pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/security/softhsm Adapt a fix for SA59651, similar to C...
details: https://anonhg.NetBSD.org/pkgsrc/rev/3b48c2f3c55b
branches: trunk
changeset: 641794:3b48c2f3c55b
user: he <he%pkgsrc.org@localhost>
date: Tue Nov 18 13:40:56 2014 +0000
description:
Adapt a fix for SA59651, similar to CVE-2014-3209 from the
code branch for SoftHSMv2: ensure created pkcs8 file is not
group- or world-readable.
Rename patch-aa to patch-Makefile.in, and add a comment.
Bump PKGREVISION.
diffstat:
security/softhsm/Makefile | 4 +-
security/softhsm/distinfo | 5 +-
security/softhsm/patches/patch-Makefile.in | 31 ++++++++++++
security/softhsm/patches/patch-aa | 29 -----------
security/softhsm/patches/patch-src_bin_softhsm-keyconv.cpp | 35 ++++++++++++++
5 files changed, 71 insertions(+), 33 deletions(-)
diffs (134 lines):
diff -r 0b6b78982be6 -r 3b48c2f3c55b security/softhsm/Makefile
--- a/security/softhsm/Makefile Tue Nov 18 13:30:35 2014 +0000
+++ b/security/softhsm/Makefile Tue Nov 18 13:40:56 2014 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.26 2014/10/07 16:47:14 adam Exp $
+# $NetBSD: Makefile,v 1.27 2014/11/18 13:40:56 he Exp $
#
DISTNAME= softhsm-1.3.7
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= security
MASTER_SITES= http://www.opendnssec.org/files/source/
diff -r 0b6b78982be6 -r 3b48c2f3c55b security/softhsm/distinfo
--- a/security/softhsm/distinfo Tue Nov 18 13:30:35 2014 +0000
+++ b/security/softhsm/distinfo Tue Nov 18 13:40:56 2014 +0000
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.12 2014/06/07 20:37:25 pettai Exp $
+$NetBSD: distinfo,v 1.13 2014/11/18 13:40:56 he Exp $
SHA1 (softhsm-1.3.7.tar.gz) = e8bf4269472f9e63d1dfeda238b1d542d6c036f2
RMD160 (softhsm-1.3.7.tar.gz) = bb11177520ca2fd62200a9b23d66c1b32eeb5104
Size (softhsm-1.3.7.tar.gz) = 438437 bytes
-SHA1 (patch-aa) = 480865e0a50759d582380573c0254bcdb517ddfe
+SHA1 (patch-Makefile.in) = ab9a9db898e4c1600bf9d5b28b27759e33c204b3
+SHA1 (patch-src_bin_softhsm-keyconv.cpp) = 07f7ebe070047cfbbee461595effe2c7de9caef6
diff -r 0b6b78982be6 -r 3b48c2f3c55b security/softhsm/patches/patch-Makefile.in
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/softhsm/patches/patch-Makefile.in Tue Nov 18 13:40:56 2014 +0000
@@ -0,0 +1,31 @@
+$NetBSD: patch-Makefile.in,v 1.1 2014/11/18 13:40:57 he Exp $
+
+Tweak install-data-hook target.
+
+--- Makefile.in.orig 2012-05-09 18:41:49.000000000 +0000
++++ Makefile.in
+@@ -271,6 +271,7 @@ sharedstatedir = @sharedstatedir@
+ softhsmdbdir = @softhsmdbdir@
+ srcdir = @srcdir@
+ sysconfdir = @sysconfdir@
++EGDIR = @EGDIR@
+ target_alias = @target_alias@
+ top_build_prefix = @top_build_prefix@
+ top_builddir = @top_builddir@
+@@ -869,11 +870,11 @@ uninstall-man: uninstall-man5
+
+
+ install-data-hook:
+- test -d ${DESTDIR}${sysconfdir} || \
+- ${INSTALL} -d ${DESTDIR}${sysconfdir}
+- test -f ${DESTDIR}${sysconfdir}/softhsm.conf || \
+- ${INSTALL_DATA} ${top_builddir}/softhsm.conf ${DESTDIR}${sysconfdir}
+- ${INSTALL_DATA} ${top_builddir}/softhsm.conf ${DESTDIR}${sysconfdir}/softhsm.conf.sample
++ test -d ${DESTDIR}${EGDIR} || \
++ ${INSTALL} -d ${DESTDIR}${EGDIR}
++ test -f ${DESTDIR}${EGDIR}/softhsm.conf || \
++ ${INSTALL_DATA} ${top_builddir}/softhsm.conf ${DESTDIR}${EGDIR}
++ ${INSTALL_DATA} ${top_builddir}/softhsm.conf ${DESTDIR}${EGDIR}/softhsm.conf.sample
+ test -d ${DESTDIR}${softhsmdbdir} || \
+ ${INSTALL} -d -m 700 ${DESTDIR}${softhsmdbdir}
+
diff -r 0b6b78982be6 -r 3b48c2f3c55b security/softhsm/patches/patch-aa
--- a/security/softhsm/patches/patch-aa Tue Nov 18 13:30:35 2014 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,29 +0,0 @@
-$NetBSD: patch-aa,v 1.3 2012/05/23 10:05:44 pettai Exp $
-
---- Makefile.in.orig 2012-05-09 18:41:49.000000000 +0000
-+++ Makefile.in
-@@ -271,6 +271,7 @@ sharedstatedir = @sharedstatedir@
- softhsmdbdir = @softhsmdbdir@
- srcdir = @srcdir@
- sysconfdir = @sysconfdir@
-+EGDIR = @EGDIR@
- target_alias = @target_alias@
- top_build_prefix = @top_build_prefix@
- top_builddir = @top_builddir@
-@@ -869,11 +870,11 @@ uninstall-man: uninstall-man5
-
-
- install-data-hook:
-- test -d ${DESTDIR}${sysconfdir} || \
-- ${INSTALL} -d ${DESTDIR}${sysconfdir}
-- test -f ${DESTDIR}${sysconfdir}/softhsm.conf || \
-- ${INSTALL_DATA} ${top_builddir}/softhsm.conf ${DESTDIR}${sysconfdir}
-- ${INSTALL_DATA} ${top_builddir}/softhsm.conf ${DESTDIR}${sysconfdir}/softhsm.conf.sample
-+ test -d ${DESTDIR}${EGDIR} || \
-+ ${INSTALL} -d ${DESTDIR}${EGDIR}
-+ test -f ${DESTDIR}${EGDIR}/softhsm.conf || \
-+ ${INSTALL_DATA} ${top_builddir}/softhsm.conf ${DESTDIR}${EGDIR}
-+ ${INSTALL_DATA} ${top_builddir}/softhsm.conf ${DESTDIR}${EGDIR}/softhsm.conf.sample
- test -d ${DESTDIR}${softhsmdbdir} || \
- ${INSTALL} -d -m 700 ${DESTDIR}${softhsmdbdir}
-
diff -r 0b6b78982be6 -r 3b48c2f3c55b security/softhsm/patches/patch-src_bin_softhsm-keyconv.cpp
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/softhsm/patches/patch-src_bin_softhsm-keyconv.cpp Tue Nov 18 13:40:56 2014 +0000
@@ -0,0 +1,35 @@
+$NetBSD: patch-src_bin_softhsm-keyconv.cpp,v 1.1 2014/11/18 13:40:57 he Exp $
+
+Adapt fix for SA59651, similar to CVE-2014-3209, from
+https://github.com/bellgrim/SoftHSMv2/commit/492447cd4a2be449e99fb9ad2519ea3277aaad28
+Ensure created pkcs8 file is not group- or world-readable.
+
+--- src/bin/softhsm-keyconv.cpp.orig 2014-05-28 05:59:14.000000000 +0000
++++ src/bin/softhsm-keyconv.cpp
+@@ -48,6 +48,10 @@
+ #include <iostream>
+ #include <fstream>
+ #include <stdint.h>
++#include <errno.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <fcntl.h>
+
+ void usage() {
+ printf("Converting between BIND .private-key format and PKCS#8 key file format.\n");
+@@ -391,6 +395,15 @@ int to_pkcs8(char *in_path, char *out_pa
+ return 1;
+ }
+
++ // Create and set file permissions if the file does not exist.
++ int fd = open(out_path, O_CREAT, S_IRUSR | S_IWUSR);
++ if (fd == -1) {
++ fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
++ out_path, errno);
++ return 1;
++ }
++ ::close(fd);
++
+ // Save the the key to the disk
+ switch(algorithm) {
+ case DNS_KEYALG_ERROR:
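Review bot: The mode passed to `open(out_path, O_CREAT, S_IRUSR | S_IWUSR)` only takes effect when the call actually creates the file, so an `out_path` that already exists with group or world read bits keeps them and the key is still written into a readable file. Tightening the descriptor before it is closed covers that case: `if (fchmod(fd, S_IRUSR | S_IWUSR) == -1) { ::close(fd); return 1; }`. The key itself is written by code outside this hunk, which presumably reopens `out_path` by name; adding `O_EXCL` and failing on an existing file, or handing the descriptor to the writer, would also close the gap between this permission step and the write. to_pkcs8 starts and ends outside the hunk.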