From ec602fcb9f95d5dd7a498437de05508d9e07a7df Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Mon, 5 May 2014 21:29:17 -0400 Subject: [PATCH] * Tue May 06 2014 Paul Wouters - 1.6.17-3 - CVE-2014-3209 ldns: ldns-keygen generates keys with world readable permissions - Fix 1017958 - 32 and 64 bit ldns conflicts on some manual pages - Fix rhbz#1062874 - cannot install ldns.x86_64 in parallel to ldns.i686 - Incorporate fixes from Tuomo Soini - fix ldns internal provides and requires filter - fix perl-ldns requirement to include %%_isa - setup filters for perl and python bindings for internal stuff - split utils to separate package --- ldns-1.6.17-keygen.patch | 32 ++++++ ldns.spec | 209 ++++++++++++++++++++++++--------------- 2 files changed, 164 insertions(+), 77 deletions(-) create mode 100644 ldns-1.6.17-keygen.patch diff --git a/ldns-1.6.17-keygen.patch b/ldns-1.6.17-keygen.patch new file mode 100644 index 0000000..1c010f6 --- /dev/null +++ b/ldns-1.6.17-keygen.patch @@ -0,0 +1,32 @@ +diff --git a/examples/ldns-keygen.c b/examples/ldns-keygen.c +index 316d60d..f4f0116 100644 +--- a/examples/ldns-keygen.c ++++ b/examples/ldns-keygen.c +@@ -247,9 +247,14 @@ main(int argc, char *argv[]) + LDNS_FREE(filename); + } + ++ { ++ mode_t oldmask = umask(); ++ + /* print the priv key to stderr */ + filename = LDNS_XMALLOC(char, strlen(owner) + 21); + snprintf(filename, strlen(owner) + 20, "K%s+%03u+%05u.private", owner, algorithm, (unsigned int) ldns_key_keytag(key)); ++ ++ umask(077); /* ensure only owner can read private key */ + file = fopen(filename, "w"); + if (!file) { + fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno)); +@@ -262,9 +267,12 @@ main(int argc, char *argv[]) + } else { + ldns_key_print(file, key); + fclose(file); ++ umask(oldmask); + LDNS_FREE(filename); + } + ++ } ++ + /* print the DS to .ds */ + if (algorithm != LDNS_SIGN_HMACMD5 && + algorithm != LDNS_SIGN_HMACSHA1 && diff --git a/ldns.spec b/ldns.spec index dda078d..9b60395 100644 
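Review bot: `mode_t oldmask = umask();` in the added block calls umask() with no argument, which does not match its prototype `mode_t umask(mode_t)`; the later `umask(077);` should be folded into that line as `mode_t oldmask = umask(077);` so the old mask is captured and the restrictive mask applied in one call, with the separate `umask(077);` line dropped. The mask is restored only on the success branch (`umask(oldmask);` after `fclose(file)`); whether the `if (!file)` branch exits or falls through cannot be seen from the hunk, so the restore also belongs on that path unless it terminates the process. A umask only affects files being created: if the `K%s+%03u+%05u.private` file already exists with wider permissions, `fopen(filename, "w")` truncates it but keeps its mode, so a pre-existing world-readable key file stays world-readable; creating it with `open(filename, O_WRONLY|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR)` followed by `fdopen()` (or `fchmod()` on the descriptor) closes that gap without depending on the umask. The enclosing main() starts and ends outside the hunk.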
--- a/ldns.spec +++ b/ldns.spec @@ -2,9 +2,18 @@ %{?!with_perl: %global with_perl 1} %{?!with_ecc: %global with_ecc 1} -%if %{with_python} +%if %{with python} %{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")} %{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} +%{?filter_setup: +%global _ldns_internal_filter /^_ldns[.]so.*/d; +%filter_from_requires %{_ldns_internal_filter} +%filter_from_provides %{_ldns_internal_filter} +%filter_setup +} +%global _ldns_internal _ldns[.]so[.].* +%global __requires_exclude ^(%{_ldns_internal})$ +%global __provides_exclude ^(%{_ldns_internal})$ %endif %if %{with_perl} @@ -14,21 +23,33 @@ Summary: Low-level DNS(SEC) library with API Name: ldns Version: 1.6.17 -Release: 2%{?dist} +Release: 3%{?dist} + License: BSD Url: http://www.nlnetlabs.nl/%{name}/ -Source: http://www.nlnetlabs.nl/downloads/%{name}/%{name}-%{version}.tar.gz +Source0: http://www.nlnetlabs.nl/downloads/%{name}/%{name}-%{version}.tar.gz Patch1: ldns-1.6.17-multilib.patch -Patch2: %{name}-1.6.16-dsa-key-failures.patch +Patch2: ldns-1.6.16-dsa-key-failures.patch +Patch3: ldns-1.6.17-keygen.patch + Group: System Environment/Libraries -BuildRequires: libpcap-devel, openssl-devel, gcc-c++, doxygen, +# Only needed for builds from svn snapshot +# BuildRequires: libtool +# BuildRequires: autoconf +# BuildRequires: automake + +BuildRequires: libpcap-devel +BuildRequires: openssl-devel +BuildRequires: gcc-c++ +BuildRequires: doxygen + # for snapshots only # BuildRequires: libtool, autoconf, automake -%if %{with_python} -BuildRequires: python-devel, swig +%if %{with python} +BuildRequires: python-devel, swig %endif -%if %{with_perl} -BuildRequires: perl perl-ExtUtils-MakeMaker +%if %{with perl} +BuildRequires: perl-ExtUtils-MakeMaker %endif Requires: ca-certificates 
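Review bot: The hunk switches the guard to `%if %{with python}` but leaves the unchanged `%if %{with_perl}` at its tail in the old form, while the next hunk converts the matching BuildRequires guard to `%if %{with perl}`; for a consistent style this line should become `%if %{with perl}` too (both forms behave the same here because `with_perl` is defaulted by the first context line). The new filter block is set up only under the python guard; the commit message says the filters are for the perl and python bindings, but the `_ldns[.]so` pattern appears to match only the python module, not the perl `LDNS.so` packaged later in the diff, so either the message or the placement of `__requires_exclude`/`__provides_exclude` should be adjusted.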
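Review bot: The added comment block `# Only needed for builds from svn snapshot` / `# BuildRequires: libtool` / `# BuildRequires: autoconf` / `# BuildRequires: automake` duplicates the pre-existing `# for snapshots only` / `# BuildRequires: libtool, autoconf, automake` lines that remain as context directly below it; one of the two should go. Splitting `BuildRequires:` to one package per line is a good change, which leaves `BuildRequires: python-devel, swig` under the python guard as the only comma-joined line; splitting it the same way keeps the section uniform.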
@@ -41,45 +62,53 @@ packets. %package devel Summary: Development package that includes the ldns header files Group: Development/Libraries -Requires: %{name} = %{version}-%{release} +Requires: %{name}%{?_isa} = %{version}-%{release} %description devel The devel package contains the ldns library and the include files -%if %{with_python} -%package python +%package utils +Summary: DNS(SEC) utilities for querying dns +Group: Applications/System +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description utils +Collection of tools to get, check or alter DNS(SEC) data. + +%if %{with python} +%package -n python-ldns Summary: Python extensions for ldns Group: Applications/System -Requires: %{name} = %{version}-%{release} +Requires: %{name}%{?_isa} = %{version}-%{release} -%description python +%description -n python-ldns Python extensions for ldns %endif -%if %{with_perl} -%package perl +%if %{with perl} +%package -n perl-ldns Summary: Perl extensions for ldns Group: Applications/System -Requires: %{name} = %{version}-%{release} +Requires: %{name}%{?_isa} = %{version}-%{release} Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) -%description perl +%description -n perl-ldns Perl extensions for ldns %endif %package doc Summary: Documentation for the ldns library Group: Development/Libraries -Requires: %{name}-devel = %{version}-%{release} BuildArch: noarch %description doc This package contains documentation for the ldns library %prep -%setup -q +%setup -q %patch1 -p1 %patch2 -p1 -b .dsa +%patch3 -p1 -b .keygen # To built svn snapshots # rm config.guess config.sub ltmain.sh # aclocal 
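Review bot: `%package -n python-ldns` and `%package -n perl-ldns` rename the subpackages previously built as `ldns-python` and `ldns-perl`, but no `Provides:`/`Obsoletes:` for the old names are added, so installed copies of the old subpackages have no upgrade path to the new ones. Each renamed subpackage should carry the pair, e.g. for python `Provides: %{name}-python = %{version}-%{release}` and `Obsoletes: %{name}-python < 1.6.17-3` (same shape with `-perl` for the perl one). The new `utils` subpackage moves drill and the ldns-* tools out of the main package (see the `%files` hunk), so an existing install loses those binaries on upgrade unless something pulls `ldns-utils` in; if that is not intended it needs an explicit dependency, otherwise a changelog line saying so would help. Dropping `Requires: %{name}-devel` from the noarch doc package and adding `%{?_isa}` to the arch-specific Requires are both correct for the multilib fix.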
@@ -87,59 +116,74 @@ This package contains documentation for the ldns library # autoreconf --install %build -%configure --disable-rpath --disable-static \ - --with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt --with-ca-path=/etc/pki/tls/certs/ \ -%if %{with_ecc} - --enable-gost --enable-ecdsa \ +CFLAGS="%{optflags} -fPIC" +CXXFLAGS="%{optflags} -fPIC" +LDFLAGS="-Wl,-z,relro,-z,now -pie" +export CFLAGS CXXFLAGS LDFLAGS +%configure \ + --disable-rpath \ + --disable-static \ +%if %{with ecc} + --enable-gost \ + --enable-ecdsa \ %else - --disable-gost --disable-ecdsa \ + --disable-gost \ + --disable-ecdsa \ %endif -%if %{with_python} - --with-pyldns \ +%if %{with python} + --with-pyldns \ %endif + --with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt \ + --with-ca-path=/etc/pki/tls/certs/ \ --with-trust-anchor=%{_sharedstatedir}/unbound/root.key -(cd drill ; %configure --disable-rpath --disable-static \ - --with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt --with-ca-path=/etc/pki/tls/certs/ \ -%if %{with_ecc} - --enable-gost --enable-ecdsa \ +pushd drill +%configure \ + --disable-rpath \ +%if %{with ecc} + --enable-gost \ + --enable-ecdsa \ %else - --disable-gost --disable-ecdsa \ + --disable-gost \ + --disable-ecdsa \ %endif -) + --with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt \ + --with-ca-path=/etc/pki/tls/certs/ \ + --with-trust-anchor=%{_sharedstatedir}/unbound/root.key +popd -(cd examples ; %configure --disable-rpath --disable-static \ - --with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt --with-ca-path=/etc/pki/tls/certs/ \ -%if %{with_ecc} - --enable-gost --enable-ecdsa \ +pushd examples +%configure \ + --disable-rpath \ +%if %{with ecc} + --enable-gost \ + --enable-ecdsa \ %else - --disable-gost --disable-ecdsa \ + --disable-gost \ + --disable-ecdsa \ %endif -) + --with-ca-file=/etc/pki/tls/certs/ca-bundle.trust.crt \ + --with-ca-path=/etc/pki/tls/certs/ \ + --with-trust-anchor=%{_sharedstatedir}/unbound/root.key +popd # We cannot use the built-in 
--with-p5-dns-ldns -%if %{with_perl} -( - cd contrib/DNS-LDNS - perl Makefile.PL INSTALLDIRS=vendor INC="-I. -I../.." -) +%if %{with perl} + pushd contrib/DNS-LDNS + perl Makefile.PL INSTALLDIRS=vendor INC="-I. -I../.." + make + popd %endif -make %{?_smp_mflags} -( cd drill ; make %{?_smp_mflags} ) -( cd examples ; make %{?_smp_mflags} ) -%if %{with_perl} -( - cd contrib/DNS-LDNS - make %{?_smp_mflags} LDLOADLIBS="-L../../lib -lldns" -) -%endif +make %{?_smp_mflags} +make -C drill %{?_smp_mflags} +make -C examples %{?_smp_mflags} make %{?_smp_mflags} doc %install rm -rf %{buildroot} -make DESTDIR=%{buildroot} INSTALL="%{__install} -p" install +make DESTDIR=%{buildroot} INSTALL="%{__install} -p" install make DESTDIR=%{buildroot} INSTALL="%{__install} -p" install-doc # don't package xml files 
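Review bot: In the new `%if %{with perl}` block the perl `make` now runs right after `perl Makefile.PL`, before the `make %{?_smp_mflags}` that builds libldns, and the old `LDLOADLIBS="-L../../lib -lldns"` is gone; with no ldns-devel in BuildRequires the XS link step either fails or picks up whatever libldns is installed on the builder rather than the one being built — Makefile.PL's LIBS setting is not visible here, so this needs confirming. Keeping the old ordering, i.e. dropping `make` from the pushd block and adding after `make -C examples %{?_smp_mflags}` the lines `%if %{with perl}` / `make -C contrib/DNS-LDNS %{?_smp_mflags} LDLOADLIBS="-L../../lib -lldns"` / `%endif`, restores the link against the freshly built tree. Separately, `--disable-static` is kept on the top-level `%configure` but dropped from the drill and examples ones, which looks accidental given the three blocks are otherwise kept in lockstep. The exported `LDFLAGS="-Wl,-z,relro,-z,now -pie"` also reaches the shared-library link; gcc should drop `-pie` when `-shared` is given, but since `-fPIE` is not in CFLAGS the tools rely on `-fPIC` objects for their PIE link, which is worth a one-line comment so nobody later "fixes" the flags apart.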
@@ -150,43 +194,48 @@ rm doc/doxyparse.pl rm -rf doc/man # remove .la files rm -rf %{buildroot}%{_libdir}/*.la %{buildroot}%{python_sitearch}/*.la - -(cd drill ; make DESTDIR=%{buildroot} install) -(cd examples; make DESTDIR=%{buildroot} install) - -%if %{with_perl} -( - cd contrib/DNS-LDNS - make DESTDIR=%{buildroot} pure_install -) -chmod 755 %{buildroot}%{perl_vendorarch}/auto/DNS/LDNS/LDNS.so -rm -f %{buildroot}%{perl_vendorarch}/auto/DNS/LDNS/{.packlist,LDNS.bs} +make -C drill DESTDIR=%{buildroot} install +make -C examples DESTDIR=%{buildroot} install +%if %{with perl} + make -C contrib/DNS-LDNS DESTDIR=%{buildroot} pure_install + chmod 755 %{buildroot}%{perl_vendorarch}/auto/DNS/LDNS/LDNS.so + rm -f %{buildroot}%{perl_vendorarch}/auto/DNS/LDNS/{.packlist,LDNS.bs} %endif -%files +%clean +rm -rf %{buildroot} + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + +%files +%doc README LICENSE %{_libdir}/libldns*so.* + +%files utils %{_bindir}/drill %{_bindir}/ldnsd %{_bindir}/ldns-chaos %{_bindir}/ldns-compare-zones %{_bindir}/ldns-[d-z]* -%doc README LICENSE -%{_mandir}/*/*.[1358]* +%{_mandir}/man1/* %files devel +%doc Changelog README %{_libdir}/libldns*so %{_bindir}/ldns-config %dir %{_includedir}/ldns %{_includedir}/ldns/*.h -%doc Changelog README +%{_mandir}/man3/* -%if %{with_python} -%files python +%if %{with python} +%files -n python-ldns %{python_sitearch}/* %endif -%if %{with_perl} -%files perl +%if %{with perl} +%files -n perl-ldns %{perl_vendorarch}/* %exclude %dir %{perl_vendorarch}/auto/ %endif 
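Review bot: The man page globs change from `%{_mandir}/*/*.[1358]*` to `%{_mandir}/man1/*` in utils and `%{_mandir}/man3/*` in devel, so any section 5 or 8 page produced by `install-doc` becomes an installed-but-unpackaged file and fails the build; the diff does not show whether such pages exist, so this should be checked against the install tree. `%{_bindir}/ldns-config` stays in devel while every man1 page goes to utils, so if a ldns-config.1 is installed it lands in a different subpackage than its binary; an explicit `%{_mandir}/man1/ldns-config.1*` in devel with a matching `%exclude` in utils would keep them together. `%clean` and the `%post`/`%postun` ldconfig scriptlets are only moved, and putting `%doc README LICENSE` on the library package keeps the license with the always-installed subpackage.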
@@ -194,11 +243,17 @@ rm -f %{buildroot}%{perl_vendorarch}/auto/DNS/LDNS/{.packlist,LDNS.bs} %files doc %doc doc -%post -p /sbin/ldconfig - -%postun -p /sbin/ldconfig - %changelog +* Tue May 06 2014 Paul Wouters - 1.6.17-3 +- CVE-2014-3209 ldns: ldns-keygen generates keys with world readable permissions +- Fix 1017958 - 32 and 64 bit ldns conflicts on some manual pages +- Fix rhbz#1062874 - cannot install ldns.x86_64 in parallel to ldns.i686 +- Incorporate fixes from Tuomo Soini +- fix ldns internal provides and requires filter +- fix perl-ldns requirement to include %%_isa +- setup filters for perl and python bindings for internal stuff +- split utils to separate package + * Mon Mar 24 2014 Tomas Hozza - 1.6.17-2 - Fix error causing ldns to sometimes produce faulty DSA sign (#1077776) - Fix FTBFS due to perl modules