summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authortaca <taca@pkgsrc.org>2015-09-03 00:33:31 +0000
committertaca <taca@pkgsrc.org>2015-09-03 00:33:31 +0000
commit8dc3a66fb73d39744442f0f971a014332ef108a7 (patch)
tree6b833624e7b32177940f33d98263d40cbaf9520c
parent1ff365d73a5492e52e9e8109dbbc335c608e86ef (diff)
downloadpkgsrc-8dc3a66fb73d39744442f0f971a014332ef108a7.tar.gz
Update bind910 to 9.10.2pl4 (BIND 9.10.2-P4).
(Already fixed by bind-9.10.2pl3nb1.) --- 9.10.2-P4 released --- 4170. [security] An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. (CVE-2015-5986) [RT #40286] 4168. [security] A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys. (CVE-2015-5722) [RT #40212]
-rw-r--r--net/bind910/Makefile5
-rw-r--r--net/bind910/distinfo20
-rw-r--r--net/bind910/patches/patch-lib_dns_hmac_link.c120
-rw-r--r--net/bind910/patches/patch-lib_dns_include_dst_dst.h15
-rw-r--r--net/bind910/patches/patch-lib_dns_ncache.c33
-rw-r--r--net/bind910/patches/patch-lib_dns_openssldh_link.c106
-rw-r--r--net/bind910/patches/patch-lib_dns_openssldsa_link.c103
-rw-r--r--net/bind910/patches/patch-lib_dns_opensslecdsa_link.c19
-rw-r--r--net/bind910/patches/patch-lib_dns_opensslrsa_link.c64
-rw-r--r--net/bind910/patches/patch-lib_dns_pkcs11dh_link.c93
-rw-r--r--net/bind910/patches/patch-lib_dns_pkcs11dsa_link.c97
-rw-r--r--net/bind910/patches/patch-lib_dns_pkcs11rsa_link.c67
-rw-r--r--net/bind910/patches/patch-lib_dns_rdata_generic_openpgpkey_61.c16
-rw-r--r--net/bind910/patches/patch-lib_dns_resolver.c28
14 files changed, 6 insertions, 780 deletions
diff --git a/net/bind910/Makefile b/net/bind910/Makefile
index bb3052163e6..759c9be1992 100644
--- a/net/bind910/Makefile
+++ b/net/bind910/Makefile
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.11 2015/09/02 19:46:44 sevan Exp $
+# $NetBSD: Makefile,v 1.12 2015/09/03 00:33:31 taca Exp $
DISTNAME= bind-${BIND_VERSION}
PKGNAME= ${DISTNAME:S/-P/pl/}
-PKGREVISION= 1
CATEGORIES= net
MASTER_SITES= ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/ \
http://ftp.belnet.be/pub/mirror/ftp.isc.org/isc/bind9/${BIND_VERSION}/
@@ -15,7 +14,7 @@ CONFLICTS+= host-[0-9]*
MAKE_JOBS_SAFE= no
-BIND_VERSION= 9.10.2-P3
+BIND_VERSION= 9.10.2-P4
.include "../../mk/bsd.prefs.mk"
diff --git a/net/bind910/distinfo b/net/bind910/distinfo
index e5b58afa2b5..adb0de4c638 100644
--- a/net/bind910/distinfo
+++ b/net/bind910/distinfo
@@ -1,25 +1,13 @@
-$NetBSD: distinfo,v 1.9 2015/09/02 19:46:44 sevan Exp $
+$NetBSD: distinfo,v 1.10 2015/09/03 00:33:31 taca Exp $
-SHA1 (bind-9.10.2-P3.tar.gz) = ab362f2632db923accd1b29e37b8fffa66d21d8d
-RMD160 (bind-9.10.2-P3.tar.gz) = 1cd59e605ab723a1e051dfd6727f4534f3368efa
-Size (bind-9.10.2-P3.tar.gz) = 8469831 bytes
+SHA1 (bind-9.10.2-P4.tar.gz) = 55b8803c566aa0c9a9e4dbabbad06fb4536a8d5b
+RMD160 (bind-9.10.2-P4.tar.gz) = 8b2e0501899a5d654d8a234a7bd939cf06c43948
+Size (bind-9.10.2-P4.tar.gz) = 8471531 bytes
SHA1 (patch-bin_dig_dighost.c) = 582fa4c7288e70bcc6ac906e8429cf38e0ad5152
SHA1 (patch-bin_tests_system_Makefile.in) = 8bb6130981a6ff2ac736cf53a061115782bb65a2
SHA1 (patch-config.threads.in) = 227b83efe9cb3e301aaac9b97cf42f1fb8ad06b2
SHA1 (patch-configure) = 3ea12f60b26064679e086ef5e637420b95d165be
SHA1 (patch-contrib_dlz_config.dlz.in) = f18bec63fbfce7cb2cd72929058ce3770fce458f
-SHA1 (patch-lib_dns_hmac_link.c) = 4ed376d95d5588b0b4fd408f7e889b6ec2c23f1f
-SHA1 (patch-lib_dns_include_dst_dst.h) = 574b8c74cfc5e48c535716be0dc4adc38078ad18
-SHA1 (patch-lib_dns_ncache.c) = 95b50b3a89f7f7988ff15a16746e73500e85b321
-SHA1 (patch-lib_dns_openssldh_link.c) = 4f357bff84a822326833de7c132395c1cc252a94
-SHA1 (patch-lib_dns_openssldsa_link.c) = a21c32975643c939f4090db60c9066adac6a3800
