dnsmasq-devel: add test release 2.85rc1

This is to fix a port randomization flaw that subjects dnsmasq to a cache poisoning attack.

ChangeLog:
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=CHANGELOG;h=155fc966f9542259596b41594f4b85775d1f9c9a;hb=023ace8e54c2e83e88082a1073a281d659f2a860#l1

Add CONFLICTS_INSTALL markers.

Security: CVE-2021-3448
Security: 5b72b1ff-877c-11eb-bd4f-2f1d57dafe46

8 files changed, 302 insertions, 1 deletions

diff --git a/dns/Makefile b/dns/Makefile
index afc8e3f4ee11..7fa0217f84aa 100644
--- a/dns/Makefile
+++ b/dns/Makefile
@@ -48,6 +48,7 @@
     SUBDIR += dnshistory
     SUBDIR += dnsjava
     SUBDIR += dnsmasq
+    SUBDIR += dnsmasq-devel
     SUBDIR += dnsmax-perl
     SUBDIR += dnsproxy
     SUBDIR += dnsrecon
diff --git a/dns/dnsmasq-devel/Makefile b/dns/dnsmasq-devel/Makefile
new file mode 100644
index 000000000000..4d7bab8d9337
--- /dev/null
+++ b/dns/dnsmasq-devel/Makefile
@@ -0,0 +1,146 @@
+# Created by: Steven Honson
+# $FreeBSD$
+
+PORTNAME=	dnsmasq
+DISTVERSION=	2.85rc1
+# Leave the PORTREVISION in even if 0 to avoid accidental PORTEPOCH bumps:
+PORTREVISION=	0
+PORTEPOCH=	1
+CATEGORIES=	dns
+MASTER_SITES=	https://www.thekelleys.org.uk/dnsmasq/release-candidates/ \
+		LOCAL/mandree/
+PKGNAMESUFFIX=	-devel
+
+MAINTAINER=	mandree@FreeBSD.org
+COMMENT=	Lightweight DNS forwarder, DHCP, and TFTP server
+
+LICENSE=	GPLv2
+
+USES=		cpe shebangfix tar:xz
+CPE_VENDOR=	thekelleys
+
+SHEBANG_FILES=	contrib/dnslist/dnslist.pl \
+		contrib/dynamic-dnsmasq/dynamic-dnsmasq.pl
+
+MAKE_ARGS=	CC="${CC}" \
+		CFLAGS="${CFLAGS}" \
+		COPTS="${CFLAGS}" \
+		LIBS="${LDFLAGS}" \
+		PREFIX="${PREFIX}" \
+		RPM_OPT_FLAGS="${CPPFLAGS}"
+CFLAGS+=	-Wall -Wno-unused-function -Wno-unused-parameter \
+		-Wno-unused-value -Wno-unused-variable
+CPPFLAGS+=	-I${LOCALBASE}/include
+
+CONFLICTS_INSTALL=	dnsmasq-2*
+PATCH_STRIP=	-p1
+SUB_FILES=	pkg-message
+
+PORTDOCS=	CHANGELOG CHANGELOG.archive FAQ doc.html setup.html
+
+OPTIONS_DEFINE=		DBUS DNSSEC DOCS IPSET IPV6 LUA
+OPTIONS_DEFAULT=	DNSSEC IPSET
+OPTIONS_RADIO=		INTL
+OPTIONS_RADIO_INTL=	IDN NLS
+OPTIONS_EXCLUDE+=	EXAMPLES
+
+DNSSEC_DESC=	Enable DNSSEC caching and validation (needs nettle)
+IDN_DESC=	IDN: Int'l Domain Names WITHOUT full NLS
+INTL_DESC=	Internationalization Support Level
+IPSET_DESC=	Dynamic firewall management of resolved names (needs PF)
+LUA_DESC=	Support lease-change scripts written in Lua
+NLS_DESC=	IDN+NLS: Int'l Domain Names & National Language support
+
+IPSET_CFLAGS_OFF=	-DNO_IPSET
+IPV6_CFLAGS_OFF=	-DNO_IPV6
+
+.include <bsd.port.options.mk>
+
+.if ${PORT_OPTIONS:MNLS}
+USES+=		gettext gmake iconv pkgconfig
+CFLAGS+=	-DHAVE_LIBIDN2
+LIB_DEPENDS+=	libidn2.so:dns/libidn2
+PLIST_SUB+=	NLS=""
+ALL_TARGET=	all-i18n
+_intllibs=	-lidn2 -lintl
+.else
+_intllibs=
+PLIST_SUB+=	NLS="@comment "
+.if ${PORT_OPTIONS:MIDN}
+USES+=		iconv
+CFLAGS+=	-DHAVE_LIBIDN2
+LIB_DEPENDS+=	libidn2.so:dns/libidn2
+_intllibs+=	-lidn2
+.endif
+.endif
+
+.if ${PORT_OPTIONS:MDBUS}
+LIB_DEPENDS+=	libdbus-1.so:devel/dbus
+USES+=		pkgconfig
+CPPFLAGS+=	`pkg-config --cflags dbus-1`
