure_zone_acl() (zoneconf.c, line 93)
    -> result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx, actx, dns_zone_getmctx(zone), 0, &dacl);
4: cfg_acl_fromconfig() (aclconf.c, line 253)
    -> result = dns_iptable_addprefix(iptab, &addr, bitlen, ISC_TF(nest_level != 0 || !neg));
5: dns_iptable_addprefix (iptable.c, line 61)
    -> result = isc_radix_insert(tab->radix, &node, NULL, &pfx);
6: isc_radix_insert (radix.c, line 301) 
    -> ....

The segv occurs because the node->data[] 'array' contains null value
but it should not hence i think there is something goes wrong in
isc_radix_insert() with this use case.

It's a bit difficult to fix this bug regarding the complexity of the
code, and difficult to have a fix with no side effects.

I'm CCing bind9-bugs@isc.org, and hope they could take a look at these
bugs and help us to fix them.

Any help would be appreciated.

Cheers,

-- 
Emmanuel Bouthenot




Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Mon, 27 Oct 2008 23:45:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Emmanuel Bouthenot <kolter@openics.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Mon, 27 Oct 2008 23:45:02 GMT) Full text and rfc822 format available.

Message #130 received at 496954@bugs.debian.org (full text, mbox):

From: Emmanuel Bouthenot <kolter@openics.org>
To: 501800@bugs.debian.org, 496954 <496954@bugs.debian.org>
Subject: Subject: [Re:] bind9: acl-related segfaults upgrading from bind 9.3.4 to 9.5.0-P2
Date: Tue, 28 Oct 2008 00:42:04 +0100
Here are 2 replies from upstream :

Evan Hunt wrotes :
--8<--------------------------------
> Here is a more simple use case to reproduce the bug from a fresh
> install of bind9. Add the following lines to
> /etc/bind/named.conf.local.

Thank you, I was able to reproduce the bug with these instructions.
The
bug doesn't show up in 9.5.1b3, which is due to be released in a
couple
of days.  I believe this is attributable to the following fix:

2470.   [bug]           Elements of the isc_radix_node_t could be
incorrectly
                        overwritten.  [RT# 18719]

This one may have been a factor as well:

2474.   [bug]           ACL structures could be allocated with
insufficient
                        space, causing an array overrun. [RT #18765]
-------------------------------->8--

Mark Andrews wrotes :
--8<--------------------------------
Thanks for the update.

I could reproduce this against 9.5.0-P2.
I could not reproduce this against 9.5.1b2.

Mark
-------------------------------->8--

Regarding these additional informations, i took a look at differences
in file radix.c. As i presumed, most changes occurs in fonction
isc_radix_insert().

As a quick fix, i try to only apply the changes from radix.c in
9.5.0-P2 and the segv has gone. The patch is short and seems to not
have any other side effects.


Cheers,

-- 
Emmanuel Bouthenot
 mail : kolter@openics.org
  gpg : 0x414EC36E
  jid : kolter@im.openics.org
  irc : kolter@(freenode|oftc)




Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Tue, 28 Oct 2008 08:09:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Emmanuel Bouthenot <kolter@openics.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Tue, 28 Oct 2008 08:09:04 GMT) Full text and rfc822 format available.

Message #135 received at 496954@bugs.debian.org (full text, mbox):

From: Emmanuel Bouthenot <kolter@openics.org>
To: 501800@bugs.debian.org, 496954@bugs.debian.org
Subject: [Re:] bind9: acl-related segfaults upgrading from bind 9.3.4 to 9.5.0-P2
Date: Tue, 28 Oct 2008 09:07:31 +0100
[Message part 1 (text/plain, inline)]
tags 501800 +patch
thanks


After further discussions with upstream authors :

Evan Hunt wrotes :

--8<--------------------------------
Thanks to  Emmanuel Bouthenot for the assistance, I was able to
reproduce the issue with his instructions.  It turned out to be a bug
that was fixed in 9.5.1b2.

There are several other ACL problems that have been fixed in that
release and in 9.5.1b3, which is due out in a few days.  I'd recommend
using 9.5.1 when it's complete (in about a month, most likely), but
I'm told Debian is planning is to release 9.5.0-P2 plus patches
instead.  So I've rolled all the ACL fixes in the 9.5.1 pipeline up
into a single patch and attached it to this email. This reflects the
following changes:


2474.   [bug]           ACL structures could be allocated with insufficient
                        space, causing an array overrun. [RT #18765]
2470.   [bug]           Elements of the isc_radix_node_t could be incorrectly
                        overwritten.  [RT# 18719]
2456.   [bug]           In ACLs, ::/0 and 0.0.0.0/0 would both match any
                        address, regardless of family.  They now
			correctly distinguish IPv4 from IPv6.  [RT #18559]
2441.   [bug]           isc_radix_insert() could copy radix tree nodes
                        incompletely. [RT #18573]
2439.   [bug]           Potential NULL dereference in dns_acl_isanyornone().
                        [RT #18559]

(For the record, the bug you hit was 2441.)

Thanks again and let me know if you have any questions.
-------------------------------->8--

The patch is attached.


Cheers,

-- 
Emmanuel Bouthenot
 mail : kolter@openics.org
  gpg : 0x414EC36E
  jid : kolter@im.openics.org
  irc : kolter@(freenode|oftc)
[aclfixes.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Thu, 30 Oct 2008 09:21:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Lucas Nussbaum <lucas@lucas-nussbaum.net>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Thu, 30 Oct 2008 09:21:03 GMT) Full text and rfc822 format available.

Message #140 received at 496954@bugs.debian.org (full text, mbox):

From: Lucas Nussbaum <lucas@lucas-nussbaum.net>
To: debian-release@lists.debian.org
Cc: 501800@bugs.debian.org, 496954@bugs.debian.org, kolter@openics.org, lamont@debian.org
Subject: bind9 fix for #501800 - call for release team opinion
Date: Thu, 30 Oct 2008 10:17:43 +0100
[Message part 1 (text/plain, inline)]
Hi,

bind9 in lenny has several problems with ACL parsing. Emmanuel Bouthenot
investigated those, and contacted upstream, who provided a patch that
backports several fixes from the new upstream release (not yet
released).

The unstable package also received several changes. Here is its
changelog:
+bind9 (1:9.5.0.dfsg.P2-4) unstable; urgency=low
+
+  * meta: fix typo in Depends: lsb-base.  Closes: #501365
+
+ -- LaMont Jones <lamont@debian.org>  Tue, 07 Oct 2008 17:20:11 -0600
+
+bind9 (1:9.5.0.dfsg.P2-3) unstable; urgency=low
+
+  [LaMont Jones]
+
+  * enable largefile support.  Closes: #497040
+
+  [localization folks]
+
+  * l10n: Dutch translation.  Closes: #499977 (Paul Gevers)
+  * l10n: simplified chinese debconf template.  Closes: #501103 (LI Daobing)
+  * l10n: Update spanish template.  Closes: #493775 (Ignacio Mondino)
+
+ -- LaMont Jones <lamont@debian.org>  Sun, 05 Oct 2008 20:20:00 -0600
+
+bind9 (1:9.5.0.dfsg.P2-2) unstable; urgency=low
+
+  [Kees Cook]
+
+  * debian/{control,rules}: enable PIE hardening (from -1ubuntu1)
+
+  [Nicolas Valcárcel]
+
+  * Add ufw integration (from -1ubuntu2)
+
+  [Dustin Kirkland]
+
+  * use pid file in init.d/bind9 status.  LP: #247084
+
+  [LaMont Jones]
+
+  * dig: add -DDIG_SIGCHASE to compile options.  LP: #257682
+  * apparmor profile: add /var/log/named
+
+  [Nikita Ofitserov]
+
+  * ipv6 support requires _GNU_SOURCE definition.  LP: #249824
+
+ -- LaMont Jones <lamont@debian.org>  Thu, 28 Aug 2008 23:08:36 -0600


We have two options:
(A) Fix the ACL bugs in the unstable version, migrate it to lenny
(B) Fix the ACL bugs through a t-p-u upload, cherrypick some patches from
    the unstable version.

I've attached:
bind9_9.5.0.dfsg-P2-1_to_-4.debdiff.gz:
    debdiff between the testing and unstable verison.
bind9_9.5.0.dfsg-P2-4+aclfixes.debdiff:
    proposed NMU of the unstable version with upstream's patch.

Release team, what do you want to do?
-- 
| Lucas Nussbaum
| lucas@lucas-nussbaum.net   http://www.lucas-nussbaum.net/ |
| jabber: lucas@nussbaum.fr             GPG: 1024D/023B3F4F |
[bind9_9.5.0.dfsg-P2-4+aclfixes.debdiff (text/plain, attachment)]
[bind9_9.5.0.dfsg-P2-1_to_-4.debdiff.gz (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#496954; Package bind9. (Thu, 30 Oct 2008 13:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to LaMont Jones <lamont@debian.org>:
Extra info received and forwarded to list. (Thu, 30 Oct 2008 13:51:03 GMT) Full text and rfc822 format available.

Message #145 received at 496954@bugs.debian.org (full text, mbox):

From: LaMont Jones <lamont@debian.org>
To: Lucas Nussbaum <lucas@lucas-nussbaum.net>, 496954@bugs.debian.org
Cc: debian-release@lists.debian.org, 501800@bugs.debian.org, kolter@openics.org, lamont@debian.org
Subject: Re: Bug#496954: bind9 fix for #501800 - call for release team opinion
Date: Thu, 30 Oct 2008 07:49:56 -0600
On Thu, Oct 30, 2008 at 10:17:43AM +0100, Lucas Nussbaum wrote:
> bind9 in lenny has several problems with ACL parsing. Emmanuel Bouthenot
> investigated those, and contacted upstream, who provided a patch that
> backports several fixes from the new upstream release (not yet
> released).

I'll be uploading new bits to unstable with these fixes shortly myself.
(Shortly == waiting for the next upstream beta/rc to pull patches from
for this and other significant bugs)

> We have two options:
> (A) Fix the ACL bugs in the unstable version, migrate it to lenny
> (B) Fix the ACL bugs through a t-p-u upload, cherrypick some patches from
>     the unstable version.

> Release team, what do you want to do?

I prefer (A), though I'm not wedded to it.

lamont




Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Sat, 15 Nov 2008 01:03:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Sat, 15 Nov 2008 01:03:02 GMT) Full text and rfc822 format available.

