Bug#750222: wheezy-pu: package unbound (NMU)
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: Robert S. Edmonds <edmonds@debian.org>
Dear release team and unbound maintainer,
I would like to NMU unbound to stable, because it crashes when
validating DNSSEC on multiple threads simultaneously. The relevant
Debian bug #691528 is fixed upstream and in unstable, and I sent a
backported patch to that bug (also attached for convenience). Is this
patch suitable for wheezy?
Helmut
diff -Nru unbound-1.4.17/debian/changelog unbound-1.4.17/debian/changelog
--- unbound-1.4.17/debian/changelog 2013-02-17 18:35:34.000000000 +0100
+++ unbound-1.4.17/debian/changelog 2014-03-11 17:36:53.000000000 +0100
@@ -1,3 +1,10 @@
+unbound (1.4.17-3+wheezy1) stable-proposed-updates; urgency=low
+
+ * Non-maintainer upload.
+ * Fix crash when using DNSSEC and num-threads > 1; closes: #691528.
+
+ -- Helmut Grohne <helmut@subdivi.de> Tue, 11 Mar 2014 17:33:23 +0100
+
unbound (1.4.17-3) testing; urgency=low
* Update IPv4 address hint for D.ROOT-SERVERS.NET.
diff -Nru unbound-1.4.17/debian/patches/series unbound-1.4.17/debian/patches/series
--- unbound-1.4.17/debian/patches/series 2013-02-17 18:54:32.000000000 +0100
+++ unbound-1.4.17/debian/patches/series 2014-03-11 17:27:03.000000000 +0100
@@ -1 +1,2 @@
debian-changes
+unbound-1.4.18-openssl-threads.patch
diff -Nru unbound-1.4.17/debian/patches/unbound-1.4.18-openssl-threads.patch unbound-1.4.17/debian/patches/unbound-1.4.18-openssl-threads.patch
--- unbound-1.4.17/debian/patches/unbound-1.4.18-openssl-threads.patch 1970-01-01 01:00:00.000000000 +0100
+++ unbound-1.4.17/debian/patches/unbound-1.4.18-openssl-threads.patch 2014-03-11 17:31:22.000000000 +0100
@@ -0,0 +1,109 @@
+Description: fix crash when using DNSSEC and num-threads > 1
+Bug-Debian: http://bugs.debian.org/691528
+Last-Update: 2014-03-11
+Applied-Upstream: revision 2733
+
+Index: unbound-1.4.17/daemon/daemon.c
+===================================================================
+--- unbound-1.4.17.orig/daemon/daemon.c 2014-03-11 17:26:28.541719650 +0100
++++ unbound-1.4.17/daemon/daemon.c 2014-03-11 17:26:32.621688573 +0100
+@@ -203,6 +203,10 @@
+ comp_meth = (void*)SSL_COMP_get_compression_methods();
+ #endif
+ (void)SSL_library_init();
++# if defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
++ if(!ub_openssl_lock_init())
++ fatal_exit("could not init openssl locks");
++# endif
+ #ifdef HAVE_TZSET
+ /* init timezone info while we are not chrooted yet */
+ tzset();
+@@ -555,6 +559,9 @@
+ ERR_remove_state(0);
+ ERR_free_strings();
+ RAND_cleanup();
++# if defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
++ ub_openssl_lock_delete();
++# endif
+ checklock_stop();
+ #ifdef USE_WINSOCK
+ if(WSACleanup() != 0) {
+Index: unbound-1.4.17/util/net_help.c
+===================================================================
+--- unbound-1.4.17.orig/util/net_help.c 2014-03-11 17:26:28.541719650 +0100
++++ unbound-1.4.17/util/net_help.c 2014-03-11 17:26:32.621688573 +0100
+@@ -697,3 +697,54 @@
+ }
+ return ssl;
+ }
++
++/** global lock list for openssl locks */
++static lock_basic_t *ub_openssl_locks = NULL;
++
++/** callback that gets thread id for openssl */
++static unsigned long
++ub_crypto_id_cb(void)
++{
++ return (unsigned long)ub_thread_self();
++}
++
++static void
++ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file),
++ int ATTR_UNUSED(line))
++{
++ if((mode&CRYPTO_LOCK)) {
++ lock_basic_lock(&ub_openssl_locks[type]);
++ } else {
++ lock_basic_unlock(&ub_openssl_locks[type]);
++ }
++}
++
++int ub_openssl_lock_init(void)
++{
++#ifdef OPENSSL_THREADS
++ size_t i;
++ ub_openssl_locks = (lock_basic_t*)malloc(
++ sizeof(lock_basic_t)*CRYPTO_num_locks());
++ if(!ub_openssl_locks)
++ return 0;
++ for(i=0; i<CRYPTO_num_locks(); i++) {
++ lock_basic_init(&ub_openssl_locks[i]);
++ }
++ CRYPTO_set_id_callback(&ub_crypto_id_cb);
++ CRYPTO_set_locking_callback(&ub_crypto_lock_cb);
++#endif /* OPENSSL_THREADS */
++ return 1;
++}
++
++void ub_openssl_lock_delete(void)
++{
++#ifdef OPENSSL_THREADS
++ size_t i;
++ if(!ub_openssl_locks)
++ return;
++ for(i=0; i<CRYPTO_num_locks(); i++) {
++ lock_basic_destroy(&ub_openssl_locks[i]);
++ }
++#endif /* OPENSSL_THREADS */
++}
++
+Index: unbound-1.4.17/util/net_help.h
+===================================================================
+--- unbound-1.4.17.orig/util/net_help.h 2014-03-11 17:26:28.541719650 +0100
++++ unbound-1.4.17/util/net_help.h 2014-03-11 17:26:32.621688573 +0100
+@@ -369,4 +369,15 @@
+ */
+ void* outgoing_ssl_fd(void* sslctx, int fd);
+
++/**
++ * Initialize openssl locking for thread safety
++ * @return false on failure (alloc failure).
++ */
++int ub_openssl_lock_init(void);
++
++/**
++ * De-init the allocated openssl locks
++ */
++void ub_openssl_lock_delete(void);
++
+ #endif /* NET_HELP_H */
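Review bot: `ub_openssl_lock_delete()` in util/net_help.c destroys every lock but leaves the id and locking callbacks registered and never frees `ub_openssl_locks`. Any libcrypto call made after teardown would therefore enter `ub_crypto_lock_cb` on a destroyed lock, and the array is leaked. In daemon.c the call sits after `RAND_cleanup()`, so this probably only matters if later shutdown code still reaches OpenSSL, but detaching the callbacks first makes the ordering safe either way. Two smaller points in `ub_openssl_lock_init()`: the loop compares a `size_t i` against the `int` from `CRYPTO_num_locks()`, and the body is guarded only by `OPENSSL_THREADS` while both call sites also test `!defined(THREADS_DISABLED)`. The two static callbacks carry no guard at all, so the conditions should be made to match.

```c
void ub_openssl_lock_delete(void)
{
	/* … unchanged: OPENSSL_THREADS guard, size_t i, NULL check … */
	/* detach the callbacks before the locks they use are destroyed */
	CRYPTO_set_id_callback(NULL);
	CRYPTO_set_locking_callback(NULL);
	/* … unchanged: lock_basic_destroy loop … */
	free(ub_openssl_locks);
	ub_openssl_locks = NULL;
	/* … unchanged: #endif … */
}
```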
diff -Nru unbound-1.4.17/debian/source/options unbound-1.4.17/debian/source/options
--- unbound-1.4.17/debian/source/options 2013-02-17 18:35:34.000000000 +0100
+++ unbound-1.4.17/debian/source/options 1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-single-debian-patch