-SHA1 (patch-lib_dns_opensslecdsa_link.c) = 6e33e77c40b64c887057a18e0f6d8406db55920a
-SHA1 (patch-lib_dns_opensslrsa_link.c) = e1f3a1f1d96ba56b877fd6123221ba8a54cef427
-SHA1 (patch-lib_dns_pkcs11dh_link.c) = 8a2fc71462a21bd17dab8e9221c00ce05694f4e2
-SHA1 (patch-lib_dns_pkcs11dsa_link.c) = 2ade7fe1e629e4d3ab4c486286105989f39f2b91
-SHA1 (patch-lib_dns_pkcs11rsa_link.c) = c59c26fec43a2193eee016be0c4169492395c351
SHA1 (patch-lib_dns_rbt.c) = 510dfc72bc7764e548a46e9c48b58b2543490d7a
-SHA1 (patch-lib_dns_rdata_generic_openpgpkey_61.c) = 8b323bae83dc9bf508b4c6765462eac4271b8761
-SHA1 (patch-lib_dns_resolver.c) = b922349bb5e4f4c70aad67976fec41c642735d04
SHA1 (patch-lib_lwres_getaddrinfo.c) = 69e9c8049fedcb93bd219c6053163f21ce3b2535
SHA1 (patch-lib_lwres_getnameinfo.c) = 418ad349cf52925c9e8051b5c71d9d51ea8d2fb1
diff --git a/net/bind910/patches/patch-lib_dns_hmac_link.c b/net/bind910/patches/patch-lib_dns_hmac_link.c
deleted file mode 100644
index 0827fbf25a7..00000000000
--- a/net/bind910/patches/patch-lib_dns_hmac_link.c
+++ /dev/null
@@ -1,120 +0,0 @@
-$NetBSD: patch-lib_dns_hmac_link.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
-
-CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
-assertion in buffer.c
-
---- lib/dns/hmac_link.c.orig 2015-09-02 00:43:20.000000000 +0000
-+++ lib/dns/hmac_link.c
-@@ -76,7 +76,7 @@ hmacmd5_createctx(dst_key_t *key, dst_co
- hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
- if (hmacmd5ctx == NULL)
- return (ISC_R_NOMEMORY);
-- isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
-+ isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH);
- dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
- return (ISC_R_SUCCESS);
- }
-@@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, c
- else if (hkey1 == NULL || hkey2 == NULL)
- return (ISC_FALSE);
-
-- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH))
-+ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH))
- return (ISC_TRUE);
- else
- return (ISC_FALSE);
-@@ -150,17 +150,17 @@ hmacmd5_generate(dst_key_t *key, int pse
- isc_buffer_t b;
- isc_result_t ret;
- unsigned int bytes;
-- unsigned char data[ISC_SHA1_BLOCK_LENGTH];
-+ unsigned char data[ISC_MD5_BLOCK_LENGTH];
-
- UNUSED(callback);
-
- bytes = (key->key_size + 7) / 8;
-- if (bytes > ISC_SHA1_BLOCK_LENGTH) {
-- bytes = ISC_SHA1_BLOCK_LENGTH;
-- key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
-+ if (bytes > ISC_MD5_BLOCK_LENGTH) {
-+ bytes = ISC_MD5_BLOCK_LENGTH;
-+ key->key_size = ISC_MD5_BLOCK_LENGTH * 8;
- }
-
-- memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
-+ memset(data, 0, ISC_MD5_BLOCK_LENGTH);
- ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
-
- if (ret != ISC_R_SUCCESS)
-@@ -169,7 +169,7 @@ hmacmd5_generate(dst_key_t *key, int pse
- isc_buffer_init(&b, data, bytes);
- isc_buffer_add(&b, bytes);
- ret = hmacmd5_fromdns(key, &b);
-- memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
-+ memset(data, 0, ISC_MD5_BLOCK_LENGTH);
-
- return (ret);
- }
-@@ -223,7 +223,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buff
-
- memset(hkey->key, 0, sizeof(hkey->key));
-
-- if (r.length > ISC_SHA1_BLOCK_LENGTH) {
-+ if (r.length > ISC_MD5_BLOCK_LENGTH) {
- isc_md5_init(&md5ctx);
- isc_md5_update(&md5ctx, r.base, r.length);
- isc_md5_final(&md5ctx, hkey->key);
-@@ -236,6 +236,8 @@ hmacmd5_fromdns(dst_key_t *key, isc_buff
- key->key_size = keylen * 8;
- key->keydata.hmacmd5 = hkey;
-
-+ isc_buffer_forward(data, r.length);
-+
- return (ISC_R_SUCCESS);
- }
-
-@@ -519,6 +521,8 @@ hmacsha1_fromdns(dst_key_t *key, isc_buf
- key->key_size = keylen * 8;
- key->keydata.hmacsha1 = hkey;