Message #150 received at 496954@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: LaMont Jones <lamont@debian.org>, Lucas Nussbaum <lucas@lucas-nussbaum.net>, 496954@bugs.debian.org, debian-release@lists.debian.org, 501800@bugs.debian.org, kolter@openics.org
Subject: Re: Bug#496954: bind9 fix for #501800 - call for release team opinion
Date: Sat, 15 Nov 2008 01:58:51 +0100
On Thu, Oct 30, 2008 at 07:49:56AM -0600, LaMont Jones wrote:
> On Thu, Oct 30, 2008 at 10:17:43AM +0100, Lucas Nussbaum wrote:
> > bind9 in lenny has several problems with ACL parsing. Emmanuel Bouthenot
> > investigated those, and contacted upstream, who provided a patch that
> > backports several fixes from the new upstream release (not yet
> > released).
> 
> I'll be uploading new bits to unstable with these fixes shortly myself.
> (Shortly == waiting for the next upstream beta/rc to pull patches from
> for this and other significant bugs)
> 
> > We have two options:
> > (A) Fix the ACL bugs in the unstable version, migrate it to lenny
> > (B) Fix the ACL bugs through a t-p-u upload, cherrypick some patches from
> >     the unstable version.
> 
> > Release team, what do you want to do?
> 
> I prefer (A), though I'm not wedded to it.

Meanwhile 1:9.5.0.dfsg.P2-4 has migrated to testing; can you please go ahead
with (A) now?

Cheers,
        Moritz




Tags removed: Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Sat, 22 Nov 2008 20:57:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Wed, 03 Dec 2008 17:51:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to <marcos.marado@sonae.com>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Wed, 03 Dec 2008 17:51:02 GMT) Full text and rfc822 format available.

Message #157 received at 496954@bugs.debian.org (full text, mbox):

From: <marcos.marado@sonae.com>
To: <496954@bugs.debian.org>, <501800@bugs.debian.org>
Subject: BIND 9.5.1rc1 is now available
Date: Wed, 3 Dec 2008 17:47:42 +0000
Just a head's up:

BIND 9.5.1rc1 is now available (since today):
http://oldwww.isc.org/sw/bind/view/?release=9.5.1rc1

Best regards,
-- 
Marcos Marado




Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Thu, 04 Dec 2008 17:36:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Thu, 04 Dec 2008 17:36:02 GMT) Full text and rfc822 format available.

Message #162 received at 496954@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: LaMont Jones <lamont@debian.org>
Cc: Lucas Nussbaum <lucas@lucas-nussbaum.net>, 496954@bugs.debian.org, debian-release@lists.debian.org, 501800@bugs.debian.org, kolter@openics.org
Subject: Re: Bug#496954: bind9 fix for #501800 - call for release team opinion
Date: Thu, 4 Dec 2008 18:30:24 +0100
On Sat, Nov 15, 2008 at 01:58:51AM +0100, Moritz Muehlenhoff wrote:
> On Thu, Oct 30, 2008 at 07:49:56AM -0600, LaMont Jones wrote:
> > On Thu, Oct 30, 2008 at 10:17:43AM +0100, Lucas Nussbaum wrote:
> > > bind9 in lenny has several problems with ACL parsing. Emmanuel Bouthenot
> > > investigated those, and contacted upstream, who provided a patch that
> > > backports several fixes from the new upstream release (not yet
> > > released).
> > 
> > I'll be uploading new bits to unstable with these fixes shortly myself.
> > (Shortly == waiting for the next upstream beta/rc to pull patches from
> > for this and other significant bugs)
> > 
> > > We have two options:
> > > (A) Fix the ACL bugs in the unstable version, migrate it to lenny
> > > (B) Fix the ACL bugs through a t-p-u upload, cherrypick some patches from
> > >     the unstable version.
> > 
> > > Release team, what do you want to do?
> > 
> > I prefer (A), though I'm not wedded to it.
> 
> Meanwhile 1:9.5.0.dfsg.P2-4 has migrated to testing; can you please go ahead
> with (A) now?

Another three weeks have passed, what's the status?

Cheers,
        Moritz





Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Sun, 07 Dec 2008 17:03:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Sun, 07 Dec 2008 17:03:02 GMT) Full text and rfc822 format available.

Message #167 received at 496954@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: 496954@bugs.debian.org, 501800@bugs.debian.org
Subject: NMU diff for bind9 1:9.5.0.dfsg.P2-4.1
Date: Sun, 07 Dec 2008 16:58:02 +0000
[Message part 1 (text/plain, inline)]
I intend to upload the following changes to delayed/3 shortly.

Ben.

diff -u bind9-9.5.0.dfsg.P2/debian/changelog bind9-9.5.0.dfsg.P2/debian/changelog
--- bind9-9.5.0.dfsg.P2/debian/changelog
+++ bind9-9.5.0.dfsg.P2/debian/changelog
@@ -1,3 +1,12 @@
+bind9 (1:9.5.0.dfsg.P2-4.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Backported upstream ACL fixes from 9.5.1 to fix RC bug. Patch was provided
+    by Evan Hunt (upstream bind9 developer) after Emmanuel Bouthenot
+    contacted him. Closes: #496954, #501800.
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Sun, 07 Dec 2008 16:30:43 +0000
+
 bind9 (1:9.5.0.dfsg.P2-4) unstable; urgency=low
 
   * meta: fix typo in Depends: lsb-base.  Closes: #501365
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/dns/iptable.c
+++ bind9-9.5.0.dfsg.P2/lib/dns/iptable.c
@@ -70,22 +70,39 @@
 
 	NETADDR_TO_PREFIX_T(addr, pfx, bitlen);
 
-	/* Bitlen 0 means "any" or "none", which is always treated as IPv4 */
-	family = bitlen ? pfx.family : AF_INET;
-
 	result = isc_radix_insert(tab->radix, &node, NULL, &pfx);
-
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
+		isc_refcount_destroy(&pfx.refcount);
 		return(result);
+	}
 
-	/* If the node already contains data, don't overwrite it */
-	if (node->data[ISC_IS6(family)] == NULL) {
-		if (pos)
-			node->data[ISC_IS6(family)] = &dns_iptable_pos;
-		else
-			node->data[ISC_IS6(family)] = &dns_iptable_neg;
+	/* If a node already contains data, don't overwrite it */
+	family = pfx.family;
+	if (family == AF_UNSPEC) {
+ 		/* "any" or "none" */
+ 		INSIST(pfx.bitlen == 0);
+ 		if (pos) {
+ 			if (node->data[0] == NULL)
+ 				node->data[0] = &dns_iptable_pos;
+ 			if (node->data[1] == NULL)
+ 				node->data[1] = &dns_iptable_pos;
+ 		} else {
+ 			if (node->data[0] == NULL)
+ 				node->data[0] = &dns_iptable_neg;
+ 			if (node->data[1] == NULL)
+ 				node->data[1] = &dns_iptable_neg;
+ 		}
+ 	} else {
+ 		/* any other prefix */
+ 		if (node->data[ISC_IS6(family)] == NULL) {
+ 			if (pos)
+ 				node->data[ISC_IS6(family)] = &dns_iptable_pos;
+ 			else
+ 				node->data[ISC_IS6(family)] = &dns_iptable_neg;
+ 		}
 	}
 
+	isc_refcount_destroy(&pfx.refcount);
 	return (ISC_R_SUCCESS);
 }
 
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/dns/acl.c
+++ bind9-9.5.0.dfsg.P2/lib/dns/acl.c
@@ -148,7 +148,10 @@
 		return (ISC_FALSE);
 
 	if (acl->iptable->radix->head->prefix->bitlen == 0 &&
-	    *(isc_boolean_t *) (acl->iptable->radix->head->data[0]) == pos)
+  	    acl->iptable->radix->head->data[0] != NULL &&
+	    acl->iptable->radix->head->data[0] ==
+	    acl->iptable->radix->head->data[1] &&
+  	    *(isc_boolean_t *) (acl->iptable->radix->head->data[0]) == pos)
 		return (ISC_TRUE);
 
 	return (ISC_FALSE); /* All others */
@@ -220,8 +223,6 @@
 
 	/* Found a match. */
 	if (result == ISC_R_SUCCESS && node != NULL) {
-		if (node->bit == 0)
-			family = AF_INET;
 		match_num = node->node_num[ISC_IS6(family)];
 		if (*(isc_boolean_t *) node->data[ISC_IS6(family)] == ISC_TRUE)
 			*match = match_num;
@@ -491,9 +492,8 @@
 	isc_boolean_t secure;
 	int bitlen, family;
 
-	/* Bitlen 0 means "any" or "none", which is always treated as IPv4 */
 	bitlen = prefix->bitlen;
-	family = bitlen ? prefix->family : AF_INET;
+	family = prefix->family;
 
 	/* Negated entries are always secure. */
 	secure = * (isc_boolean_t *)data[ISC_IS6(family)];
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/isccfg/aclconf.c
+++ bind9-9.5.0.dfsg.P2/lib/isccfg/aclconf.c
@@ -160,6 +160,51 @@
 	return (dns_name_dup(dns_fixedname_name(&fixname), mctx, dnsname));
 }
 
+/*
+ * Recursively pre-parse an ACL definition to find the total number
+ * of non-IP-prefix elements (localhost, localnets, key) in all nested
+ * ACLs, so that the parent will have enough space allocated for the
+ * elements table after all the nested ACLs have been merged in to the
+ * parent.
+ */
+static int
+count_acl_elements(const cfg_obj_t *caml, const cfg_obj_t *cctx)
+{
+	const cfg_listelt_t *elt;
+	const cfg_obj_t *cacl = NULL;
+	isc_result_t result;
+	int n = 0;
+
+	for (elt = cfg_list_first(caml);
+	     elt != NULL;
+	     elt = cfg_list_next(elt)) {
+		const cfg_obj_t *ce = cfg_listelt_value(elt);
+
+		/* negated element; just get the value. */
+		if (cfg_obj_istuple(ce))
+			ce = cfg_tuple_get(ce, "value");
+
+		if (cfg_obj_istype(ce, &cfg_type_keyref)) {
+			n++;
+		} else if (cfg_obj_islist(ce)) {
+			n += count_acl_elements(ce, cctx);
+		} else if (cfg_obj_isstring(ce)) {
+			const char *name = cfg_obj_asstring(ce);
+			if (strcasecmp(name, "localhost") == 0 ||
+			    strcasecmp(name, "localnets") == 0) {
+				n++;
+			} else if (strcasecmp(name, "any") != 0 &&
+				   strcasecmp(name, "none") != 0) {
+				result = get_acl_def(cctx, name, &cacl);
+				if (result == ISC_R_SUCCESS)
+					n += count_acl_elements(cacl, cctx) + 1;
+			}
+		}
+	}
+
+	return n;
+}
+
 isc_result_t
 cfg_acl_fromconfig(const cfg_obj_t *caml,
 		   const cfg_obj_t *cctx,
@@ -194,14 +239,18 @@
 	} else {
 		/*
 		 * Need to allocate a new ACL structure.  Count the items
-		 * in the ACL definition and allocate space for that many
-		 * elements (even though some or all of them may end up in
-		 * the iptable instead of the element array).
+		 * in the ACL definition that will require space in the
+		 * elemnts table.  (Note that if nest_level is nonzero,
+		 * *everything* goes in the elements table.)
 		 */
-		isc_boolean_t recurse = ISC_TF(nest_level == 0);
-		result = dns_acl_create(mctx,
-					cfg_list_length(caml, recurse),
-					&dacl);
+		int nelem;
+
+		if (nest_level == 0)
+			nelem = count_acl_elements(caml, cctx);
+		else
+			nelem = cfg_list_length(caml, ISC_FALSE);
+
+		result = dns_acl_create(mctx, nelem, &dacl);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/isc/radix.c
+++ bind9-9.5.0.dfsg.P2/lib/isc/radix.c
@@ -53,7 +53,7 @@
 
