author | schnoebe <schnoebe@pkgsrc.org> | 2014-05-17 18:57:13 +0000 |
---|---|---|
committer | schnoebe <schnoebe@pkgsrc.org> | 2014-05-17 18:57:13 +0000 |
commit | 846a26db159aac4fdcf786238a2986297a8ed6e2 (patch) | |
tree | 4d87ddf3d932680502a72578e150c2adffc30880 | |
parent | 5cd01b8baeb0fc1a5b175a23b9273deacdc56e73 (diff) | |
Pullup ticket #4409 - requested by he
net/ldns: security update
Revisions pulled up:
- net/ldns/Makefile 1.30
- net/ldns/patches/patch_examples_ldns-keygen.c 1.1
---
Module Name: pkgsrc
Committed By: he
Date: Sat May 17 14:55:51 UTC 2014
Modified Files:
pkgsrc/net/ldns: Makefile
Added Files:
pkgsrc/net/ldns/patches: patch_examples_ldns-keygen.c
Log Message:
Add a patch to fix CVE-2014-3209:
Let ldns-keygen create private key file with mode 0600.
Bump PKGREVISION.
-rw-r--r-- | net/ldns/Makefile | 4 | ||||
-rw-r--r-- | net/ldns/patches/patch_examples_ldns-keygen.c | 76 |
2 files changed, 78 insertions, 2 deletions
diff --git a/net/ldns/Makefile b/net/ldns/Makefile
index e301ba2c899..1301a015c47 100644
--- a/net/ldns/Makefile
+++ b/net/ldns/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.29 2014/02/12 23:18:22 tron Exp $
+# $NetBSD: Makefile,v 1.29.2.1 2014/05/17 18:57:13 schnoebe Exp $
 
 DISTNAME= ldns-1.6.16
-PKGREVISION= 3
+PKGREVISION= 4
 CATEGORIES= net
 MASTER_SITES= http://www.nlnetlabs.nl/downloads/ldns/
diff --git a/net/ldns/patches/patch_examples_ldns-keygen.c b/net/ldns/patches/patch_examples_ldns-keygen.c
new file mode 100644
index 00000000000..754de5f40a7
--- /dev/null
+++ b/net/ldns/patches/patch_examples_ldns-keygen.c
@@ -0,0 +1,76 @@
+$NetBSD: patch_examples_ldns-keygen.c,v 1.1.2.2 2014/05/17 18:57:13 schnoebe Exp $
+
+Get bugfix #573: ldns-keygen write private keys with mode 0600.
+From http://git.nlnetlabs.nl/ldns/commit/?h=develop&id=169f38c1e25750f935838b670871056428977e6b
+Fixes CVE-2014-3209.
+
+--- examples/ldns-keygen.c.orig 2010-10-18 13:59:21.000000000 +0000
++++ examples/ldns-keygen.c
+@@ -10,6 +10,9 @@
+ 
+ #include <ldns/ldns.h>
+ 
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <fcntl.h>
+ #include <errno.h>
+ 
+ #ifdef HAVE_SSL
+@@ -48,6 +51,7 @@ int
+ main(int argc, char *argv[])
+ {
+ int c;
++ int fd;
+ char *prog;
+ 
+ /* default key size */
+@@ -250,21 +254,21 @@ main(int argc, char *argv[])
+ /* print the priv key to stderr */
+ filename = LDNS_XMALLOC(char, strlen(owner) + 21);
+ snprintf(filename, strlen(owner) + 20, "K%s+%03u+%05u.private", owner, algorithm, (unsigned int) ldns_key_keytag(key));
+- file = fopen(filename, "w");
++ /* use open() here to prevent creating world-readable private keys (CVE-2014-3209)*/
++ fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
++ if (fd < 0) {
++ goto fail;
++ }
++
++ file = fdopen(fd, "w");
+ if (!file) {
+- fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
+- ldns_key_deep_free(key);
+- free(owner);
+- ldns_rr_free(pubkey);
+- ldns_rr_free(ds);
+- LDNS_FREE(filename);
+- exit(EXIT_FAILURE);
+- } else {
+- ldns_key_print(file, key);
+- fclose(file);
+- LDNS_FREE(filename);
++ goto fail;
+ }
+ 
++ ldns_key_print(file, key);
++ fclose(file);
++ LDNS_FREE(filename);
++
+ /* print the DS to .ds */
+ if (algorithm != LDNS_SIGN_HMACMD5 &&
+ algorithm != LDNS_SIGN_HMACSHA1 &&
+@@ -296,6 +300,15 @@ main(int argc, char *argv[])
+ ldns_rr_free(pubkey);
+ ldns_rr_free(ds);
+ exit(EXIT_SUCCESS);
++
++fail:
++ fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
++ ldns_key_deep_free(key);
++ free(owner);
++ ldns_rr_free(pubkey);
++ ldns_rr_free(ds);
++ LDNS_FREE(filename);
++ exit(EXIT_FAILURE);
+ }
+ #else
+ int
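Review bot: The 0600 mode passed to open() in the inner -250,21 hunk only takes effect when the `.private` file is newly created; if a file of that name already exists (for instance one written by the old fopen() path under a permissive umask), O_TRUNC replaces its contents but leaves the existing, possibly world-readable, mode untouched. Following the successful open with `if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) { close(fd); goto fail; }` would make the restriction hold for overwrites as well; using O_EXCL instead would refuse to overwrite, which is a behaviour change callers may not expect. Separately, when `fdopen()` fails the descriptor returned by open() is not closed before jumping to `fail:`; this is harmless only because that path exits, so `close(fd);` ahead of that `goto fail;` would keep the cleanup self-contained. The body of main() spans several hunks here, so the surrounding control flow is not fully visible.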