aboutsummaryrefslogtreecommitdiffstats
path: root/main/ldns/CVE-2014-3209.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/ldns/CVE-2014-3209.patch')
-rw-r--r--main/ldns/CVE-2014-3209.patch80
1 files changed, 80 insertions, 0 deletions
diff --git a/main/ldns/CVE-2014-3209.patch b/main/ldns/CVE-2014-3209.patch
new file mode 100644
index 0000000000..83f8f0cbd7
--- /dev/null
+++ b/main/ldns/CVE-2014-3209.patch
@@ -0,0 +1,80 @@
+From 169f38c1e25750f935838b670871056428977e6b Mon Sep 17 00:00:00 2001
+From: Willem Toorop <willem@nlnetlabs.nl>
+Date: Mon, 05 May 2014 22:46:08 +0200
+Subject: bugfix#573 ldns-keygen write private mode 0600
+
+---
+diff --git a/examples/ldns-keygen.c b/examples/ldns-keygen.c
+index 1b8a00a..93a1ee7 100644
+--- a/examples/ldns-keygen.c
++++ b/examples/ldns-keygen.c
+@@ -10,6 +10,9 @@
+
+ #include <ldns/ldns.h>
+
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <fcntl.h>
+ #include <errno.h>
+
+ #ifdef HAVE_SSL
+@@ -48,6 +51,7 @@ int
+ main(int argc, char *argv[])
+ {
+ int c;
++ int fd;
+ char *prog;
+
+ /* default key size */
+@@ -254,21 +258,21 @@ main(int argc, char *argv[])
+ /* print the priv key to stderr */
+ filename = LDNS_XMALLOC(char, strlen(owner) + 21);
+ snprintf(filename, strlen(owner) + 20, "K%s+%03u+%05u.private", owner, algorithm, (unsigned int) ldns_key_keytag(key));
+- file = fopen(filename, "w");
++ /* use open() here to prevent creating world-readable private keys (CVE-2014-3209)*/
++ fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
++ if (fd < 0) {
++ goto fail;
++ }
++
++ file = fdopen(fd, "w");
+ if (!file) {
+- fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
+- ldns_key_deep_free(key);
+- free(owner);
+- ldns_rr_free(pubkey);
+- ldns_rr_free(ds);
+- LDNS_FREE(filename);
+- exit(EXIT_FAILURE);
+- } else {
+- ldns_key_print(file, key);
+- fclose(file);
+- LDNS_FREE(filename);
++ goto fail;
+ }
+
++ ldns_key_print(file, key);
++ fclose(file);
++ LDNS_FREE(filename);
++
+ /* print the DS to .ds */
+ if (algorithm != LDNS_SIGN_HMACMD5 &&
+ algorithm != LDNS_SIGN_HMACSHA1 &&
+@@ -300,6 +304,15 @@ main(int argc, char *argv[])
+ ldns_rr_free(pubkey);
+ ldns_rr_free(ds);
+ exit(EXIT_SUCCESS);
++
++fail:
++ fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
++ ldns_key_deep_free(key);
++ free(owner);
++ ldns_rr_free(pubkey);
++ ldns_rr_free(ds);
++ LDNS_FREE(filename);
++ exit(EXIT_FAILURE);
+ }
+ #else
+ int
+--
+cgit v0.9.2
generated by cgit v1.2.3 (git 2.25.1) at 2025-02-24 14:04:05 +0000