 	REQUIRE(target != NULL);
 
-	if (family != AF_INET6 && family != AF_INET)
+	if (family != AF_INET6 && family != AF_INET && family != AF_UNSPEC)
 		return (ISC_R_NOTIMPLEMENTED);
 
 	prefix = isc_mem_get(mctx, sizeof(isc_prefix_t));
@@ -64,6 +64,7 @@
 		prefix->bitlen = (bitlen >= 0) ? bitlen : 128;
 		memcpy(&prefix->add.sin6, dest, 16);
 	} else {
+		/* AF_UNSPEC is "any" or "none"--treat it as AF_INET */
 		prefix->bitlen = (bitlen >= 0) ? bitlen : 32;
 		memcpy(&prefix->add.sin, dest, 4);
 	}
@@ -95,7 +96,8 @@
 _ref_prefix(isc_mem_t *mctx, isc_prefix_t **target, isc_prefix_t *prefix) {
 	INSIST(prefix != NULL);
 	INSIST((prefix->family == AF_INET && prefix->bitlen <= 32) ||
-	       (prefix->family == AF_INET6 && prefix->bitlen <= 128));
+	       (prefix->family == AF_INET6 && prefix->bitlen <= 128) ||
+	       (prefix->family == AF_UNSPEC && prefix->bitlen == 0));
 	REQUIRE(target != NULL);
 
 	/* If this prefix is a static allocation, copy it into new memory */
@@ -236,7 +238,7 @@
 	isc_radix_node_t *stack[RADIX_MAXBITS + 1];
 	u_char *addr;
 	isc_uint32_t bitlen;
-	int family, tfamily = -1;
+	int tfamily = -1;
 	int cnt = 0;
 
 	REQUIRE(radix != NULL);
@@ -276,16 +278,12 @@
 		if (_comp_with_mask(isc_prefix_tochar(node->prefix),
 				    isc_prefix_tochar(prefix),
 				    node->prefix->bitlen)) {
-			/* Bitlen 0 means "any" or "none",
-			   which is always treated as IPv4 */
-			family = node->prefix->bitlen ?
-				 prefix->family : AF_INET;
-			if (node->node_num[ISC_IS6(family)] != -1 &&
+			if (node->node_num[ISC_IS6(prefix->family)] != -1 &&
 				 ((*target == NULL) ||
 				  (*target)->node_num[ISC_IS6(tfamily)] >
-				   node->node_num[ISC_IS6(family)])) {
+				   node->node_num[ISC_IS6(prefix->family)])) {
 				*target = node;
-				tfamily = family;
+				tfamily = prefix->family;
 			}
 		}
 	}
@@ -303,7 +301,7 @@
 {
 	isc_radix_node_t *node, *new_node, *parent, *glue = NULL;
 	u_char *addr, *test_addr;
-	isc_uint32_t bitlen, family, check_bit, differ_bit;
+	isc_uint32_t bitlen, fam, check_bit, differ_bit;
 	isc_uint32_t i, j, r;
 	isc_result_t result;
 
@@ -317,9 +315,7 @@
 	INSIST(prefix != NULL);
 
 	bitlen = prefix->bitlen;
-
-	/* Bitlen 0 means "any" or "none", which is always treated as IPv4 */
-	family = bitlen ? prefix->family : AF_INET;
+	fam = prefix->family;
 
 	if (radix->head == NULL) {
 		node = isc_mem_get(radix->mctx, sizeof(isc_radix_node_t));
@@ -353,8 +349,14 @@
 			node->data[0] = source->data[0];
 			node->data[1] = source->data[1];
 		} else {
-			node->node_num[ISC_IS6(family)] =
-				++radix->num_added_node;
+			if (fam == AF_UNSPEC) {
+				/* "any" or "none" */
+				node->node_num[0] = node->node_num[1] =
+					++radix->num_added_node;
+			} else {
+				node->node_num[ISC_IS6(fam)] =
+					++radix->num_added_node;
+			}
 			node->data[0] = NULL;
 			node->data[1] = NULL;
 		}
@@ -417,25 +419,71 @@
 	if (differ_bit == bitlen && node->bit == bitlen) {
 		if (node->prefix != NULL) {
 			/* Set node_num only if it hasn't been set before */
-			if (node->node_num[ISC_IS6(family)] == -1)
-				node->node_num[ISC_IS6(family)] =
-					 ++radix->num_added_node;
+			if (source != NULL) {
+				/* Merging node */
+				if (node->node_num[0] == -1 &&
+				    source->node_num[0] != -1) {
+					node->node_num[0] =
+						radix->num_added_node +
+						source->node_num[0];
+					node->data[0] = source->data[0];
+				}
+				if (node->node_num[1] == -1 &&
+				    source->node_num[0] != -1) {
+					node->node_num[1] =
+						radix->num_added_node +
+						source->node_num[1];
+					node->data[1] = source->data[1];
+				}
+			} else {
+				if (fam == AF_UNSPEC) {
+ 					/* "any" or "none" */
+ 					int next = radix->num_added_node + 1;
+ 					if (node->node_num[0] == -1) {
+ 						node->node_num[0] = next;
+ 						radix->num_added_node = next;
+ 					}
+ 					if (node->node_num[1] == -1) {
+ 						node->node_num[1] = next;
+ 						radix->num_added_node = next;
+ 					}
+ 				} else {
+ 					if (node->node_num[ISC_IS6(fam)] == -1)
+ 						node->node_num[ISC_IS6(fam)]
+ 						   = ++radix->num_added_node;
+ 				}
+			}
 			*target = node;
 			return (ISC_R_SUCCESS);
+		} else {
+			result =
+				_ref_prefix(radix->mctx, &node->prefix, prefix);
+			if (result != ISC_R_SUCCESS)
+				return (result);
 		}
-		result = _ref_prefix(radix->mctx, &node->prefix, prefix);
-		if (result != ISC_R_SUCCESS)
-			return (result);
 		INSIST(node->data[0] == NULL && node->node_num[0] == -1 &&
 		       node->data[1] == NULL && node->node_num[1] == -1);
 		if (source != NULL) {
 			/* Merging node */
-			node->node_num[ISC_IS6(family)] =
-				radix->num_added_node +
-				source->node_num[ISC_IS6(family)];
+			if (source->node_num[0] != -1) {
+				node->node_num[0] = radix->num_added_node +
+						    source->node_num[0];
+				node->data[0] = source->data[0];
+			}
+			if (source->node_num[1] != -1) {
+				node->node_num[1] = radix->num_added_node +
+						    source->node_num[1];
+				node->data[1] = source->data[1];
+			}
 		} else {
-			node->node_num[ISC_IS6(family)] =
-				++radix->num_added_node;
+			if (fam == AF_UNSPEC) {
+				/* "any" or "none" */
+				node->node_num[0] = node->node_num[1] =
+					++radix->num_added_node;
+			} else {
+				node->node_num[ISC_IS6(fam)] =
+					++radix->num_added_node;
+			}
 		}
 		*target = node;
 		return (ISC_R_SUCCESS);
@@ -477,7 +525,14 @@
 		new_node->data[0] = source->data[0];
 		new_node->data[1] = source->data[1];
 	} else {
-		new_node->node_num[ISC_IS6(family)] = ++radix->num_added_node;
+		if (fam == AF_UNSPEC) {
+			/* "any" or "none" */
+			new_node->node_num[0] = new_node->node_num[1] =
+				++radix->num_added_node;
+		} else {
+			new_node->node_num[ISC_IS6(fam)] =
+				++radix->num_added_node;
+		}
 		new_node->data[0] = NULL;
 		new_node->data[1] = NULL;
 	}
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/isc/include/isc/radix.h
+++ bind9-9.5.0.dfsg.P2/lib/isc/include/isc/radix.h
@@ -37,7 +37,7 @@
 #define NETADDR_TO_PREFIX_T(na,pt,bits) \
 	do { \
 		memset(&(pt), 0, sizeof(pt)); \
-		if((bits) && (na) != NULL) { \
+		if((na) != NULL) { \
 			(pt).family = (na)->family; \
 			(pt).bitlen = (bits); \
 			if ((pt).family == AF_INET6) { \
@@ -46,14 +46,16 @@
 			} else \
 				memcpy(&(pt).add.sin, &(na)->type.in, \
 				       ((bits)+7)/8); \
-		} else \
-			(pt).family = AF_INET; \
+		} else { \
+			(pt).family = AF_UNSPEC; \
+			(pt).bitlen = 0; \
+		} \
 		isc_refcount_init(&(pt).refcount, 0); \
 	} while(0)
 
 typedef struct isc_prefix {
-    unsigned int family;	/* AF_INET | AF_INET6 */
-    unsigned int bitlen;
+    unsigned int family;	/* AF_INET | AF_INET6, or AF_UNSPEC for "any" */
+    unsigned int bitlen;	/* 0 for "any" */
     isc_refcount_t refcount;
     union {
 		struct in_addr sin;
--- END ---

-- 
Ben Hutchings
It is impossible to make anything foolproof because fools are so ingenious.
[signature.asc (application/pgp-signature, inline)]

Tags added: patch, upstream, fixed-upstream, pending Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Sun, 07 Dec 2008 17:03:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Sun, 07 Dec 2008 17:42:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Sun, 07 Dec 2008 17:42:04 GMT) Full text and rfc822 format available.

