Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi release team,

I have prepared a security (but non-DSA) update to ldns, which creates
private DNSSEC keys with the default umask (CVE-2014-3209). The patch is
very simple and it has been prepared by upstream.

$ diffstat ldns_1.6.13-1+deb7u1.debdiff
 changelog                                              |    7 +
 gbp.conf                                               |    2
 patches/003_dont_require_libldns_la_for_pyldns.patch   |    6 -
 patches/fix-permissions-when-creating-new-dnskey.patch |   76 +++++++++++++++++
 patches/series                                         |    1
 5 files changed, 88 insertions(+), 4 deletions(-)

The d/patches/003* update is just 'quilt refresh'.

$ cat ldns_1.6.13-1+deb7u1_amd64.changes
[...]
 ldns (1.6.13-1+deb7u1) stable-security; urgency=medium
 .
   * [CVE-2014-3209]: fix ldns-keygen writing private DNSKEYs with default
     umask (Closes: #746758)
[...]

It's not a critical issue (hence non-DSA), but it would be nice to have
this fixed in stable.

Thanks,
Ondrej

-- System Information:
Debian Release: 7.5
  APT prefers stable
  APT policy: (900, 'stable'), (800, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJTnrzEAAoJEAyZtw70/LsHHOEP/0zuu4TRRoR1u7ZlBGN93KRt
jk5ccf0PeybhGykP67/P3QxvDP+CYJBCCP1N2mJxQIcYdRzmxmy5UxUo5J2fs4hk
wuJXAZSWvFi8fB93Wg8049+rli6Ve1XRVSIhVfb/aBs+RdGmZygHooEzIeD5uSWP
006QoEd1Tasx4a0bzikIDkzCyxCHkpiYxmM9Us8XF2wzweHXN6WV5A6C8ogF+Zsh
fTKhKzDf/4wocisQ+jP75uJXGApb/D9dsQEzv8aRf3yRGEvB8vih+Qswuvvi6LLR
1U7i3FDl+PoBGt7r8M124Tbw19dIudbSfloyuWBwXVv1Slk8DwzmqiHnmwEZKcAv
u9RBMQu79kJkhwUUpJ0YPpkNQFk6Uz4a/GY0b/eXHkD0PEJUmIMe8gDiN5VIzxMG
BBn4fvy05J2q8y1Aakwts6h0G1Fg5oDGqd2bUbZTPjrU2GGa9/NNFhHLObd8ihC+
Jew+BznWom4Lv8LGn8Ck7lgdLv9VJeq6UUdq2vvTnDrvvV36+T7Csq9v2jn3mU2h
I6QngY0x/ZI1tBv+Wh1x7izRS9NgYnekGUIBkMIZgm4Mz32nV6P8jVdgl3q3Am1/
/R5ETKRBPGD6pNy3B/zCQ9VcpSSUhfNC1ouGebfKkqOiPHbJrD2K0QcLO6uEQchI
Sz3nCYlPsyiQBfH9l4Ur
=L4LE
-----END PGP SIGNATURE-----
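The umask problem the report describes, shown as an added example (this is not ldns code, nor the maintainer's or upstream's; the file names, the placeholder key text and the fchmod() step are assumptions made for the demonstration). The first writer reproduces the pre-fix behaviour, fopen(path, "w"), whose effective mode is 0666 & ~umask; the second follows the upstream fix, open() with an explicit 0600 mode followed by fdopen(), and adds a fchmod() so that an already existing, more permissive key file is corrected rather than merely truncated. The audit check at the end is what a defender would run over a key directory:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Pattern ldns-keygen used before the fix: fopen(path, "w") asks for mode
 * 0666, so the resulting bits are 0666 & ~umask. With the usual umask 022
 * the private key ends up 0644, readable by every local user. */
static int write_key_umask_dependent(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) {
        return -1;
    }
    fputs(data, f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Pattern the upstream fix adopts: open() with an explicit 0600 creation
 * mode, then fdopen() so the rest of the code keeps using stdio. The fchmod()
 * is an addition assumed here, not part of the patch: the creation mode only
 * applies to a newly created file, so fchmod() also corrects the bits of a
 * pre-existing, more permissive key file that is about to be overwritten. */
static int write_key_owner_only(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    if (fd < 0) {
        return -1;
    }
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        return -1;
    }
    FILE *f = fdopen(fd, "w");
    if (f == NULL) {
        close(fd);              /* do not leak the descriptor on failure */
        return -1;
    }
    fputs(data, f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Audit check: 1 if no group/other permission bits are set on path,
 * 0 if any are, -1 if the path cannot be stat'ed. */
static int key_file_is_private(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) {
        return -1;
    }
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0 ? 1 : 0;
}

/* Runs both writers under umask 022 and reports the audit verdict for each.
 * File names are constructed under /tmp from this process id and removed
 * again; the key text is a constructed placeholder, not real key material. */
static int demo_umask_leak(int *fopen_verdict, int *open_verdict)
{
    const char *placeholder_key = "Private-key-format: v1.3\n"
                                  "Algorithm: 8 (RSASHA256)\n"
                                  "Modulus: PLACEHOLDER\n";
    char insecure[80], secure[80];
    int rc = 0;

    snprintf(insecure, sizeof insecure, "/tmp/ldns_demo_%ld_fopen.private", (long)getpid());
    snprintf(secure, sizeof secure, "/tmp/ldns_demo_%ld_open.private", (long)getpid());
    unlink(insecure);               /* start from a clean slate */
    unlink(secure);

    mode_t saved = umask(022);
    if (write_key_umask_dependent(insecure, placeholder_key) != 0) rc = -1;
    if (write_key_owner_only(secure, placeholder_key) != 0) rc = -1;
    umask(saved);

    *fopen_verdict = key_file_is_private(insecure);
    *open_verdict = key_file_is_private(secure);
    unlink(insecure);
    unlink(secure);
    return rc;
}

int main(void)
{
    int via_fopen, via_open;
    if (demo_umask_leak(&via_fopen, &via_open) != 0) {
        fprintf(stderr, "demo failed: %s\n", strerror(errno));
        return EXIT_FAILURE;
    }
    printf("fopen(\"w\") under umask 022: private=%d\n", via_fopen);  /* 0 */
    printf("open(..., 0600):            private=%d\n", via_open);    /* 1 */
    return EXIT_SUCCESS;
}
```

Run it under any umask: the fopen() variant only yields a private file when the umask already masks group and other bits (077), which is exactly the dependency on the caller's environment that the CVE describes; the open()/fchmod() variant yields 0600 regardless.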
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 13 Jun 2014 11:06:52 +0200
Source: ldns
Binary: libldns1 libldns1-dbg libldns-dev ldnsutils python-ldns
Architecture: source amd64
Version: 1.6.13-1+deb7u1
Distribution: stable-security
Urgency: medium
Maintainer: Ondřej Surý <ond...@debian.org>
Changed-By: Ondřej Surý <ond...@debian.org>
Description:
 ldnsutils  - ldns library for DNS programming
 libldns-dev - ldns library for DNS programming
 libldns1   - ldns library for DNS programming
 libldns1-dbg - ldns library for DNS programming (debug symbols)
 python-ldns - Python bindings for the ldns library for DNS programming
Closes: 746758
Changes:
 ldns (1.6.13-1+deb7u1) stable-security; urgency=medium
 .
   * [CVE-2014-3209]: fix ldns-keygen writing private DNSKEYs with default
     umask (Closes: #746758)
Checksums-Sha1:
 0cd068beec757941ae438c3d76b6c831ec766688 2156 ldns_1.6.13-1+deb7u1.dsc
 c44d5da534124964ef6d55b40b3ce1a2805b4ccd 13732 ldns_1.6.13-1+deb7u1.debian.tar.gz
 eb2b8ed91d993c91bf7a9c8f8670c997c0a0d7a0 167120 libldns1_1.6.13-1+deb7u1_amd64.deb
 c3b0d6a660d71d5ba3eb79cc27f333c5f456c9e0 349548 libldns1-dbg_1.6.13-1+deb7u1_amd64.deb
 125b4269da30779f87e02d87afdf00bb62da4400 599848 libldns-dev_1.6.13-1+deb7u1_amd64.deb
 c3fa167226fa501dc120383c29084dbe9cdd5d9c 173250 ldnsutils_1.6.13-1+deb7u1_amd64.deb
 39538bc2c88bd003a1cf417c02dd3290170d971d 425520 python-ldns_1.6.13-1+deb7u1_amd64.deb
Checksums-Sha256:
 da11b2ca8116db749036dc122bf233f4c40120645e7b08eda8098eaf159eba96 2156 ldns_1.6.13-1+deb7u1.dsc
 1ee0314ec9053aa12d235c47a9e02a6f6d28176970cf7f014096b3793a641941 13732 ldns_1.6.13-1+deb7u1.debian.tar.gz
 2ad7be1d289477ce5eca042865769ae1e844b64f4502ecdca62d635f6f3edcad 167120 libldns1_1.6.13-1+deb7u1_amd64.deb
 1da2fd310567b4b0c62ddb2e57a74db3349f62446ef9c0f0569d38932a025243 349548 libldns1-dbg_1.6.13-1+deb7u1_amd64.deb
 5e3a3d791818778425e2e7b54d8f159e9ac4fd1c31a2a9ec321735e1312300ee 599848 libldns-dev_1.6.13-1+deb7u1_amd64.deb
 3cc3e63dec881f494ac53abe55200ebb39f12fa678d428de959ee751089c8d2e 173250 ldnsutils_1.6.13-1+deb7u1_amd64.deb
 f00adda1ccdd0998bcd7c0ef4f5fe4cfae272de6413ff809f9a988e8db0b5d2e 425520 python-ldns_1.6.13-1+deb7u1_amd64.deb
Files:
 de6b6c825529fc8164752dbbb0d53895 2156 net extra ldns_1.6.13-1+deb7u1.dsc
 5b514cbfb13b79667f363a9def119504 13732 net extra ldns_1.6.13-1+deb7u1.debian.tar.gz
 5c0289e15d8e326d17ef6af533ba0f30 167120 libs extra libldns1_1.6.13-1+deb7u1_amd64.deb
 a8a39ef222e676de21e6be49b3eea2f4 349548 debug extra libldns1-dbg_1.6.13-1+deb7u1_amd64.deb
 07d3b14f84c492a3a88a537c68e714fc 599848 libdevel extra libldns-dev_1.6.13-1+deb7u1_amd64.deb
 d58eff26702f0cc68f26ee211e257a3e 173250 net extra ldnsutils_1.6.13-1+deb7u1_amd64.deb
 01c84d2da624ed58f77168e9b39fba0b 425520 python extra python-ldns_1.6.13-1+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJTmsLHAAoJEAyZtw70/LsHq8gP/RyD0iS1XS/+K4laYQcBJnF4
LeADiuPCiy7gmmZ/VxJ9EmdyGax+x/ZOjrz4H3g+ctgLKKZ82AUMZ/3+VDmT4bsT
smZTrx9ASXGr9V+XlxryoiZ5S4dNehIOrXVhnSUTw1ZvLDsyHUlJIpGdPaLD8hX7
cwScGCOaS1EIJIKk5PQhvFpmW9iZInjuGWUDEpDVx0It8tQIu3Z/z04YUCGWvTHv
o6Ho4zNpYYneXDp3yIqVJrQq2Q8KPLuTtcivejQDaL+XN9RfN+RSN2POAWftPCIv
ZVFxk9g0vg4IaQQjWKvA/4tuLkTSeEZTCU2Bt/zg3q8h8FSzIxWM2MhdD5i6r9Ho
bohYhwEyu7M0/2no24fQINrdSkV8cE8dcMElJWJbMbxrQ/3OEOLT8JNMgsZAD2ZG
lIYm3O7QbK0tTNInyzeRjKve05wRelcUz5GHTS6eUw953o9Uukx6sfGPQ3kqzls7
B1Ey+6Jg7Q06RECw7RjsV588D96Ky4TM3L4l4zJqW4zRbLmBhKZSrE+asnhRISjh
qWhIANNKqEge+L9bup0sDS4lWvjUIxIbPVpE6Z/8600ecF7CdZmsqrmmddNQlVgv
gQFVnsRwATXv3+jDPFmKDMftClUOpH/IoTA5TNL082SDH/RDTx0eGU0wCYM6NFAu
FHBJRaQC1arPIqeVSqlA
=XiSC
-----END PGP SIGNATURE-----
diff -Nru ldns-1.6.13/debian/changelog ldns-1.6.13/debian/changelog --- ldns-1.6.13/debian/changelog 2012-05-28 09:40:48.000000000 +0200 +++ ldns-1.6.13/debian/changelog 2014-06-13 11:07:12.000000000 +0200 @@ -1,3 +1,10 @@ +ldns (1.6.13-1+deb7u1) stable-security; urgency=medium + + * [CVE-2014-3209]: fix ldns-keygen writing private DNSKEYs with default + umask (Closes: #746758) + + -- Ondřej Surý <ond...@debian.org> Fri, 13 Jun 2014 11:06:52 +0200 + ldns (1.6.13-1) unstable; urgency=low [ Daniel Baumann ] diff -Nru ldns-1.6.13/debian/gbp.conf ldns-1.6.13/debian/gbp.conf --- ldns-1.6.13/debian/gbp.conf 2012-05-28 09:40:48.000000000 +0200 +++ ldns-1.6.13/debian/gbp.conf 2014-06-13 11:07:12.000000000 +0200 @@ -1,5 +1,5 @@ [DEFAULT] -debian-branch = debian-sid +debian-branch = master-wheezy debian-tag = debian/%(version)s upstream-branch = upstream upstream-tag = upstream/%(version)s diff -Nru ldns-1.6.13/debian/patches/003_dont_require_libldns_la_for_pyldns.patch ldns-1.6.13/debian/patches/003_dont_require_libldns_la_for_pyldns.patch --- ldns-1.6.13/debian/patches/003_dont_require_libldns_la_for_pyldns.patch 2012-05-28 09:40:48.000000000 +0200 +++ ldns-1.6.13/debian/patches/003_dont_require_libldns_la_for_pyldns.patch 2014-06-13 11:07:12.000000000 +0200 
@@ -1,6 +1,6 @@ ---- a/Makefile.in -+++ b/Makefile.in -@@ -224,7 +224,7 @@ $(pywrapdir)/ldns_wrapper.c: $(PYLDNS_I_ +--- ldns.orig/Makefile.in ++++ ldns/Makefile.in +@@ -233,7 +233,7 @@ $(pywrapdir)/ldns_wrapper.c: $(PYLDNS_I_ ldns_wrapper.lo: $(pywrapdir)/ldns_wrapper.c ldns/config.h $(COMP_LIB) -I./include/ldns $(PYTHON_CPPFLAGS) $(PYTHON_X_CFLAGS) -c $< -o $@ diff -Nru ldns-1.6.13/debian/patches/fix-permissions-when-creating-new-dnskey.patch ldns-1.6.13/debian/patches/fix-permissions-when-creating-new-dnskey.patch --- ldns-1.6.13/debian/patches/fix-permissions-when-creating-new-dnskey.patch 1970-01-01 01:00:00.000000000 +0100 +++ ldns-1.6.13/debian/patches/fix-permissions-when-creating-new-dnskey.patch 2014-06-13 11:07:12.000000000 +0200 
@@ -0,0 +1,76 @@ +From 169f38c1e25750f935838b670871056428977e6b Mon Sep 17 00:00:00 2001 +From: Willem Toorop <wil...@nlnetlabs.nl> +Date: Mon, 05 May 2014 22:46:08 +0200 +Subject: bugfix#573 ldns-keygen write private mode 0600 + +--- +--- ldns.orig/examples/ldns-keygen.c ++++ ldns/examples/ldns-keygen.c +@@ -10,6 +10,9 @@ + + #include <ldns/ldns.h> + ++#include <sys/types.h> ++#include <sys/stat.h> ++#include <fcntl.h> + #include <errno.h> + + #ifdef HAVE_SSL +@@ -48,6 +51,7 @@ int + main(int argc, char *argv[]) + { + int c; ++ int fd; + char *prog; + + /* default key size */ +@@ -250,21 +254,21 @@ main(int argc, char *argv[]) + /* print the priv key to stderr */ + filename = LDNS_XMALLOC(char, strlen(owner) + 21); + snprintf(filename, strlen(owner) + 20, "K%s+%03u+%05u.private", owner, algorithm, (unsigned int) ldns_key_keytag(key)); +- file = fopen(filename, "w"); ++ /* use open() here to prevent creating world-readable private keys (CVE-2014-3209)*/ ++ fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR); ++ if (fd < 0) { ++ goto fail; ++ } ++ ++ file = fdopen(fd, "w"); + if (!file) { +- fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno)); +- ldns_key_deep_free(key); +- free(owner); +- ldns_rr_free(pubkey); +- ldns_rr_free(ds); +- LDNS_FREE(filename); +- exit(EXIT_FAILURE); +- } else { +- ldns_key_print(file, key); +- fclose(file); +- LDNS_FREE(filename); ++ goto fail; + } + ++ ldns_key_print(file, key); ++ fclose(file); ++ LDNS_FREE(filename); ++ + /* print the DS to .ds */ + if (algorithm != LDNS_SIGN_HMACMD5 && + algorithm != LDNS_SIGN_HMACSHA1 && +@@ -296,6 +300,15 @@ main(int argc, char *argv[]) + ldns_rr_free(pubkey); + ldns_rr_free(ds); + exit(EXIT_SUCCESS); ++ ++fail: ++ fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno)); ++ ldns_key_deep_free(key); ++ free(owner); ++ ldns_rr_free(pubkey); ++ ldns_rr_free(ds); ++ LDNS_FREE(filename); ++ exit(EXIT_FAILURE); + } + #else + int diff -Nru 
ldns-1.6.13/debian/patches/series ldns-1.6.13/debian/patches/series --- ldns-1.6.13/debian/patches/series 2012-05-28 09:40:48.000000000 +0200 +++ ldns-1.6.13/debian/patches/series 2014-06-13 11:07:12.000000000 +0200 @@ -1,2 +1,3 @@ 001_manpages_whatis.patch 003_dont_require_libldns_la_for_pyldns.patch +fix-permissions-when-creating-new-dnskey.patch
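Review bot: the gbp.conf hunk (`-debian-branch = debian-sid` / `+debian-branch = master-wheezy`) is a packaging-metadata change unrelated to the CVE fix, and the new changelog entry only mentions the CVE; a one-line changelog item noting the branch switch would keep the stable-security upload self-describing for anyone auditing the debdiff.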
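Review bot: in the new open()/fdopen() sequence of fix-permissions-when-creating-new-dnskey.patch, the `S_IRUSR | S_IWUSR` mode passed to `open()` only takes effect when the file is newly created; if a `K<owner>+<alg>+<tag>.private` file already exists with world-readable bits (for example one written earlier by an unfixed ldns-keygen), `O_TRUNC` rewrites its contents but leaves the old mode in place. An `fchmod(fd, S_IRUSR | S_IWUSR)` after a successful `open()`, or refusing to overwrite via `O_EXCL`, would close that gap. Two smaller points in the same hunk: when `fdopen(fd, "w")` fails the code jumps to `fail:` without `close(fd)` (harmless only because `fail:` ends in `exit()`), and the new comment `/* use open() here to prevent creating world-readable private keys (CVE-2014-3209)*/` lacks a space before `*/`.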
Attachment: ldns_1.6.13-1+deb7u1.debian.tar.gz (application/gzip)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 3.0 (quilt)
Source: ldns
Binary: libldns1, libldns1-dbg, libldns-dev, ldnsutils, python-ldns
Architecture: any
Version: 1.6.13-1+deb7u1
Maintainer: Ondřej Surý <ond...@debian.org>
Standards-Version: 3.9.2
Vcs-Browser: http://git.debian.org/?p=pkg-nlnetlabs/ldns.git
Vcs-Git: git://git.debian.org/pkg-nlnetlabs/ldns.git
Build-Depends: quilt (>= 0.46-7~), debhelper (>= 7.0.50~), autotools-dev, libssl-dev, libtool, libpcap-dev, doxygen, python-all-dev, swig, python-support, hardening-wrapper, chrpath, autoconf, automake, pkg-config
Package-List:
 ldnsutils deb net extra
 libldns-dev deb libdevel extra
 libldns1 deb libs extra
 libldns1-dbg deb debug extra
 python-ldns deb python extra
Checksums-Sha1:
 859f633d10b763f06b602e2113828cbbd964c7eb 1066139 ldns_1.6.13.orig.tar.gz
 c44d5da534124964ef6d55b40b3ce1a2805b4ccd 13732 ldns_1.6.13-1+deb7u1.debian.tar.gz
Checksums-Sha256:
 e50622f68908ac57eeef1b2f94bf2cf4d6b1dd309b4e613dce36139d89f15680 1066139 ldns_1.6.13.orig.tar.gz
 1ee0314ec9053aa12d235c47a9e02a6f6d28176970cf7f014096b3793a641941 13732 ldns_1.6.13-1+deb7u1.debian.tar.gz
Files:
 bcada4f2e62aa40fcdd5d73aec46f284 1066139 ldns_1.6.13.orig.tar.gz
 5b514cbfb13b79667f363a9def119504 13732 ldns_1.6.13-1+deb7u1.debian.tar.gz
Python-Version: >= 2.5

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJTmsK9AAoJEAyZtw70/LsH2rMP/3awR+2mx8Ax+FGVzBCYNSw3
WRvffTIcou8XXDyRTnO3P3bEw2W9xg3lssFD3LMPXBCGoXb/D1JDgoX6y+llz+ff
I7aJPJYqJgykqR7URXhIpJKiOBASb4eoQQhLE5cl7Nc7BdX3vUILFcNT5nwvnfWo
wKARlPIFxwhDPntXMWseTPj9jCB3Bbw7dAHQfJNVLnhCHQ082QRjKS6wEgbhp5fS
VEGVhCHPRvTPo+LYYXpPvX4oLL7t5cWlAHP2cS4ko15yIo7KqLygkEhY3jSaNgCL
KTxdEVkYRKeQhCvaGwOtXdlQear/rGy3s91o7oZbYu++pUKx0cIEiaJI0Eo8UyA2
dPJrngLQluGVp4D7TtOhFNQCZiG9lj8XO+pQVJEhHqPcVQoQYeXtwLDYPdEu0H7R
hE0F6sZRra9DGWmvmI6pkooBQ52SXVkt4Sky3lmPWsfjEYZJE68AjBjThuU1CGq0
XJleQIm4cRj+HA92Zr+PZDFUUK6hAdhnu5qfT90KMbeIBTM9tjvpruIt0QxIU3ZT
/VruuahBBAPfzoox89Xg7LVR2jlcllBHMmdIIaUoM0XioGl2hGMFj3QbQI4HffAz
gCqzyub7LIx1mR/w8PqEh5kHXrSvQHlkOnLen/Jg7IPUfM/SaH5tGSLdmTi6RXPB
f5spuNOtcF477IRKCHpk
=y6X4
-----END PGP SIGNATURE-----