-
-+ isc_buffer_forward(data, r.length);
-+
- return (ISC_R_SUCCESS);
- }
-
-@@ -804,6 +808,8 @@ hmacsha224_fromdns(dst_key_t *key, isc_b
- key->key_size = keylen * 8;
- key->keydata.hmacsha224 = hkey;
-
-+ isc_buffer_forward(data, r.length);
-+
- return (ISC_R_SUCCESS);
- }
-
-@@ -1089,6 +1095,8 @@ hmacsha256_fromdns(dst_key_t *key, isc_b
- key->key_size = keylen * 8;
- key->keydata.hmacsha256 = hkey;
-
-+ isc_buffer_forward(data, r.length);
-+
- return (ISC_R_SUCCESS);
- }
-
-@@ -1374,6 +1382,8 @@ hmacsha384_fromdns(dst_key_t *key, isc_b
- key->key_size = keylen * 8;
- key->keydata.hmacsha384 = hkey;
-
-+ isc_buffer_forward(data, r.length);
-+
- return (ISC_R_SUCCESS);
- }
-
-@@ -1659,6 +1669,8 @@ hmacsha512_fromdns(dst_key_t *key, isc_b
- key->key_size = keylen * 8;
- key->keydata.hmacsha512 = hkey;
-
-+ isc_buffer_forward(data, r.length);
-+
- return (ISC_R_SUCCESS);
- }
-
diff --git a/net/bind910/patches/patch-lib_dns_include_dst_dst.h b/net/bind910/patches/patch-lib_dns_include_dst_dst.h
deleted file mode 100644
index d17686bd54e..00000000000
--- a/net/bind910/patches/patch-lib_dns_include_dst_dst.h
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-lib_dns_include_dst_dst.h,v 1.1 2015/09/02 19:46:44 sevan Exp $
-
-CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
-assertion in buffer.c
-
---- lib/dns/include/dst/dst.h.orig 2015-09-02 00:43:20.000000000 +0000
-+++ lib/dns/include/dst/dst.h
-@@ -71,6 +71,7 @@ typedef struct dst_context dst_context_
- #define DST_ALG_HMACSHA256 163 /* XXXMPA */
- #define DST_ALG_HMACSHA384 164 /* XXXMPA */
- #define DST_ALG_HMACSHA512 165 /* XXXMPA */
-+#define DST_ALG_INDIRECT 252
- #define DST_ALG_PRIVATE 254
- #define DST_ALG_EXPAND 255
- #define DST_MAX_ALGS 255
diff --git a/net/bind910/patches/patch-lib_dns_ncache.c b/net/bind910/patches/patch-lib_dns_ncache.c
deleted file mode 100644
index cfcbddbadb1..00000000000
--- a/net/bind910/patches/patch-lib_dns_ncache.c
+++ /dev/null
@@ -1,33 +0,0 @@
-$NetBSD: patch-lib_dns_ncache.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
-
-CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
-assertion in buffer.c
-
---- lib/dns/ncache.c.orig 2015-09-02 00:43:20.000000000 +0000
-+++ lib/dns/ncache.c
-@@ -615,13 +615,11 @@ dns_ncache_getsigrdataset(dns_rdataset_t
- dns_name_fromregion(&tname, &remaining);
- INSIST(remaining.length >= tname.length);
- isc_buffer_forward(&source, tname.length);
-- remaining.length -= tname.length;
-- remaining.base += tname.length;
-+ isc_region_consume(&remaining, tname.length);
-
- INSIST(remaining.length >= 2);
- type = isc_buffer_getuint16(&source);
-- remaining.length -= 2;
-- remaining.base += 2;
-+ isc_region_consume(&remaining, 2);
-
- if (type != dns_rdatatype_rrsig ||
- !dns_name_equal(&tname, name)) {
-@@ -633,8 +631,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t
- INSIST(remaining.length >= 1);
- trust = isc_buffer_getuint8(&source);
- INSIST(trust <= dns_trust_ultimate);
-- remaining.length -= 1;
-- remaining.base += 1;
-+ isc_region_consume(&remaining, 1);
-
- raw = remaining.base;
- count = raw[0] * 256 + raw[1];
diff --git a/net/bind910/patches/patch-lib_dns_openssldh_link.c b/net/bind910/patches/patch-lib_dns_openssldh_link.c
deleted file mode 100644
index 51094da3b13..00000000000
--- a/net/bind910/patches/patch-lib_dns_openssldh_link.c
+++ /dev/null
@@ -1,106 +0,0 @@
-$NetBSD: patch-lib_dns_openssldh_link.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
-
-CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
-assertion in buffer.c
-
---- lib/dns/openssldh_link.c.orig 2015-09-02 00:43:20.000000000 +0000
-+++ lib/dns/openssldh_link.c