Message #174 received at 496954@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: 496954@bugs.debian.org, 501800@bugs.debian.org
Subject: Re: NMU diff for bind9 1:9.5.0.dfsg.P2-4.1
Date: Sun, 07 Dec 2008 17:38:31 +0000
[Message part 1 (text/plain, inline)]
On Sun, 2008-12-07 at 16:58 +0000, Ben Hutchings wrote:
> I intend to upload the following changes to delayed/3 shortly.
> 
> Ben.

lintian and my basic testing found some more easy bugs to fix.  Here are
the actual changes.

Ben.

diff -u bind9-9.5.0.dfsg.P2/debian/changelog bind9-9.5.0.dfsg.P2/debian/changelog
--- bind9-9.5.0.dfsg.P2/debian/changelog
+++ bind9-9.5.0.dfsg.P2/debian/changelog
@@ -1,3 +1,15 @@
+bind9 (1:9.5.0.dfsg.P2-4.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Backported upstream ACL fixes from 9.5.1 to fix RC bug. Patch was provided
+    by Evan Hunt (upstream bind9 developer) after Emmanuel Bouthenot
+    contacted him. Closes: #496954, #501800.
+  * Fix library dependencies for bind9utils
+  * Fix minor errors in package descriptions
+  * Add dependency of bind9 on net-tools (ifconfig used in init script)
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Sun, 07 Dec 2008 17:08:28 +0000
+
 bind9 (1:9.5.0.dfsg.P2-4) unstable; urgency=low
 
   * meta: fix typo in Depends: lsb-base.  Closes: #501365
diff -u bind9-9.5.0.dfsg.P2/debian/control bind9-9.5.0.dfsg.P2/debian/control
--- bind9-9.5.0.dfsg.P2/debian/control
+++ bind9-9.5.0.dfsg.P2/debian/control
@@ -10,7 +10,7 @@
 
 Package: bind9
 Architecture: any
-Depends: ${shlibs:Depends}, debconf | debconf-2.0, netbase, adduser, libdns43 (=${binary:Version}), libisccfg40 (=${binary:Version}), libisc44 (=${binary:Version}), libisccc40 (=${binary:Version}), lsb-base (>= 3.2-14), bind9utils (=${binary:Version}), liblwres40 (=${binary:Version}), libbind9-40 (=${binary:Version})
+Depends: ${shlibs:Depends}, debconf | debconf-2.0, netbase, adduser, libdns43 (=${binary:Version}), libisccfg40 (=${binary:Version}), libisc44 (=${binary:Version}), libisccc40 (=${binary:Version}), lsb-base (>= 3.2-14), bind9utils (=${binary:Version}), liblwres40 (=${binary:Version}), libbind9-40 (=${binary:Version}), net-tools
 Conflicts: bind, apparmor-profiles (<< 2.1+1075-0ubuntu4)
 Replaces: bind, dnsutils (<< 1:9.1.0-3), apparmor-profiles (<< 2.1+1075-0ubuntu4)
 Suggests: dnsutils, bind9-doc, resolvconf, ufw
@@ -22,7 +22,7 @@
 Package: bind9utils
 Architecture: any
 Replaces: bind9 (<= 1:9.5.0~b2-1)
-Depends: libbind9-40
+Depends: ${shlibs:Depends}
 Description: Utilities for BIND
  This package provides various utilities that are useful for maintaining a
  working BIND installation.
@@ -55,7 +55,7 @@
 Depends: libbind9-40 (= ${binary:Version}), liblwres40 (= ${binary:Version}) 
 Description: Static Libraries and Headers used by BIND
  This package delivers archive-style libraries, header files, and API man
- pages for libbind, libdns, libisc, and liblwres.  These are are only needed 
+ pages for libbind, libdns, libisc, and liblwres.  These are only needed 
  if you want to compile other packages that need more nameserver API than the 
  resolver code provided in libc.
 
@@ -149,7 +149,7 @@
  This package delivers various client programs related to DNS that are 
  derived from the BIND source tree.
  .
-  - dig	- query the DNS in various ways
+  - dig - query the DNS in various ways
   - nslookup - the older way to do it
   - nsupdate - perform dynamic updates (See RFC2136)
 
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/dns/iptable.c
+++ bind9-9.5.0.dfsg.P2/lib/dns/iptable.c
@@ -70,22 +70,39 @@
 
 	NETADDR_TO_PREFIX_T(addr, pfx, bitlen);
 
-	/* Bitlen 0 means "any" or "none", which is always treated as IPv4 */
-	family = bitlen ? pfx.family : AF_INET;
-
 	result = isc_radix_insert(tab->radix, &node, NULL, &pfx);
-
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
+		isc_refcount_destroy(&pfx.refcount);
 		return(result);
+	}
 
-	/* If the node already contains data, don't overwrite it */
-	if (node->data[ISC_IS6(family)] == NULL) {
-		if (pos)
-			node->data[ISC_IS6(family)] = &dns_iptable_pos;
-		else
-			node->data[ISC_IS6(family)] = &dns_iptable_neg;
+	/* If a node already contains data, don't overwrite it */
+	family = pfx.family;
+	if (family == AF_UNSPEC) {
+ 		/* "any" or "none" */
+ 		INSIST(pfx.bitlen == 0);
+ 		if (pos) {
+ 			if (node->data[0] == NULL)
+ 				node->data[0] = &dns_iptable_pos;
+ 			if (node->data[1] == NULL)
+ 				node->data[1] = &dns_iptable_pos;
+ 		} else {
+ 			if (node->data[0] == NULL)
+ 				node->data[0] = &dns_iptable_neg;
+ 			if (node->data[1] == NULL)
+ 				node->data[1] = &dns_iptable_neg;
+ 		}
+ 	} else {
+ 		/* any other prefix */
+ 		if (node->data[ISC_IS6(family)] == NULL) {
+ 			if (pos)
+ 				node->data[ISC_IS6(family)] = &dns_iptable_pos;
+ 			else
+ 				node->data[ISC_IS6(family)] = &dns_iptable_neg;
+ 		}
 	}
 
+	isc_refcount_destroy(&pfx.refcount);
 	return (ISC_R_SUCCESS);
 }
 
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/dns/acl.c
+++ bind9-9.5.0.dfsg.P2/lib/dns/acl.c
@@ -148,7 +148,10 @@
 		return (ISC_FALSE);
 
 	if (acl->iptable->radix->head->prefix->bitlen == 0 &&
-	    *(isc_boolean_t *) (acl->iptable->radix->head->data[0]) == pos)
+  	    acl->iptable->radix->head->data[0] != NULL &&
+	    acl->iptable->radix->head->data[0] ==
+	    acl->iptable->radix->head->data[1] &&
+  	    *(isc_boolean_t *) (acl->iptable->radix->head->data[0]) == pos)
 		return (ISC_TRUE);
 
 	return (ISC_FALSE); /* All others */
@@ -220,8 +223,6 @@
 
 	/* Found a match. */
 	if (result == ISC_R_SUCCESS && node != NULL) {
-		if (node->bit == 0)
-			family = AF_INET;
 		match_num = node->node_num[ISC_IS6(family)];
 		if (*(isc_boolean_t *) node->data[ISC_IS6(family)] == ISC_TRUE)
 			*match = match_num;
@@ -491,9 +492,8 @@
 	isc_boolean_t secure;
 	int bitlen, family;
 
-	/* Bitlen 0 means "any" or "none", which is always treated as IPv4 */
 	bitlen = prefix->bitlen;
-	family = bitlen ? prefix->family : AF_INET;
+	family = prefix->family;
 
 	/* Negated entries are always secure. */
 	secure = * (isc_boolean_t *)data[ISC_IS6(family)];
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/isccfg/aclconf.c
+++ bind9-9.5.0.dfsg.P2/lib/isccfg/aclconf.c
@@ -160,6 +160,51 @@
 	return (dns_name_dup(dns_fixedname_name(&fixname), mctx, dnsname));
 }
 
+/*
+ * Recursively pre-parse an ACL definition to find the total number
+ * of non-IP-prefix elements (localhost, localnets, key) in all nested
+ * ACLs, so that the parent will have enough space allocated for the
+ * elements table after all the nested ACLs have been merged in to the
+ * parent.
+ */
+static int
+count_acl_elements(const cfg_obj_t *caml, const cfg_obj_t *cctx)
+{
+	const cfg_listelt_t *elt;
+	const cfg_obj_t *cacl = NULL;
+	isc_result_t result;
+	int n = 0;
+
+	for (elt = cfg_list_first(caml);
+	     elt != NULL;
+	     elt = cfg_list_next(elt)) {
+		const cfg_obj_t *ce = cfg_listelt_value(elt);
+
+		/* negated element; just get the value. */
+		if (cfg_obj_istuple(ce))
+			ce = cfg_tuple_get(ce, "value");
+
+		if (cfg_obj_istype(ce, &cfg_type_keyref)) {
+			n++;
+		} else if (cfg_obj_islist(ce)) {
+			n += count_acl_elements(ce, cctx);
+		} else if (cfg_obj_isstring(ce)) {
+			const char *name = cfg_obj_asstring(ce);
+			if (strcasecmp(name, "localhost") == 0 ||
+			    strcasecmp(name, "localnets") == 0) {
+				n++;
+			} else if (strcasecmp(name, "any") != 0 &&
+				   strcasecmp(name, "none") != 0) {
+				result = get_acl_def(cctx, name, &cacl);
+				if (result == ISC_R_SUCCESS)
+					n += count_acl_elements(cacl, cctx) + 1;
+			}
+		}
+	}
+
+	return n;
+}
+
 isc_result_t
 cfg_acl_fromconfig(const cfg_obj_t *caml,
 		   const cfg_obj_t *cctx,
@@ -194,14 +239,18 @@
 	} else {
 		/*
 		 * Need to allocate a new ACL structure.  Count the items
-		 * in the ACL definition and allocate space for that many
-		 * elements (even though some or all of them may end up in
-		 * the iptable instead of the element array).
+		 * in the ACL definition that will require space in the
+		 * elemnts table.  (Note that if nest_level is nonzero,
+		 * *everything* goes in the elements table.)
 		 */
-		isc_boolean_t recurse = ISC_TF(nest_level == 0);
-		result = dns_acl_create(mctx,
-					cfg_list_length(caml, recurse),
-					&dacl);
+		int nelem;
+
+		if (nest_level == 0)
+			nelem = count_acl_elements(caml, cctx);
+		else
+			nelem = cfg_list_length(caml, ISC_FALSE);
+
+		result = dns_acl_create(mctx, nelem, &dacl);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/isc/radix.c
+++ bind9-9.5.0.dfsg.P2/lib/isc/radix.c
@@ -53,7 +53,7 @@
 
