[ldns/el6] * Tue Sep 30 2014 Paul Wouters <pwouters at redhat.com> - 1.6.17-1 - Fix ldns-config (rhbz#1147972) [Fl
Paul Wouters
pwouters at fedoraproject.org
Tue Sep 30 19:20:15 UTC 2014
commit fbbf0eb32d948dfefbf572f2331f8eaeac421954
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Sep 30 15:19:59 2014 -0400
* Tue Sep 30 2014 Paul Wouters <pwouters at redhat.com> - 1.6.17-1
- Fix ldns-config (rhbz#1147972) [Florian Lehner]
- Enable ECDSA support
- Fix error causing ldns to sometimes produce faulty DSA sign (#1077776)
- CVE-2014-3209 ldns: ldns-keygen generates keys with world readable permissions
- Fix 1017958 - 32 and 64 bit ldns conflicts on some manual pages
- Hardened build
- Fix some dates in changelog entries
.gitignore | 1 +
ldns-1.6.16-dsa-key-failures.patch | 28 +++++++++++++
ldns-1.6.17-keygen.patch | 32 +++++++++++++++
ldns-1.6.17-multilib.patch | 75 ++++++++++++++++++++++++++++++++++++
ldns.spec | 40 ++++++++++++++-----
sources | 2 +-
6 files changed, 167 insertions(+), 11 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 8940417..a1bdc00 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,4 @@ ldns-1.6.10.tar.gz
/ldns-1.6.14.tar.gz
/ldns-1.6.15.tar.gz
/ldns-1.6.16.tar.gz
+/ldns-1.6.17.tar.gz
diff --git a/ldns-1.6.16-dsa-key-failures.patch b/ldns-1.6.16-dsa-key-failures.patch
new file mode 100644
index 0000000..93e8a73
--- /dev/null
+++ b/ldns-1.6.16-dsa-key-failures.patch
@@ -0,0 +1,28 @@
+diff -up ldns-1.6.17/keys.c.dsa ldns-1.6.17/keys.c
+--- ldns-1.6.17/keys.c.dsa 2014-01-10 22:04:41.000000000 +0100
++++ ldns-1.6.17/keys.c 2014-03-18 17:54:34.751742493 +0100
+@@ -1324,7 +1324,6 @@ ldns_key_dsa2bin(unsigned char *data, DS
+ /* See RFC2536 */
+ *size = (uint16_t)BN_num_bytes(k->p);
+ T = (*size - 64) / 8;
+- memcpy(data, &T, 1);
+
+ if (T > 8) {
+ #ifdef STDERR_MSGS
+@@ -1335,12 +1334,13 @@ ldns_key_dsa2bin(unsigned char *data, DS
+ }
+
+ /* size = 64 + (T * 8); */
++ memset(data, 0, 21 + *size * 3);
+ data[0] = (unsigned char)T;
+ BN_bn2bin(k->q, data + 1 ); /* 20 octects */
+ BN_bn2bin(k->p, data + 21 ); /* offset octects */
+- BN_bn2bin(k->g, data + 21 + *size); /* offset octets */
+- BN_bn2bin(k->pub_key, data + 21 + *size + *size); /* offset octets */
+- *size = 21 + (*size * 3);
++ BN_bn2bin(k->g, data + 21 + *size * 2 - BN_num_bytes(k->g));
++ BN_bn2bin(k->pub_key,data + 21 + *size * 3 - BN_num_bytes(k->pub_key));
++ *size = 21 + *size * 3;
+ return true;
+ }
+
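Review bot: `BN_bn2bin(k->q, data + 1)` still left-aligns q in its fixed 20-octet field, so a q whose most significant byte is zero (BN_num_bytes(k->q) < 20) lands too early and the zero padding the new memset supplies follows it instead of preceding it — the same misalignment this patch corrects for g and the public key. Right-align it like the other two: `BN_bn2bin(k->q, data + 21 - BN_num_bytes(k->q));`. The `data + 21 + *size * 2 - BN_num_bytes(k->g)` offsets also assume g and pub_key are no longer than p; a guard such as `if (BN_num_bytes(k->g) > *size || BN_num_bytes(k->pub_key) > *size) return false;` before the memset would turn a malformed key into an error instead of a pointer that points before data. The memset likewise relies on the caller having sized data for 21 + 3 * BN_num_bytes(p) octets, which the signature, cut off at the hunk edge, does not show. ldns_key_dsa2bin begins outside the hunk.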
diff --git a/ldns-1.6.17-keygen.patch b/ldns-1.6.17-keygen.patch
new file mode 100644
index 0000000..1c010f6
--- /dev/null
+++ b/ldns-1.6.17-keygen.patch
@@ -0,0 +1,32 @@
+diff --git a/examples/ldns-keygen.c b/examples/ldns-keygen.c
+index 316d60d..f4f0116 100644
+--- a/examples/ldns-keygen.c
++++ b/examples/ldns-keygen.c
+@@ -247,9 +247,14 @@ main(int argc, char *argv[])
+ LDNS_FREE(filename);
+ }
+
++ {
++ mode_t oldmask = umask();
++
+ /* print the priv key to stderr */
+ filename = LDNS_XMALLOC(char, strlen(owner) + 21);
+ snprintf(filename, strlen(owner) + 20, "K%s+%03u+%05u.private", owner, algorithm, (unsigned int) ldns_key_keytag(key));
++
++ umask(077); /* ensure only owner can read private key */
+ file = fopen(filename, "w");
+ if (!file) {
+ fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
+@@ -262,9 +267,12 @@ main(int argc, char *argv[])
+ } else {
+ ldns_key_print(file, key);
+ fclose(file);
++ umask(oldmask);
+ LDNS_FREE(filename);
+ }
+
++ }
++
+ /* print the DS to .ds */
+ if (algorithm != LDNS_SIGN_HMACMD5 &&
+ algorithm != LDNS_SIGN_HMACSHA1 &&
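Review bot: `mode_t oldmask = umask();` passes no argument, but <sys/stat.h> declares `mode_t umask(mode_t)`, so unless the archive dropped the argument this line does not compile; since the only way to read the current mask is to set one, fold the two calls together as `mode_t oldmask = umask(077); /* private key is owner-only */` at the top of the block and delete the separate `umask(077)` before fopen. The mask is restored only on the success path: if the `Unable to open` branch does not exit (its body is outside the hunk) everything created afterwards, including the .ds and .key files written after this block, inherits the 077 mask, so restore oldmask immediately after fopen returns rather than after fclose. umask only governs newly created files — an existing world-readable K*.private left by an earlier ldns-keygen is truncated by fopen("w") but keeps its mode — so if that case matters use `open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR)` with fdopen, or fchmod the stream's descriptor. main begins and ends outside the hunk.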
diff --git a/ldns-1.6.17-multilib.patch b/ldns-1.6.17-multilib.patch
new file mode 100644
index 0000000..0a565d3
--- /dev/null
+++ b/ldns-1.6.17-multilib.patch
@@ -0,0 +1,75 @@
+diff -Naur ldns-1.6.17-orig/configure ldns-1.6.17/configure
+--- ldns-1.6.17-orig/configure 2014-01-10 16:04:50.000000000 -0500
++++ ldns-1.6.17/configure 2014-01-10 20:22:39.138190093 -0500
+@@ -662,6 +662,7 @@
+ PYTHON_LDFLAGS
+ PYTHON_CPPFLAGS
+ PYTHON
++PYTHON_LIB
+ PYTHON_VERSION
+ UNINSTALL_CONFIG_MANPAGE
+ UNINSTALL_CONFIG
+@@ -13599,6 +13600,7 @@
+ # use the official shared library
+ ac_python_library=`echo "$ac_python_library" | sed "s/^lib//"`
+ PYTHON_LDFLAGS="-L$ac_python_libdir -l$ac_python_library"
++ PYTHON_LIB="$ac_python_library"
+ else
+ # old way: use libpython from python_configdir
+ ac_python_libdir=`$PYTHON -c \
+@@ -13606,6 +13608,7 @@
+ import os; \
+ print (os.path.join(f(plat_specific=1, standard_lib=1), 'config'));"`
+ PYTHON_LDFLAGS="-L$ac_python_libdir -lpython$ac_python_version"
++ PYTHON_LIB="python$ac_python_version"
+ fi
+
+ if test -z "PYTHON_LDFLAGS"; then
+diff -Naur ldns-1.6.17-orig/packaging/ldns-config.in ldns-1.6.17/packaging/ldns-config.in
+--- ldns-1.6.17-orig/packaging/ldns-config.in 2014-01-10 16:04:41.000000000 -0500
++++ ldns-1.6.17/packaging/ldns-config.in 2014-01-10 20:33:13.033665804 -0500
+@@ -3,13 +3,25 @@
+ prefix="@prefix@"
+ exec_prefix="@exec_prefix@"
+ VERSION="@PACKAGE_VERSION@"
+-CFLAGS="@CFLAGS@"
+-CPPFLAGS="@CPPFLAGS@ @LIBSSL_CPPFLAGS@ @PYTHON_CPPFLAGS@"
+-LDFLAGS="@LDFLAGS@ @LIBSSL_LDFLAGS@ @PYTHON_LDFLAGS@"
+ LIBS="@LIBS@ @LIBSSL_LIBS@"
+-LIBDIR="@libdir@"
+ INCLUDEDIR="@includedir@"
+ LIBVERSION="@LIBLDNS_CURRENT at .@LIBLDNS_REVISION at .@LIBLDNS_AGE@"
++ARCH="`uname -m`"
++
++case $ARCH in
++ x86_64 | amd64 | sparc64 | s390x | ppc64)
++
++ LIBDIR="/usr/lib64"
++ LIBDIR_SEC="/usr/lib"
++ ;;
++ * )
++ LIBDIR="/usr/lib"
++ LIBDIR_SEC="usr/lib64"
++ ;;
++esac
++
++LDFLAGS="@LDFLAGS@ @LIBSSL_LDFLAGS@ -L$LIBDIR -l at PYTHON_LIB@"
++LDFLAGS_SEC="@LDFLAGS@ @LIBSSL_LDFLAGS@ -L$LIBDIR_SEC -l at PYTHON_LIB@"
+
+ for arg in $@
+ do
+@@ -21,9 +33,13 @@
+ then
+ echo "${LDFLAGS} -L${LIBDIR} ${LIBS} -lldns"
+ fi
++ if [ $arg = "--libs_sec" ]
++ then
++ echo "${LDFLAGS_SEC} -L${LIBDIR_SEC} ${LIBS} -lldns"
++ fi
+ if [ $arg = "-h" ] || [ $arg = "--help" ]
+ then
+- echo "Usage: $0 [--cflags] [--libs] [--version]"
++ echo "Usage: $0 [--cflags] [--libs] [--libs_sec] [--version]"
+ fi
+ if [ $arg = "--version" ]
+ then
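Review bot: `LIBDIR_SEC="usr/lib64"` in the non-64-bit arm of the case is missing its leading slash, so `--libs_sec` emits `-Lusr/lib64`, a path relative to the caller's working directory; it should be `LIBDIR_SEC="/usr/lib64"`. The rewritten LDFLAGS also make every `--libs` consumer link against `-l@PYTHON_LIB@` (`-l at PYTHON_LIB@` here looks like the list archive's munging of the `@`); configure only assigns PYTHON_LIB inside its python branch, so a build configured without --with-pyldns presumably substitutes an empty value and leaves a bare `-l` that breaks the link, and programs that never touch pyldns should not need libpython at all — capture it as `PYTHON_LIB="@PYTHON_LIB@"` and append `${PYTHON_LIB:+-l$PYTHON_LIB}` only when non-empty, or keep it out of --libs entirely. Deriving LIBDIR from `uname -m` at run time replaces the build-time @libdir@ with a guess about the host kernel, which goes wrong for a 32-bit build run on a 64-bit kernel; substituting @libdir@ for the primary directory and guessing only the secondary one would preserve the previous behaviour. Patching the generated configure rather than configure.ac also means the PYTHON_LIB substitution disappears on any autoreconf, which the spec's commented-out snapshot steps would trigger.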
diff --git a/ldns.spec b/ldns.spec
index 241f4f9..b4fc44b 100644
--- a/ldns.spec
+++ b/ldns.spec
@@ -7,11 +7,15 @@
Summary: Lowlevel DNS(SEC) library with API
Name: ldns
-Version: 1.6.16
-Release: 2%{?dist}
+Version: 1.6.17
+Release: 1%{?dist}
License: BSD
Url: http://www.nlnetlabs.nl/%{name}/
Source: http://www.nlnetlabs.nl/downloads/%{name}/%{name}-%{version}.tar.gz
+Patch1: ldns-1.6.17-multilib.patch
+Patch2: ldns-1.6.16-dsa-key-failures.patch
+Patch3: ldns-1.6.17-keygen.patch
+
Group: System Environment/Libraries
BuildRequires: perl, libpcap-devel, openssl-devel, gcc-c++, doxygen
# Only needed for builds from svn snapshot
@@ -48,6 +52,9 @@ Python extensions for ldns
%prep
%setup -q
+%patch1 -p1
+%patch2 -p1 -b .dsa
+%patch3 -p1 -b .keygen
# To built svn snapshots
# rm config.guess config.sub ltmain.sh
# aclocal
@@ -55,19 +62,22 @@ Python extensions for ldns
# autoreconf --install
%build
-# as long as ECC is banned we cannot enable GOST or ECDSA
-%configure --disable-rpath --disable-static --disable-gost --disable-ecdsa \
+CFLAGS="%{optflags} -fPIC"
+CXXFLAGS="%{optflags} -fPIC"
+LDFLAGS="-Wl,-z,relro,-z,now -pie"
+# ECC is in for ECDSA, but does not include GOST support
+%configure --disable-rpath --disable-static --disable-gost --enable-ecdsa \
--with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt --with-ca-path=/etc/pki/tls/certs/ \
%if %{with_python}
--with-pyldns
%endif
(cd drill ; %configure --disable-rpath --disable-static --disable-gost \
- --disable-ecdsa --with-ldns=%{buildroot}/lib/ \
+ --enable-ecdsa --with-ldns=%{buildroot}/lib/ \
--with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt --with-ca-path=/etc/pki/tls/certs/
)
(cd examples ; %configure --disable-rpath --disable-static --disable-gost \
- --disable-ecdsa --with-ldns=%{buildroot}/lib/ \
+ --enable-ecdsa --with-ldns=%{buildroot}/lib/ \
--with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt --with-ca-path=/etc/pki/tls/certs/
)
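Review bot: CFLAGS, CXXFLAGS and LDFLAGS are plain shell assignments that are never exported; %configure re-exports CFLAGS/CXXFLAGS through `${CFLAGS:-%optflags}`, but I don't believe the EL6 macro does the same for LDFLAGS, so `-Wl,-z,relro,-z,now -pie` may never reach libtool and the "Hardened build" changelog entry would not actually be delivered — add `export CFLAGS CXXFLAGS LDFLAGS` after the assignments and confirm with `readelf -d` on the built drill/ldns-* binaries (look for BIND_NOW and a DYN type). `-pie` in a global LDFLAGS is also handed to the libldns.so link, where it does not belong; it is only meaningful for drill and the examples, so set it inside those two subshells and keep only the relro/now flags global. If the aim is full PIE for the executables, those subshells should also compile with -fPIE rather than relying on the global -fPIC.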
@@ -103,7 +113,7 @@ rm -rf %{buildroot}
%{_bindir}/ldns-compare-zones
%{_bindir}/ldns-[d-z]*
%doc README LICENSE
-%{_mandir}/*/*
+%{_mandir}/man1/*
%files devel
%defattr(-,root,root,-)
@@ -112,6 +122,7 @@ rm -rf %{buildroot}
%dir %{_includedir}/ldns
%{_includedir}/ldns/*.h
%doc doc Changelog README
+%{_mandir}/man3/*
%if %{with_python}
%files python
@@ -124,6 +135,15 @@ rm -rf %{buildroot}
%postun -p /sbin/ldconfig
%changelog
+* Tue Sep 30 2014 Paul Wouters <pwouters at redhat.com> - 1.6.17-1
+- Fix ldns-config (rhbz#1147972) [Florian Lehner]
+- Enable ECDSA support
+- Fix error causing ldns to sometimes produce faulty DSA sign (#1077776)
+- CVE-2014-3209 ldns: ldns-keygen generates keys with world readable permissions
+- Fix 1017958 - 32 and 64 bit ldns conflicts on some manual pages
+- Hardened build
+- Fix some dates in changelog entries
+
* Tue May 28 2013 Paul Wouters <pwouters at redhat.com> - 1.6.16-2
- rebuilt for newer libpcap
@@ -148,7 +168,7 @@ rm -rf %{buildroot}
* Wed Jan 11 2012 Paul Wouters <paul at nohats.ca> - 1.6.12-1
- Upgraded to 1.6.12, fixes important end of year handling date bug
-* Thu Oct 5 2011 Paul Wouters <paul at xelerance.com> - 1.6.11-2
+* Wed Oct 5 2011 Paul Wouters <paul at xelerance.com> - 1.6.11-2
- Updated to 1.6.11, fixes rhbz#741026 which is CVE-2011-3581
- Python goes into sitearch, not sitelib
- Fix source link and spelling errors in description
@@ -200,7 +220,7 @@ rm -rf %{buildroot}
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.5.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
-* Mon Feb 10 2009 Paul Wouters <paul at xelerance.com> - 1.5.1-1
+* Tue Feb 10 2009 Paul Wouters <paul at xelerance.com> - 1.5.1-1
- Updated to new version, 1.5.0 had a bug preventing
zone signing.
@@ -279,7 +299,7 @@ rm -rf %{buildroot}
* Sun Dec 18 2005 Paul Wouters <paul at xelerance.com> 1.0.0-7
- Patched 'make clean' target to get rid of object files shipped with 1.0.0
-* Sun Dec 13 2005 Paul Wouters <paul at xelerance.com> 1.0.0-6
+* Tue Dec 13 2005 Paul Wouters <paul at xelerance.com> 1.0.0-6
- added a make clean for 2.3.3 since .o files were left behind upstream,
causing failure on ppc platform
diff --git a/sources b/sources
index 1beb0c3..4b9e900 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-9ab2b402127cf24dffefaacbb727cad7 ldns-1.6.16.tar.gz
+a79423bcc4129e6d59b616b1cae11e5e ldns-1.6.17.tar.gz