From 04777b9bc59614a249195301ec4d940c925555ec Mon Sep 17 00:00:00 2001 From: he Date: Tue, 18 Nov 2014 13:40:56 +0000 Subject: Adapt a fix for SA59651, similar to CVE-2014-3209 from the code branch fro SoftHSMv2: ensure created pkcs8 file is not group- or world-readable. Rename patch-aa to patch-Makefile.in, and add a comment. Bump PKGREVISION. --- security/softhsm/Makefile | 4 +-- security/softhsm/distinfo | 5 ++-- security/softhsm/patches/patch-Makefile.in | 31 +++++++++++++++++++ security/softhsm/patches/patch-aa | 29 ------------------ .../patches/patch-src_bin_softhsm-keyconv.cpp | 35 ++++++++++++++++++++++ 5 files changed, 71 insertions(+), 33 deletions(-) create mode 100644 security/softhsm/patches/patch-Makefile.in delete mode 100644 security/softhsm/patches/patch-aa create mode 100644 security/softhsm/patches/patch-src_bin_softhsm-keyconv.cpp (limited to 'security') diff --git a/security/softhsm/Makefile b/security/softhsm/Makefile index f901d7fcdfe..f9f911361fd 100644 --- a/security/softhsm/Makefile +++ b/security/softhsm/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.26 2014/10/07 16:47:14 adam Exp $ +# $NetBSD: Makefile,v 1.27 2014/11/18 13:40:56 he Exp $ # DISTNAME= softhsm-1.3.7 -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= security MASTER_SITES= http://www.opendnssec.org/files/source/ diff --git a/security/softhsm/distinfo b/security/softhsm/distinfo index e0f9ac4509d..a2893448348 100644 --- a/security/softhsm/distinfo +++ b/security/softhsm/distinfo 
@@ -1,6 +1,7 @@ -$NetBSD: distinfo,v 1.12 2014/06/07 20:37:25 pettai Exp $ +$NetBSD: distinfo,v 1.13 2014/11/18 13:40:56 he Exp $ SHA1 (softhsm-1.3.7.tar.gz) = e8bf4269472f9e63d1dfeda238b1d542d6c036f2 RMD160 (softhsm-1.3.7.tar.gz) = bb11177520ca2fd62200a9b23d66c1b32eeb5104 Size (softhsm-1.3.7.tar.gz) = 438437 bytes -SHA1 (patch-aa) = 480865e0a50759d582380573c0254bcdb517ddfe +SHA1 (patch-Makefile.in) = ab9a9db898e4c1600bf9d5b28b27759e33c204b3 +SHA1 (patch-src_bin_softhsm-keyconv.cpp) = 07f7ebe070047cfbbee461595effe2c7de9caef6 diff --git a/security/softhsm/patches/patch-Makefile.in b/security/softhsm/patches/patch-Makefile.in new file mode 100644 index 00000000000..9fabf1bdf9a --- /dev/null +++ b/security/softhsm/patches/patch-Makefile.in @@ -0,0 +1,31 @@ +$NetBSD: patch-Makefile.in,v 1.1 2014/11/18 13:40:57 he Exp $ + +Tweak install-data-hook target. + +--- Makefile.in.orig 2012-05-09 18:41:49.000000000 +0000 ++++ Makefile.in +@@ -271,6 +271,7 @@ sharedstatedir = @sharedstatedir@ + softhsmdbdir = @softhsmdbdir@ + srcdir = @srcdir@ + sysconfdir = @sysconfdir@ ++EGDIR = @EGDIR@ + target_alias = @target_alias@ + top_build_prefix = @top_build_prefix@ + top_builddir = @top_builddir@ +@@ -869,11 +870,11 @@ uninstall-man: uninstall-man5 + + + install-data-hook: +- test -d ${DESTDIR}${sysconfdir} || \ +- ${INSTALL} -d ${DESTDIR}${sysconfdir} +- test -f ${DESTDIR}${sysconfdir}/softhsm.conf || \ +- ${INSTALL_DATA} ${top_builddir}/softhsm.conf ${DESTDIR}${sysconfdir} +- ${INSTALL_DATA} ${top_builddir}/softhsm.conf ${DESTDIR}${sysconfdir}/softhsm.conf.sample ++ test -d ${DESTDIR}${EGDIR} || \ ++ ${INSTALL} -d ${DESTDIR}${EGDIR} ++ test -f ${DESTDIR}${EGDIR}/softhsm.conf || \ ++ ${INSTALL_DATA} ${top_builddir}/softhsm.conf ${DESTDIR}${EGDIR} ++ ${INSTALL_DATA} ${top_builddir}/softhsm.conf ${DESTDIR}${EGDIR}/softhsm.conf.sample + test -d ${DESTDIR}${softhsmdbdir} || \ + ${INSTALL} -d -m 700 ${DESTDIR}${softhsmdbdir} + 
diff --git a/security/softhsm/patches/patch-aa b/security/softhsm/patches/patch-aa deleted file mode 100644 index a5b477f4bd6..00000000000 --- a/security/softhsm/patches/patch-aa +++ /dev/null @@ -1,29 +0,0 @@ -$NetBSD: patch-aa,v 1.3 2012/05/23 10:05:44 pettai Exp $ - ---- Makefile.in.orig 2012-05-09 18:41:49.000000000 +0000 -+++ Makefile.in -@@ -271,6 +271,7 @@ sharedstatedir = @sharedstatedir@ - softhsmdbdir = @softhsmdbdir@ - srcdir = @srcdir@ - sysconfdir = @sysconfdir@ -+EGDIR = @EGDIR@ - target_alias = @target_alias@ - top_build_prefix = @top_build_prefix@ - top_builddir = @top_builddir@ -@@ -869,11 +870,11 @@ uninstall-man: uninstall-man5 - - - install-data-hook: -- test -d ${DESTDIR}${sysconfdir} || \ -- ${INSTALL} -d ${DESTDIR}${sysconfdir} -- test -f ${DESTDIR}${sysconfdir}/softhsm.conf || \ -- ${INSTALL_DATA} ${top_builddir}/softhsm.conf ${DESTDIR}${sysconfdir} -- ${INSTALL_DATA} ${top_builddir}/softhsm.conf ${DESTDIR}${sysconfdir}/softhsm.conf.sample -+ test -d ${DESTDIR}${EGDIR} || \ -+ ${INSTALL} -d ${DESTDIR}${EGDIR} -+ test -f ${DESTDIR}${EGDIR}/softhsm.conf || \ -+ ${INSTALL_DATA} ${top_builddir}/softhsm.conf ${DESTDIR}${EGDIR} -+ ${INSTALL_DATA} ${top_builddir}/softhsm.conf ${DESTDIR}${EGDIR}/softhsm.conf.sample - test -d ${DESTDIR}${softhsmdbdir} || \ - ${INSTALL} -d -m 700 ${DESTDIR}${softhsmdbdir} - diff --git a/security/softhsm/patches/patch-src_bin_softhsm-keyconv.cpp b/security/softhsm/patches/patch-src_bin_softhsm-keyconv.cpp new file mode 100644 index 00000000000..372b12cab2e --- /dev/null +++ b/security/softhsm/patches/patch-src_bin_softhsm-keyconv.cpp 
@@ -0,0 +1,35 @@
+$NetBSD: patch-src_bin_softhsm-keyconv.cpp,v 1.1 2014/11/18 13:40:57 he Exp $
+
+Adapt fix for SA59651, similar to CVE-2014-3209, from
+https://github.com/bellgrim/SoftHSMv2/commit/492447cd4a2be449e99fb9ad2519ea3277aaad28
+Ensure created pkcs8 file is not group- or world-readable.
+
+--- src/bin/softhsm-keyconv.cpp.orig 2014-05-28 05:59:14.000000000 +0000
++++ src/bin/softhsm-keyconv.cpp
+@@ -48,6 +48,10 @@
+ #include
+ #include
+ #include
++#include
++#include
++#include
++#include
+
+ void usage() {
+ printf("Converting between BIND .private-key format and PKCS#8 key file format.\n");
+@@ -391,6 +395,15 @@ int to_pkcs8(char *in_path, char *out_pa
+ return 1;
+ }
+
++ // Create and set file permissions if the file does not exist.
++ int fd = open(out_path, O_CREAT, S_IRUSR | S_IWUSR);
++ if (fd == -1) {
++ fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
++ out_path, errno);
++ return 1;
++ }
++ ::close(fd);
++
+ // Save the the key to the disk
+ switch(algorithm) {
+ case DNS_KEYALG_ERROR:
--
cgit v1.2.3
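Review bot: The added `int fd = open(out_path, O_CREAT, S_IRUSR | S_IWUSR);` only restricts a file it creates, because open() applies the mode argument solely at creation; when out_path already exists its current permissions are kept, and since the save code that follows (outside this hunk) presumably still writes the key to that path, a pre-existing group- or world-readable file, or a symlink planted in a shared directory, is not covered by the fix, even though the comment above the call acknowledges the "does not exist" case. A tighter version keeps the descriptor useful before closing it, e.g. `int fd = open(out_path, O_CREAT | O_NOFOLLOW, S_IRUSR | S_IWUSR);` followed by `if (fchmod(fd, S_IRUSR | S_IWUSR) == -1) { ::close(fd); return 1; }`, so existing files are also locked down and a symlink at out_path is refused rather than followed (O_NOFOLLOW availability should be confirmed for the targeted platforms; the creation mode is additionally subject to the process umask, which can only tighten it). The close-then-reopen-by-name sequence also leaves a window in which the file can be replaced before the later write, which only passing the open descriptor down to the save path would remove; that path is outside the hunk. to_pkcs8's body starts and ends outside the hunk.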