 	REQUIRE(target != NULL);
 
-	if (family != AF_INET6 && family != AF_INET)
+	if (family != AF_INET6 && family != AF_INET && family != AF_UNSPEC)
 		return (ISC_R_NOTIMPLEMENTED);
 
 	prefix = isc_mem_get(mctx, sizeof(isc_prefix_t));
@@ -64,6 +64,7 @@
 		prefix->bitlen = (bitlen >= 0) ? bitlen : 128;
 		memcpy(&prefix->add.sin6, dest, 16);
 	} else {
+		/* AF_UNSPEC is "any" or "none"--treat it as AF_INET */
 		prefix->bitlen = (bitlen >= 0) ? bitlen : 32;
 		memcpy(&prefix->add.sin, dest, 4);
 	}
@@ -95,7 +96,8 @@
 _ref_prefix(isc_mem_t *mctx, isc_prefix_t **target, isc_prefix_t *prefix) {
 	INSIST(prefix != NULL);
 	INSIST((prefix->family == AF_INET && prefix->bitlen <= 32) ||
-	       (prefix->family == AF_INET6 && prefix->bitlen <= 128));
+	       (prefix->family == AF_INET6 && prefix->bitlen <= 128) ||
+	       (prefix->family == AF_UNSPEC && prefix->bitlen == 0));
 	REQUIRE(target != NULL);
 
 	/* If this prefix is a static allocation, copy it into new memory */
@@ -236,7 +238,7 @@
 	isc_radix_node_t *stack[RADIX_MAXBITS + 1];
 	u_char *addr;
 	isc_uint32_t bitlen;
-	int family, tfamily = -1;
+	int tfamily = -1;
 	int cnt = 0;
 
 	REQUIRE(radix != NULL);
@@ -276,16 +278,12 @@
 		if (_comp_with_mask(isc_prefix_tochar(node->prefix),
 				    isc_prefix_tochar(prefix),
 				    node->prefix->bitlen)) {
-			/* Bitlen 0 means "any" or "none",
-			   which is always treated as IPv4 */
-			family = node->prefix->bitlen ?
-				 prefix->family : AF_INET;
-			if (node->node_num[ISC_IS6(family)] != -1 &&
+			if (node->node_num[ISC_IS6(prefix->family)] != -1 &&
 				 ((*target == NULL) ||
 				  (*target)->node_num[ISC_IS6(tfamily)] >
-				   node->node_num[ISC_IS6(family)])) {
+				   node->node_num[ISC_IS6(prefix->family)])) {
 				*target = node;
-				tfamily = family;
+				tfamily = prefix->family;
 			}
 		}
 	}
@@ -303,7 +301,7 @@
 {
 	isc_radix_node_t *node, *new_node, *parent, *glue = NULL;
 	u_char *addr, *test_addr;
-	isc_uint32_t bitlen, family, check_bit, differ_bit;
+	isc_uint32_t bitlen, fam, check_bit, differ_bit;
 	isc_uint32_t i, j, r;
 	isc_result_t result;
 
@@ -317,9 +315,7 @@
 	INSIST(prefix != NULL);
 
 	bitlen = prefix->bitlen;
-
-	/* Bitlen 0 means "any" or "none", which is always treated as IPv4 */
-	family = bitlen ? prefix->family : AF_INET;
+	fam = prefix->family;
 
 	if (radix->head == NULL) {
 		node = isc_mem_get(radix->mctx, sizeof(isc_radix_node_t));
@@ -353,8 +349,14 @@
 			node->data[0] = source->data[0];
 			node->data[1] = source->data[1];
 		} else {
-			node->node_num[ISC_IS6(family)] =
-				++radix->num_added_node;
+			if (fam == AF_UNSPEC) {
+				/* "any" or "none" */
+				node->node_num[0] = node->node_num[1] =
+					++radix->num_added_node;
+			} else {
+				node->node_num[ISC_IS6(fam)] =
+					++radix->num_added_node;
+			}
 			node->data[0] = NULL;
 			node->data[1] = NULL;
 		}
@@ -417,25 +419,71 @@
 	if (differ_bit == bitlen && node->bit == bitlen) {
 		if (node->prefix != NULL) {
 			/* Set node_num only if it hasn't been set before */
-			if (node->node_num[ISC_IS6(family)] == -1)
-				node->node_num[ISC_IS6(family)] =
-					 ++radix->num_added_node;
+			if (source != NULL) {
+				/* Merging node */
+				if (node->node_num[0] == -1 &&
+				    source->node_num[0] != -1) {
+					node->node_num[0] =
+						radix->num_added_node +
+						source->node_num[0];
+					node->data[0] = source->data[0];
+				}
+				if (node->node_num[1] == -1 &&
+				    source->node_num[0] != -1) {
+					node->node_num[1] =
+						radix->num_added_node +
+						source->node_num[1];
+					node->data[1] = source->data[1];
+				}
+			} else {
+				if (fam == AF_UNSPEC) {
+ 					/* "any" or "none" */
+ 					int next = radix->num_added_node + 1;
+ 					if (node->node_num[0] == -1) {
+ 						node->node_num[0] = next;
+ 						radix->num_added_node = next;
+ 					}
+ 					if (node->node_num[1] == -1) {
+ 						node->node_num[1] = next;
+ 						radix->num_added_node = next;
+ 					}
+ 				} else {
+ 					if (node->node_num[ISC_IS6(fam)] == -1)
+ 						node->node_num[ISC_IS6(fam)]
+ 						   = ++radix->num_added_node;
+ 				}
+			}
 			*target = node;
 			return (ISC_R_SUCCESS);
+		} else {
+			result =
+				_ref_prefix(radix->mctx, &node->prefix, prefix);
+			if (result != ISC_R_SUCCESS)
+				return (result);
 		}
-		result = _ref_prefix(radix->mctx, &node->prefix, prefix);
-		if (result != ISC_R_SUCCESS)
-			return (result);
 		INSIST(node->data[0] == NULL && node->node_num[0] == -1 &&
 		       node->data[1] == NULL && node->node_num[1] == -1);
 		if (source != NULL) {
 			/* Merging node */
-			node->node_num[ISC_IS6(family)] =
-				radix->num_added_node +
-				source->node_num[ISC_IS6(family)];
+			if (source->node_num[0] != -1) {
+				node->node_num[0] = radix->num_added_node +
+						    source->node_num[0];
+				node->data[0] = source->data[0];
+			}
+			if (source->node_num[1] != -1) {
+				node->node_num[1] = radix->num_added_node +
+						    source->node_num[1];
+				node->data[1] = source->data[1];
+			}
 		} else {
-			node->node_num[ISC_IS6(family)] =
-				++radix->num_added_node;
+			if (fam == AF_UNSPEC) {
+				/* "any" or "none" */
+				node->node_num[0] = node->node_num[1] =
+					++radix->num_added_node;
+			} else {
+				node->node_num[ISC_IS6(fam)] =
+					++radix->num_added_node;
+			}
 		}
 		*target = node;
 		return (ISC_R_SUCCESS);
@@ -477,7 +525,14 @@
 		new_node->data[0] = source->data[0];
 		new_node->data[1] = source->data[1];
 	} else {
-		new_node->node_num[ISC_IS6(family)] = ++radix->num_added_node;
+		if (fam == AF_UNSPEC) {
+			/* "any" or "none" */
+			new_node->node_num[0] = new_node->node_num[1] =
+				++radix->num_added_node;
+		} else {
+			new_node->node_num[ISC_IS6(fam)] =
+				++radix->num_added_node;
+		}
 		new_node->data[0] = NULL;
 		new_node->data[1] = NULL;
 	}
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/isc/include/isc/radix.h
+++ bind9-9.5.0.dfsg.P2/lib/isc/include/isc/radix.h
@@ -37,7 +37,7 @@
 #define NETADDR_TO_PREFIX_T(na,pt,bits) \
 	do { \
 		memset(&(pt), 0, sizeof(pt)); \
-		if((bits) && (na) != NULL) { \
+		if((na) != NULL) { \
 			(pt).family = (na)->family; \
 			(pt).bitlen = (bits); \
 			if ((pt).family == AF_INET6) { \
@@ -46,14 +46,16 @@
 			} else \
 				memcpy(&(pt).add.sin, &(na)->type.in, \
 				       ((bits)+7)/8); \
-		} else \
-			(pt).family = AF_INET; \
+		} else { \
+			(pt).family = AF_UNSPEC; \
+			(pt).bitlen = 0; \
+		} \
 		isc_refcount_init(&(pt).refcount, 0); \
 	} while(0)
 
 typedef struct isc_prefix {
-    unsigned int family;	/* AF_INET | AF_INET6 */
-    unsigned int bitlen;
+    unsigned int family;	/* AF_INET | AF_INET6, or AF_UNSPEC for "any" */
+    unsigned int bitlen;	/* 0 for "any" */
     isc_refcount_t refcount;
     union {
 		struct in_addr sin;
--- END ---

-- 
Ben Hutchings
It is impossible to make anything foolproof because fools are so
ingenious.
[signature.asc (application/pgp-signature, inline)]

Merged 496954 501800. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Fri, 02 Jan 2009 16:51:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Fri, 02 Jan 2009 17:39:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Fri, 02 Jan 2009 17:39:03 GMT) Full text and rfc822 format available.

Message #181 received at 496954@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: 496954@bugs.debian.org
Subject: NMU diff for bind9 9.5.0.dfsg.P2-5.1
Date: Fri, 02 Jan 2009 17:37:54 +0000
[Message part 1 (text/plain, inline)]
I uploaded the following changes to delayed/3.

Lamont, if you do not like these changes, please upload alternate fixes,
but do not block them.

