[ldns] * Tue May 06 2014 Paul Wouters <pwouters at redhat.com> - 1.6.17-3 - CVE-2014-3209 ldns: ldns-keygen ge
Paul Wouters
pwouters at fedoraproject.org
Tue May 6 01:29:08 UTC 2014
commit ec602fcb9f95d5dd7a498437de05508d9e07a7df
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon May 5 21:29:17 2014 -0400
* Tue May 06 2014 Paul Wouters <pwouters at redhat.com> - 1.6.17-3
- CVE-2014-3209 ldns: ldns-keygen generates keys with world readable permissions
- Fix 1017958 - 32 and 64 bit ldns conflicts on some manual pages
- Fix rhbz#1062874 - cannot install ldns.x86_64 in parallel to ldns.i686
- Incorporate fixes from Tuomo Soini <tis at foobar.fi>
- fix ldns internal provides and requires filter
- fix perl-ldns requirement to include %%_isa
- setup filters for perl and python bindings for internal stuff
- split utils to separate package
ldns-1.6.17-keygen.patch | 32 +++++++
ldns.spec | 209 +++++++++++++++++++++++++++++-----------------
2 files changed, 164 insertions(+), 77 deletions(-)
---
diff --git a/ldns-1.6.17-keygen.patch b/ldns-1.6.17-keygen.patch
new file mode 100644
index 0000000..1c010f6
--- /dev/null
+++ b/ldns-1.6.17-keygen.patch
@@ -0,0 +1,32 @@
+diff --git a/examples/ldns-keygen.c b/examples/ldns-keygen.c
+index 316d60d..f4f0116 100644
+--- a/examples/ldns-keygen.c
++++ b/examples/ldns-keygen.c
+@@ -247,9 +247,14 @@ main(int argc, char *argv[])
+ LDNS_FREE(filename);
+ }
+
++ {
++ mode_t oldmask = umask();
++
+ /* print the priv key to stderr */
+ filename = LDNS_XMALLOC(char, strlen(owner) + 21);
+ snprintf(filename, strlen(owner) + 20, "K%s+%03u+%05u.private", owner, algorithm, (unsigned int) ldns_key_keytag(key));
++
++ umask(077); /* ensure only owner can read private key */
+ file = fopen(filename, "w");
+ if (!file) {
+ fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
+@@ -262,9 +267,12 @@ main(int argc, char *argv[])
+ } else {
+ ldns_key_print(file, key);
+ fclose(file);
++ umask(oldmask);
+ LDNS_FREE(filename);
+ }
+
++ }
++
+ /* print the DS to .ds */
+ if (algorithm != LDNS_SIGN_HMACMD5 &&
+ algorithm != LDNS_SIGN_HMACSHA1 &&
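Review bot: `mode_t oldmask = umask();` calls umask() without its mandatory mode_t argument: with the <sys/stat.h> prototype in scope this is a compile error, and with only an implicit declaration the process umask is set to whatever happens to be in the argument register. The usual idiom saves and sets in one call, so make that line `mode_t oldmask = umask(077); /* private key readable by owner only */` and drop the separate `umask(077);` before the fopen(). Two gaps remain even then: umask governs only newly created files, so a pre-existing world-readable K*.private keeps its mode when fopen(filename, "w") truncates it, which an `fchmod(fileno(file), 0600)` right after the fopen succeeds would cover, and `umask(oldmask)` sits only in the else branch, so if the `!file` path between the two hunks does not exit, the .ds file is created under the restricted mask. main() begins and ends outside these hunks.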
diff --git a/ldns.spec b/ldns.spec
index dda078d..9b60395 100644
--- a/ldns.spec
+++ b/ldns.spec
@@ -2,9 +2,18 @@
%{?!with_perl: %global with_perl 1}
%{?!with_ecc: %global with_ecc 1}
-%if %{with_python}
+%if %{with python}
%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+%{?filter_setup:
+%global _ldns_internal_filter /^_ldns[.]so.*/d;
+%filter_from_requires %{_ldns_internal_filter}
+%filter_from_provides %{_ldns_internal_filter}
+%filter_setup
+}
+%global _ldns_internal _ldns[.]so[.].*
+%global __requires_exclude ^(%{_ldns_internal})$
+%global __provides_exclude ^(%{_ldns_internal})$
%endif
%if %{with_perl}
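Review bot: `%if %{with_perl}` on the last context line keeps the old macro form while this hunk converts the python test to `%if %{with python}`; for consistency make it `%if %{with perl}` in the same commit. With the `%global with_perl 1` default at the top of this hunk both forms evaluate identically, so this is style only.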
@@ -14,21 +23,33 @@
Summary: Low-level DNS(SEC) library with API
Name: ldns
Version: 1.6.17
-Release: 2%{?dist}
+Release: 3%{?dist}
+
License: BSD
Url: http://www.nlnetlabs.nl/%{name}/
-Source: http://www.nlnetlabs.nl/downloads/%{name}/%{name}-%{version}.tar.gz
+Source0: http://www.nlnetlabs.nl/downloads/%{name}/%{name}-%{version}.tar.gz
Patch1: ldns-1.6.17-multilib.patch
-Patch2: %{name}-1.6.16-dsa-key-failures.patch
+Patch2: ldns-1.6.16-dsa-key-failures.patch
+Patch3: ldns-1.6.17-keygen.patch
+
Group: System Environment/Libraries
-BuildRequires: libpcap-devel, openssl-devel, gcc-c++, doxygen,
+# Only needed for builds from svn snapshot
+# BuildRequires: libtool
+# BuildRequires: autoconf
+# BuildRequires: automake
+
+BuildRequires: libpcap-devel
+BuildRequires: openssl-devel
+BuildRequires: gcc-c++
+BuildRequires: doxygen
+
# for snapshots only
# BuildRequires: libtool, autoconf, automake
-%if %{with_python}
-BuildRequires: python-devel, swig
+%if %{with python}
+BuildRequires: python-devel, swig
%endif
-%if %{with_perl}
-BuildRequires: perl perl-ExtUtils-MakeMaker
+%if %{with perl}
+BuildRequires: perl-ExtUtils-MakeMaker
%endif
Requires: ca-certificates
@@ -41,45 +62,53 @@ packets.
%package devel
Summary: Development package that includes the ldns header files
Group: Development/Libraries
-Requires: %{name} = %{version}-%{release}
+Requires: %{name}%{?_isa} = %{version}-%{release}
%description devel
The devel package contains the ldns library and the include files
-%if %{with_python}
-%package python
+%package utils
+Summary: DNS(SEC) utilities for querying dns
+Group: Applications/System
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description utils
+Collection of tools to get, check or alter DNS(SEC) data.
+
+%if %{with python}
+%package -n python-ldns
Summary: Python extensions for ldns
Group: Applications/System
-Requires: %{name} = %{version}-%{release}
+Requires: %{name}%{?_isa} = %{version}-%{release}
-%description python
+%description -n python-ldns
Python extensions for ldns
%endif
-%if %{with_perl}
-%package perl
+%if %{with perl}
+%package -n perl-ldns
Summary: Perl extensions for ldns
Group: Applications/System
-Requires: %{name} = %{version}-%{release}
+Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
-%description perl
+%description -n perl-ldns
Perl extensions for ldns
%endif
%package doc
Summary: Documentation for the ldns library
Group: Development/Libraries
-Requires: %{name}-devel = %{version}-%{release}
BuildArch: noarch
%description doc
This package contains documentation for the ldns library
%prep
-%setup -q
+%setup -q
%patch1 -p1
%patch2 -p1 -b .dsa
+%patch3 -p1 -b .keygen
# To built svn snapshots
# rm config.guess config.sub ltmain.sh
# aclocal
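Review bot: The subpackages are renamed from ldns-python to python-ldns and from ldns-perl to perl-ldns with no upgrade path: unless it is declared in a part of the spec outside this hunk, hosts with the old names installed will not receive the new ones on update. Fedora's renaming rule wants a versioned Obsoletes plus a Provides under each new `%package -n` stanza, e.g. for python-ldns `Obsoletes: ldns-python < 1.6.17-3` and `Provides: ldns-python = %{version}-%{release}`, and the equivalent pair for perl-ldns. The split of drill and the ldns-* tools into the new utils subpackage has the same effect for existing installs, since nothing pulls ldns-utils in when ldns alone is updated; that may be acceptable but deserves a line in the changelog.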
@@ -87,59 +116,74 @@ This package contains documentation for the ldns library
# autoreconf --install
%build
-%configure --disable-rpath --disable-static \
- --with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt --with-ca-path=/etc/pki/tls/certs/ \
-%if %{with_ecc}
- --enable-gost --enable-ecdsa \
+CFLAGS="%{optflags} -fPIC"
+CXXFLAGS="%{optflags} -fPIC"
+LDFLAGS="-Wl,-z,relro,-z,now -pie"
+export CFLAGS CXXFLAGS LDFLAGS
+%configure \
+ --disable-rpath \
+ --disable-static \
+%if %{with ecc}
+ --enable-gost \
+ --enable-ecdsa \
%else
- --disable-gost --disable-ecdsa \
+ --disable-gost \
+ --disable-ecdsa \
%endif
-%if %{with_python}
- --with-pyldns \
+%if %{with python}
+ --with-pyldns \
%endif
+ --with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt \
+ --with-ca-path=/etc/pki/tls/certs/ \
--with-trust-anchor=%{_sharedstatedir}/unbound/root.key
-(cd drill ; %configure --disable-rpath --disable-static \
- --with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt --with-ca-path=/etc/pki/tls/certs/ \
-%if %{with_ecc}
- --enable-gost --enable-ecdsa \
+pushd drill
+%configure \
+ --disable-rpath \
+%if %{with ecc}
+ --enable-gost \
+ --enable-ecdsa \
%else
- --disable-gost --disable-ecdsa \
+ --disable-gost \
+ --disable-ecdsa \
%endif
-)
-
-(cd examples ; %configure --disable-rpath --disable-static \
- --with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt --with-ca-path=/etc/pki/tls/certs/ \
-%if %{with_ecc}
- --enable-gost --enable-ecdsa \
+ --with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt \
+ --with-ca-path=/etc/pki/tls/certs/ \
+ --with-trust-anchor=%{_sharedstatedir}/unbound/root.key
+popd
+
+pushd examples
+%configure \
+ --disable-rpath \
+%if %{with ecc}
+ --enable-gost \
+ --enable-ecdsa \
%else
- --disable-gost --disable-ecdsa \
+ --disable-gost \
+ --disable-ecdsa \
%endif
-)
+ --with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt \
+ --with-ca-path=/etc/pki/tls/certs/ \
+ --with-trust-anchor=%{_sharedstatedir}/unbound/root.key
+popd
# We cannot use the built-in --with-p5-dns-ldns
-%if %{with_perl}
-(
- cd contrib/DNS-LDNS
- perl Makefile.PL INSTALLDIRS=vendor INC="-I. -I../.."
-)
+%if %{with perl}
+ pushd contrib/DNS-LDNS
+ perl Makefile.PL INSTALLDIRS=vendor INC="-I. -I../.."
+ make
+ popd
%endif
-make %{?_smp_mflags}
-( cd drill ; make %{?_smp_mflags} )
-( cd examples ; make %{?_smp_mflags} )
-%if %{with_perl}
-(
- cd contrib/DNS-LDNS
- make %{?_smp_mflags} LDLOADLIBS="-L../../lib -lldns"
-)
-%endif
+make %{?_smp_mflags}
+make -C drill %{?_smp_mflags}
+make -C examples %{?_smp_mflags}
make %{?_smp_mflags} doc
%install
rm -rf %{buildroot}
-make DESTDIR=%{buildroot} INSTALL="%{__install} -p" install
+make DESTDIR=%{buildroot} INSTALL="%{__install} -p" install
make DESTDIR=%{buildroot} INSTALL="%{__install} -p" install-doc
# don't package xml files
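Review bot: The hardening added in %build, `LDFLAGS="-Wl,-z,relro,-z,now -pie"` exported for every link, is the fragile way to get PIE binaries: the same flags reach the libtool link of libldns.so, where -pie is ignored at best and with newer gcc/binutils can yield a library tagged as a PIE that glibc refuses to dlopen, the programs are compiled with -fPIC rather than -fPIE, and overriding LDFLAGS outright discards whatever %{__global_ldflags} the build root provides. The Fedora/EL convention is `%global _hardened_build 1` near the top of the spec with CFLAGS/LDFLAGS left to %configure, which applies -fPIE/-pie plus relro/now to the executables and -fPIC to the library consistently. Separately, the perl build now runs a bare `make` in contrib/DNS-LDNS where the old spec passed `LDLOADLIBS="-L../../lib -lldns"`; unless Makefile.PL adds -L../../lib itself, the binding links against a system libldns (or fails to link) instead of the one just built, so that override should be restored. The drill and examples configure calls also lose `--disable-static`, harmless for programs but presumably unintended.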
@@ -150,43 +194,48 @@ rm doc/doxyparse.pl
rm -rf doc/man
# remove .la files
rm -rf %{buildroot}%{_libdir}/*.la %{buildroot}%{python_sitearch}/*.la
+make -C drill DESTDIR=%{buildroot} install
+make -C examples DESTDIR=%{buildroot} install
+%if %{with perl}
+ make -C contrib/DNS-LDNS DESTDIR=%{buildroot} pure_install
+ chmod 755 %{buildroot}%{perl_vendorarch}/auto/DNS/LDNS/LDNS.so
+ rm -f %{buildroot}%{perl_vendorarch}/auto/DNS/LDNS/{.packlist,LDNS.bs}
+%endif
-(cd drill ; make DESTDIR=%{buildroot} install)
-(cd examples; make DESTDIR=%{buildroot} install)
+%clean
+rm -rf %{buildroot}
-%if %{with_perl}
-(
- cd contrib/DNS-LDNS
- make DESTDIR=%{buildroot} pure_install
-)
-chmod 755 %{buildroot}%{perl_vendorarch}/auto/DNS/LDNS/LDNS.so
-rm -f %{buildroot}%{perl_vendorarch}/auto/DNS/LDNS/{.packlist,LDNS.bs}
-%endif
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
-%files
+%files
+%doc README LICENSE
%{_libdir}/libldns*so.*
+
+%files utils
%{_bindir}/drill
%{_bindir}/ldnsd
%{_bindir}/ldns-chaos
%{_bindir}/ldns-compare-zones
%{_bindir}/ldns-[d-z]*
-%doc README LICENSE
-%{_mandir}/*/*.[1358]*
+%{_mandir}/man1/*
%files devel
+%doc Changelog README
%{_libdir}/libldns*so
%{_bindir}/ldns-config
%dir %{_includedir}/ldns
%{_includedir}/ldns/*.h
-%doc Changelog README
+%{_mandir}/man3/*
-%if %{with_python}
-%files python
+%if %{with python}
+%files -n python-ldns
%{python_sitearch}/*
%endif
-%if %{with_perl}
-%files perl
+%if %{with perl}
+%files -n perl-ldns
%{perl_vendorarch}/*
%exclude %dir %{perl_vendorarch}/auto/
%endif
@@ -194,11 +243,17 @@ rm -f %{buildroot}%{perl_vendorarch}/auto/DNS/LDNS/{.packlist,LDNS.bs}
%files doc
%doc doc
-%post -p /sbin/ldconfig
-
-%postun -p /sbin/ldconfig
-
%changelog
+* Tue May 06 2014 Paul Wouters <pwouters at redhat.com> - 1.6.17-3
+- CVE-2014-3209 ldns: ldns-keygen generates keys with world readable permissions
+- Fix 1017958 - 32 and 64 bit ldns conflicts on some manual pages
+- Fix rhbz#1062874 - cannot install ldns.x86_64 in parallel to ldns.i686
+- Incorporate fixes from Tuomo Soini <tis at foobar.fi>
+- fix ldns internal provides and requires filter
+- fix perl-ldns requirement to include %%_isa
+- setup filters for perl and python bindings for internal stuff
+- split utils to separate package
+
* Mon Mar 24 2014 Tomas Hozza <thozza at redhat.com> - 1.6.17-2
- Fix error causing ldns to sometimes produce faulty DSA sign (#1077776)
- Fix FTBFS due to perl modules