+CFLAGS+=	-DHAVE_DBUS
+LDFLAGS+=	`pkg-config --libs dbus-1`
+.endif
+
+.if ${PORT_OPTIONS:MLUA}
+CPPFLAGS+=	-I${LUA_INCDIR}
+CFLAGS+=	-DHAVE_LUASCRIPT
+LDFLAGS+=	-L${LUA_LIBDIR} -llua-${LUA_VER}
+USES+=		lua pkgconfig
+.endif
+
+.if ${PORT_OPTIONS:MDNSSEC}
+CFLAGS+=	-DHAVE_DNSSEC -I${LOCALBASE}/include
+USES+=		pkgconfig
+LIB_DEPENDS+=	libgmp.so:math/gmp \
+		libnettle.so:security/nettle
+.endif
+
+USE_RC_SUBR=	dnsmasq
+
+.include <bsd.port.pre.mk>
+
+LDFLAGS+=	-L${LOCALBASE}/lib ${_intllibs} ${ICONV_LIB}
+
+post-patch:
+	${REINPLACE_CMD} -e '/^lua_/s/lua5\.2/lua-${LUA_VER}/' ${WRKSRC}/Makefile
+	${REINPLACE_CMD} -e 's/ifr\.ifr_ifindex/ifr.ifr_index/' ${WRKSRC}/src/network.c
+
+pre-configure: pretty-print-config
+.if ${PORT_OPTIONS:MIDN}
+.if empty(PORT_OPTIONS:MNLS)
+	@if ${READELF} -d ${LOCALBASE}/lib/libidn2.so \
+		| ${EGREP} -q '\<NEEDED\>.*\[libintl\.so' ; \
+	then ${ECHO} ; ${ECHO} 'WARNING: dns/libidn2 was compiled with NLS support!' ; \
+	${ECHO} 'Recompile libidn2 WITHOUT_NLS to get rid of NLS dependencies.' ; ${ECHO} ; \
+	fi
+.else
+	@${ECHO} 'WARNING: IDN and NLS enabled, building IDN WITH NLS.'
+.endif
+.endif
+
+do-install:
+	${INSTALL_PROGRAM} ${WRKSRC}/src/dnsmasq ${STAGEDIR}${PREFIX}/sbin
+	${INSTALL_DATA} ${WRKSRC}/dnsmasq.conf.example ${STAGEDIR}${PREFIX}/etc/dnsmasq.conf.sample
+	${REINPLACE_CMD} -i '' 's}%%PREFIX%%}${PREFIX}}' ${STAGEDIR}${PREFIX}/etc/dnsmasq.conf.sample
+	${INSTALL_MAN} ${WRKSRC}/man/${PORTNAME}.8 ${STAGEDIR}${PREFIX}/man/man8
+	${MKDIR} ${STAGEDIR}${DATADIR}
+	${INSTALL_DATA} ${WRKSRC}/trust-anchors.conf ${STAGEDIR}${DATADIR}/
+.if ${PORT_OPTIONS:MDOCS}
+	@${MKDIR} ${STAGEDIR}${DOCSDIR}
+	cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}
+.endif
+.if ${PORT_OPTIONS:MNLS}
+.for i in de es fi fr id it no pl pt_BR ro
+	${MKDIR} ${STAGEDIR}${PREFIX}/share/locale/${i}/LC_MESSAGES
+	${INSTALL_DATA} ${WRKSRC}/src/${i}.mo \
+		${STAGEDIR}${PREFIX}/share/locale/${i}/LC_MESSAGES/${PORTNAME}.mo
+.endfor
+.endif
+	${MKDIR} ${STAGEDIR}${EXAMPLESDIR}/dynamic-dnsmasq ${STAGEDIR}${EXAMPLESDIR}/dnslist
+	${INSTALL_SCRIPT} ${WRKSRC}/contrib/dynamic-dnsmasq/dynamic-dnsmasq.pl ${STAGEDIR}${EXAMPLESDIR}/dynamic-dnsmasq/
+	${INSTALL_SCRIPT} ${WRKSRC}/contrib/dnslist/dnslist.pl ${STAGEDIR}${EXAMPLESDIR}/dnslist/
+	${INSTALL_DATA} ${WRKSRC}/contrib/dnslist/dhcp.css ${STAGEDIR}${EXAMPLESDIR}/dnslist/
+	${INSTALL_DATA} ${WRKSRC}/contrib/dnslist/dnslist.tt2 ${STAGEDIR}${EXAMPLESDIR}/dnslist/
+
+.include <bsd.port.post.mk>
diff --git a/dns/dnsmasq-devel/distinfo b/dns/dnsmasq-devel/distinfo
new file mode 100644
index 000000000000..925def555089
--- /dev/null
+++ b/dns/dnsmasq-devel/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1616024487
+SHA256 (dnsmasq-2.85rc1.tar.xz) = 97bf5b606f0a5a9e439b464ac5d2296f64b0b19723985e5bc330beda6407a09a
+SIZE (dnsmasq-2.85rc1.tar.xz) = 537632
diff --git a/dns/dnsmasq-devel/files/dnsmasq.in b/dns/dnsmasq-devel/files/dnsmasq.in
new file mode 100644
index 000000000000..de9da9249b40
--- /dev/null
+++ b/dns/dnsmasq-devel/files/dnsmasq.in
@@ -0,0 +1,99 @@
+#!/bin/sh
+