Ben.

diff -u bind9-9.5.0.dfsg.P2/debian/changelog bind9-9.5.0.dfsg.P2/debian/changelog
--- bind9-9.5.0.dfsg.P2/debian/changelog
+++ bind9-9.5.0.dfsg.P2/debian/changelog
@@ -1,3 +1,14 @@
+bind9 (1:9.5.0.dfsg.P2-5.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Apply upstream ACL fixes from 9.5.1 to fix RC bug. Patch was provided
+    by Evan Hunt (upstream bind9 developer) after Emmanuel Bouthenot
+    contacted him. Closes: #496954, #501800.
+  * Remove obsolete dh_installmanpages invocation which was adding
+    unwanted manual pages to bind9. Closes: #486196.
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Fri, 02 Jan 2009 16:51:42 +0000
+
 bind9 (1:9.5.0.dfsg.P2-5) unstable; urgency=low
 
   [ISC]
diff -u bind9-9.5.0.dfsg.P2/debian/rules bind9-9.5.0.dfsg.P2/debian/rules
--- bind9-9.5.0.dfsg.P2/debian/rules
+++ bind9-9.5.0.dfsg.P2/debian/rules
@@ -90,8 +90,6 @@
 	dh_clean -k
 	dh_installdirs
 	$(MAKE) install DESTDIR=`pwd`/debian/bind9
-	# idn stuff goes somewhere eventually.
-	rm -rf debian/bind9/usr/share/man/man1
 	rm -f debian/bind9/usr/lib/*.la
 	install -c -o bin -g bin -m 444 debian/db.0 ${ETCBIND}/db.0
 	install -c -o bin -g bin -m 444 debian/db.0 ${ETCBIND}/db.255
@@ -143,7 +141,6 @@
 	dh_installmenu -a
 	dh_installinit -a --no-start -- defaults 15 85
 	dh_installcron -a
-	dh_installmanpages -pbind9 runmdn.1 mdnconv.1 zone2ldap.1 nslint.8
 	dh_installdebconf -pbind9
 	dh_installinfo -a
 	dh_installchangelogs -a # CHANGES # upstream changelog only in bind9-doc
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/dns/iptable.c
+++ bind9-9.5.0.dfsg.P2/lib/dns/iptable.c
@@ -70,22 +70,39 @@
 
 	NETADDR_TO_PREFIX_T(addr, pfx, bitlen);
 
-	/* Bitlen 0 means "any" or "none", which is always treated as IPv4 */
-	family = bitlen ? pfx.family : AF_INET;
-
 	result = isc_radix_insert(tab->radix, &node, NULL, &pfx);
-
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
+		isc_refcount_destroy(&pfx.refcount);
 		return(result);
+	}
 
-	/* If the node already contains data, don't overwrite it */
-	if (node->data[ISC_IS6(family)] == NULL) {
-		if (pos)
-			node->data[ISC_IS6(family)] = &dns_iptable_pos;
-		else
-			node->data[ISC_IS6(family)] = &dns_iptable_neg;
+	/* If a node already contains data, don't overwrite it */
+	family = pfx.family;
+	if (family == AF_UNSPEC) {
+ 		/* "any" or "none" */
+ 		INSIST(pfx.bitlen == 0);
+ 		if (pos) {
+ 			if (node->data[0] == NULL)
+ 				node->data[0] = &dns_iptable_pos;
+ 			if (node->data[1] == NULL)
+ 				node->data[1] = &dns_iptable_pos;
+ 		} else {
+ 			if (node->data[0] == NULL)
+ 				node->data[0] = &dns_iptable_neg;
+ 			if (node->data[1] == NULL)
+ 				node->data[1] = &dns_iptable_neg;
+ 		}
+ 	} else {
+ 		/* any other prefix */
+ 		if (node->data[ISC_IS6(family)] == NULL) {
+ 			if (pos)
+ 				node->data[ISC_IS6(family)] = &dns_iptable_pos;
+ 			else
+ 				node->data[ISC_IS6(family)] = &dns_iptable_neg;
+ 		}
 	}
 
+	isc_refcount_destroy(&pfx.refcount);
 	return (ISC_R_SUCCESS);
 }
 
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/dns/acl.c
+++ bind9-9.5.0.dfsg.P2/lib/dns/acl.c
@@ -148,7 +148,10 @@
 		return (ISC_FALSE);
 
 	if (acl->iptable->radix->head->prefix->bitlen == 0 &&
-	    *(isc_boolean_t *) (acl->iptable->radix->head->data[0]) == pos)
+  	    acl->iptable->radix->head->data[0] != NULL &&
+	    acl->iptable->radix->head->data[0] ==
+	    acl->iptable->radix->head->data[1] &&
+  	    *(isc_boolean_t *) (acl->iptable->radix->head->data[0]) == pos)
 		return (ISC_TRUE);
 
 	return (ISC_FALSE); /* All others */
@@ -220,8 +223,6 @@
 
 	/* Found a match. */
 	if (result == ISC_R_SUCCESS && node != NULL) {
-		if (node->bit == 0)
-			family = AF_INET;
 		match_num = node->node_num[ISC_IS6(family)];
 		if (*(isc_boolean_t *) node->data[ISC_IS6(family)] == ISC_TRUE)
 			*match = match_num;
@@ -491,9 +492,8 @@
 	isc_boolean_t secure;
 	int bitlen, family;
 
-	/* Bitlen 0 means "any" or "none", which is always treated as IPv4 */
 	bitlen = prefix->bitlen;
-	family = bitlen ? prefix->family : AF_INET;
+	family = prefix->family;
 
 	/* Negated entries are always secure. */
 	secure = * (isc_boolean_t *)data[ISC_IS6(family)];
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/isccfg/aclconf.c
+++ bind9-9.5.0.dfsg.P2/lib/isccfg/aclconf.c
@@ -160,6 +160,51 @@
 	return (dns_name_dup(dns_fixedname_name(&fixname), mctx, dnsname));
 }
 
+/*
+ * Recursively pre-parse an ACL definition to find the total number
+ * of non-IP-prefix elements (localhost, localnets, key) in all nested
+ * ACLs, so that the parent will have enough space allocated for the
+ * elements table after all the nested ACLs have been merged in to the
+ * parent.
+ */
+static int
+count_acl_elements(const cfg_obj_t *caml, const cfg_obj_t *cctx)
+{
+	const cfg_listelt_t *elt;
+	const cfg_obj_t *cacl = NULL;
+	isc_result_t result;
+	int n = 0;
+
+	for (elt = cfg_list_first(caml);
+	     elt != NULL;
+	     elt = cfg_list_next(elt)) {
+		const cfg_obj_t *ce = cfg_listelt_value(elt);
+
+		/* negated element; just get the value. */
+		if (cfg_obj_istuple(ce))
+			ce = cfg_tuple_get(ce, "value");
+
+		if (cfg_obj_istype(ce, &cfg_type_keyref)) {
+			n++;
+		} else if (cfg_obj_islist(ce)) {
+			n += count_acl_elements(ce, cctx);
+		} else if (cfg_obj_isstring(ce)) {
+			const char *name = cfg_obj_asstring(ce);
+			if (strcasecmp(name, "localhost") == 0 ||
+			    strcasecmp(name, "localnets") == 0) {
+				n++;
+			} else if (strcasecmp(name, "any") != 0 &&
+				   strcasecmp(name, "none") != 0) {
+				result = get_acl_def(cctx, name, &cacl);
+				if (result == ISC_R_SUCCESS)
+					n += count_acl_elements(cacl, cctx) + 1;
+			}
+		}
+	}
+
+	return n;
+}
+
 isc_result_t
 cfg_acl_fromconfig(const cfg_obj_t *caml,
 		   const cfg_obj_t *cctx,
@@ -194,14 +239,18 @@
 	} else {
 		/*
 		 * Need to allocate a new ACL structure.  Count the items
-		 * in the ACL definition and allocate space for that many
-		 * elements (even though some or all of them may end up in
-		 * the iptable instead of the element array).
+		 * in the ACL definition that will require space in the
+		 * elemnts table.  (Note that if nest_level is nonzero,
+		 * *everything* goes in the elements table.)
 		 */
-		isc_boolean_t recurse = ISC_TF(nest_level == 0);
-		result = dns_acl_create(mctx,
-					cfg_list_length(caml, recurse),
-					&dacl);
+		int nelem;
+
+		if (nest_level == 0)
+			nelem = count_acl_elements(caml, cctx);
+		else
+			nelem = cfg_list_length(caml, ISC_FALSE);
+
+		result = dns_acl_create(mctx, nelem, &dacl);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/isc/radix.c
+++ bind9-9.5.0.dfsg.P2/lib/isc/radix.c
@@ -53,7 +53,7 @@
 
 	REQUIRE(target != NULL);
 
-	if (family != AF_INET6 && family != AF_INET)
+	if (family != AF_INET6 && family != AF_INET && family != AF_UNSPEC)
 		return (ISC_R_NOTIMPLEMENTED);
 
 	prefix = isc_mem_get(mctx, sizeof(isc_prefix_t));
@@ -64,6 +64,7 @@
 		prefix->bitlen = (bitlen >= 0) ? bitlen : 128;
 		memcpy(&prefix->add.sin6, dest, 16);
 	} else {
+		/* AF_UNSPEC is "any" or "none"--treat it as AF_INET */
 		prefix->bitlen = (bitlen >= 0) ? bitlen : 32;
 		memcpy(&prefix->add.sin, dest, 4);
 	}
@@ -95,7 +96,8 @@
 _ref_prefix(isc_mem_t *mctx, isc_prefix_t **target, isc_prefix_t *prefix) {
 	INSIST(prefix != NULL);
 	INSIST((prefix->family == AF_INET && prefix->bitlen <= 32) ||
-	       (prefix->family == AF_INET6 && prefix->bitlen <= 128));
+	       (prefix->family == AF_INET6 && prefix->bitlen <= 128) ||
+	       (prefix->family == AF_UNSPEC && prefix->bitlen == 0));
 	REQUIRE(target != NULL);
 
 	/* If this prefix is a static allocation, copy it into new memory */
@@ -236,7 +238,7 @@
 	isc_radix_node_t *stack[RADIX_MAXBITS + 1];
 	u_char *addr;
 	isc_uint32_t bitlen;
-	int family, tfamily = -1;
+	int tfamily = -1;
 	int cnt = 0;
 
