apache2-mod_nss/mod_nss-bnc863518-reopen_dev_tty.diff

Index: nss_engine_pphrase.c
===================================================================
--- nss_engine_pphrase.c.orig	2016-03-14 12:33:49.139529734 +0100
+++ nss_engine_pphrase.c	2016-03-14 12:40:42.603094487 +0100
@@ -228,6 +228,7 @@ static char *nss_get_password(FILE *inpu
     char line[1024];
     unsigned char phrase[200];
     int infd = fileno(input);
+    int tmpfd;
     int isTTY = isatty(infd);
 
     token_name = PK11_GetTokenName(slot);
@@ -327,6 +328,24 @@ static char *nss_get_password(FILE *inpu
     if (pwdstr)
         return pwdstr;
 
+    /* It happens that stdin is not opened with O_RDONLY. Better make sure
+     * it is and re-open /dev/tty.
+     */
+    close(infd); /* is 0 normally. open(2) will return first available. */
+    tmpfd = open("/dev/tty", O_RDONLY);
+    if( tmpfd == -1) {
+	fprintf(output, "Cannot open /dev/tty for reading the passphrase.\n");
+	nss_die();
+    }
+    if(tmpfd != infd) {
+	if( dup2(tmpfd, infd) != infd) {
+	    fprintf(output, "Problem duplicating /dev/tty file descriptor.\n");
+	    close(tmpfd);
+	    nss_die();
+	}
+	close(tmpfd);
+    }
+
     for (;;) {
         /* Prompt for password */
         if (isTTY) {
Accepting request 375069 from home:vitezslav_cizek:branches:Apache:Modules - use a whitelist approach for keeping directives in the migration script (bsc#961907) * modify mod_nss_migrate.pl - fix test: add NSSPassPhraseDialog, point it to plain file - update to 1.0.13 Update default ciphers to something more modern and secure Check for host and netstat commands in gencert before trying to use them Add server support for DHE ciphers Extract SAN from server/client certificates into env Fix memory leaks and other coding issues caught by clang analyzer Add support for Server Name Indication (SNI) (#1010751) Add support for SNI for reverse proxy connections Add RenegBufferSize? option Add support for TLS Session Tickets (RFC 5077) Fix logical AND support in OpenSSL cipher compatibility Correctly handle disabled ciphers (CVE-2015-5244) Implement a slew more OpenSSL cipher macros Fix a number of illegal memory accesses and memory leaks Support for SHA384 ciphers if they are available in NSS Add compatibility for mod_ssl-style cipher definitions (#862938) Add TLSv1.2-specific ciphers Completely remove support for SSLv2 Add support for sqlite NSS databases (#1057650) Compare subject CN and VS hostname during server start up Add support for enabling TLS v1.2 Don't enable SSL 3 by default (CVE-2014-3566) Fix CVE-2013-4566 Move nss_pcache to /usr/libexec OBS-URL: https://build.opensuse.org/request/show/375069 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=22 2016-03-30 16:57:58 +02:00			`Index: nss_engine_pphrase.c`
			`===================================================================`
			`--- nss_engine_pphrase.c.orig 2016-03-14 12:33:49.139529734 +0100`
			`+++ nss_engine_pphrase.c 2016-03-14 12:40:42.603094487 +0100`
			`@@ -228,6 +228,7 @@ static char nss_get_password(FILE inpu`
Accepting request 242385 from home:draht:branches:mozilla:Factory - mod_nss-bnc863518-reopen_dev_tty.diff: close(0) and open("/dev/tty", ...) to make sure that stdin can be read from. startproc may inherit wrongly opened file descriptors to httpd. (Note: An analogous fix exists in startproc(8), too.) [bnc#863518] - VirtualHost part in /etc/apache2/conf.d/mod_nss.conf is now externalized to /etc/apache2/conf.d/vhost-nss.template and not activated/read by default. [bnc#878681] - NSSCipherSuite update following additional ciphers of Feb 18 change. [bnc#878681] - mod_nss-SNI-callback.patch, mod_nss-SNI-checks.patch: server side SNI was not implemented when mod_nss was made; patches implement SNI with checks if SNI provided hostname equals Host: field in http request header. OBS-URL: https://build.opensuse.org/request/show/242385 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/apache2-mod_nss?expand=0&rev=10 2014-07-25 16:00:54 +02:00			`char line[1024];`
			`unsigned char phrase[200];`
			`int infd = fileno(input);`
			`+ int tmpfd;`
			`int isTTY = isatty(infd);`

