924895 – net-dns/bind-9.16.48, net-dns/bind-tools-9.16.48: security stabilisation

Bug 924895 - net-dns/bind-9.16.48, net-dns/bind-tools-9.16.48: security stabilisation

Summary: net-dns/bind-9.16.48, net-dns/bind-tools-9.16.48: security stabilisation

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Stabilization (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Patrick McLean

URL:
Whiteboard:
Keywords:	CC-ARCHES, PullRequest, SECURITY

Depends on:	924995
Blocks:	CVE-2023-3341 CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516
	Show dependency tree

Reported:	2024-02-18 10:50 UTC by Sam James
Modified:	2024-03-17 09:19 UTC (History)
CC List:	3 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/35429
Package list:	net-dns/bind-9.16.48 net-dns/bind-tools-9.16.48 sec-keys/openpgp-keys-isc-20240213
Runtime testing required:	---

Flags:	nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2024-02-18 10:50:34 UTC

Thanks!

Comment 1 NATTkA bot gentoo-dev

2024-02-18 10:52:17 UTC Comment hidden (obsolete)

Sanity check failed:

> net-dns/bind-tools-9.16.48
>   bdepend amd64 dev profile default/linux/amd64/17.0/musl (50 total)
>     sec-keys/openpgp-keys-isc
>   bdepend amd64 stable profile default/linux/amd64/17.1 (80 total)
>     sec-keys/openpgp-keys-isc
> net-dns/bind-9.16.48
>   bdepend amd64 dev profile default/linux/amd64/17.0/musl (50 total)
>     sec-keys/openpgp-keys-isc
>   bdepend amd64 stable profile default/linux/amd64/17.1 (80 total)
>     sec-keys/openpgp-keys-isc

Comment 2 Sam James archtester

2024-02-18 13:30:22 UTC

ppc64 done

Comment 3 Arthur Zamarin archtester

2024-02-18 19:56:48 UTC

amd64 done

Comment 4 Arthur Zamarin archtester

2024-02-18 20:01:24 UTC

x86 done

Comment 5 Chicago 2024-02-19 16:38:17 UTC

Hi,

    Are y'all testing this with the verify-sig USE flag enabled?

>>> Emerging (3 of 4) net-dns/bind-9.16.48::gentoo
 * bind-9.16.48.tar.xz BLAKE2B SHA512 size ;-) ...                                                                                               [ ok ]
 * dyndns-samples.tbz2 BLAKE2B SHA512 size ;-) ...                                                                                               [ ok ]
 * bind-9.16.48.tar.xz.asc BLAKE2B SHA512 size ;-) ...                                                                                           [ ok ]
>>> Unpacking source...
 * The following distfiles lack detached signatures:
 *   dyndns-samples.tbz2
 * ERROR: net-dns/bind-9.16.48::gentoo failed (unpack phase):
 *   Unsigned distfiles found
 * 
 * Call stack:
 *     ebuild.sh, line  136:  Called src_unpack
 *   environment, line 3653:  Called verify-sig_src_unpack
 *   environment, line 4842:  Called die
 * The specific snippet of code:
 *               die "Unsigned distfiles found";
 * 
 * If you need support, post the output of `emerge --info '=net-dns/bind-9.16.48::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=net-dns/bind-9.16.48::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/net-dns/bind-9.16.48/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/net-dns/bind-9.16.48/temp/environment'.
 * Working directory: '/var/tmp/portage/net-dns/bind-9.16.48/work'
 * S: '/var/tmp/portage/net-dns/bind-9.16.48/work/bind-9.16.48'


-Chicago

Comment 6 Sam James archtester

2024-02-19 17:13:23 UTC

(In reply to Chicago from comment #5)
> Hi,
> 
>     Are y'all testing this with the verify-sig USE flag enabled?
> 

Please file a new bug.

Comment 7 Chicago 2024-02-19 17:38:26 UTC

Hi Sam,

    This is the stabilization ticket for net-dns/bind-9.16.48.

    If the package can't emerge with certain combinations of USE flags enabled on a particular arch or all of the archs, it would be a duplication of efforts to file a new bug in my humble opinion.

Best Regards,
-Chicago

Comment 8 Chicago 2024-02-19 17:38:52 UTC

I forgot to add, it is a security concern.

Comment 9 Hank Leininger 2024-02-19 17:40:34 UTC

Created https://bugs.gentoo.org/924995, working on the verify-sig+doc problem.

Comment 10 Sam James archtester

2024-02-19 17:58:46 UTC

It's not a duplicate, as Hank has done, the correct thing is to make this bug depend on it.

This makes sure the right person sees it and it also blocks any further automatic stabilisation. I only saw this by chance, as the stabilisation bugs are very noisy.

Comment 11 Chicago 2024-02-19 18:20:35 UTC

Okay, thank you very much for everyone keeping Portage chugging along!

Comment 12 Larry the Git Cow gentoo-dev

2024-02-19 20:22:54 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fec12a1db44041aa37ed5acc198ef70d8b265afa

commit fec12a1db44041aa37ed5acc198ef70d8b265afa
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2024-02-19 17:45:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-02-19 20:22:14 +0000

    net-dns/bind: Fix USE=doc+verify-sig
    
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Closes: https://bugs.gentoo.org/924995
    Bug: https://bugs.gentoo.org/924895
    Closes: https://github.com/gentoo/gentoo/pull/35429
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/bind/bind-9.16.48.ebuild | 7 +++++++
 1 file changed, 7 insertions(+)

Comment 13 Sam James archtester

2024-03-03 00:23:59 UTC

arm64 done

Comment 14 Arthur Zamarin archtester

2024-03-12 21:51:40 UTC

ppc done

Comment 15 Arthur Zamarin archtester

2024-03-12 21:51:41 UTC

arm done

Comment 16 Arthur Zamarin archtester

2024-03-17 09:19:26 UTC

sparc done

all arches done