From 846a26db159aac4fdcf786238a2986297a8ed6e2 Mon Sep 17 00:00:00 2001 From: schnoebe Date: Sat, 17 May 2014 18:57:13 +0000 Subject: Pullup ticket #4409 - requested by he net/ldns: security update Revisions pulled up: - net/ldns/Makefile 1.30 - net/ldns/patches/patch_examples_ldns-keygen.c 1.1 --- Module Name: pkgsrc Committed By: he Date: Sat May 17 14:55:51 UTC 2014 Modified Files: pkgsrc/net/ldns: Makefile Added Files: pkgsrc/net/ldns/patches: patch_examples_ldns-keygen.c Log Message: Add a patch to fix CVE-2014-3209: Let ldns-keygen create private key file with mode 0600. Bump PKGREVISION. --- net/ldns/Makefile | 4 +- net/ldns/patches/patch_examples_ldns-keygen.c | 76 +++++++++++++++++++++++++++ 2 files changed, 78 insertions(+), 2 deletions(-) create mode 100644 net/ldns/patches/patch_examples_ldns-keygen.c diff --git a/net/ldns/Makefile b/net/ldns/Makefile index e301ba2c899..1301a015c47 100644 --- a/net/ldns/Makefile +++ b/net/ldns/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.29 2014/02/12 23:18:22 tron Exp $ +# $NetBSD: Makefile,v 1.29.2.1 2014/05/17 18:57:13 schnoebe Exp $ DISTNAME= ldns-1.6.16 -PKGREVISION= 3 +PKGREVISION= 4 CATEGORIES= net MASTER_SITES= http://www.nlnetlabs.nl/downloads/ldns/ diff --git a/net/ldns/patches/patch_examples_ldns-keygen.c b/net/ldns/patches/patch_examples_ldns-keygen.c new file mode 100644 index 00000000000..754de5f40a7 --- /dev/null +++ b/net/ldns/patches/patch_examples_ldns-keygen.c @@ -0,0 +1,76 @@ +$NetBSD: patch_examples_ldns-keygen.c,v 1.1.2.2 2014/05/17 18:57:13 schnoebe Exp $ + +Get bugfix #573: ldns-keygen write private keys with mode 0600. +From http://git.nlnetlabs.nl/ldns/commit/?h=develop&id=169f38c1e25750f935838b670871056428977e6b +Fixes CVE-2014-3209. + +--- examples/ldns-keygen.c.orig 2010-10-18 13:59:21.000000000 +0000 ++++ examples/ldns-keygen.c +@@ -10,6 +10,9 @@ + + #include + ++#include ++#include ++#include + #include + + #ifdef HAVE_SSL +@@ -48,6 +51,7 @@ int + main(int argc, char *argv[]) + { + int c; ++ int fd; + char *prog; + + /* default key size */ +@@ -250,21 +254,21 @@ main(int argc, char *argv[]) + /* print the priv key to stderr */ + filename = LDNS_XMALLOC(char, strlen(owner) + 21); + snprintf(filename, strlen(owner) + 20, "K%s+%03u+%05u.private", owner, algorithm, (unsigned int) ldns_key_keytag(key)); +- file = fopen(filename, "w"); ++ /* use open() here to prevent creating world-readable private keys (CVE-2014-3209)*/ ++ fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR); ++ if (fd < 0) { ++ goto fail; ++ } ++ ++ file = fdopen(fd, "w"); + if (!file) { +- fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno)); +- ldns_key_deep_free(key); +- free(owner); +- ldns_rr_free(pubkey); +- ldns_rr_free(ds); +- LDNS_FREE(filename); +- exit(EXIT_FAILURE); +- } else { +- ldns_key_print(file, key); +- fclose(file); +- LDNS_FREE(filename); ++ goto fail; + } + ++ ldns_key_print(file, key); ++ fclose(file); ++ LDNS_FREE(filename); ++ + /* print the DS to .ds */ + if (algorithm != LDNS_SIGN_HMACMD5 && + algorithm != LDNS_SIGN_HMACSHA1 && +@@ -296,6 +300,15 @@ main(int argc, char *argv[]) + ldns_rr_free(pubkey); + ldns_rr_free(ds); + exit(EXIT_SUCCESS); ++ ++fail: ++ fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno)); ++ ldns_key_deep_free(key); ++ free(owner); ++ ldns_rr_free(pubkey); ++ ldns_rr_free(ds); ++ LDNS_FREE(filename); ++ exit(EXIT_FAILURE); + } + #else + int -- cgit v1.2.3