Fix fortification issues

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2023-01-30 12:00:33 +02:00 · 2023-01-30 12:00:33 +02:00 · ca78a1bdbf
commit ca78a1bdbf
parent 4dd7781f5f
2 changed files with 43 additions and 1 deletions
--- a/0001-Pass-right-remaining-buffer-size-in-hsm_hex_unparse-.patch
+++ b/0001-Pass-right-remaining-buffer-size-in-hsm_hex_unparse-.patch
@ -0,0 +1,35 @@
+From 4d87db0f11bcdd5c54fadb92351b603bd07f76f8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Mon, 30 Jan 2023 11:44:49 +0200
+Subject: [PATCH] Pass right remaining buffer size in hsm_hex_unparse to handle
+ string fortification
+
+When string fortification is in use (-DFORTIFY_SOURCE=3), GCC and glibc
+will cut few bytes off the string buffer for prevention of buffer
+overruns. As a result, hsm_hex_unparse() will call into snprintf() with
+a buffer length bigger than the size of the buffer as seen by the
+GCC/glibc pair.
+
+See also: https://pagure.io/freeipa/issue/9312
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ libhsm/src/lib/libhsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libhsm/src/lib/libhsm.c b/libhsm/src/lib/libhsm.c
+index 88dc79e31..8f1e0c3bc 100644
+--- a/libhsm/src/lib/libhsm.c
+++ b/libhsm/src/lib/libhsm.c
+@@ -1382,7 +1382,7 @@ hsm_hex_unparse(char *dst, const unsigned char *src, size_t len)
+     size_t i;
+ 
+     for (i = 0; i < len; i++) {
+-        snprintf(dst + (2*i), dst_len, "%02x", src[i]);
+        snprintf(dst + (2*i), dst_len - (2*i), "%02x", src[i]);
+     }
+     dst[len*2] = '\0';
+ }
+-- 
+2.39.0
+
--- a/opendnssec.spec
+++ b/opendnssec.spec
@ -4,7 +4,7 @@
 Summary: DNSSEC key and zone management software
 Name: opendnssec
 Version: 2.1.10
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: BSD
 Url: http://www.opendnssec.org/
 Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
@ -16,6 +16,7 @@ Source5: tmpfiles-opendnssec.conf
 Source6: opendnssec.cron
 Source7: opendnssec-2.1.sqlite_convert.sql
 Source8: opendnssec-2.1.sqlite_rpmversion.sql
+Patch1: 0001-Pass-right-remaining-buffer-size-in-hsm_hex_unparse-.patch

 Requires: opencryptoki, softhsm >= 2.5.0 , systemd-units
 Requires: libxml2, libxslt sqlite
@ -45,6 +46,8 @@ name server. It requires a PKCS#11 crypto module library, such as softhsm

 %prep
 %setup -q -n %{name}-%{version}%{?prever}
+%patch1 -p1
+
 # bump default policy ZSK keysize to 2048
 sed -i "s/1024/2048/" conf/kasp.xml.in

@ -178,6 +181,10 @@ ods-enforcer update all >/dev/null 2>/dev/null ||:
 %systemd_postun_with_restart ods-signerd.service

 %changelog
+* Mon Jan 30 2023 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.10-5
+- Fix fortification issues leading to crash in FreeIPA setup
+  Upstream PR: https://github.com/opendnssec/opendnssec/pull/842
+
 * Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.10-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild