Fix for CVE-2020-19860 ldns: heap overread vulnerability and patch for removed Python distutils module

Resolves: rhbz#2051211
This commit is contained in:
Richard Lescak 2022-02-24 17:43:22 +01:00
parent 2782fd1afc
commit 871e8c6d31
3 changed files with 199 additions and 1 deletions


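--- a/ldns-1.7.1-Support-sysconfig-python-module-in-python_devel.patch
+++ b/ldns-1.7.1-Support-sysconfig-python-module-in-python_devel.patch
@@ -0,0 +1,147 @@
+diff -urN a/ldns-1.7.1/ax_python_devel.m4 b/ldns-1.7.1/ax_python_devel.m4
+--- a/ldns-1.7.1/ax_python_devel.m4 2019-07-26 17:07:44.000000000 +0200
++++ b/ldns-1.7.1/ax_python_devel.m4 2022-02-15 12:35:30.881489085 +0100
+@@ -135,16 +135,24 @@
+#
+# Check if you have distutils, else fail
+#
+- AC_MSG_CHECKING([for the distutils Python package])
+- ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`
+- if test -z "$ac_distutils_result"; then
++ AC_MSG_CHECKING([for the sysconfig Python package])
++ ac_sysconfig_result=`$PYTHON -c "import sysconfig" 2>&1`
++ if test $? -eq 0; then
+AC_MSG_RESULT([yes])
++ IMPORT_SYSCONFIG="import sysconfig"
+else
+AC_MSG_RESULT([no])
+- AC_MSG_ERROR([cannot import Python module "distutils".
++ AC_MSG_CHECKING([for the distutils Python package])
++ ac_sysconfig_result=`$PYTHON -c "from distutils import sysconfig" 2>&1`
++ if test $? -eq 0; then
++ AC_MSG_RESULT([yes])
++ IMPORT_SYSCONFIG="from distutils import sysconfig"
++ else
++ AC_MSG_ERROR([cannot import Python module "distutils".
+Please check your Python installation. The error was:
+-$ac_distutils_result])
+- PYTHON_VERSION=""
++$ac_sysconfig_result])
++ PYTHON_VERSION=""
++ fi
+fi
+#
+@@ -152,10 +160,19 @@
+#
+AC_MSG_CHECKING([for Python include path])
+if test -z "$PYTHON_CPPFLAGS"; then
+- python_path=`$PYTHON -c "import distutils.sysconfig; \
+- print (distutils.sysconfig.get_python_inc ());"`
+- plat_python_path=`$PYTHON -c "import distutils.sysconfig; \
+- print (distutils.sysconfig.get_python_inc (plat_specific=1));"`
++ if test "$IMPORT_SYSCONFIG" = "import sysconfig"; then
++ # sysconfig module has different functions
++ python_path=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++ print (sysconfig.get_path ('include'));"`
++ plat_python_path=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++ print (sysconfig.get_path ('platinclude'));"`
++ else
++ # old distutils way
++ python_path=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++ print (sysconfig.get_python_inc ());"`
++ plat_python_path=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++ print (sysconfig.get_python_inc (plat_specific=1));"`
++ fi
+if test -n "${python_path}"; then
+if test "${plat_python_path}" != "${python_path}"; then
+python_path="-I$python_path -I$plat_python_path"
+@@ -179,7 +196,7 @@
+# join all versioning strings, on some systems
+# major/minor numbers could be in different list elements
+-from distutils.sysconfig import *
++from sysconfig import *
+e = get_config_var('VERSION')
+if e is not None:
+print(e)
+@@ -202,8 +219,8 @@
+ac_python_libdir=`cat<<EOD | $PYTHON -
+# There should be only one
+-import distutils.sysconfig
+-e = distutils.sysconfig.get_config_var('LIBDIR')
++$IMPORT_SYSCONFIG
++e = sysconfig.get_config_var('LIBDIR')
+if e is not None:
+print (e)
+EOD`
+@@ -211,8 +228,8 @@
+# Now, for the library:
+ac_python_library=`cat<<EOD | $PYTHON -
+-import distutils.sysconfig
+-c = distutils.sysconfig.get_config_vars()
++$IMPORT_SYSCONFIG
++c = sysconfig.get_config_vars()
+if 'LDVERSION' in c:
+print ('python'+c[['LDVERSION']])
+else:
+@@ -231,7 +248,7 @@
+else
+# old way: use libpython from python_configdir
+ac_python_libdir=`$PYTHON -c \
+- "from distutils.sysconfig import get_python_lib as f; \
++ "from sysconfig import get_python_lib as f; \
+import os; \
+print (os.path.join(f(plat_specific=1, standard_lib=1), 'config'));"`
+PYTHON_LDFLAGS="-L$ac_python_libdir -lpython$ac_python_version"
+@@ -252,8 +269,14 @@
+#
+AC_MSG_CHECKING([for Python site-packages path])
+if test -z "$PYTHON_SITE_PKG"; then
+- PYTHON_SITE_PKG=`$PYTHON -c "import distutils.sysconfig; \
+- print (distutils.sysconfig.get_python_lib(1,0));"`
++ if test "$IMPORT_SYSCONFIG" = "import sysconfig"; then
++ PYTHON_SITE_PKG=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++ print (sysconfig.get_path('platlib'));"`
++ else
++ # distutils.sysconfig way
++ PYTHON_SITE_PKG=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++ print (sysconfig.get_python_lib(0,0));"`
++ fi
+fi
+AC_MSG_RESULT([$PYTHON_SITE_PKG])
+AC_SUBST([PYTHON_SITE_PKG])
+@@ -263,9 +286,9 @@
+#
+AC_MSG_CHECKING(python extra libraries)
+if test -z "$PYTHON_EXTRA_LIBS"; then
+- PYTHON_EXTRA_LIBS=`$PYTHON -c "import distutils.sysconfig; \
+- conf = distutils.sysconfig.get_config_var; \
+- print (conf('LIBS'))"`
++ PYTHON_EXTRA_LIBS=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++ conf = sysconfig.get_config_var; \
++ print (conf('LIBS') + ' ' + conf('SYSLIBS'))"`
+fi
+AC_MSG_RESULT([$PYTHON_EXTRA_LIBS])
+AC_SUBST(PYTHON_EXTRA_LIBS)
+@@ -275,8 +298,8 @@
+#
+AC_MSG_CHECKING(python extra linking flags)
+if test -z "$PYTHON_EXTRA_LDFLAGS"; then
+- PYTHON_EXTRA_LDFLAGS=`$PYTHON -c "import distutils.sysconfig; \
+- conf = distutils.sysconfig.get_config_var; \
++ PYTHON_EXTRA_LDFLAGS=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++ conf = sysconfig.get_config_var; \
+print (conf('LINKFORSHARED'))"`
+fi
+AC_MSG_RESULT([$PYTHON_EXTRA_LDFLAGS])
+@@ -300,6 +323,7 @@
+# turn back to default flags
+CPPFLAGS="$ac_save_CPPFLAGS"
+LIBS="$ac_save_LIBS"
++ LDFLAGS="$ac_save_LDFLAGS"
+AC_MSG_RESULT([$pythonexists])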
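Review bot: The "old way" libdir fallback in the `@@ -231,7 +248,7 @@` hunk now does `from sysconfig import get_python_lib as f`, but the stdlib `sysconfig` module has no `get_python_lib` (that function only exists in `distutils.sysconfig`), so this branch raises ImportError and `ac_python_libdir` ends up empty whenever libpython is not found under LIBDIR. It should be branched on `$IMPORT_SYSCONFIG` like the include-path check; for the stdlib module `sysconfig.get_path('platstdlib')` appears to be the equivalent of `get_python_lib(plat_specific=1, standard_lib=1)` — confirm — giving `"$IMPORT_SYSCONFIG; import os; print (os.path.join(sysconfig.get_path('platstdlib'), 'config'));"`. Separately, the site-packages hunk changes the distutils fallback from `get_python_lib(1,0)` to `get_python_lib(0,0)` (purelib) while the new sysconfig branch deliberately picks `'platlib'`; for a compiled extension the two branches should agree, so I would keep `print (sysconfig.get_python_lib(1,0));`. Also note `conf('LIBS') + ' ' + conf('SYSLIBS')` raises TypeError if either config var is unset, whereas the old code merely printed `None`; `(conf('LIBS') or '') + ' ' + (conf('SYSLIBS') or '')` is safer.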


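--- a/ldns-1.7.1-out-of-boud-read-vuln.patch
+++ b/ldns-1.7.1-out-of-boud-read-vuln.patch
@@ -0,0 +1,41 @@
+From 15d96206996bea969fbc918eb0a4a346f514b9f3 Mon Sep 17 00:00:00 2001
+From: Wouter Wijngaards <wouter@nlnetlabs.nl>
+Date: Tue, 24 Sep 2019 16:50:27 +0200
+Subject: [PATCH 1/2] * bugfix #70: heap Out-of-bound Read vulnerability in
+rr_frm_str_internal reported by pokerfacett.
+From 4e9861576a600a5ecfa16ec2de853c90dd9ce276 Mon Sep 17 00:00:00 2001
+From: Wouter Wijngaards <wouter@nlnetlabs.nl>
+Date: Tue, 24 Sep 2019 16:51:09 +0200
+Subject: [PATCH 2/2] Fix #70 fix code.
+diff --git a/ldns-1.7.1/rr.c b/ldns-1.7.1/rr.c
+index 6642aca7..adf67ae4 100644
+--- a/ldns-1.7.1/rr.c
++++ b/ldns-1.7.1/rr.c
+@@ -365,15 +365,18 @@ ldns_rr_new_frm_str_internal(ldns_rr **newrr, const char *str,
+ldns_buffer_remaining(rd_buf) > 0){
+/* skip spaces */
+- while (*(ldns_buffer_current(rd_buf)) == ' ') {
++ while (ldns_buffer_remaining(rd_buf) > 0 &&
++ *(ldns_buffer_current(rd_buf)) == ' ') {
+ldns_buffer_skip(rd_buf, 1);
+}
+- if (*(ldns_buffer_current(rd_buf)) == '\"') {
++ if (ldns_buffer_remaining(rd_buf) > 0 &&
++ *(ldns_buffer_current(rd_buf)) == '\"') {
+delimiters = "\"\0";
+ldns_buffer_skip(rd_buf, 1);
+quoted = true;
+- } else if (ldns_rr_descriptor_field_type(desc, r_cnt)
++ }
++ if (!quoted && ldns_rr_descriptor_field_type(desc, r_cnt)
+== LDNS_RDF_TYPE_LONG_STR) {
+status = LDNS_STATUS_SYNTAX_RDATA_ERR;
+--
+2.34.1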
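Review bot: The two new `ldns_buffer_remaining(rd_buf) > 0` guards carry no comment saying what the old code got wrong, and this is the kind of fix that gets "simplified" away later; the unbounded space-skipping loop let rdata ending in blanks advance the cursor to the end of rd_buf, after which the quote test and anything following dereferenced past it. I would add above the loop: `/* CVE-2020-19860 / #70: trailing blanks can advance the cursor to the end of rd_buf; re-check remaining before every dereference */`. When the buffer is exhausted at that point `quoted` stays false and control continues into the LONG_STR check and the token read that follows; `ldns_rr_new_frm_str_internal` begins and ends outside the hunk, so confirm the remainder of the loop body tolerates an empty buffer rather than relying on the loop condition alone. Lastly, the file stacks two mail preambles (PATCH 1/2 and 2/2) ahead of a single diff, which `patch -p1` ignores but `git am` would reject; a one-line note that the two upstream commits were squashed would save the next maintainer a puzzle.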


@ -39,7 +39,7 @@
Summary: Low-level DNS(SEC) library with API
Name: ldns
Version: 1.7.1
Release: 8%{?dist}
Release: 9%{?dist}
License: BSD
Url: https://www.nlnetlabs.nl/%{name}/
@ -50,6 +50,12 @@ Source2: https://keys.openpgp.org/vks/v1/by-fingerprint/DC34EE5DB2417BCC151E5100
Patch1: ldns-1.7.0-multilib.patch
# 2008445 - https://github.com/NLnetLabs/ldns/commit/12ab6f7a408cd99e9b43b7db86724c2ee66bc36e
Patch2: ldns-1.7.1-openssl-build.patch
# 2051211 - https://github.com/NLnetLabs/ldns/commit/15d96206996bea969fbc918eb0a4a346f514b9f3
Patch3: ldns-1.7.1-out-of-boud-read-vuln.patch
# https://github.com/autoconf-archive/autoconf-archive/commit/7f21e125bbe4e7c93d3bc86cda29c8b8e3b07d52
# used 'platlib' instead of 'purelib'
Patch4: ldns-1.7.1-Support-sysconfig-python-module-in-python_devel.patch
# Only needed for builds from svn snapshot
%if 0%{snapshot}
@ -351,6 +357,10 @@ rm -rf doc/man
%doc doc
%changelog
* Thu Feb 24 2022 Richard Lescak <rlescak@redhat.com> - 1.7.1-9
- Fix for CVE-2020-19860 ldns: heap overread vulnerability (#2051211)
- Added also patch for deprecated distutils Python module used in build
* Wed Oct 13 2021 Richard Lescak <rlescak@redhat.com> - 1.7.1-8
- Added patch for failing rebuild with OpenSSL 3.0.0 (#2008445)
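Review bot: The provenance comment above Patch3 cites only upstream commit 15d96206, but the patch file itself also carries the follow-up 4e9861576a600a5ecfa16ec2de853c90dd9ce276 ("Fix #70 fix code"), so a reader checking the patch against upstream will find extra lines with no explanation. I would record both and the CVE on that line: `# 2051211 - CVE-2020-19860 - https://github.com/NLnetLabs/ldns/commit/15d96206996bea969fbc918eb0a4a346f514b9f3 + https://github.com/NLnetLabs/ldns/commit/4e9861576a600a5ecfa16ec2de853c90dd9ce276`. The patch file name has a typo (`out-of-boud`); it is harmless while the file and the `Patch3:` line match, but if it is ever corrected both must change together. Whether Patch3 and Patch4 are actually applied depends on an `%autosetup`/`%patch` line that is outside these hunks — worth confirming in the build log.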