+# $FreeBSD$
+#
+# PROVIDE: dnsmasq
+# REQUIRE: SERVERS ldconfig
+# BEFORE:  DAEMON named
+# KEYWORD: shutdown
+#
+# Start before named so as not to break named_wait if named is
+# enabled and /etc/resolv.conf points to ourselves (dnsmasq).
+#
+#
+# Please add the following line to /etc/rc.conf.local or /etc/rc.conf to
+# enable the dnsmasq service(s):
+#
+# dnsmasq_enable (bool):  Set to "NO" by default.
+#                         Set it to "YES" to enable dnsmasq at boot.
+#
+# Further settings you can change in /etc/rc.conf if desired:
+#
+# dnsmasq_conf (path):    Set to %%PREFIX%%/etc/dnsmasq.conf by default.
+#                         Set it to another configuration file if you want.
+#
+# dnsmasq_flags (string): Empty by default. Set it to additional command
+#                         line arguments if desired.
+#
+# dnsmasq_restart (bool): Set to "YES" by default.
+#                         If "YES", a "reload" action will trigger a "restart"
+#                         if the configuration file has changed, to work
+#                         around a dnsmasq(8) limitation.
+#
+#
+# Additional actions supported by this script:
+#
+# reload        Reload database files by sending SIGHUP and SIGUSR2.
+#               However, if dnsmasq_restart is true (see above) and the
+#               configuration file has changed since this rc script has
+#               started dnsmasq, restart it instead.
+#
+# logstats      Dump statistics information to where dnsmasq is configured to
+#               log (syslog by default). This sends SIGUSR1 to dnsmasq.
+#
+
+. /etc/rc.subr
+
+name=dnsmasq
+rcvar=dnsmasq_enable
+
+command="%%PREFIX%%/sbin/${name}"
+pidfile="/var/run/${name}.pid"
+# timestamp (below) is used to check if "reload" should be a "restart" instead
+timestamp="/var/run/${name}.stamp"
+
+load_rc_config "${name}"
+
+: ${dnsmasq_enable="NO"}
+: ${dnsmasq_conf="%%PREFIX%%/etc/${name}.conf"}
+: ${dnsmasq_restart="YES"}
+
+command_args="-x $pidfile -C $dnsmasq_conf"
+
+required_files="${dnsmasq_conf}"
+extra_commands="reload logstats"
+
+reload_precmd="reload_pre"
+reload_postcmd="reload_post"
+start_postcmd="timestampconf"
+stop_precmd="rmtimestamp"
+logstats_cmd="logstats"
+
+reload_pre() {
+        if [ "$dnsmasq_conf" -nt "${timestamp}" ] ; then
+                if checkyesno dnsmasq_restart ; then
+                        info "restart: $dnsmasq_conf changed"
+                        exec "$0" restart
+                else
+                        warn "restart required, $dnsmasq_conf changed"
+                fi
+        fi
+}
+
+reload_post() {
+        kill -USR2 ${rc_pid}
+}
+
+logstats() {
+        kill -USR1 ${rc_pid}
+}
+
+timestampconf() {
+        touch -r "${dnsmasq_conf}" "${timestamp}"
+}
+
+rmtimestamp() {
+        rm -f "${timestamp}"
+}
+
+run_rc_command "$1"
diff --git a/dns/dnsmasq-devel/files/pkg-message.in b/dns/dnsmasq-devel/files/pkg-message.in
new file mode 100644
index 000000000000..ea0fda8b3e92
--- /dev/null
+++ b/dns/dnsmasq-devel/files/pkg-message.in
@@ -0,0 +1,18 @@
+[
+{
+message: <<EOM
