initial import

unbound/CVE-2024-43167.patch

@@ -0,0 +1,42 @@
+From 8e43e2574c4e02f79c562a061581cdcefe136912 Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Tue, 21 May 2024 08:40:16 +0000
+Subject: [PATCH] fix null pointer dereference issue in function ub_ctx_set_fwd
+ of file libunbound/libunbound.c
+
+---
+ libunbound/libunbound.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/libunbound/libunbound.c b/libunbound/libunbound.c
+index 17057ec6c..3c8955149 100644
+--- a/libunbound/libunbound.c
++++ b/libunbound/libunbound.c
+@@ -981,7 +981,8 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr)
+ 	if(!addr) {
+ 		/* disable fwd mode - the root stub should be first. */
+ 		if(ctx->env->cfg->forwards &&
+-			strcmp(ctx->env->cfg->forwards->name, ".") == 0) {
++			(ctx->env->cfg->forwards->name &&
++			strcmp(ctx->env->cfg->forwards->name, ".") == 0)) {
+ 			s = ctx->env->cfg->forwards;
+ 			ctx->env->cfg->forwards = s->next;
+ 			s->next = NULL;
+@@ -1001,7 +1002,8 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr)
+ 	/* it parses, add root stub in front of list */
+ 	lock_basic_lock(&ctx->cfglock);
+ 	if(!ctx->env->cfg->forwards ||
+-		strcmp(ctx->env->cfg->forwards->name, ".") != 0) {
++		(ctx->env->cfg->forwards->name &&
++		strcmp(ctx->env->cfg->forwards->name, ".") != 0)) {
+ 		s = calloc(1, sizeof(*s));
+ 		if(!s) {
+ 			lock_basic_unlock(&ctx->cfglock);
+@@ -1019,6 +1021,7 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr)
+ 		ctx->env->cfg->forwards = s;
+ 	} else {
+ 		log_assert(ctx->env->cfg->forwards);
++		log_assert(ctx->env->cfg->forwards->name);
+ 		s = ctx->env->cfg->forwards;
+ 	}
+ 	dupl = strdup(addr);

unbound/PKGBUILD

@@ -0,0 +1,73 @@
+# Maintainer: Jesus E. <heckyel@riseup.net>
+
+pkgname=unbound
+pkgver=1.13.1
+pkgrel=5
+pkgdesc='Validating, recursive, and caching DNS resolver'
+url='https://unbound.net/'
+license=('Modified-BSD')
+arch=('i686' 'x86_64')
+depends=('libressl' 'libsodium' 'libevent' 'ldns' 'dnssec-anchors')
+makedepends=('expat' 'gettext-tiny')
+optdepends=('expat: unbound-anchor'
+            'logger: message logging support')
+backup=('etc/unbound/unbound.conf'
+        'etc/conf.d/unbound')
+install=unbound.install
+source=("https://unbound.net/downloads/${pkgname}-${pkgver}.tar.gz"
+        "hook"
+        "unbound.conf"
+        "unbound.confd"
+        "unbound.initd"
+        "unbound.run"
+        "CVE-2024-43167.patch")
+sha512sums=('f4d26dca28dbcc33a5e65a55147fa01077c331292e88b6a87798cb6c3d4edb0515015d131fd893c92b74d22d9998a640f0adce404e6192d61ebe69a6a599287c'
+            'dab83cc253d8ce8fac52a1fc7abcdb31e183a7245a887d85cad2c83d8b69ca4e4cbbcfc0914e71d686653b7252e40b29574ca0889da7d9b06e668a3ba8cfb763'
+            'f0f87cd414e7efef28a3df09d09deb4eaec49d6694e93f532c6ec3f23ee5ed1c950bed047c755b20d21e618bde31f56e210208fbcc2f35ded880f0cdba45b4bc'
+            'e3e4c7f97c13d133724417a70e4f20dac6f1f4b5a4e2e573c410148059d9f722589249b3dd4668069d4e324abef60f5981f20b1797623f37db9c9422410dc13f'
+            '24b973b7da783c7bf66307eb09a837e6fcd2299e2cdfc78dd5e0e48e6faba3b7f23155c14997da0533495a04f4115b711df5f25b9400dbb70cf4aeebfdd75fd5'
+            'cb1b931f9628f75ea2a72f1fa0489baa2af392208f503bb2bcee3af2221c3283ea6e584d65722abe01c8420aaec94c8b4263cd9b6212f2e06c5d8eb5150ba985'
+            '52dad70da916d3935f80f10399c3a86226349dcece4a8674b20f77ec36069961dfc6137526aa96ad428b38531958d96a1905a37b49a620df03b9e590c3ab62b5')
+
+prepare() {
+  cd "${srcdir}/${pkgname}-${pkgver}"
+  patch -Np1 -i ${srcdir}/CVE-2024-43167.patch
+  sed '/# trust-anchor-file:/c\\ttrust-anchor-file: /etc/unbound/trusted-key.key' -i doc/example.conf.in
+}
+
+build() {
+  cd "${srcdir}/${pkgname}-${pkgver}"
+
+  ./configure \
+    --prefix=/usr \
+    --sysconfdir=/etc \
+    --localstatedir=/var \
+    --disable-rpath \
+    --disable-systemd \
+    --disable-dnstap \
+    --enable-dnscrypt \
+    --enable-pie \
+    --enable-relro-now \
+    --enable-subnet \
+    --enable-tfo-client \
+    --enable-tfo-server \
+    --enable-cachedb \
+    --with-conf-file=/etc/unbound/unbound.conf \
+    --with-pidfile=/run/unbound.pid \
+    --with-rootkey-file=/etc/trusted-key.key \
+    --with-libevent
+
+  make
+}
+
+package() {
+  cd "${srcdir}/${pkgname}-${pkgver}"
+  make DESTDIR="${pkgdir}" install
+  install -Dm644 doc/example.conf.in "${pkgdir}/etc/unbound/unbound.conf.example"
+  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
+  install -Dm644 $srcdir/unbound.confd "${pkgdir}/etc/conf.d/unbound"
+  install -Dm755 $srcdir/unbound.initd "${pkgdir}/etc/init.d/unbound"
+  install -Dm644 $srcdir/unbound.conf "${pkgdir}/etc/unbound/unbound.conf"
+  install -Dm755 $srcdir/unbound.run "${pkgdir}/etc/sv/unbound/run"
+  install -Dm644 $srcdir/hook "${pkgdir}/usr/share/libalpm/hooks/unbound-key.hook"
+}

