Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 600212 - net-dns/bind-9.11.{0,1}_p* should call configure ... --with-dlopen - ../dns/.libs/libdns.so: undefined reference to `dlopen'
Summary: net-dns/bind-9.11.{0,1}_p* should call configure ... --with-dlopen - ../dns/....
Status: RESOLVED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Christian Ruppert (idl0r)
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks: CVE-2017-3136, CVE-2017-3137, CVE-2017-3138
  Show dependency tree
 
Reported: 2016-11-19 03:52 UTC by Hank Leininger
Modified: 2017-06-26 09:05 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Force --with-dlopen to fix building when it is not implied by a USE flag. (bind_dlopen.patch,319 bytes, patch)
2017-01-15 16:17 UTC, Hank Leininger
Details | Diff
bind-9.11.0_p5-dyndb-dlopen.patch (bind-9.11.0_p5-dyndb-dlopen.patch,2.86 KB, patch)
2017-05-30 20:50 UTC, Peter
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Hank Leininger 2016-11-19 03:52:50 UTC
Arguably this is an upstream problem, but we can work around it.

The ebuilds for bind 9.10.x and 9.11.x require dlz if any of various USE flags are set (mysql, ldap, etc.).  In turn, if dlz is set, --with-dlopen is passed to configure.

If none of those are set, dlopen is not enabled.  In 9.10.x this work(ed) fine.

But in 9.11.0_p1, building without --with-dlopen dies with:

[snip]
libtool: compile:  x86_64-pc-linux-gnu-gcc -I/var/tmp/portage/net-dns/bind-9.11.0_p1/work/bind-9.11.0-P1 -I../.. -I./include -I../dns/include -I/var/tmp/portage/net-dns/bind-9.11.0_p1/work/bind-9.11.0-P1/lib/dns/include -I../../lib/dns/include -I/var/tmp/portage/net-dns/bind-9.11.0_p1/work/bind-9.11.0-P1/lib/isc/include -I../../lib/isc -I../../lib/isc/include -I../../lib/isc/unix/include -I../../lib/isc/nothreads/include -I../../lib/isc/x86_32/include -I../../lib/irs/include -I../../lib/irs/include -DVERSION=\"9.11.0-P1\" -DSYSCONFDIR=\"/etc/bind\" -D_GNU_SOURCE -march=core2 -freorder-blocks-and-partition -O2 -pipe -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing -fno-delete-null-pointer-checks -c nsprobe.c -o nsprobe.o >/dev/null 2>&1
libtool: link: x86_64-pc-linux-gnu-gcc -march=core2 -freorder-blocks-and-partition -O2 -pipe -Wl,-O1 -o .libs/sample-gai .libs/sample-gai.o  -Wl,--as-needed ../irs/.libs/libirs.so ../dns/.libs/libdns.so ../isccfg/.libs/libisccfg.so /var/tmp/portage/net-dns/bind-9.11.0_p1/work/bind-9.11.0-P1/lib/dns/.libs/libdns.so /var/tmp/portage/net-dns/bind-9.11.0_p1/work/bind-9.11.0-P1/lib/isccc/.libs/libisccc.so /var/tmp/portage/net-dns/bind-9.11.0_p1/work/bind-9.11.0-P1/lib/isc/.libs/libisc.so ../isc/.libs/libisc.so -lcap -lz 
../dns/.libs/libdns.so: undefined reference to `dlopen'
../dns/.libs/libdns.so: undefined reference to `dlclose'
../dns/.libs/libdns.so: undefined reference to `dlerror'
../dns/.libs/libdns.so: undefined reference to `dlsym'
collect2: error: ld returned 1 exit status
make[2]: *** [Makefile:463: sample-gai] Error 1

[This occurred under lib/samples/, but the problem is with libdns.so itself; bypassing samples/ just means it will die somewhere else in the build.]

Tested with gcc-4.9.4[hardened] and glibc-2.23-r2[hardened] on x86_64.

Simply enabling --with-dlopen unconditionally in the ebuild allows the build to succeed.
Comment 1 Felix Janda 2016-11-19 10:49:42 UTC
I think upstream introduced this issue when merging dyndb:

https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=a00f9e2f50675bd43cc6a9fe2669709162a2ccb4

They should either disable dyndb if --without-dlopen (does not look
straightforward to implement) or remove the configure option.
Comment 2 Hank Leininger 2017-01-15 16:16:59 UTC
net-dns/bind-9.11.0_p2 has the same problem, cannot build without --with-dlopen set either implicitly or explicitly.

