Sat May 17 18:57:13 2014 UTC ()
Pullup ticket #4409 - requested by he
net/ldns: security update
Revisions pulled up:
- net/ldns/Makefile 1.30
- net/ldns/patches/patch_examples_ldns-keygen.c 1.1
---
Module Name: pkgsrc
Committed By: he
Date: Sat May 17 14:55:51 UTC 2014
Modified Files:
pkgsrc/net/ldns: Makefile
Added Files:
pkgsrc/net/ldns/patches: patch_examples_ldns-keygen.c
Log Message:
Add a patch to fix CVE-2014-3209:
Let ldns-keygen create private key file with mode 0600.
Bump PKGREVISION.
(schnoebe)
diff -r1.29 -r1.29.2.1 pkgsrc/net/ldns/Makefile
diff -r0 -r1.1.2.2 pkgsrc/net/ldns/patches/patch_examples_ldns-keygen.c
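--- a/pkgsrc/net/ldns/Makefile
+++ b/pkgsrc/net/ldns/Makefile
@@ -1,17 +1,17 @@
-# $NetBSD: Makefile,v 1.29 2014/02/12 23:18:22 tron Exp $
+# $NetBSD: Makefile,v 1.29.2.1 2014/05/17 18:57:13 schnoebe Exp $
 
 DISTNAME= ldns-1.6.16
-PKGREVISION= 3
+PKGREVISION= 4
 CATEGORIES= net
 MASTER_SITES= http://www.nlnetlabs.nl/downloads/ldns/
 
 MAINTAINER= he@NetBSD.org
 HOMEPAGE= http://www.nlnetlabs.nl/projects/ldns/
 COMMENT= Library for simplified DNS programming
 LICENSE= modified-bsd
 
 USE_TOOLS+= gmake perl
 USE_LIBTOOL= yes
 GNU_CONFIGURE= yes
 
 REPLACE_PERL= doc/doxyparse.pl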
$NetBSD: patch_examples_ldns-keygen.c,v 1.1.2.2 2014/05/17 18:57:13 schnoebe Exp $
Get bugfix #573: ldns-keygen write private keys with mode 0600.
From http://git.nlnetlabs.nl/ldns/commit/?h=develop&id=169f38c1e25750f935838b670871056428977e6b
Fixes CVE-2014-3209.
--- examples/ldns-keygen.c.orig 2010-10-18 13:59:21.000000000 +0000
+++ examples/ldns-keygen.c
@@ -10,6 +10,9 @@
#include <ldns/ldns.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
#include <errno.h>
#ifdef HAVE_SSL
@@ -48,6 +51,7 @@ int
main(int argc, char *argv[])
{
int c;
+ int fd;
char *prog;
/* default key size */
@@ -250,21 +254,21 @@ main(int argc, char *argv[])
/* print the priv key to stderr */
filename = LDNS_XMALLOC(char, strlen(owner) + 21);
snprintf(filename, strlen(owner) + 20, "K%s+%03u+%05u.private", owner, algorithm, (unsigned int) ldns_key_keytag(key));
- file = fopen(filename, "w");
+ /* use open() here to prevent creating world-readable private keys (CVE-2014-3209)*/
+ fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
+ if (fd < 0) {
+ goto fail;
+ }
+
+ file = fdopen(fd, "w");
if (!file) {
- fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
- ldns_key_deep_free(key);
- free(owner);
- ldns_rr_free(pubkey);
- ldns_rr_free(ds);
- LDNS_FREE(filename);
- exit(EXIT_FAILURE);
- } else {
- ldns_key_print(file, key);
- fclose(file);
- LDNS_FREE(filename);
+ goto fail;
}
+ ldns_key_print(file, key);
+ fclose(file);
+ LDNS_FREE(filename);
+
/* print the DS to .ds */
if (algorithm != LDNS_SIGN_HMACMD5 &&
algorithm != LDNS_SIGN_HMACSHA1 &&
@@ -296,6 +300,15 @@ main(int argc, char *argv[])
ldns_rr_free(pubkey);
ldns_rr_free(ds);
exit(EXIT_SUCCESS);
+
+fail:
+ fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
+ ldns_key_deep_free(key);
+ free(owner);
+ ldns_rr_free(pubkey);
+ ldns_rr_free(ds);
+ LDNS_FREE(filename);
+ exit(EXIT_FAILURE);
}
#else
int
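Review bot: The mode passed at the `fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);` line in the `@@ -250,21 +254,21 @@` hunk only takes effect when the file is created; with O_TRUNC an already existing `K*.private` keeps the mode it had, so a key regenerated over a world-readable file left by an older ldns-keygen stays world-readable, and a symlink at that name is followed to its target. Either refuse to reuse the name by adding `O_EXCL` to the flags, or keep the overwrite semantics and tighten the mode after the `fd < 0` check with `if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) { goto fail; }` (sys/stat.h is already included by the first hunk). The new `fclose(file);` on the private-key stream also discards its return value, so a short write of the key would go unreported; `if (fclose(file) != 0) { goto fail; }` would surface it, though the "Unable to open" message at `fail:` would then need more general wording. The `fdopen` failure path leaves `fd` open, which is harmless only because `fail:` ends in exit(). main() begins and the `.ds` handling continues outside these hunks.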