diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2014-05-22 12:54:09 +0000 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2014-05-22 12:54:09 +0000 |
| commit | 39a0663834fda2690f8b749de369700e7d995fdd (patch) | |
| tree | 2134cb181baf2094b8483250af096997a4d0a46c /main/ldns/CVE-2014-3209.patch | |
| parent | 6abfda6f33aa4e1558a40dacf9f9026f25375d21 (diff) | |
| download | aports-39a0663834fda2690f8b749de369700e7d995fdd.tar.bz2 aports-39a0663834fda2690f8b749de369700e7d995fdd.tar.xz | |
main/ldns: security fix for CVE-2014-3209
ref 2924
Diffstat (limited to 'main/ldns/CVE-2014-3209.patch')
| -rw-r--r-- | main/ldns/CVE-2014-3209.patch | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/main/ldns/CVE-2014-3209.patch b/main/ldns/CVE-2014-3209.patch new file mode 100644 index 0000000000..83f8f0cbd7 --- /dev/null +++ b/main/ldns/CVE-2014-3209.patch @@ -0,0 +1,80 @@ +From 169f38c1e25750f935838b670871056428977e6b Mon Sep 17 00:00:00 2001 +From: Willem Toorop <willem@nlnetlabs.nl> +Date: Mon, 05 May 2014 22:46:08 +0200 +Subject: bugfix#573 ldns-keygen write private mode 0600 + +--- +diff --git a/examples/ldns-keygen.c b/examples/ldns-keygen.c +index 1b8a00a..93a1ee7 100644 +--- a/examples/ldns-keygen.c ++++ b/examples/ldns-keygen.c +@@ -10,6 +10,9 @@ + + #include <ldns/ldns.h> + ++#include <sys/types.h> ++#include <sys/stat.h> ++#include <fcntl.h> + #include <errno.h> + + #ifdef HAVE_SSL +@@ -48,6 +51,7 @@ int + main(int argc, char *argv[]) + { + int c; ++ int fd; + char *prog; + + /* default key size */ +@@ -254,21 +258,21 @@ main(int argc, char *argv[]) + /* print the priv key to stderr */ + filename = LDNS_XMALLOC(char, strlen(owner) + 21); + snprintf(filename, strlen(owner) + 20, "K%s+%03u+%05u.private", owner, algorithm, (unsigned int) ldns_key_keytag(key)); +- file = fopen(filename, "w"); ++ /* use open() here to prevent creating world-readable private keys (CVE-2014-3209)*/ ++ fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR); ++ if (fd < 0) { ++ goto fail; ++ } ++ ++ file = fdopen(fd, "w"); + if (!file) { +- fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno)); +- ldns_key_deep_free(key); +- free(owner); +- ldns_rr_free(pubkey); +- ldns_rr_free(ds); +- LDNS_FREE(filename); +- exit(EXIT_FAILURE); +- } else { +- ldns_key_print(file, key); +- fclose(file); +- LDNS_FREE(filename); ++ goto fail; + } + ++ ldns_key_print(file, key); ++ fclose(file); ++ LDNS_FREE(filename); ++ + /* print the DS to .ds */ + if (algorithm != LDNS_SIGN_HMACMD5 && + algorithm != LDNS_SIGN_HMACSHA1 && +@@ -300,6 +304,15 @@ main(int argc, char *argv[]) + ldns_rr_free(pubkey); + ldns_rr_free(ds); + exit(EXIT_SUCCESS); ++ ++fail: ++ fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno)); ++ ldns_key_deep_free(key); ++ free(owner); ++ ldns_rr_free(pubkey); ++ ldns_rr_free(ds); ++ LDNS_FREE(filename); ++ exit(EXIT_FAILURE); + } + #else + int +-- +cgit v0.9.2 |