I'll attach a patch that worked for me with net-dns/bind-9.11.0_p1 and now net-dns/bind-9.11.0_p2 as well.
Comment 3 Hank Leininger 2017-01-15 16:17:58 UTC
Created attachment 460200 [details, diff]
Force --with-dlopen to fix building when it is not implied by a USE flag.
Comment 4 Tomáš Mózes 2017-01-17 06:40:46 UTC
Same here. Building just a minimalistic bind with USE="-* ipv6 zlib" fails, but works fine with USE="-* ipv6 dlz zlib".
Comment 5 Tim 2017-02-22 23:35:21 UTC
Just had this problem crop up with me for net-dns/bind-9.11.0_p3 today, accidentally worked around it by enabling the ssl useflag, I'll have to try using the dlz useflag instead, my intention is to make as tiny a binary as possible since I'm running it on an rpi to filter out ipv6 hostnames.
Comment 6 Anthony Parsons 2017-03-15 20:09:37 UTC
(In reply to Tim from comment #5)
> Just had this problem crop up with me for net-dns/bind-9.11.0_p3 today,
> accidentally worked around it by enabling the ssl useflag, I'll have to try
> using the dlz useflag instead, my intention is to make as tiny a binary as
> possible since I'm running it on an rpi to filter out ipv6 hostnames.

To add, this workaround only works as a side effect of OpenSSL being there. With USE="ssl libressl" I still get the dlopen compile failure.
Comment 7 Peter 2017-05-08 08:04:47 UTC
Reported upstream: https://lists.isc.org/pipermail/bind-users/2017-May/098574.html

I think currently we should require dlopen in ebuild:

--- a/bind-9.11.0_p3.ebuild
+++ b/bind-9.11.0_p3.ebuild
@@ -170,7 +170,7 @@ src_configure() {
                $(use_enable seccomp) \
                $(use_enable threads) \
                $(use_with berkdb dlz-bdb) \
-               $(use_with dlz dlopen) \
+               --with-dlopen \
                $(use_with dlz dlz-filesystem) \
                $(use_with dlz dlz-stub) \
                $(use_with gost) \


And stabilize for security fixes.
Comment 8 Kerin Millar 2017-05-17 02:43:02 UTC
(In reply to Peter from comment #7)
> Reported upstream:
> https://lists.isc.org/pipermail/bind-users/2017-May/098574.html
> 
> I think currently we should require dlopen in ebuild:

I agree. Doing so would address the problem for everyone. Devs, can we get some traction on this?
Comment 9 Kerin Millar 2017-05-18 10:20:27 UTC
Those who, like myself, are fatigued by having to work around this bug upon every upgrade might consider using package.env to define EXTRA_ECONF="--with-dlopen" for net-dns/bind as an interim workaround.
Comment 10 Peter 2017-05-30 20:50:38 UTC
Created attachment 474718 [details, diff]
bind-9.11.0_p5-dyndb-dlopen.patch

Finally upstream fixed this issue:

https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=aa3a8979bc7eb1596d044eff572b3c35310584fa
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=ae903759c205f8a5039458d780c0e0c4442b7291

Attached patch is exactly two patches togeather without changes in CHANGES file. Works for me.
Comment 11 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2017-06-09 17:40:48 UTC
This has just been fixed by applying the mentioned patch(es). Thanks guys! Should be on the mirrors soon.
Comment 12 Kerin Millar 2017-06-25 18:42:37 UTC
(In reply to Christian Ruppert (idl0r) from comment #11)
> This has just been fixed by applying the mentioned patch(es). Thanks guys!
> Should be on the mirrors soon.

Thanks. Unfortunately, bind-9.11.1_p1 also requires these patches.
Comment 13 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2017-06-26 09:05:14 UTC
(In reply to Kerin Millar from comment #12)
> (In reply to Christian Ruppert (idl0r) from comment #11)
> > This has just been fixed by applying the mentioned patch(es). Thanks guys!
> > Should be on the mirrors soon.
> 
> Thanks. Unfortunately, bind-9.11.1_p1 also requires these patches.

Damn... Should be fixed again now, in Git. It might take a bit to hit the mirrors.
Thanks!