* Tue May 06 2014 Paul Wouters <pwouters@redhat.com> - 1.6.17-3

- CVE-2014-3209 ldns: ldns-keygen generates keys with world readable permissions - Fix 1017958 - 32 and 64 bit ldns conflicts on some manual pages - Fix rhbz#1062874 - cannot install ldns.x86_64 in parallel to ldns.i686 - Incorporate fixes from Tuomo Soini <tis@foobar.fi> - fix ldns internal provides and requires filter - fix perl-ldns requirement to include %%_isa - setup filters for perl and python bindings for internal stuff - split utils to separate package
2014-05-05 21:29:17 -04:00 · 2014-05-05 21:29:17 -04:00 · ec602fcb9f
commit ec602fcb9f
parent 62e67385b6
2 changed files with 164 additions and 77 deletions
--- a/ldns-1.6.17-keygen.patch
+++ b/ldns-1.6.17-keygen.patch
@ -0,0 +1,32 @@
+diff --git a/examples/ldns-keygen.c b/examples/ldns-keygen.c
+index 316d60d..f4f0116 100644
+--- a/examples/ldns-keygen.c
+++ b/examples/ldns-keygen.c
+@@ -247,9 +247,14 @@ main(int argc, char *argv[])
+ 		LDNS_FREE(filename);
+ 	}
+ 
+	{
+	mode_t oldmask = umask();
+
+ 	/* print the priv key to stderr */
+ 	filename = LDNS_XMALLOC(char, strlen(owner) + 21);
+ 	snprintf(filename, strlen(owner) + 20, "K%s+%03u+%05u.private", owner, algorithm, (unsigned int) ldns_key_keytag(key));
+
+	umask(077); /* ensure only owner can read private key */
+ 	file = fopen(filename, "w");
+ 	if (!file) {
+ 		fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
+@@ -262,9 +267,12 @@ main(int argc, char *argv[])
+ 	} else {
+ 		ldns_key_print(file, key);
+ 		fclose(file);
+		umask(oldmask);
+ 		LDNS_FREE(filename);
+ 	}
+ 
+	}
+
+ 	/* print the DS to .ds */
+ 	if (algorithm != LDNS_SIGN_HMACMD5 &&
+ 		algorithm != LDNS_SIGN_HMACSHA1 &&
--- a/ldns.spec
+++ b/ldns.spec
@ -2,9 +2,18 @@
 %{?!with_perl:        %global with_perl        1}
 %{?!with_ecc:        %global with_ecc          1}

-%if %{with_python}
+%if %{with python}
 %{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
 %{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+%{?filter_setup:
+%global _ldns_internal_filter /^_ldns[.]so.*/d;
+%filter_from_requires %{_ldns_internal_filter}
+%filter_from_provides %{_ldns_internal_filter}
+%filter_setup
+}
+%global _ldns_internal _ldns[.]so[.].*
+%global __requires_exclude ^(%{_ldns_internal})$
+%global __provides_exclude ^(%{_ldns_internal})$
 %endif

 %if %{with_perl}
@ -14,21 +23,33 @@
 Summary: Low-level DNS(SEC) library with API
 Name: ldns
 Version: 1.6.17
-Release: 2%{?dist}
+Release: 3%{?dist}
+
 License: BSD
 Url: http://www.nlnetlabs.nl/%{name}/
-Source: http://www.nlnetlabs.nl/downloads/%{name}/%{name}-%{version}.tar.gz
+Source0: http://www.nlnetlabs.nl/downloads/%{name}/%{name}-%{version}.tar.gz
 Patch1: ldns-1.6.17-multilib.patch
-Patch2: %{name}-1.6.16-dsa-key-failures.patch
+Patch2: ldns-1.6.16-dsa-key-failures.patch
+Patch3: ldns-1.6.17-keygen.patch
+
 Group: System Environment/Libraries
-BuildRequires: libpcap-devel, openssl-devel, gcc-c++, doxygen,
+# Only needed for builds from svn snapshot
+# BuildRequires: libtool
+# BuildRequires: autoconf
+# BuildRequires: automake
+
+BuildRequires: libpcap-devel
+BuildRequires: openssl-devel
+BuildRequires: gcc-c++
+BuildRequires: doxygen
+
 # for snapshots only
 # BuildRequires: libtool, autoconf, automake
-%if %{with_python}
-BuildRequires:  python-devel, swig
+%if %{with python}
+BuildRequires: python-devel, swig
 %endif
-%if %{with_perl}
-BuildRequires:  perl perl-ExtUtils-MakeMaker
+%if %{with perl}
+BuildRequires: perl-ExtUtils-MakeMaker
 %endif
 Requires: ca-certificates

