main/ldns: upgrade to 1.6.17 and security fix for CVE-2014-3209

fixes #2926

2 files changed, 90 insertions, 3 deletions

diff --git a/main/ldns/APKBUILD b/main/ldns/APKBUILD
index 75041a6339..e5e7941272 100644
--- a/main/ldns/APKBUILD
+++ b/main/ldns/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Carlo Landmeter <clandmeter@gmail.com>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=ldns
-pkgver=1.6.16
+pkgver=1.6.17
 pkgrel=0
 pkgdesc="Lowlevel DNS(SEC) library"
 url="http://nlnetlabs.nl/projects/ldns/"
@@ -12,7 +12,9 @@ depends_dev="openssl-dev"
 makedepends="$depends_dev perl"
 install=""
 subpackages="$pkgname-dev $pkgname-doc drill $pkgname-tools"
-source="http://nlnetlabs.nl/downloads/ldns/ldns-$pkgver.tar.gz"
+source="http://nlnetlabs.nl/downloads/ldns/ldns-$pkgver.tar.gz
+	CVE-2014-3209.patch
+	"
 
 _builddir="$srcdir"/ldns-$pkgver
 prepare() {
@@ -62,4 +64,9 @@ tools() {
 	mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
 }
 
-md5sums="9ab2b402127cf24dffefaacbb727cad7  ldns-1.6.16.tar.gz"
+md5sums="a79423bcc4129e6d59b616b1cae11e5e  ldns-1.6.17.tar.gz
+6923f96397cee285a8b390af6362c62c  CVE-2014-3209.patch"
+sha256sums="8b88e059452118e8949a2752a55ce59bc71fa5bc414103e17f5b6b06f9bcc8cd  ldns-1.6.17.tar.gz
+12fe00517756fd6923d992e694471fb9e521c279e99fa4e0fb395ef10e5165eb  CVE-2014-3209.patch"
+sha512sums="5de42b4b8622591db51efb0956735deee9cd5e0bee12249a03b65c5b45d7c51bf9c2edb310ef9d7431af49aef77d968bfa2455a7dedfa80cde3d433436c83785  ldns-1.6.17.tar.gz
+cc17fff95a61db8427c3496c0b0a4d991126b3b331a04f79496acb6fcca63ec47606acbcebd3578a944c0f4e3eaf6aff16a908a6dae3fe954751a1bec3ccecc8  CVE-2014-3209.patch"
diff --git a/main/ldns/CVE-2014-3209.patch b/main/ldns/CVE-2014-3209.patch
new file mode 100644
index 0000000000..83f8f0cbd7
--- /dev/null
+++ b/main/ldns/CVE-2014-3209.patch
@@ -0,0 +1,80 @@
+From 169f38c1e25750f935838b670871056428977e6b Mon Sep 17 00:00:00 2001
+From: Willem Toorop <willem@nlnetlabs.nl>
+Date: Mon, 05 May 2014 22:46:08 +0200
+Subject: bugfix#573 ldns-keygen write private mode 0600
+
+---
+diff --git a/examples/ldns-keygen.c b/examples/ldns-keygen.c
+index 1b8a00a..93a1ee7 100644
+--- a/examples/ldns-keygen.c
++++ b/examples/ldns-keygen.c
+@@ -10,6 +10,9 @@
+ 
+ #include <ldns/ldns.h>
+ 
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <fcntl.h>
+ #include <errno.h>
+ 
+ #ifdef HAVE_SSL
+@@ -48,6 +51,7 @@ int
+ main(int argc, char *argv[])
+ {
+ 	int c;
++	int fd;
+ 	char *prog;
+ 
+ 	/* default key size */
+@@ -254,21 +258,21 @@ main(int argc, char *argv[])
+ 	/* print the priv key to stderr */
+ 	filename = LDNS_XMALLOC(char, strlen(owner) + 21);
+ 	snprintf(filename, strlen(owner) + 20, "K%s+%03u+%05u.private", owner, algorithm, (unsigned int) ldns_key_keytag(key));
+-	file = fopen(filename, "w");
++	/* use open() here to prevent creating world-readable private keys (CVE-2014-3209)*/
++	fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
++	if (fd < 0) {
++		goto fail;
++	}
++
++	file = fdopen(fd, "w");
+ 	if (!file) {
+-		fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
+-		ldns_key_deep_free(key);
+-		free(owner);
+-		ldns_rr_free(pubkey);
+-		ldns_rr_free(ds);
+-		LDNS_FREE(filename);
+-		exit(EXIT_FAILURE);
+-	} else {
+-		ldns_key_print(file, key);
+-		fclose(file);
+-		LDNS_FREE(filename);
++		goto fail;
+ 	}
+ 
++	ldns_key_print(file, key);
++	fclose(file);
++	LDNS_FREE(filename);
++
+ 	/* print the DS to .ds */
+ 	if (algorithm != LDNS_SIGN_HMACMD5 &&
+ 		algorithm != LDNS_SIGN_HMACSHA1 &&
+@@ -300,6 +304,15 @@ main(int argc, char *argv[])
+ 	ldns_rr_free(pubkey);
+ 	ldns_rr_free(ds);
+ 	exit(EXIT_SUCCESS);
++
++fail:
++	fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
++	ldns_key_deep_free(key);
++	free(owner);
++	ldns_rr_free(pubkey);
++	ldns_rr_free(ds);
++	LDNS_FREE(filename);
++	exit(EXIT_FAILURE);
+ }
+ #else
+ int
+--
+cgit v0.9.2