+To enable dnsmasq, edit %%PREFIX%%/etc/dnsmasq.conf and
+set dnsmasq_enable="YES" in /etc/rc.conf[.local]
+
+Further options and actions are documented inside
+%%PREFIX%%/etc/rc.d/dnsmasq
+
+SECURITY RECOMMENDATION
+~~~~~~~~~~~~~~~~~~~~~~~
+It is recommended to enable the wpad-related options
+at the end of the configuration file (you may need to
+copy them from the example file to yours) to fix
+CERT Vulnerability VU#598349.
+EOM
+}
+]
diff --git a/dns/dnsmasq-devel/pkg-descr b/dns/dnsmasq-devel/pkg-descr
new file mode 100644
index 000000000000..ad791e101ed9
--- /dev/null
+++ b/dns/dnsmasq-devel/pkg-descr
@@ -0,0 +1,14 @@
+Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP server. It
+is designed to provide DNS and, optionally, DHCP, to a small network. It can
+serve the names of local machines which are not in the global DNS. The DHCP
+server integrates with the DNS server and allows machines with DHCP-allocated
+addresses to appear in the DNS with names configured either in each host or in
+a central configuration file. Dnsmasq supports static and dynamic DHCP leases
+and BOOTP/TFTP/PXE for network booting of diskless machines.
+
+Dnsmasq is targeted at home networks using NAT and connected to the internet
+via a modem, cable-modem or ADSL connection but would be a good choice for any
+smallish network (up to 1000 clients is known to work) where low resource use
+and ease of configuration are important. 			-- Simon Kelley
+
+WWW: http://www.thekelleys.org.uk/dnsmasq/doc.html
diff --git a/dns/dnsmasq-devel/pkg-plist b/dns/dnsmasq-devel/pkg-plist
new file mode 100644
index 000000000000..7b4f201b6fe9
--- /dev/null
+++ b/dns/dnsmasq-devel/pkg-plist
@@ -0,0 +1,18 @@
+sbin/dnsmasq
+@sample etc/dnsmasq.conf.sample
+man/man8/dnsmasq.8.gz
+%%DATADIR%%/trust-anchors.conf
+%%EXAMPLESDIR%%/dnslist/dhcp.css
+%%EXAMPLESDIR%%/dnslist/dnslist.pl
+%%EXAMPLESDIR%%/dnslist/dnslist.tt2
+%%EXAMPLESDIR%%/dynamic-dnsmasq/dynamic-dnsmasq.pl
+%%NLS%%share/locale/de/LC_MESSAGES/dnsmasq.mo
+%%NLS%%share/locale/es/LC_MESSAGES/dnsmasq.mo
+%%NLS%%share/locale/fi/LC_MESSAGES/dnsmasq.mo
+%%NLS%%share/locale/fr/LC_MESSAGES/dnsmasq.mo
+%%NLS%%share/locale/id/LC_MESSAGES/dnsmasq.mo
+%%NLS%%share/locale/it/LC_MESSAGES/dnsmasq.mo
+%%NLS%%share/locale/no/LC_MESSAGES/dnsmasq.mo
+%%NLS%%share/locale/pl/LC_MESSAGES/dnsmasq.mo
+%%NLS%%share/locale/pt_BR/LC_MESSAGES/dnsmasq.mo
+%%NLS%%share/locale/ro/LC_MESSAGES/dnsmasq.mo
diff --git a/dns/dnsmasq/Makefile b/dns/dnsmasq/Makefile
index 503220567bc3..1040abd23c04 100644
--- a/dns/dnsmasq/Makefile
+++ b/dns/dnsmasq/Makefile
@@ -9,11 +9,12 @@ PORTEPOCH=	1
 CATEGORIES=	dns
 MASTER_SITES=	https://www.thekelleys.org.uk/dnsmasq/ \
 		LOCAL/mandree/
-PATCH_STRIP=	-p1
 
 MAINTAINER=	mandree@FreeBSD.org
 COMMENT=	Lightweight DNS forwarder, DHCP, and TFTP server
 
+CONFLICTS_INSTALL=	dnsmasq-devel-*
+
 LICENSE=	GPLv2
 
 USES=		cpe shebangfix tar:xz
@@ -34,6 +35,7 @@ CPPFLAGS+=	-I${LOCALBASE}/include
 
 CONFLICTS_INSTALL=	dnsmasq-devel-*
 
+PATCH_STRIP=	-p1
 SUB_FILES=	pkg-message
 
 PORTDOCS=	CHANGELOG CHANGELOG.archive FAQ doc.html setup.html