unbound/hook

@@ -0,0 +1,10 @@
+[Trigger]
+Type = File
+Target = etc/trusted-key.key
+Operation = Install
+Operation = Upgrade
+
+[Action]
+Description = Updating trusted-key.key for unbound...
+When = PostTransaction
+Exec = /bin/cp -f /etc/trusted-key.key /etc/unbound/

unbound/unbound.conf

@@ -0,0 +1,5 @@
+server:
+  use-syslog: yes
+  username: "unbound"
+  directory: "/etc/unbound"
+  trust-anchor-file: trusted-key.key

unbound/unbound.confd

@@ -0,0 +1,4 @@
+# Settings should normally not need any changes.
+
+# Location of the unbound configuration file. Leave empty for the default.
+#UNBOUND_CONFFILE="/etc/unbound/unbound.conf"

unbound/unbound.initd

@@ -0,0 +1,53 @@
+#!/sbin/openrc-run
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+name="unbound daemon"
+extra_commands="checkconfig"
+extra_started_commands="reload"
+description="unbound is a Domain Name Server (DNS) that is used to resolve host names to IP address."
+description_configtest="Run syntax tests for configuration files only."
+description_reload="Kills all children and reloads the configuration."
+
+UNBOUND_BINARY=${UNBOUND_BINARY:-/usr/sbin/unbound}
+UNBOUND_CHECKCONF=${UNBOUND_CHECKCONF:-/usr/sbin/unbound-checkconf}
+UNBOUND_CONFFILE=${UNBOUND_CONFFILE:-/etc/unbound/$RC_SVCNAME.conf}
+UNBOUND_PIDFILE=${UNBOUND_PIDFILE:-/run/$RC_SVCNAME.pid}
+
+depend() {
+    need net
+    use logger
+    provide dns
+    after auth-dns
+}
+
+checkconfig() {
+    ebegin "Checking ${UNBOUND_CONFFILE}"
+    /usr/sbin/unbound-checkconf -f "${UNBOUND_CONFFILE}" >/dev/null
+    eend $?
+}
+
+start_pre() {
+    checkconfig
+}
+
+start() {
+    ebegin "Starting ${RC_SVCNAME}"
+    start-stop-daemon --start --background --exec "${UNBOUND_BINARY}" --pidfile "${UNBOUND_PIDFILE}" \
+                      -- -c "${UNBOUND_CONFFILE}"
+    eend $?
+}
+
+stop() {
+    start_pre || return $?
+    ebegin "Stopping ${RC_SVCNAME}"
+    start-stop-daemon --stop --pidfile "${UNBOUND_PIDFILE}"
+    eend $?
+}
+
+reload() {
+    start_pre || return $?
+    ebegin "Reloading ${RC_SVCNAME}"
+    start-stop-daemon --signal HUP --pidfile "${UNBOUND_PIDFILE}"
+    eend $?
+}

unbound/unbound.install

@@ -0,0 +1,11 @@
+post_install() {
+    getent group unbound &>/dev/null || groupadd -r unbound >/dev/null
+    getent passwd unbound &>/dev/null || useradd -r -g unbound -G adm -d /etc/unbound -s /bin/nologin -c unbound unbound >/dev/null
+    if ! groups unbound | grep adm &>/dev/null; then
+        gpasswd -a unbound adm >/dev/null
+    fi
+    unbound_shell=$(getent passwd unbound | cut -d: -f7)
+    if [ "$unbound_shell" != '/bin/nologin' ]; then
+        chsh -s /bin/nologin unbound &>/dev/null
+    fi
+}

unbound/unbound.run

@@ -0,0 +1,2 @@
+#!/bin/sh
+exec chpst -U unbound:unbound unbound -dp -c /etc/unbound/unbound.conf