@ -41,45 +62,53 @@ packets.
 %package devel
 Summary: Development package that includes the ldns header files
 Group: Development/Libraries
-Requires: %{name} = %{version}-%{release}
+Requires: %{name}%{?_isa} = %{version}-%{release}

 %description devel
 The devel package contains the ldns library and the include files

-%if %{with_python}
-%package python
+%package utils
+Summary: DNS(SEC) utilities for querying dns
+Group: Applications/System
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description utils
+Collection of tools to get, check or alter DNS(SEC) data.
+
+%if %{with python}
+%package -n python-ldns
 Summary: Python extensions for ldns
 Group: Applications/System
-Requires: %{name} = %{version}-%{release}
+Requires: %{name}%{?_isa} = %{version}-%{release}

-%description python
+%description -n python-ldns
 Python extensions for ldns
 %endif

-%if %{with_perl}
-%package perl
+%if %{with perl}
+%package -n perl-ldns
 Summary: Perl extensions for ldns
 Group: Applications/System
-Requires: %{name} = %{version}-%{release}
+Requires: %{name}%{?_isa} = %{version}-%{release}
 Requires:  perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))

-%description perl
+%description -n perl-ldns
 Perl extensions for ldns
 %endif

 %package doc
 Summary: Documentation for the ldns library
 Group: Development/Libraries
-Requires: %{name}-devel = %{version}-%{release}
 BuildArch: noarch

 %description doc
 This package contains documentation for the ldns library

 %prep
-%setup -q 
+%setup -q
 %patch1 -p1
 %patch2 -p1 -b .dsa
+%patch3 -p1 -b .keygen
 # To built svn snapshots
 # rm config.guess config.sub ltmain.sh
 # aclocal
@ -87,59 +116,74 @@ This package contains documentation for the ldns library
 # autoreconf --install

 %build
-%configure --disable-rpath --disable-static \
- --with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt --with-ca-path=/etc/pki/tls/certs/ \
-%if %{with_ecc}
- --enable-gost --enable-ecdsa \
+CFLAGS="%{optflags} -fPIC"
+CXXFLAGS="%{optflags} -fPIC"
+LDFLAGS="-Wl,-z,relro,-z,now -pie"
+export CFLAGS CXXFLAGS LDFLAGS
+%configure \
+  --disable-rpath \
+  --disable-static \
+%if %{with ecc}
+  --enable-gost \
+  --enable-ecdsa \
 %else
- --disable-gost --disable-ecdsa \
+  --disable-gost \
+  --disable-ecdsa \
 %endif
-%if %{with_python}
- --with-pyldns \
+%if %{with python}
+  --with-pyldns \
 %endif
+  --with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt \
+  --with-ca-path=/etc/pki/tls/certs/ \
  --with-trust-anchor=%{_sharedstatedir}/unbound/root.key

-(cd drill ; %configure --disable-rpath --disable-static \
-   --with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt --with-ca-path=/etc/pki/tls/certs/ \
-%if %{with_ecc}
- --enable-gost --enable-ecdsa \
+pushd drill
+%configure \
+  --disable-rpath \
+%if %{with ecc}
+  --enable-gost \
+  --enable-ecdsa \
 %else
- --disable-gost --disable-ecdsa \
+  --disable-gost \
+  --disable-ecdsa \
 %endif
-)
+  --with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt \
+  --with-ca-path=/etc/pki/tls/certs/ \
+  --with-trust-anchor=%{_sharedstatedir}/unbound/root.key
+popd

-(cd examples ; %configure --disable-rpath --disable-static \
-   --with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt --with-ca-path=/etc/pki/tls/certs/ \
-%if %{with_ecc}
- --enable-gost --enable-ecdsa \
+pushd examples
+%configure \
+  --disable-rpath \
+%if %{with ecc}
+  --enable-gost \
+  --enable-ecdsa \
 %else
- --disable-gost --disable-ecdsa \
+  --disable-gost \
+  --disable-ecdsa \
 %endif
-)
+  --with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt \
+  --with-ca-path=/etc/pki/tls/certs/ \
+  --with-trust-anchor=%{_sharedstatedir}/unbound/root.key
+popd

 # We cannot use the built-in --with-p5-dns-ldns
-%if %{with_perl}
-(
-   cd contrib/DNS-LDNS
-   perl Makefile.PL INSTALLDIRS=vendor INC="-I. -I../.."
-)
+%if %{with perl}
+  pushd contrib/DNS-LDNS
+  perl Makefile.PL INSTALLDIRS=vendor  INC="-I. -I../.."
+  make
+  popd
 %endif

-make %{?_smp_mflags} 
-( cd drill ; make %{?_smp_mflags} )
-( cd examples ; make %{?_smp_mflags} )
-%if %{with_perl}
-(
-   cd contrib/DNS-LDNS
-   make %{?_smp_mflags} LDLOADLIBS="-L../../lib -lldns"
-)
-%endif
+make %{?_smp_mflags}
+make -C drill %{?_smp_mflags}
+make -C examples %{?_smp_mflags}
 make %{?_smp_mflags} doc

 %install
 rm -rf %{buildroot}

-make DESTDIR=%{buildroot} INSTALL="%{__install} -p" install 
+make DESTDIR=%{buildroot} INSTALL="%{__install} -p" install
 make DESTDIR=%{buildroot} INSTALL="%{__install} -p" install-doc

 # don't package xml files
@ -150,43 +194,48 @@ rm doc/doxyparse.pl
 rm -rf doc/man
 # remove .la files
 rm -rf %{buildroot}%{_libdir}/*.la %{buildroot}%{python_sitearch}/*.la
-
-(cd drill ; make DESTDIR=%{buildroot} install)
-(cd examples; make DESTDIR=%{buildroot} install)
-
-%if %{with_perl}
-(
-   cd contrib/DNS-LDNS
-   make  DESTDIR=%{buildroot} pure_install
-)
-chmod 755 %{buildroot}%{perl_vendorarch}/auto/DNS/LDNS/LDNS.so
-rm -f %{buildroot}%{perl_vendorarch}/auto/DNS/LDNS/{.packlist,LDNS.bs}
+make -C drill DESTDIR=%{buildroot} install
+make -C examples DESTDIR=%{buildroot} install
+%if %{with perl}
+  make -C contrib/DNS-LDNS DESTDIR=%{buildroot} pure_install
+  chmod 755 %{buildroot}%{perl_vendorarch}/auto/DNS/LDNS/LDNS.so
+  rm -f %{buildroot}%{perl_vendorarch}/auto/DNS/LDNS/{.packlist,LDNS.bs}
 %endif

-%files 
+%clean
+rm -rf %{buildroot}
+
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
+
+%files
+%doc README LICENSE
 %{_libdir}/libldns*so.*
+
+%files utils
 %{_bindir}/drill
 %{_bindir}/ldnsd
 %{_bindir}/ldns-chaos
 %{_bindir}/ldns-compare-zones
 %{_bindir}/ldns-[d-z]*
-%doc README LICENSE
-%{_mandir}/*/*.[1358]*
+%{_mandir}/man1/*

 %files devel
+%doc Changelog README
 %{_libdir}/libldns*so
 %{_bindir}/ldns-config
 %dir %{_includedir}/ldns
 %{_includedir}/ldns/*.h
-%doc Changelog README
+%{_mandir}/man3/*

-%if %{with_python}
-%files python
+%if %{with python}
+%files -n python-ldns
 %{python_sitearch}/*
 %endif

-%if %{with_perl}
-%files perl
+%if %{with perl}
+%files -n perl-ldns
 %{perl_vendorarch}/*
 %exclude %dir %{perl_vendorarch}/auto/
 %endif
@ -194,11 +243,17 @@ rm -f %{buildroot}%{perl_vendorarch}/auto/DNS/LDNS/{.packlist,LDNS.bs}
 %files doc
 %doc doc

-%post -p /sbin/ldconfig
-
-%postun -p /sbin/ldconfig
-
 %changelog
+* Tue May 06 2014 Paul Wouters <pwouters@redhat.com> - 1.6.17-3
+- CVE-2014-3209 ldns: ldns-keygen generates keys with world readable permissions
+- Fix 1017958 - 32 and 64 bit ldns conflicts on some manual pages
+- Fix rhbz#1062874 - cannot install ldns.x86_64 in parallel to ldns.i686
+- Incorporate fixes from Tuomo Soini <tis@foobar.fi>
+- fix ldns internal provides and requires filter
+- fix perl-ldns requirement to include %%_isa
+- setup filters for perl and python bindings for internal stuff
+- split utils to separate package
+
 * Mon Mar 24 2014 Tomas Hozza <thozza@redhat.com> - 1.6.17-2
 - Fix error causing ldns to sometimes produce faulty DSA sign (#1077776)
 - Fix FTBFS due to perl modules