 	REQUIRE(radix != NULL);
@@ -276,16 +278,12 @@
 		if (_comp_with_mask(isc_prefix_tochar(node->prefix),
 				    isc_prefix_tochar(prefix),
 				    node->prefix->bitlen)) {
-			/* Bitlen 0 means "any" or "none",
-			   which is always treated as IPv4 */
-			family = node->prefix->bitlen ?
-				 prefix->family : AF_INET;
-			if (node->node_num[ISC_IS6(family)] != -1 &&
+			if (node->node_num[ISC_IS6(prefix->family)] != -1 &&
 				 ((*target == NULL) ||
 				  (*target)->node_num[ISC_IS6(tfamily)] >
-				   node->node_num[ISC_IS6(family)])) {
+				   node->node_num[ISC_IS6(prefix->family)])) {
 				*target = node;
-				tfamily = family;
+				tfamily = prefix->family;
 			}
 		}
 	}
@@ -303,7 +301,7 @@
 {
 	isc_radix_node_t *node, *new_node, *parent, *glue = NULL;
 	u_char *addr, *test_addr;
-	isc_uint32_t bitlen, family, check_bit, differ_bit;
+	isc_uint32_t bitlen, fam, check_bit, differ_bit;
 	isc_uint32_t i, j, r;
 	isc_result_t result;
 
@@ -317,9 +315,7 @@
 	INSIST(prefix != NULL);
 
 	bitlen = prefix->bitlen;
-
-	/* Bitlen 0 means "any" or "none", which is always treated as IPv4 */
-	family = bitlen ? prefix->family : AF_INET;
+	fam = prefix->family;
 
 	if (radix->head == NULL) {
 		node = isc_mem_get(radix->mctx, sizeof(isc_radix_node_t));
@@ -353,8 +349,14 @@
 			node->data[0] = source->data[0];
 			node->data[1] = source->data[1];
 		} else {
-			node->node_num[ISC_IS6(family)] =
-				++radix->num_added_node;
+			if (fam == AF_UNSPEC) {
+				/* "any" or "none" */
+				node->node_num[0] = node->node_num[1] =
+					++radix->num_added_node;
+			} else {
+				node->node_num[ISC_IS6(fam)] =
+					++radix->num_added_node;
+			}
 			node->data[0] = NULL;
 			node->data[1] = NULL;
 		}
@@ -417,25 +419,71 @@
 	if (differ_bit == bitlen && node->bit == bitlen) {
 		if (node->prefix != NULL) {
 			/* Set node_num only if it hasn't been set before */
-			if (node->node_num[ISC_IS6(family)] == -1)
-				node->node_num[ISC_IS6(family)] =
-					 ++radix->num_added_node;
+			if (source != NULL) {
+				/* Merging node */
+				if (node->node_num[0] == -1 &&
+				    source->node_num[0] != -1) {
+					node->node_num[0] =
+						radix->num_added_node +
+						source->node_num[0];
+					node->data[0] = source->data[0];
+				}
+				if (node->node_num[1] == -1 &&
+				    source->node_num[0] != -1) {
+					node->node_num[1] =
+						radix->num_added_node +
+						source->node_num[1];
+					node->data[1] = source->data[1];
+				}
+			} else {
+				if (fam == AF_UNSPEC) {
+ 					/* "any" or "none" */
+ 					int next = radix->num_added_node + 1;
+ 					if (node->node_num[0] == -1) {
+ 						node->node_num[0] = next;
+ 						radix->num_added_node = next;
+ 					}
+ 					if (node->node_num[1] == -1) {
+ 						node->node_num[1] = next;
+ 						radix->num_added_node = next;
+ 					}
+ 				} else {
+ 					if (node->node_num[ISC_IS6(fam)] == -1)
+ 						node->node_num[ISC_IS6(fam)]
+ 						   = ++radix->num_added_node;
+ 				}
+			}
 			*target = node;
 			return (ISC_R_SUCCESS);
+		} else {
+			result =
+				_ref_prefix(radix->mctx, &node->prefix, prefix);
+			if (result != ISC_R_SUCCESS)
+				return (result);
 		}
-		result = _ref_prefix(radix->mctx, &node->prefix, prefix);
-		if (result != ISC_R_SUCCESS)
-			return (result);
 		INSIST(node->data[0] == NULL && node->node_num[0] == -1 &&
 		       node->data[1] == NULL && node->node_num[1] == -1);
 		if (source != NULL) {
 			/* Merging node */
-			node->node_num[ISC_IS6(family)] =
-				radix->num_added_node +
-				source->node_num[ISC_IS6(family)];
+			if (source->node_num[0] != -1) {
+				node->node_num[0] = radix->num_added_node +
+						    source->node_num[0];
+				node->data[0] = source->data[0];
+			}
+			if (source->node_num[1] != -1) {
+				node->node_num[1] = radix->num_added_node +
+						    source->node_num[1];
+				node->data[1] = source->data[1];
+			}
 		} else {
-			node->node_num[ISC_IS6(family)] =
-				++radix->num_added_node;
+			if (fam == AF_UNSPEC) {
+				/* "any" or "none" */
+				node->node_num[0] = node->node_num[1] =
+					++radix->num_added_node;
+			} else {
+				node->node_num[ISC_IS6(fam)] =
+					++radix->num_added_node;
+			}
 		}
 		*target = node;
 		return (ISC_R_SUCCESS);
@@ -477,7 +525,14 @@
 		new_node->data[0] = source->data[0];
 		new_node->data[1] = source->data[1];
 	} else {
-		new_node->node_num[ISC_IS6(family)] = ++radix->num_added_node;
+		if (fam == AF_UNSPEC) {
+			/* "any" or "none" */
+			new_node->node_num[0] = new_node->node_num[1] =
+				++radix->num_added_node;
+		} else {
+			new_node->node_num[ISC_IS6(fam)] =
+				++radix->num_added_node;
+		}
 		new_node->data[0] = NULL;
 		new_node->data[1] = NULL;
 	}
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/isc/include/isc/radix.h
+++ bind9-9.5.0.dfsg.P2/lib/isc/include/isc/radix.h
@@ -37,7 +37,7 @@
 #define NETADDR_TO_PREFIX_T(na,pt,bits) \
 	do { \
 		memset(&(pt), 0, sizeof(pt)); \
-		if((bits) && (na) != NULL) { \
+		if((na) != NULL) { \
 			(pt).family = (na)->family; \
 			(pt).bitlen = (bits); \
 			if ((pt).family == AF_INET6) { \
@@ -46,14 +46,16 @@
 			} else \
 				memcpy(&(pt).add.sin, &(na)->type.in, \
 				       ((bits)+7)/8); \
-		} else \
-			(pt).family = AF_INET; \
+		} else { \
+			(pt).family = AF_UNSPEC; \
+			(pt).bitlen = 0; \
+		} \
 		isc_refcount_init(&(pt).refcount, 0); \
 	} while(0)
 
 typedef struct isc_prefix {
-    unsigned int family;	/* AF_INET | AF_INET6 */
-    unsigned int bitlen;
+    unsigned int family;	/* AF_INET | AF_INET6, or AF_UNSPEC for "any" */
+    unsigned int bitlen;	/* 0 for "any" */
     isc_refcount_t refcount;
     union {
 		struct in_addr sin;
--- END ---

-- 
Ben Hutchings
Lowery's Law:
             If it jams, force it. If it breaks, it needed replacing anyway.
[signature.asc (application/pgp-signature, inline)]

Reply sent to Ben Hutchings <ben@decadent.org.uk>:
You have taken responsibility. (Sun, 04 Jan 2009 21:39:10 GMT) Full text and rfc822 format available.

Notification sent to Maykel Moya <moya@latertulia.org>:
Bug acknowledged by developer. (Sun, 04 Jan 2009 21:39:11 GMT) Full text and rfc822 format available.

Message #186 received at 496954-close@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: 496954-close@bugs.debian.org
Subject: Bug#496954: fixed in bind9 1:9.5.0.dfsg.P2-5.1
Date: Sun, 04 Jan 2009 21:32:05 +0000
Source: bind9
Source-Version: 1:9.5.0.dfsg.P2-5.1

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive:

