
Bug#751750: pu: package ldns/1.6.13-1+deb7u1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu


Hi release team,

I have prepared a security, but non-DSA, update to ldns that creates
private DNSSEC keys with default umask (CVE-2014-3209).

The patch is very simple and it has been prepared by
upstream.

$ diffstat ldns_1.6.13-1+deb7u1.debdiff
 changelog                                              |    7 +
 gbp.conf                                               |    2 
 patches/003_dont_require_libldns_la_for_pyldns.patch   |    6 -
 patches/fix-permissions-when-creating-new-dnskey.patch |   76 +++++++++++++++++
 patches/series                                         |    1 
 5 files changed, 88 insertions(+), 4 deletions(-)

The d/patches/003* update is just 'quilt refresh'.

$ cat ldns_1.6.13-1+deb7u1_amd64.changes
[...]
 ldns (1.6.13-1+deb7u1) stable-security; urgency=medium
 .
   * [CVE-2014-3209]: fix ldns-keygen writing private DNSKEYs with default
     umask (Closes: #746758)
[...]

It's not a critical issue (hence non-DSA), but it would be nice to
have this fixed in stable.

Thanks,
Ondrej

-- System Information:
Debian Release: 7.5
  APT prefers stable
  APT policy: (900, 'stable'), (800, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
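Added example, not ldns code and not part of this report: a small C program that reproduces the umask behaviour behind CVE-2014-3209 by writing a stand-in key file with the pre-fix fopen() pattern and with the patch's open()-with-0600 pattern, then reading the resulting permission bits back with stat(). It goes beyond the patch by adding an fchmod() so that a pre-existing key file with looser permissions is tightened too; the key text, temporary directory and file names are constructed for the demo.

```c
#define _DEFAULT_SOURCE                 /* for mkdtemp() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Permission bits of path, or -1 if it cannot be stat()ed. */
static int file_mode(const char *path)
{ struct stat st; return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1; }

/* Pre-fix pattern: fopen("w") creates the file as 0666 & ~umask, so the
 * common umask 022 leaves the private key world-readable (0644). */
int write_key_fopen(const char *path, const char *key_text)
{
	FILE *f = fopen(path, "w");
	if (!f) return -1;
	fputs(key_text, f);
	fclose(f);
	return file_mode(path);
}

/* Fixed pattern: open() with an explicit 0600 mode, as in the patch. The
 * mode only applies on creation, so fchmod() also tightens an existing file. */
int write_key_open(const char *path, const char *key_text)
{
	int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
	if (fd < 0) return -1;
	if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) { close(fd); return -1; }
	FILE *f = fdopen(fd, "w");
	if (!f) { close(fd); return -1; }
	fputs(key_text, f);
	fclose(f);
	return file_mode(path);
}

/* Under umask 022, returns 1 when fopen() yields 0644 while the fixed
 * writer yields 0600 for both a pre-existing and a fresh key file. */
int demo(void)
{
	const char *key_text = "Private-key-format: v1.2\n"; /* constructed */
	char dir[] = "/tmp/ldns-demo-XXXXXX", a[64], b[64];
	if (!mkdtemp(dir)) return -1;
	snprintf(a, sizeof a, "%s/K1.private", dir);
	snprintf(b, sizeof b, "%s/K2.private", dir);
	umask(022);
	int before = write_key_fopen(a, key_text); /* 0644 */
	int fixed = write_key_open(a, key_text);   /* same file, now 0600 */
	int fresh = write_key_open(b, key_text);   /* new file, 0600 */
	unlink(a); unlink(b); rmdir(dir);
	return before == 0644 && fixed == 0600 && fresh == 0600;
}
```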


Format: 1.8
Date: Fri, 13 Jun 2014 11:06:52 +0200
Source: ldns
Binary: libldns1 libldns1-dbg libldns-dev ldnsutils python-ldns
Architecture: source amd64
Version: 1.6.13-1+deb7u1
Distribution: stable-security
Urgency: medium
Maintainer: Ondřej Surý <ondrej@debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description: 
 ldnsutils  - ldns library for DNS programming
 libldns-dev - ldns library for DNS programming
 libldns1   - ldns library for DNS programming
 libldns1-dbg - ldns library for DNS programming (debug symbols)
 python-ldns - Python bindings for the ldns library for DNS programming
Closes: 746758
Changes: 
 ldns (1.6.13-1+deb7u1) stable-security; urgency=medium
 .
   * [CVE-2014-3209]: fix ldns-keygen writing private DNSKEYs with default
     umask (Closes: #746758)

diff -Nru ldns-1.6.13/debian/changelog ldns-1.6.13/debian/changelog
--- ldns-1.6.13/debian/changelog	2012-05-28 09:40:48.000000000 +0200
+++ ldns-1.6.13/debian/changelog	2014-06-13 11:07:12.000000000 +0200
@@ -1,3 +1,10 @@
+ldns (1.6.13-1+deb7u1) stable-security; urgency=medium
+
+  * [CVE-2014-3209]: fix ldns-keygen writing private DNSKEYs with default
+    umask (Closes: #746758)
+
+ -- Ondřej Surý <ondrej@debian.org>  Fri, 13 Jun 2014 11:06:52 +0200
+
 ldns (1.6.13-1) unstable; urgency=low
 
   [ Daniel Baumann ]
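Review bot: the new changelog entry is marked for `stable-security`, but the report is a non-DSA proposed-update (usertag `pu`), so the distribution in `ldns (1.6.13-1+deb7u1) stable-security; urgency=medium` should be `wheezy` (stable) instead; the attached .changes carries the same `Distribution: stable-security` and would need to be rebuilt after the change.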
diff -Nru ldns-1.6.13/debian/gbp.conf ldns-1.6.13/debian/gbp.conf
--- ldns-1.6.13/debian/gbp.conf	2012-05-28 09:40:48.000000000 +0200
+++ ldns-1.6.13/debian/gbp.conf	2014-06-13 11:07:12.000000000 +0200
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian-sid
+debian-branch = master-wheezy
 debian-tag = debian/%(version)s
 upstream-branch = upstream
 upstream-tag = upstream/%(version)s
diff -Nru ldns-1.6.13/debian/patches/003_dont_require_libldns_la_for_pyldns.patch ldns-1.6.13/debian/patches/003_dont_require_libldns_la_for_pyldns.patch
--- ldns-1.6.13/debian/patches/003_dont_require_libldns_la_for_pyldns.patch	2012-05-28 09:40:48.000000000 +0200
+++ ldns-1.6.13/debian/patches/003_dont_require_libldns_la_for_pyldns.patch	2014-06-13 11:07:12.000000000 +0200
@@ -1,6 +1,6 @@
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -224,7 +224,7 @@ $(pywrapdir)/ldns_wrapper.c: $(PYLDNS_I_
+--- ldns.orig/Makefile.in
++++ ldns/Makefile.in
+@@ -233,7 +233,7 @@ $(pywrapdir)/ldns_wrapper.c: $(PYLDNS_I_
  ldns_wrapper.lo: $(pywrapdir)/ldns_wrapper.c ldns/config.h
  	$(COMP_LIB) -I./include/ldns $(PYTHON_CPPFLAGS) $(PYTHON_X_CFLAGS) -c $< -o $@
  
diff -Nru ldns-1.6.13/debian/patches/fix-permissions-when-creating-new-dnskey.patch ldns-1.6.13/debian/patches/fix-permissions-when-creating-new-dnskey.patch
--- ldns-1.6.13/debian/patches/fix-permissions-when-creating-new-dnskey.patch	1970-01-01 01:00:00.000000000 +0100
+++ ldns-1.6.13/debian/patches/fix-permissions-when-creating-new-dnskey.patch	2014-06-13 11:07:12.000000000 +0200
@@ -0,0 +1,76 @@
+From 169f38c1e25750f935838b670871056428977e6b Mon Sep 17 00:00:00 2001
+From: Willem Toorop <willem@nlnetlabs.nl>
+Date: Mon, 05 May 2014 22:46:08 +0200
+Subject: bugfix#573 ldns-keygen write private mode 0600
+
+---
+--- ldns.orig/examples/ldns-keygen.c
++++ ldns/examples/ldns-keygen.c
+@@ -10,6 +10,9 @@
+ 
+ #include <ldns/ldns.h>
+ 
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <fcntl.h>
+ #include <errno.h>
+ 
+ #ifdef HAVE_SSL
+@@ -48,6 +51,7 @@ int
+ main(int argc, char *argv[])
+ {
+ 	int c;
++	int fd;
+ 	char *prog;
+ 
+ 	/* default key size */
+@@ -250,21 +254,21 @@ main(int argc, char *argv[])
+ 	/* print the priv key to stderr */
+ 	filename = LDNS_XMALLOC(char, strlen(owner) + 21);
+ 	snprintf(filename, strlen(owner) + 20, "K%s+%03u+%05u.private", owner, algorithm, (unsigned int) ldns_key_keytag(key));
+-	file = fopen(filename, "w");
++	/* use open() here to prevent creating world-readable private keys (CVE-2014-3209)*/
++	fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
++	if (fd < 0) {
++		goto fail;
++	}
++
++	file = fdopen(fd, "w");
+ 	if (!file) {
+-		fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
+-		ldns_key_deep_free(key);
+-		free(owner);
+-		ldns_rr_free(pubkey);
+-		ldns_rr_free(ds);
+-		LDNS_FREE(filename);
+-		exit(EXIT_FAILURE);
+-	} else {
+-		ldns_key_print(file, key);
+-		fclose(file);
+-		LDNS_FREE(filename);
++		goto fail;
+ 	}
+ 
++	ldns_key_print(file, key);
++	fclose(file);
++	LDNS_FREE(filename);
++
+ 	/* print the DS to .ds */
+ 	if (algorithm != LDNS_SIGN_HMACMD5 &&
+ 		algorithm != LDNS_SIGN_HMACSHA1 &&
+@@ -296,6 +300,15 @@ main(int argc, char *argv[])
+ 	ldns_rr_free(pubkey);
+ 	ldns_rr_free(ds);
+ 	exit(EXIT_SUCCESS);
++
++fail:
++	fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
++	ldns_key_deep_free(key);
++	free(owner);
++	ldns_rr_free(pubkey);
++	ldns_rr_free(ds);
++	LDNS_FREE(filename);
++	exit(EXIT_FAILURE);
+ }
+ #else
+ int
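Review bot: the mode argument in the new line `fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);` only takes effect when the file is created; because of `O_TRUNC`, an already existing `K*.private` with the same name (for example one written earlier by an unfixed ldns-keygen) is truncated and rewritten but keeps its old, possibly world-readable, permissions. Consider adding `O_EXCL` so an existing file is refused, or calling `fchmod(fd, S_IRUSR | S_IWUSR)` right after the `open()` succeeds. Minor: on the `fdopen()` failure path the descriptor is not closed before `goto fail` (harmless here since `fail:` ends in `exit()`, but a `close(fd)` would keep it tidy), and the "Unable to open" message reused under `fail:` is now also printed for an `fdopen()` failure, which is fine as `errno` is set in that case too.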
diff -Nru ldns-1.6.13/debian/patches/series ldns-1.6.13/debian/patches/series
--- ldns-1.6.13/debian/patches/series	2012-05-28 09:40:48.000000000 +0200
+++ ldns-1.6.13/debian/patches/series	2014-06-13 11:07:12.000000000 +0200
@@ -1,2 +1,3 @@
 001_manpages_whatis.patch
 003_dont_require_libldns_la_for_pyldns.patch
+fix-permissions-when-creating-new-dnskey.patch

Attachment: ldns_1.6.13-1+deb7u1.debian.tar.gz
Description: application/gzip


Format: 3.0 (quilt)
Source: ldns
Binary: libldns1, libldns1-dbg, libldns-dev, ldnsutils, python-ldns
Architecture: any
Version: 1.6.13-1+deb7u1
Maintainer: Ondřej Surý <ondrej@debian.org>
Standards-Version: 3.9.2
Vcs-Browser: http://git.debian.org/?p=pkg-nlnetlabs/ldns.git
Vcs-Git: git://git.debian.org/pkg-nlnetlabs/ldns.git
Build-Depends: quilt (>= 0.46-7~), debhelper (>= 7.0.50~), autotools-dev, libssl-dev, libtool, libpcap-dev, doxygen, python-all-dev, swig, python-support, hardening-wrapper, chrpath, autoconf, automake, pkg-config
Package-List: 
 ldnsutils deb net extra
 libldns-dev deb libdevel extra
 libldns1 deb libs extra
 libldns1-dbg deb debug extra
 python-ldns deb python extra
Python-Version: >= 2.5