-@@ -266,8 +266,10 @@ openssldh_destroy(dst_key_t *key) {
-
- static void
- uint16_toregion(isc_uint16_t val, isc_region_t *region) {
-- *region->base++ = (val & 0xff00) >> 8;
-- *region->base++ = (val & 0x00ff);
-+ *region->base = (val & 0xff00) >> 8;
-+ isc_region_consume(region, 1);
-+ *region->base = (val & 0x00ff);
-+ isc_region_consume(region, 1);
- }
-
- static isc_uint16_t
-@@ -278,7 +280,8 @@ uint16_fromregion(isc_region_t *region)
- val = ((unsigned int)(cp[0])) << 8;
- val |= ((unsigned int)(cp[1]));
-
-- region->base += 2;
-+ isc_region_consume(region, 2);
-+
- return (val);
- }
-
-@@ -319,16 +322,16 @@ openssldh_todns(const dst_key_t *key, is
- }
- else
- BN_bn2bin(dh->p, r.base);
-- r.base += plen;
-+ isc_region_consume(&r, plen);
-
- uint16_toregion(glen, &r);
- if (glen > 0)
- BN_bn2bin(dh->g, r.base);
-- r.base += glen;
-+ isc_region_consume(&r, glen);
-
- uint16_toregion(publen, &r);
- BN_bn2bin(dh->pub_key, r.base);
-- r.base += publen;
-+ isc_region_consume(&r, publen);
-
- isc_buffer_add(data, dnslen);
-
-@@ -369,10 +372,12 @@ openssldh_fromdns(dst_key_t *key, isc_bu
- return (DST_R_INVALIDPUBLICKEY);
- }
- if (plen == 1 || plen == 2) {
-- if (plen == 1)
-- special = *r.base++;
-- else
-+ if (plen == 1) {
-+ special = *r.base;
-+ isc_region_consume(&r, 1);
-+ } else {
- special = uint16_fromregion(&r);
-+ }
- switch (special) {
- case 1:
- dh->p = &bn768;
-@@ -387,10 +392,9 @@ openssldh_fromdns(dst_key_t *key, isc_bu
- DH_free(dh);
- return (DST_R_INVALIDPUBLICKEY);
- }
-- }
-- else {
-+ } else {
- dh->p = BN_bin2bn(r.base, plen, NULL);
-- r.base += plen;
-+ isc_region_consume(&r, plen);
- }
-
- /*
-@@ -421,15 +425,14 @@ openssldh_fromdns(dst_key_t *key, isc_bu
- return (DST_R_INVALIDPUBLICKEY);
- }
- }
-- }
-- else {
-+ } else {
- if (glen == 0) {
- DH_free(dh);
- return (DST_R_INVALIDPUBLICKEY);
- }
- dh->g = BN_bin2bn(r.base, glen, NULL);
- }
-- r.base += glen;
-+ isc_region_consume(&r, glen);
-
- if (r.length < 2) {
- DH_free(dh);
-@@ -441,7 +444,7 @@ openssldh_fromdns(dst_key_t *key, isc_bu
- return (DST_R_INVALIDPUBLICKEY);
- }
- dh->pub_key = BN_bin2bn(r.base, publen, NULL);
-- r.base += publen;
-+ isc_region_consume(&r, publen);
-
- key->key_size = BN_num_bits(dh->p);
-
diff --git a/net/bind910/patches/patch-lib_dns_openssldsa_link.c b/net/bind910/patches/patch-lib_dns_openssldsa_link.c
deleted file mode 100644
index 50b1d39df8b..00000000000
--- a/net/bind910/patches/patch-lib_dns_openssldsa_link.c
+++ /dev/null
@@ -1,103 +0,0 @@
-$NetBSD: patch-lib_dns_openssldsa_link.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
-
-CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
-assertion in buffer.c
-
---- lib/dns/openssldsa_link.c.orig 2015-09-02 00:43:20.000000000 +0000
-+++ lib/dns/openssldsa_link.c
-@@ -137,6 +137,7 @@ openssldsa_sign(dst_context_t *dctx, isc
- DSA *dsa = key->keydata.dsa;
- isc_region_t r;
- DSA_SIG *dsasig;
-+ unsigned int klen;
- #if USE_EVP
- EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
- EVP_PKEY *pkey;
-@@ -188,6 +189,7 @@ openssldsa_sign(dst_context_t *dctx, isc
- ISC_R_FAILURE));
- }
- free(sigbuf);
-+
- #elif 0
- /* Only use EVP for the Digest */
- if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
-@@ -209,11 +211,17 @@ openssldsa_sign(dst_context_t *dctx, isc
- "DSA_do_sign",
- DST_R_SIGNFAILURE));
- #endif
-- *r.base++ = (key->key_size - 512)/64;
-+
-+ klen = (key->key_size - 512)/64;
-+ if (klen > 255)
-+ return (ISC_R_FAILURE);
-+ *r.base = klen;
-+ isc_region_consume(&r, 1);
-+
- BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
-- r.base += ISC_SHA1_DIGESTLENGTH;
-+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
- BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH);
-- r.base += ISC_SHA1_DIGESTLENGTH;
-+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
- DSA_SIG_free(dsasig);
- isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
-
-@@ -446,15 +454,16 @@ openssldsa_todns(const dst_key_t *key, i
- if (r.length < (unsigned int) dnslen)
- return (ISC_R_NOSPACE);
-
-- *r.base++ = t;
-+ *r.base = t;
-+ isc_region_consume(&r, 1);
- BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH);
-- r.base += ISC_SHA1_DIGESTLENGTH;
-+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
- BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
-- r.base += p_bytes;
-+ isc_region_consume(&r, p_bytes);
- BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
-- r.base += p_bytes;
-+ isc_region_consume(&r, p_bytes);
- BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
-- r.base += p_bytes;
-+ isc_region_consume(&r, p_bytes);
-
- isc_buffer_add(data, dnslen);
-
-@@ -479,29 +488,30 @@ openssldsa_fromdns(dst_key_t *key, isc_b
- return (ISC_R_NOMEMORY);
- dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
-
-- t = (unsigned int) *r.base++;
-+ t = (unsigned int) *r.base;
-+ isc_region_consume(&r, 1);
- if (t > 8) {
- DSA_free(dsa);
- return (DST_R_INVALIDPUBLICKEY);
- }
- p_bytes = 64 + 8 * t;
-
-- if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
-+ if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
- DSA_free(dsa);
- return (DST_R_INVALIDPUBLICKEY);
- }
-
- dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
-- r.base += ISC_SHA1_DIGESTLENGTH;
-+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
-
- dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
-- r.base += p_bytes;
-+ isc_region_consume(&r, p_bytes);
-
- dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
-- r.base += p_bytes;
-+ isc_region_consume(&r, p_bytes);
-
- dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
-- r.base += p_bytes;
-+ isc_region_consume(&r, p_bytes);
-
- key->key_size = p_bytes * 8;
-
diff --git a/net/bind910/patches/patch-lib_dns_opensslecdsa_link.c b/net/bind910/patches/patch-lib_dns_opensslecdsa_link.c
deleted file mode 100644
index 4b00806e31f..00000000000
--- a/net/bind910/patches/patch-lib_dns_opensslecdsa_link.c
+++ /dev/null
@@ -1,19 +0,0 @@
-$NetBSD: patch-lib_dns_opensslecdsa_link.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
-
-CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
-assertion in buffer.c
-
---- lib/dns/opensslecdsa_link.c.orig 2015-09-02 00:43:20.000000000 +0000
-+++ lib/dns/opensslecdsa_link.c
-@@ -159,9 +159,9 @@ opensslecdsa_sign(dst_context_t *dctx, i
- "ECDSA_do_sign",
- DST_R_SIGNFAILURE));
- BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
-- r.base += siglen / 2;
-+ isc_region_consume(&r, siglen / 2);
- BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2);
-- r.base += siglen / 2;
-+ isc_region_consume(&r, siglen / 2);
- ECDSA_SIG_free(ecdsasig);
- isc_buffer_add(sig, siglen);
- ret = ISC_R_SUCCESS;
diff --git a/net/bind910/patches/patch-lib_dns_opensslrsa_link.c b/net/bind910/patches/patch-lib_dns_opensslrsa_link.c
deleted file mode 100644
index a087bd8979e..00000000000
--- a/net/bind910/patches/patch-lib_dns_opensslrsa_link.c
+++ /dev/null
@@ -1,64 +0,0 @@
-$NetBSD: patch-lib_dns_opensslrsa_link.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
-
-CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
-assertion in buffer.c
-
---- lib/dns/opensslrsa_link.c.orig 2015-09-02 00:43:20.000000000 +0000
-+++ lib/dns/opensslrsa_link.c
-@@ -964,6 +964,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
- RSA *rsa;
- isc_region_t r;
- unsigned int e_bytes;
-+ unsigned int length;
- #if USE_EVP
- EVP_PKEY *pkey;
- #endif
-@@ -971,6 +972,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0)
- return (ISC_R_SUCCESS);
-+ length = r.length;
-
- rsa = RSA_new();
- if (rsa == NULL)
-@@ -981,17 +983,18 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
- RSA_free(rsa);
- return (DST_R_INVALIDPUBLICKEY);
- }
-- e_bytes = *r.base++;
-- r.length--;
-+ e_bytes = *r.base;
-+ isc_region_consume(&r, 1);
-
- if (e_bytes == 0) {
- if (r.length < 2) {
- RSA_free(rsa);
- return (DST_R_INVALIDPUBLICKEY);
- }
-- e_bytes = ((*r.base++) << 8);
-- e_bytes += *r.base++;
-- r.length -= 2;
-+ e_bytes = (*r.base) << 8;
-+ isc_region_consume(&r, 1);
-+ e_bytes += *r.base;
-+ isc_region_consume(&r, 1);
- }
-
- if (r.length < e_bytes) {
-@@ -999,14 +1002,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
- return (DST_R_INVALIDPUBLICKEY);
- }
- rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
-- r.base += e_bytes;
-- r.length -= e_bytes;
-+ isc_region_consume(&r, e_bytes);
-
- rsa->n = BN_bin2bn(r.base, r.length, NULL);
-
- key->key_size = BN_num_bits(rsa->n);
-
-- isc_buffer_forward(data, r.length);
-+ isc_buffer_forward(data, length);
-
- #if USE_EVP
- pkey = EVP_PKEY_new();
diff --git a/net/bind910/patches/patch-lib_dns_pkcs11dh_link.c b/net/bind910/patches/patch-lib_dns_pkcs11dh_link.c
deleted file mode 100644
index 9f93dd9d408..00000000000
--- a/net/bind910/patches/patch-lib_dns_pkcs11dh_link.c
+++ /dev/null
@@ -1,93 +0,0 @@
-$NetBSD: patch-lib_dns_pkcs11dh_link.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
-
-CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
-assertion in buffer.c
-
---- lib/dns/pkcs11dh_link.c.orig 2015-09-02 00:44:20.000000000 +0000
-+++ lib/dns/pkcs11dh_link.c
-@@ -632,8 +632,10 @@ pkcs11dh_destroy(dst_key_t *key) {
-
- static void
- uint16_toregion(isc_uint16_t val, isc_region_t *region) {
-- *region->base++ = (val & 0xff00) >> 8;
-- *region->base++ = (val & 0x00ff);
-+ *region->base = (val & 0xff00) >> 8;
-+ isc_region_consume(region, 1);
-+ *region->base = (val & 0x00ff);
-+ isc_region_consume(region, 1);
- }
-
- static isc_uint16_t
-@@ -644,7 +646,8 @@ uint16_fromregion(isc_region_t *region)
- val = ((unsigned int)(cp[0])) << 8;
- val |= ((unsigned int)(cp[1]));
-
-- region->base += 2;
-+ isc_region_consume(region, 2);
-+
- return (val);
- }
-
-@@ -708,16 +711,16 @@ pkcs11dh_todns(const dst_key_t *key, isc
- }
- else
- memmove(r.base, prime, plen);
-- r.base += plen;
-+ isc_region_consume(&r, plen);
-
- uint16_toregion(glen, &r);
- if (glen > 0)
- memmove(r.base, base, glen);
-- r.base += glen;
-+ isc_region_consume(&r, glen);
-
- uint16_toregion(publen, &r);
- memmove(r.base, pub, publen);
-- r.base += publen;
-+ isc_region_consume(&r, publen);
-
- isc_buffer_add(data, dnslen);
-
-@@ -764,10 +767,12 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buf
- }
- plen_ = plen;
- if (plen == 1 || plen == 2) {
-- if (plen == 1)
-- special = *r.base++;
-- else
-+ if (plen == 1) {
-+ special = *r.base;
-+ isc_region_consume(&r, 1);
-+ } else {
- special = uint16_fromregion(&r);
-+ }
- switch (special) {
- case 1:
- prime = pk11_dh_bn768;
-@@ -789,7 +794,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buf
- }
- else {
- prime = r.base;
-- r.base += plen;
-+ isc_region_consume(&r, plen);
- }
-
- /*
-@@ -835,7 +840,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buf
- }
- base = r.base;
- }
-- r.base += glen;
-+ isc_region_consume(&r, glen);
-
- if (r.length < 2) {
- memset(dh, 0, sizeof(*dh));
-@@ -849,7 +854,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buf
- return (DST_R_INVALIDPUBLICKEY);
- }
- pub = r.base;
