diff --git a/ldns-1.7.1-Support-sysconfig-python-module-in-python_devel.patch b/ldns-1.7.1-Support-sysconfig-python-module-in-python_devel.patch
new file mode 100644
index 0000000..bb3f395
--- /dev/null
+++ b/ldns-1.7.1-Support-sysconfig-python-module-in-python_devel.patch
@@ -0,0 +1,147 @@ +diff -urN a/ldns-1.7.1/ax_python_devel.m4 b/ldns-1.7.1/ax_python_devel.m4 +--- a/ldns-1.7.1/ax_python_devel.m4 2019-07-26 17:07:44.000000000 +0200 ++++ b/ldns-1.7.1/ax_python_devel.m4 2022-02-15 12:35:30.881489085 +0100 +@@ -135,16 +135,24 @@ + # + # Check if you have distutils, else fail + # +- AC_MSG_CHECKING([for the distutils Python package]) +- ac_distutils_result=`$PYTHON -c "import distutils" 2>&1` +- if test -z "$ac_distutils_result"; then ++ AC_MSG_CHECKING([for the sysconfig Python package]) ++ ac_sysconfig_result=`$PYTHON -c "import sysconfig" 2>&1` ++ if test $? -eq 0; then + AC_MSG_RESULT([yes]) ++ IMPORT_SYSCONFIG="import sysconfig" + else + AC_MSG_RESULT([no]) +- AC_MSG_ERROR([cannot import Python module "distutils". ++ AC_MSG_CHECKING([for the distutils Python package]) ++ ac_sysconfig_result=`$PYTHON -c "from distutils import sysconfig" 2>&1` ++ if test $? -eq 0; then ++ AC_MSG_RESULT([yes]) ++ IMPORT_SYSCONFIG="from distutils import sysconfig" ++ else ++ AC_MSG_ERROR([cannot import Python module "distutils". + Please check your Python installation. 
The error was: +-$ac_distutils_result]) +- PYTHON_VERSION="" ++$ac_sysconfig_result]) ++ PYTHON_VERSION="" ++ fi + fi + + # +@@ -152,10 +160,19 @@ + # + AC_MSG_CHECKING([for Python include path]) + if test -z "$PYTHON_CPPFLAGS"; then +- python_path=`$PYTHON -c "import distutils.sysconfig; \ +- print (distutils.sysconfig.get_python_inc ());"` +- plat_python_path=`$PYTHON -c "import distutils.sysconfig; \ +- print (distutils.sysconfig.get_python_inc (plat_specific=1));"` ++ if test "$IMPORT_SYSCONFIG" = "import sysconfig"; then ++ # sysconfig module has different functions ++ python_path=`$PYTHON -c "$IMPORT_SYSCONFIG; \ ++ print (sysconfig.get_path ('include'));"` ++ plat_python_path=`$PYTHON -c "$IMPORT_SYSCONFIG; \ ++ print (sysconfig.get_path ('platinclude'));"` ++ else ++ # old distutils way ++ python_path=`$PYTHON -c "$IMPORT_SYSCONFIG; \ ++ print (sysconfig.get_python_inc ());"` ++ plat_python_path=`$PYTHON -c "$IMPORT_SYSCONFIG; \ ++ print (sysconfig.get_python_inc (plat_specific=1));"` ++ fi + if test -n "${python_path}"; then + if test "${plat_python_path}" != "${python_path}"; then + python_path="-I$python_path -I$plat_python_path" +@@ -179,7 +196,7 @@ + + # join all versioning strings, on some systems + # major/minor numbers could be in different list elements +-from distutils.sysconfig import * ++from sysconfig import * + e = get_config_var('VERSION') + if e is not None: + print(e) +@@ -202,8 +219,8 @@ + ac_python_libdir=`cat< +Date: Tue, 24 Sep 2019 16:50:27 +0200 +Subject: [PATCH 1/2] * bugfix #70: heap Out-of-bound Read vulnerability in +rr_frm_str_internal reported by pokerfacett. + +From 4e9861576a600a5ecfa16ec2de853c90dd9ce276 Mon Sep 17 00:00:00 2001 +From: Wouter Wijngaards +Date: Tue, 24 Sep 2019 16:51:09 +0200 +Subject: [PATCH 2/2] Fix #70 fix code. 
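Review bot: The Python snippet in the `@@ -179,7 +196,7 @@` hunk of ax_python_devel.m4 now runs `from sysconfig import *` unconditionally, so the distutils fallback selected in the first hunk is not honoured there; on an interpreter where `import sysconfig` failed, this version probe fails as well. The include-path hunk already branches on `$IMPORT_SYSCONFIG`, and the same selection should apply here, for instance by emitting `from distutils.sysconfig import *` when the fallback was taken. In the first hunk, the inner failure branch calls `AC_MSG_ERROR` without a preceding `AC_MSG_RESULT([no])`, and the message still names only "distutils" although sysconfig was tried first. The rest of this patch is cut off on the page, so the later hunks were not reviewed.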
+ +diff --git a/ldns-1.7.1/rr.c b/ldns-1.7.1/rr.c +index 6642aca7..adf67ae4 100644 +--- a/ldns-1.7.1/rr.c ++++ b/ldns-1.7.1/rr.c +@@ -365,15 +365,18 @@ ldns_rr_new_frm_str_internal(ldns_rr **newrr, const char *str, + ldns_buffer_remaining(rd_buf) > 0){ + + /* skip spaces */ +- while (*(ldns_buffer_current(rd_buf)) == ' ') { ++ while (ldns_buffer_remaining(rd_buf) > 0 && ++ *(ldns_buffer_current(rd_buf)) == ' ') { + ldns_buffer_skip(rd_buf, 1); + } + +- if (*(ldns_buffer_current(rd_buf)) == '\"') { ++ if (ldns_buffer_remaining(rd_buf) > 0 && ++ *(ldns_buffer_current(rd_buf)) == '\"') { + delimiters = "\"\0"; + ldns_buffer_skip(rd_buf, 1); + quoted = true; +- } else if (ldns_rr_descriptor_field_type(desc, r_cnt) ++ } ++ if (!quoted && ldns_rr_descriptor_field_type(desc, r_cnt) + == LDNS_RDF_TYPE_LONG_STR) { + + status = LDNS_STATUS_SYNTAX_RDATA_ERR; +-- +2.34.1 + + diff --git a/ldns.spec b/ldns.spec index 25a1579..191dde4 100644 --- a/ldns.spec +++ b/ldns.spec @@ -39,7 +39,7 @@ Summary: Low-level DNS(SEC) library with API Name: ldns Version: 1.7.1 -Release: 8%{?dist} +Release: 9%{?dist} License: BSD Url: https://www.nlnetlabs.nl/%{name}/ @@ -50,6 +50,12 @@ Source2: https://keys.openpgp.org/vks/v1/by-fingerprint/DC34EE5DB2417BCC151E5100 Patch1: ldns-1.7.0-multilib.patch # 2008445 - https://github.com/NLnetLabs/ldns/commit/12ab6f7a408cd99e9b43b7db86724c2ee66bc36e Patch2: ldns-1.7.1-openssl-build.patch +# 2051211 - https://github.com/NLnetLabs/ldns/commit/15d96206996bea969fbc918eb0a4a346f514b9f3 +Patch3: ldns-1.7.1-out-of-boud-read-vuln.patch +# https://github.com/autoconf-archive/autoconf-archive/commit/7f21e125bbe4e7c93d3bc86cda29c8b8e3b07d52 +# used 'platlib' instead of 'purelib' +Patch4: ldns-1.7.1-Support-sysconfig-python-module-in-python_devel.patch + # Only needed for builds from svn snapshot %if 0%{snapshot} 
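Review bot: The new `if (!quoted && ...)` in the `@@ -365,15 +365,18 @@` hunk of rr.c matches the old `else if` only when `quoted` is false on entry for each rdata field. Its reset is outside the hunk, so confirm it is cleared per iteration; otherwise a quote seen on an earlier field would suppress the `LDNS_STATUS_SYNTAX_RDATA_ERR` check for a later LONG_STR field. The two added `ldns_buffer_remaining(rd_buf) > 0` guards deserve a why-comment, for example `/* the space skip can exhaust rd_buf; never dereference the end position */`. When the buffer is exhausted and the field is not LONG_STR, control continues into parsing code outside the hunk, which should be checked against zero remaining bytes and covered by a regression input made only of trailing spaces. The body of ldns_rr_new_frm_str_internal starts and ends outside the hunk.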
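Review bot: The comment above `Patch3` in the `@@ -50,6 +50,12 @@` hunk of ldns.spec cites a single upstream commit, while the patch text visible on this page (apparently the Patch3 file; its file header is cut off) carries two mail headers, `[PATCH 1/2]` and `[PATCH 2/2]`. The provenance comment should list both commits so that a later audit can match the CVE fix against upstream. The %prep section is outside the hunk; if it uses explicit `%patchN` lines rather than `%autosetup`, `Patch3` and `Patch4` need entries there or the fix is declared but never applied. The file name spells `out-of-boud`, which will not be found by a search for "bound".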
@@ -351,6 +357,10 @@ rm -rf doc/man %doc doc %changelog +* Thu Feb 24 2022 Richard Lescak - 1.7.1-9 +- Fix for CVE-2020-19860 ldns: heap overread vulnerability (#2051211) +- Added also patch for deprecated distutils Python module used in build + * Wed Oct 13 2021 Richard Lescak - 1.7.1-8 - Added patch for failing rebuild with OpenSSL 3.0.0 (#2008445)