authorSergey Lukin <sergej.lukin@gmail.com>2017-04-03 08:52:32 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2017-04-03 10:06:31 +0000
commite98a3138ba6fb05dfcce66ffb9974e77777486ad (patch)
tree4143c8ed8b73c59a8e035c2b6bb391323787c4fd
parenta8608eaaf97f3f8c092c7ddfa532205d07168412 (diff)
community/pdns-recursor: security upgrade to 4.0.4 - fixes #7045
CVE-2016-7068: Crafted queries can cause abnormal CPU usage
CVE-2016-7073, CVE-2016-7074: Insufficient validation of TSIG signatures
https://doc.powerdns.com/md/changelog/#powerdns-recursor-404
-rw-r--r--community/pdns-recursor/APKBUILD21
-rw-r--r--community/pdns-recursor/boost-fix.patch152
2 files changed, 12 insertions, 161 deletions
diff --git a/community/pdns-recursor/APKBUILD b/community/pdns-recursor/APKBUILD
index 4cdccebd0c9..9606cc31063 100644
--- a/community/pdns-recursor/APKBUILD
+++ b/community/pdns-recursor/APKBUILD
@@ -1,7 +1,8 @@
+# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Contributor: Olivier Mauras <olivier@mauras.ch>
pkgname=pdns-recursor
-pkgver=4.0.3
-pkgrel=2
+pkgver=4.0.4
+pkgrel=0
pkgdesc="PowerDNS Recursive Server"
url="http://www.powerdns.com/"
arch="all"
@@ -14,11 +15,16 @@ subpackages="$pkgname-doc"
pkgusers="pdns"
pkggroups="pdns"
source="http://downloads.powerdns.com/releases/pdns-recursor-$pkgver.tar.bz2
- boost-fix.patch
pdns-recursor.initd
recursor.conf
"
+# secfixes:
+# 4.0.4-r0:
+# - CVE-2016-7068
+# - CVE-2016-7073
+# - CVE-2016-7074
+
_builddir="$srcdir/$pkgname-$pkgver"
prepare() {
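Review bot: The `source=` line kept as context in this hunk still downloads the release tarball over plain `http://`, so for a security upgrade the only thing binding the build to the upstream 4.0.4 release is the checksum block rewritten in the last hunk of this file. If the upstream host serves the same path over TLS (worth confirming), I would change it to `source="https://downloads.powerdns.com/releases/pdns-recursor-$pkgver.tar.bz2`. The new checksums should also be compared against a value obtained independently of the download itself. Separately, `boost-fix.patch` is dropped from `source=` without the description saying that 4.0.4 already contains the Boost 1.61 context change; one sentence confirming that would save the next maintainer from re-deriving it.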
@@ -56,15 +62,12 @@ package() {
"$pkgdir"/etc/pdns/recursor.conf || return 1
}
-md5sums="ca39a08cd0634d98121f27eb4d93a8a6 pdns-recursor-4.0.3.tar.bz2
-1d4b59a980a78c51290a137c20ff53a8 boost-fix.patch
+md5sums="7bc78f05154c4c822ab09117f96d819c pdns-recursor-4.0.4.tar.bz2
35f373bae0503632088956fa14754e4e pdns-recursor.initd
2950b9932de6baae360f220c7686f520 recursor.conf"
-sha256sums="ae9813a64d13d9ebe4b44e89e8e4e44fc438693b6ce4c3a98e4cab1af22d9627 pdns-recursor-4.0.3.tar.bz2
-fde7aeb34ddbb461331e85db941189fdcbcecd9588349d4eb5314d14323f8c0e boost-fix.patch
+sha256sums="2338778f49ccd03401e65f6f4b39047890e691c8ff6d810ecee45321fb4f1e4d pdns-recursor-4.0.4.tar.bz2
215d916383e3cba184f8418b98cd2ced146500006e21e2efeb0ee5b53f3df049 pdns-recursor.initd
12bdbf651db0c7fe63ddb01a239a5ddd40825f50811a5d3f4d13cda294bd0344 recursor.conf"
-sha512sums="03c77cff58851f9802eba434fb674d9cbd19b849620996df84b8dccc97539607895e06c1beb662b1ce08146bbc2b51a72bde2d6d90ef88c929ab645d9b5a33c4 pdns-recursor-4.0.3.tar.bz2
-25718ff37454580c399e263c68a081c11259cb08352cf754cdf482c2cdb09372ea2e8ff90799402b44131c575cf118abdf212ca2536d5f2af525999cba3415d8 boost-fix.patch
+sha512sums="9473dfe9abc509b2bb953139dd7892de2027ee1508902fa0c2cd30dd9a88878fcf44370b8372d573cbab12de32bb8c604005d3b39ea34db2ef86786e689d36ab pdns-recursor-4.0.4.tar.bz2
f23cb30d943e0b0aea09371dc57aa43e55b8f91062a3caa3fac17e3565a8e36dfd304f45eba588f625ca2337cd2ade450ea5ae1776872c006204cdaf912f6651 pdns-recursor.initd
954df537693a202fc195e751011bbfaa605b3f3df42ac386fa82eb809b73c2b987f5e418b5c96bb3b0669497426ce0daa39a719844701e06990b82843a4cf0d4 recursor.conf"
diff --git a/community/pdns-recursor/boost-fix.patch b/community/pdns-recursor/boost-fix.patch
deleted file mode 100644
index c6cd9a32631..00000000000
--- a/community/pdns-recursor/boost-fix.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-diff --git a/mtasker_fcontext.cc b/mtasker_fcontext.cc
-index bc37e76..8d96fa1 100644
---- a/mtasker_fcontext.cc
-+++ b/mtasker_fcontext.cc
-@@ -23,14 +23,15 @@
- #include <exception>
- #include <cassert>
- #include <type_traits>
--#if BOOST_VERSION > 106100
--#include <boost/context/detail/fcontext.hpp>
--#else
--#include <boost/context/fcontext.hpp>
--#endif
- #include <boost/version.hpp>
--
-+#if BOOST_VERSION < 106100
-+#include <boost/context/fcontext.hpp>
- using boost::context::make_fcontext;
-+#else
-+#include <boost/context/detail/fcontext.hpp>
-+using boost::context::detail::make_fcontext;
-+#endif /* BOOST_VERSION < 106100 */
-+
-
- #if BOOST_VERSION < 105600
- /* Note: This typedef means functions taking fcontext_t*, like jump_fcontext(),
-@@ -61,8 +62,15 @@ jump_fcontext (fcontext_t* const ofc, fcontext_t const nfc,
- }
- }
- #else
-+
-+#if BOOST_VERSION < 106100
- using boost::context::fcontext_t;
- using boost::context::jump_fcontext;
-+#else
-+using boost::context::detail::fcontext_t;
-+using boost::context::detail::jump_fcontext;
-+using boost::context::detail::transfer_t;
-+#endif /* BOOST_VERSION < 106100 */
-
- static_assert (std::is_pointer<fcontext_t>::value,
- "Boost Context has changed the fcontext_t type again :-(");
-@@ -72,7 +80,9 @@ static_assert (std::is_pointer<fcontext_t>::value,
- * jump. args_t simply provides a way to pass more by reference.
- */
- struct args_t {
-+#if BOOST_VERSION < 106100
- fcontext_t prev_ctx = nullptr;
-+#endif
- pdns_ucontext_t* self = nullptr;
- boost::function<void(void)>* work = nullptr;
- };
-@@ -80,7 +90,11 @@ struct args_t {
- extern "C" {
- static
- void
-+#if BOOST_VERSION < 106100
- threadWrapper (intptr_t const xargs) {
-+#else
-+threadWrapper (transfer_t const t) {
-+#endif
- /* Access the args passed from pdns_makecontext, and copy them directly from
- * the calling stack on to ours (we're now using the MThreads stack).
- * This saves heap allocating an args object, at the cost of an extra
-@@ -90,11 +104,28 @@ threadWrapper (intptr_t const xargs) {
- * the behaviour of the System V implementation, which can inherently only
- * be passed ints and pointers.
- */
-+#if BOOST_VERSION < 106100
- auto args = reinterpret_cast<args_t*>(xargs);
-+#else
-+ auto args = reinterpret_cast<args_t*>(t.data);
-+#endif
- auto ctx = args->self;
- auto work = args->work;
-+ /* we switch back to pdns_makecontext() */
-+#if BOOST_VERSION < 106100
- jump_fcontext (reinterpret_cast<fcontext_t*>(&ctx->uc_mcontext),
- static_cast<fcontext_t>(args->prev_ctx), 0);
-+#else
-+ transfer_t res = jump_fcontext (t.fctx, 0);
-+ /* we got switched back from pdns_swapcontext() */
-+ if (res.data) {
-+ /* if res.data is not a nullptr, it holds a pointer to the context
-+ we just switched from, and we need to fill it to be able to
-+ switch back to it later. */
-+ fcontext_t* ptr = static_cast<fcontext_t*>(res.data);
-+ *ptr = res.fctx;
-+ }
-+#endif
- args = nullptr;
-
- try {
-@@ -106,9 +137,14 @@ threadWrapper (intptr_t const xargs) {
-
- /* Emulate the System V uc_link feature. */
- auto const next_ctx = ctx->uc_link->uc_mcontext;
-+#if BOOST_VERSION < 106100
- jump_fcontext (reinterpret_cast<fcontext_t*>(&ctx->uc_mcontext),
- static_cast<fcontext_t>(next_ctx),
- static_cast<bool>(ctx->exception));
-+#else
-+ jump_fcontext (static_cast<fcontext_t>(next_ctx), 0);
-+#endif
-+
- #ifdef NDEBUG
- __builtin_unreachable();
- #endif
-@@ -129,10 +165,27 @@ pdns_ucontext_t::~pdns_ucontext_t
- void
- pdns_swapcontext
- (pdns_ucontext_t& __restrict octx, pdns_ucontext_t const& __restrict ctx) {
-+ /* we either switch back to threadwrapper() if it's the first time,
-+ or we switch back to pdns_swapcontext(),
-+ in both case we will be returning from a call to jump_fcontext(). */
-+#if BOOST_VERSION < 106100
- if (jump_fcontext (reinterpret_cast<fcontext_t*>(&octx.uc_mcontext),
- static_cast<fcontext_t>(ctx.uc_mcontext), 0)) {
- std::rethrow_exception (ctx.exception);
- }
-+#else
-+ transfer_t res = jump_fcontext (static_cast<fcontext_t>(ctx.uc_mcontext), &octx.uc_mcontext);
-+ if (res.data) {
-+ /* if res.data is not a nullptr, it holds a pointer to the context
-+ we just switched from, and we need to fill it to be able to
-+ switch back to it later. */
-+ fcontext_t* ptr = static_cast<fcontext_t*>(res.data);
-+ *ptr = res.fctx;
-+ }
-+ if (ctx.exception) {
-+ std::rethrow_exception (ctx.exception);
-+ }
-+#endif
- }
-
- void
-@@ -146,7 +199,15 @@ pdns_makecontext
- args_t args;
- args.self = &ctx;
- args.work = &start;
-+ /* jumping to threadwrapper */
-+#if BOOST_VERSION < 106100
- jump_fcontext (reinterpret_cast<fcontext_t*>(&args.prev_ctx),
- static_cast<fcontext_t>(ctx.uc_mcontext),
- reinterpret_cast<intptr_t>(&args));
-+#else
-+ transfer_t res = jump_fcontext (static_cast<fcontext_t>(ctx.uc_mcontext),
-+ &args);
-+ /* back from threadwrapper, updating the context */
-+ ctx.uc_mcontext = res.fctx;
-+#endif
- }