bind9-doc_9.5.0.dfsg.P2-5.1_all.deb
  to pool/main/b/bind9/bind9-doc_9.5.0.dfsg.P2-5.1_all.deb
bind9-host_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/bind9-host_9.5.0.dfsg.P2-5.1_i386.deb
bind9_9.5.0.dfsg.P2-5.1.diff.gz
  to pool/main/b/bind9/bind9_9.5.0.dfsg.P2-5.1.diff.gz
bind9_9.5.0.dfsg.P2-5.1.dsc
  to pool/main/b/bind9/bind9_9.5.0.dfsg.P2-5.1.dsc
bind9_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/bind9_9.5.0.dfsg.P2-5.1_i386.deb
bind9utils_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/bind9utils_9.5.0.dfsg.P2-5.1_i386.deb
dnsutils_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/dnsutils_9.5.0.dfsg.P2-5.1_i386.deb
libbind-dev_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/libbind-dev_9.5.0.dfsg.P2-5.1_i386.deb
libbind9-40_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/libbind9-40_9.5.0.dfsg.P2-5.1_i386.deb
libdns43_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/libdns43_9.5.0.dfsg.P2-5.1_i386.deb
libisc44_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/libisc44_9.5.0.dfsg.P2-5.1_i386.deb
libisccc40_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/libisccc40_9.5.0.dfsg.P2-5.1_i386.deb
libisccfg40_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/libisccfg40_9.5.0.dfsg.P2-5.1_i386.deb
liblwres40_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/liblwres40_9.5.0.dfsg.P2-5.1_i386.deb
lwresd_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/lwresd_9.5.0.dfsg.P2-5.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496954@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <ben@decadent.org.uk> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 02 Jan 2009 16:51:42 +0000
Source: bind9
Binary: bind9 bind9utils bind9-doc bind9-host libbind-dev libbind9-40 libdns43 libisc44 liblwres40 libisccc40 libisccfg40 dnsutils lwresd
Architecture: source all i386
Version: 1:9.5.0.dfsg.P2-5.1
Distribution: unstable
Urgency: low
Maintainer: LaMont Jones <lamont@debian.org>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Description: 
 bind9      - Internet Domain Name Server
 bind9-doc  - Documentation for BIND
 bind9-host - Version of 'host' bundled with BIND 9.X
 bind9utils - Utilities for BIND
 dnsutils   - Clients provided with BIND
 libbind-dev - Static Libraries and Headers used by BIND
 libbind9-40 - BIND9 Shared Library used by BIND
 libdns43   - DNS Shared Library used by BIND
 libisc44   - ISC Shared Library used by BIND
 libisccc40 - Command Channel Library used by BIND
 libisccfg40 - Config File Handling Library used by BIND
 liblwres40 - Lightweight Resolver Library used by BIND
 lwresd     - Lightweight Resolver Daemon
Closes: 486196 496954 501800
Changes: 
 bind9 (1:9.5.0.dfsg.P2-5.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Apply upstream ACL fixes from 9.5.1 to fix RC bug. Patch was provided
     by Evan Hunt (upstream bind9 developer) after Emmanuel Bouthenot
     contacted him. Closes: #496954, #501800.
   * Remove obsolete dh_installmanpages invocation which was adding
     unwanted manual pages to bind9. Closes: #486196.
Checksums-Sha1: 
 5386fd82dbd5cf1bf9d0284ba2f914b71ce47ba4 1433 bind9_9.5.0.dfsg.P2-5.1.dsc
 d8a8e2f316f1a38215290750bf1b7a427025e00c 263986 bind9_9.5.0.dfsg.P2-5.1.diff.gz
 913e897ae3f95174265864660a8ca81720ee7711 258548 bind9-doc_9.5.0.dfsg.P2-5.1_all.deb
 5fc3a806ffa95e7344f4eb86d19a1aff06d2c78c 238992 bind9_9.5.0.dfsg.P2-5.1_i386.deb
 f9501122bd6349341d7e530ec2aac8c9f0823f79 93210 bind9utils_9.5.0.dfsg.P2-5.1_i386.deb
 9571acb400edcb1948487b26cb3158e9dd2a1aa0 60552 bind9-host_9.5.0.dfsg.P2-5.1_i386.deb
 7c34aa30aaac46693b3839483a0ee2c48092a099 1246018 libbind-dev_9.5.0.dfsg.P2-5.1_i386.deb
 9d72d501a76989b89700e404efdedda02159e6b0 31620 libbind9-40_9.5.0.dfsg.P2-5.1_i386.deb
 ce4be2365a9409c592cad6206b071157f326687c 543264 libdns43_9.5.0.dfsg.P2-5.1_i386.deb
 3b2380c4a9ce2c68779e3c85f35fd586130b3cdb 146944 libisc44_9.5.0.dfsg.P2-5.1_i386.deb
 d6b6f3ea333c2b9fe0d2cc7caec19d6663fba348 44662 liblwres40_9.5.0.dfsg.P2-5.1_i386.deb
 f925f930344f9351354b6b99ddf6051db266799d 26472 libisccc40_9.5.0.dfsg.P2-5.1_i386.deb
 f8b097efabcdf41ba3ead83b451ff45e7b3fb904 43534 libisccfg40_9.5.0.dfsg.P2-5.1_i386.deb
 46b1596e02807bef99c1fc0cff2deb8c3614977e 144012 dnsutils_9.5.0.dfsg.P2-5.1_i386.deb
 0350c2d5184351e5c7c4e4edb1f5f76ffbfad701 198164 lwresd_9.5.0.dfsg.P2-5.1_i386.deb
Checksums-Sha256: 
 5dcb89e502e14923d128c2f6135f1916538a784e371070455547612fabc46773 1433 bind9_9.5.0.dfsg.P2-5.1.dsc
 ffb5b0f7a474084574825f2a56acf5402cfa218dffcf08713d01d325915b72b0 263986 bind9_9.5.0.dfsg.P2-5.1.diff.gz
 4a10942fe5e71a2aab7dfa97e9d11120c1326308b76753d052cc3765726c3825 258548 bind9-doc_9.5.0.dfsg.P2-5.1_all.deb
 c759e38286fb69c3aa3aa538fbd807067a7a0482f5fbd5aa6c691a0f4e481e14 238992 bind9_9.5.0.dfsg.P2-5.1_i386.deb
 75948b4b00f3e9151f546dbff1dd3c543041817f37be60c551ec741796e6e402 93210 bind9utils_9.5.0.dfsg.P2-5.1_i386.deb
 9e664b7221564fc4bcc1479a354f7dddfc9ec788a66652c89ee28f0e1f89c3fd 60552 bind9-host_9.5.0.dfsg.P2-5.1_i386.deb
 85b1d21d772eafd2f85a090940f2ea5ebcb76e552c8ce71b3346ad3a2961e386 1246018 libbind-dev_9.5.0.dfsg.P2-5.1_i386.deb
 f364ecd0010c184fe439ab690d4a87cd88e7bd69d85e5116e1429d81fe5e0f91 31620 libbind9-40_9.5.0.dfsg.P2-5.1_i386.deb
 ce427238ea763f9603ce77603140278af02c010d530a340b0a23c9556665f234 543264 libdns43_9.5.0.dfsg.P2-5.1_i386.deb
 643260a92f978cf79cbb7335979ff4fe3ce9c26147f9810f2a0ceab927a6066f 146944 libisc44_9.5.0.dfsg.P2-5.1_i386.deb
 e3f750c9fc8985d956768df6dd66d6de2b74c714c4d8a2f9c5238b0a34e56c17 44662 liblwres40_9.5.0.dfsg.P2-5.1_i386.deb
 2d03efd716b1e1958f8e1f6d36eea5e99606a4d68cade330b45ed476f93734e5 26472 libisccc40_9.5.0.dfsg.P2-5.1_i386.deb
 8dc82e9e1f6e7b6da1a679ce552db2297b98c3d7be1057d5b30cf2c6d27d0f1b 43534 libisccfg40_9.5.0.dfsg.P2-5.1_i386.deb
 2b34e7c3259c1c6e11d79a7c395da952f21b1613102c9eb9469ffe153cbbad81 144012 dnsutils_9.5.0.dfsg.P2-5.1_i386.deb
 7a6edea0679f3cdd9b5d5505dd096c477adea7e3628a92091bfc385eae88d75d 198164 lwresd_9.5.0.dfsg.P2-5.1_i386.deb
Files: 
 caeeca4a517e667fc239853fc0b66de8 1433 net optional bind9_9.5.0.dfsg.P2-5.1.dsc
 7ab1ca3523db07bf8c99448e9bfd20f4 263986 net optional bind9_9.5.0.dfsg.P2-5.1.diff.gz
 05558ab16e6a241076584ab73f7be1eb 258548 doc optional bind9-doc_9.5.0.dfsg.P2-5.1_all.deb
 79596986a13890f74a1faf1867b797fd 238992 net optional bind9_9.5.0.dfsg.P2-5.1_i386.deb
 9e9e5bcc6acb01f79dd4b0ce05ff3f89 93210 net optional bind9utils_9.5.0.dfsg.P2-5.1_i386.deb
 a4df9011277e7dfc75d92ec70a01685b 60552 net standard bind9-host_9.5.0.dfsg.P2-5.1_i386.deb
 fd96e30d6f0145ba0fc2fe69ba95b72f 1246018 libdevel optional libbind-dev_9.5.0.dfsg.P2-5.1_i386.deb
 d693367b74a2793b32cb9437e2df2699 31620 libs standard libbind9-40_9.5.0.dfsg.P2-5.1_i386.deb
 ae429e59b006c0feca5f556b7eaaf15d 543264 libs standard libdns43_9.5.0.dfsg.P2-5.1_i386.deb
 ece929a0bbd588fbe00f8486ee146d44 146944 libs standard libisc44_9.5.0.dfsg.P2-5.1_i386.deb
 29132cea9bddb4edaaa79dd32212b8f7 44662 libs standard liblwres40_9.5.0.dfsg.P2-5.1_i386.deb
 dc1b90295b02ea645f587195f04762fa 26472 libs optional libisccc40_9.5.0.dfsg.P2-5.1_i386.deb
 ca08885b7e3b923381a478de234c88a1 43534 libs optional libisccfg40_9.5.0.dfsg.P2-5.1_i386.deb
 9113a3ca567ea3653e9ea2c5364127f0 144012 net standard dnsutils_9.5.0.dfsg.P2-5.1_i386.deb
 1f0d4b470ed58f25c29927345dbe20a8 198164 net optional lwresd_9.5.0.dfsg.P2-5.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJXk8279ZNCRIGYgcRAlr7AKCwa6sT608auQFPmUa7RokyvpSN+gCdEcF2
zlF8PGjmSKHEL0GROEESgGU=
=lqoY
-----END PGP SIGNATURE-----





Reply sent to Ben Hutchings <ben@decadent.org.uk>:
You have taken responsibility. (Sun, 04 Jan 2009 21:39:11 GMT) Full text and rfc822 format available.

Notification sent to Christian Motschke <motschke@itso-berlin.de>:
Bug acknowledged by developer. (Sun, 04 Jan 2009 21:39:11 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#496954; Package bind9. (Mon, 05 Jan 2009 03:14:50 GMT) Full text and rfc822 format available.

Acknowledgement sent to LaMont Jones <lamont@debian.org>:
Extra info received and forwarded to list. (Mon, 05 Jan 2009 03:14:59 GMT) Full text and rfc822 format available.

Message #196 received at 496954@bugs.debian.org (full text, mbox):

From: LaMont Jones <lamont@debian.org>
To: Ben Hutchings <ben@decadent.org.uk>, 496954@bugs.debian.org
Subject: Re: Bug#496954: NMU diff for bind9 9.5.0.dfsg.P2-5.1
Date: Sun, 4 Jan 2009 20:11:14 -0700
On Fri, Jan 02, 2009 at 05:37:54PM +0000, Ben Hutchings wrote:
> I uploaded the following changes to delayed/3.
> 
> Lamont, if you do not like these changes, please upload alternate fixes,
> but do not block them.
> 

Any chance you have the diff in a sane (separate commit per change)
diff, or just the big magic lump-o-many changes?

lamont




Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#496954; Package bind9. (Mon, 05 Jan 2009 03:16:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Mon, 05 Jan 2009 03:16:18 GMT) Full text and rfc822 format available.

Message #201 received at 496954@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: LaMont Jones <lamont@debian.org>
Cc: 496954@bugs.debian.org
Subject: Re: Bug#496954: NMU diff for bind9 9.5.0.dfsg.P2-5.1
Date: Mon, 05 Jan 2009 03:14:50 +0000
[Message part 1 (text/plain, inline)]
On Sun, 2009-01-04 at 20:11 -0700, LaMont Jones wrote:
> On Fri, Jan 02, 2009 at 05:37:54PM +0000, Ben Hutchings wrote:
> > I uploaded the following changes to delayed/3.
> > 
> > Lamont, if you do not like these changes, please upload alternate fixes,
> > but do not block them.
> > 
> 
> Any chance you have the diff in a sane (separate commit per change)
> diff, or just the big magic lump-o-many changes?

No, you said you had access to this information but it doesn't seem to
be public.

Ben.

-- 
Ben Hutchings
A free society is one where it is safe to be unpopular. - Adlai Stevenson
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 12 Feb 2009 07:26:01 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 10:49:09 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.