-- r.base += publen;
-+ isc_region_consume(&r, publen);
-
- key->key_size = pk11_numbits(prime, plen_);
-
diff --git a/net/bind910/patches/patch-lib_dns_pkcs11dsa_link.c b/net/bind910/patches/patch-lib_dns_pkcs11dsa_link.c
deleted file mode 100644
index de1cc1e3c07..00000000000
--- a/net/bind910/patches/patch-lib_dns_pkcs11dsa_link.c
+++ /dev/null
@@ -1,97 +0,0 @@
-$NetBSD: patch-lib_dns_pkcs11dsa_link.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
-
-CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
-assertion in buffer.c
-
---- lib/dns/pkcs11dsa_link.c.orig 2015-09-02 00:44:29.000000000 +0000
-+++ lib/dns/pkcs11dsa_link.c
-@@ -388,6 +388,7 @@ pkcs11dsa_sign(dst_context_t *dctx, isc_
- isc_region_t r;
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
- isc_result_t ret = ISC_R_SUCCESS;
-+ unsigned int klen;
-
- isc_buffer_availableregion(sig, &r);
- if (r.length < ISC_SHA1_DIGESTLENGTH * 2 + 1)
-@@ -399,7 +400,10 @@ pkcs11dsa_sign(dst_context_t *dctx, isc_
- if (siglen != ISC_SHA1_DIGESTLENGTH * 2)
- return (DST_R_SIGNFAILURE);
-
-- *r.base = (dctx->key->key_size - 512)/64;
-+ klen = (dctx->key->key_size - 512)/64;
-+ if (klen > 255)
-+ return (ISC_R_FAILURE);
-+ *r.base = klen;
- isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
-
- err:
-@@ -744,23 +748,25 @@ pkcs11dsa_todns(const dst_key_t *key, is
- return (ISC_R_NOSPACE);
-
- memset(r.base, 0, dnslen);
-- *r.base++ = t;
-+ *r.base = t;
-+ isc_region_consume(&r, 1);
-+
- cp = (CK_BYTE *) subprime->pValue;
- memmove(r.base + ISC_SHA1_DIGESTLENGTH - subprime->ulValueLen,
- cp, subprime->ulValueLen);
-- r.base += ISC_SHA1_DIGESTLENGTH;
-+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
- cp = (CK_BYTE *) prime->pValue;
- memmove(r.base + key->key_size/8 - prime->ulValueLen,
- cp, prime->ulValueLen);
-- r.base += p_bytes;
-+ isc_region_consume(&r, p_bytes);
- cp = (CK_BYTE *) base->pValue;
- memmove(r.base + key->key_size/8 - base->ulValueLen,
- cp, base->ulValueLen);
-- r.base += p_bytes;
-+ isc_region_consume(&r, p_bytes);
- cp = (CK_BYTE *) pub_key->pValue;
- memmove(r.base + key->key_size/8 - pub_key->ulValueLen,
- cp, pub_key->ulValueLen);
-- r.base += p_bytes;
-+ isc_region_consume(&r, p_bytes);
-
- isc_buffer_add(data, dnslen);
-
-@@ -784,7 +790,8 @@ pkcs11dsa_fromdns(dst_key_t *key, isc_bu
- return (ISC_R_NOMEMORY);
- memset(dsa, 0, sizeof(*dsa));
-
-- t = (unsigned int) *r.base++;
-+ t = (unsigned int) *r.base;
-+ isc_region_consume(&r, 1);
- if (t > 8) {
- memset(dsa, 0, sizeof(*dsa));
- isc_mem_put(key->mctx, dsa, sizeof(*dsa));
-@@ -792,23 +799,23 @@ pkcs11dsa_fromdns(dst_key_t *key, isc_bu
- }
- p_bytes = 64 + 8 * t;
-
-- if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
-+ if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
- memset(dsa, 0, sizeof(*dsa));
- isc_mem_put(key->mctx, dsa, sizeof(*dsa));
- return (DST_R_INVALIDPUBLICKEY);
- }
-
- subprime = r.base;
-- r.base += ISC_SHA1_DIGESTLENGTH;
-+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
-
- prime = r.base;
-- r.base += p_bytes;
-+ isc_region_consume(&r, p_bytes);
-
- base = r.base;
-- r.base += p_bytes;
-+ isc_region_consume(&r, p_bytes);
-
- pub_key = r.base;
-- r.base += p_bytes;
-+ isc_region_consume(&r, p_bytes);
-
- key->key_size = p_bytes * 8;
-
diff --git a/net/bind910/patches/patch-lib_dns_pkcs11rsa_link.c b/net/bind910/patches/patch-lib_dns_pkcs11rsa_link.c
deleted file mode 100644
index 18745b8c7fe..00000000000
--- a/net/bind910/patches/patch-lib_dns_pkcs11rsa_link.c
+++ /dev/null
@@ -1,67 +0,0 @@
-$NetBSD: patch-lib_dns_pkcs11rsa_link.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
-
-CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
-assertion in buffer.c
-
---- lib/dns/pkcs11rsa_link.c.orig 2015-09-02 00:44:38.000000000 +0000
-+++ lib/dns/pkcs11rsa_link.c
-@@ -791,23 +791,21 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_bu
- unsigned int e_bytes, mod_bytes;
- CK_BYTE *exponent = NULL, *modulus = NULL;
- CK_ATTRIBUTE *attr;
-+ unsigned int length;
-
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0)
- return (ISC_R_SUCCESS);
-+ length = r.length;
-
- rsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa));
- if (rsa == NULL)
- return (ISC_R_NOMEMORY);
-+
- memset(rsa, 0, sizeof(*rsa));
-
-- if (r.length < 1) {
-- memset(rsa, 0, sizeof(*rsa));
-- isc_mem_put(key->mctx, rsa, sizeof(*rsa));
-- return (DST_R_INVALIDPUBLICKEY);
-- }
-- e_bytes = *r.base++;
-- r.length--;
-+ e_bytes = *r.base;
-+ isc_region_consume(&r, 1);
-
- if (e_bytes == 0) {
- if (r.length < 2) {
-@@ -815,9 +813,10 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_bu
- isc_mem_put(key->mctx, rsa, sizeof(*rsa));
- return (DST_R_INVALIDPUBLICKEY);
- }
-- e_bytes = ((*r.base++) << 8);
-- e_bytes += *r.base++;
-- r.length -= 2;
-+ e_bytes = (*r.base) << 8;
-+ isc_region_consume(&r, 1);
-+ e_bytes += *r.base;
-+ isc_region_consume(&r, 1);
- }
-
- if (r.length < e_bytes) {
-@@ -826,14 +825,13 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_bu
- return (DST_R_INVALIDPUBLICKEY);
- }
- exponent = r.base;
-- r.base += e_bytes;
-- r.length -= e_bytes;
-+ isc_region_consume(&r, e_bytes);
- modulus = r.base;
- mod_bytes = r.length;
-
- key->key_size = pk11_numbits(modulus, mod_bytes);
-
-- isc_buffer_forward(data, r.length);
-+ isc_buffer_forward(data, length);
-
- rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
- if (rsa->repr == NULL)
diff --git a/net/bind910/patches/patch-lib_dns_rdata_generic_openpgpkey_61.c b/net/bind910/patches/patch-lib_dns_rdata_generic_openpgpkey_61.c
deleted file mode 100644
index 9f9e0655fc4..00000000000
--- a/net/bind910/patches/patch-lib_dns_rdata_generic_openpgpkey_61.c
+++ /dev/null
@@ -1,16 +0,0 @@
-$NetBSD: patch-lib_dns_rdata_generic_openpgpkey_61.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
-
-CVE-2015-5986 - An incorrect boundary check can trigger a REQUIRE assertion
-failure in openpgpkey_61.c
-
---- lib/dns/rdata/generic/openpgpkey_61.c.orig 2015-09-02 00:43:20.000000000 +0000
-+++ lib/dns/rdata/generic/openpgpkey_61.c
-@@ -81,6 +81,8 @@ fromwire_openpgpkey(ARGS_FROMWIRE) {
- * Keyring.
- */
- isc_buffer_activeregion(source, &sr);
-+ if (sr.length < 1)
-+ return (ISC_R_UNEXPECTEDEND);
- isc_buffer_forward(source, sr.length);
- return (mem_tobuffer(target, sr.base, sr.length));
- }
diff --git a/net/bind910/patches/patch-lib_dns_resolver.c b/net/bind910/patches/patch-lib_dns_resolver.c
deleted file mode 100644
index 0d981217a75..00000000000
--- a/net/bind910/patches/patch-lib_dns_resolver.c
+++ /dev/null
@@ -1,28 +0,0 @@
-$NetBSD: patch-lib_dns_resolver.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
-
-CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
-assertion in buffer.c
-
---- lib/dns/resolver.c.orig 2015-09-02 00:43:20.000000000 +0000
-+++ lib/dns/resolver.c
-@@ -9488,6 +9488,12 @@ dns_resolver_algorithm_supported(dns_res
-
- REQUIRE(VALID_RESOLVER(resolver));
-
-+ /*
-+ * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
-+ */
-+ if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT))
-+ return (ISC_FALSE);
-+
- #if USE_ALGLOCK
- RWLOCK(&resolver->alglock, isc_rwlocktype_read);
- #endif
-@@ -9507,6 +9513,7 @@ dns_resolver_algorithm_supported(dns_res
- #endif
- if (found)
- return (ISC_FALSE);
-+
- return (dst_algorithm_supported(alg));
- }
-