import opendnssec-2.1.10-1.el9

.gitignore

@@ -1 +1 @@
-SOURCES/opendnssec-2.1.8.tar.gz
+SOURCES/opendnssec-2.1.10.tar.gz

.opendnssec.metadata

@@ -1 +1 @@
-d425f79f1378fc78d073097c02faf2b11a7bc2d1 SOURCES/opendnssec-2.1.8.tar.gz
+450313b710434d1d7531b5eb5c28a475646a49fb SOURCES/opendnssec-2.1.10.tar.gz

SOURCES/0001-Pass-right-remaining-buffer-size-in-hsm_hex_unparse-.patch

@@ -0,0 +1,35 @@
+From 4d87db0f11bcdd5c54fadb92351b603bd07f76f8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Mon, 30 Jan 2023 11:44:49 +0200
+Subject: [PATCH] Pass right remaining buffer size in hsm_hex_unparse to handle
+ string fortification
+
+When string fortification is in use (-DFORTIFY_SOURCE=3), GCC and glibc
+will cut few bytes off the string buffer for prevention of buffer
+overruns. As a result, hsm_hex_unparse() will call into snprintf() with
+a buffer length bigger than the size of the buffer as seen by the
+GCC/glibc pair.
+
+See also: https://pagure.io/freeipa/issue/9312
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ libhsm/src/lib/libhsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libhsm/src/lib/libhsm.c b/libhsm/src/lib/libhsm.c
+index 88dc79e31..8f1e0c3bc 100644
+--- a/libhsm/src/lib/libhsm.c
++++ b/libhsm/src/lib/libhsm.c
+@@ -1382,7 +1382,7 @@ hsm_hex_unparse(char *dst, const unsigned char *src, size_t len)
+     size_t i;
+ 
+     for (i = 0; i < len; i++) {
+-        snprintf(dst + (2*i), dst_len, "%02x", src[i]);
++        snprintf(dst + (2*i), dst_len - (2*i), "%02x", src[i]);
+     }
+     dst[len*2] = '\0';
+ }
+-- 
+2.39.0
+

SOURCES/1001-opendnssec-c99.patch

@@ -0,0 +1,83 @@
+Include <unistd.h> for the setresuid and setresgid functions,
+to avoid an implicit function declaration.
+
+Submitted upstream: <https://github.com/opendnssec/opendnssec/pull/843>
+
+diff --git a/configure b/configure
+index bf515cde3d4fab71..52d2885d6a6ef546 100755
+--- a/configure
++++ b/configure
+@@ -21101,6 +21101,7 @@ else
+   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ 
++#include <unistd.h>
+ #include <stdlib.h>
+ #include <errno.h>
+ int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
+@@ -21143,6 +21144,7 @@ else
+   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ 
++#include <unistd.h>
+ #include <stdlib.h>
+ #include <errno.h>
+ int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
+diff --git a/m4/acx_broken_setres.m4 b/m4/acx_broken_setres.m4
+index 374cee0b0b8ef196..467db9170a319170 100644
+--- a/m4/acx_broken_setres.m4
++++ b/m4/acx_broken_setres.m4
+@@ -4,6 +4,7 @@ AC_DEFUN([ACX_BROKEN_SETRES],[
+ 		AC_MSG_CHECKING(if setresuid seems to work)
+ 		AC_RUN_IFELSE(
+ 			[AC_LANG_SOURCE([[
++#include <unistd.h>
+ #include <stdlib.h>
+ #include <errno.h>
+ int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
+@@ -20,6 +21,7 @@ int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
+ 		AC_MSG_CHECKING(if setresgid seems to work)
+ 		AC_RUN_IFELSE(
+ 			[AC_LANG_SOURCE([[
++#include <unistd.h>
+ #include <stdlib.h>
+ #include <errno.h>
+ int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
+commit 27290c5fcd065a5a857d37236e7f79121e303d0a
+Author: Mathieu Mirmont <mat@parad0x.org>
+Date:   Sun Dec 1 18:43:53 2019 +0100
+
+    common: add missing util.h header
+
+diff --git a/common/scheduler/task.c b/common/scheduler/task.c
+index cfdbd2d101aae795..9c09dc1893363abe 100644
+--- a/common/scheduler/task.c
++++ b/common/scheduler/task.c
+@@ -39,6 +39,7 @@
+ #include "status.h"
+ #include "duration.h"
+ #include "file.h"
++#include "util.h"
+ #include "log.h"
+ 
+ static const char* task_str = "task";
+commit 5422819c17c02e6069328b2f5e4bef6fe5c179df
+Author: Mathieu Mirmont <mat@parad0x.org>
+Date:   Sun Dec 1 17:57:36 2019 +0100
+
+    enforcer: remove remove strptime build warning
+
+diff --git a/enforcer/src/daemon/time_leap_cmd.c b/enforcer/src/daemon/time_leap_cmd.c
+index f1ee21b87529c136..5baef1b6ff7c4cc2 100644
+--- a/enforcer/src/daemon/time_leap_cmd.c
++++ b/enforcer/src/daemon/time_leap_cmd.c
+@@ -26,8 +26,8 @@
+  *
+  */
+ 
+-#include <getopt.h>
+ #include "config.h"
++#include <getopt.h>
+ 
+ #include "file.h"
+ #include "duration.h"

SPECS/opendnssec.spec

@@ -3,8 +3,8 @@
 
 Summary: DNSSEC key and zone management software
 Name: opendnssec
-Version: 2.1.8
+Version: 2.1.10
-Release: 4%{?dist}
+Release: 1%{?dist}
 License: BSD
 Url: http://www.opendnssec.org/
 Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
@@ -17,6 +17,9 @@ Source6: opendnssec.cron
 Source7: opendnssec-2.1.sqlite_convert.sql
 Source8: opendnssec-2.1.sqlite_rpmversion.sql
 
+Patch1:    0001-Pass-right-remaining-buffer-size-in-hsm_hex_unparse-.patch
+Patch1001: 1001-opendnssec-c99.patch
+
 Requires: opencryptoki, softhsm >= 2.5.0 , systemd-units
 Requires: libxml2, libxslt sqlite
 BuildRequires: make
@@ -33,10 +36,8 @@ Requires(pre): shadow-utils
 Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units
-%if 0%{?prever:1}
+
-# For building development snapshots
 Buildrequires: autoconf, automake, libtool, java
-%endif
 
 %description
 OpenDNSSEC was created as an open-source turn-key solution for DNSSEC.
@@ -45,6 +46,8 @@ name server. It requires a PKCS#11 crypto module library, such as softhsm
 
 %prep
 %setup -q -n %{name}-%{version}%{?prever}
+%autopatch -p1
+
 # bump default policy ZSK keysize to 2048
 sed -i "s/1024/2048/" conf/kasp.xml.in
 
@@ -178,6 +181,10 @@ ods-enforcer update all >/dev/null 2>/dev/null ||:
 %systemd_postun_with_restart ods-signerd.service
 
 %changelog
+* Thu Apr 27 2023 Rafael Guterres Jeffman <rjeffman@redhat.com> - 2.1.10-1
+- Upstream release 2.1.10.
+  Resolves: rhbz#1981324
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.8-4
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688