			`token_name = PK11_GetTokenName(slot);`
Accepting request 375069 from home:vitezslav_cizek:branches:Apache:Modules - use a whitelist approach for keeping directives in the migration script (bsc#961907) * modify mod_nss_migrate.pl - fix test: add NSSPassPhraseDialog, point it to plain file - update to 1.0.13 Update default ciphers to something more modern and secure Check for host and netstat commands in gencert before trying to use them Add server support for DHE ciphers Extract SAN from server/client certificates into env Fix memory leaks and other coding issues caught by clang analyzer Add support for Server Name Indication (SNI) (#1010751) Add support for SNI for reverse proxy connections Add RenegBufferSize? option Add support for TLS Session Tickets (RFC 5077) Fix logical AND support in OpenSSL cipher compatibility Correctly handle disabled ciphers (CVE-2015-5244) Implement a slew more OpenSSL cipher macros Fix a number of illegal memory accesses and memory leaks Support for SHA384 ciphers if they are available in NSS Add compatibility for mod_ssl-style cipher definitions (#862938) Add TLSv1.2-specific ciphers Completely remove support for SSLv2 Add support for sqlite NSS databases (#1057650) Compare subject CN and VS hostname during server start up Add support for enabling TLS v1.2 Don't enable SSL 3 by default (CVE-2014-3566) Fix CVE-2013-4566 Move nss_pcache to /usr/libexec OBS-URL: https://build.opensuse.org/request/show/375069 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=22 2016-03-30 16:57:58 +02:00			`@@ -327,6 +328,24 @@ static char nss_get_password(FILE inpu`
Accepting request 242385 from home:draht:branches:mozilla:Factory - mod_nss-bnc863518-reopen_dev_tty.diff: close(0) and open("/dev/tty", ...) to make sure that stdin can be read from. startproc may inherit wrongly opened file descriptors to httpd. (Note: An analogous fix exists in startproc(8), too.) [bnc#863518] - VirtualHost part in /etc/apache2/conf.d/mod_nss.conf is now externalized to /etc/apache2/conf.d/vhost-nss.template and not activated/read by default. [bnc#878681] - NSSCipherSuite update following additional ciphers of Feb 18 change. [bnc#878681] - mod_nss-SNI-callback.patch, mod_nss-SNI-checks.patch: server side SNI was not implemented when mod_nss was made; patches implement SNI with checks if SNI provided hostname equals Host: field in http request header. OBS-URL: https://build.opensuse.org/request/show/242385 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/apache2-mod_nss?expand=0&rev=10 2014-07-25 16:00:54 +02:00			`if (pwdstr)`
			`return pwdstr;`
Accepting request 375069 from home:vitezslav_cizek:branches:Apache:Modules - use a whitelist approach for keeping directives in the migration script (bsc#961907) * modify mod_nss_migrate.pl - fix test: add NSSPassPhraseDialog, point it to plain file - update to 1.0.13 Update default ciphers to something more modern and secure Check for host and netstat commands in gencert before trying to use them Add server support for DHE ciphers Extract SAN from server/client certificates into env Fix memory leaks and other coding issues caught by clang analyzer Add support for Server Name Indication (SNI) (#1010751) Add support for SNI for reverse proxy connections Add RenegBufferSize? option Add support for TLS Session Tickets (RFC 5077) Fix logical AND support in OpenSSL cipher compatibility Correctly handle disabled ciphers (CVE-2015-5244) Implement a slew more OpenSSL cipher macros Fix a number of illegal memory accesses and memory leaks Support for SHA384 ciphers if they are available in NSS Add compatibility for mod_ssl-style cipher definitions (#862938) Add TLSv1.2-specific ciphers Completely remove support for SSLv2 Add support for sqlite NSS databases (#1057650) Compare subject CN and VS hostname during server start up Add support for enabling TLS v1.2 Don't enable SSL 3 by default (CVE-2014-3566) Fix CVE-2013-4566 Move nss_pcache to /usr/libexec OBS-URL: https://build.opensuse.org/request/show/375069 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=22 2016-03-30 16:57:58 +02:00
Accepting request 242385 from home:draht:branches:mozilla:Factory - mod_nss-bnc863518-reopen_dev_tty.diff: close(0) and open("/dev/tty", ...) to make sure that stdin can be read from. startproc may inherit wrongly opened file descriptors to httpd. (Note: An analogous fix exists in startproc(8), too.) [bnc#863518] - VirtualHost part in /etc/apache2/conf.d/mod_nss.conf is now externalized to /etc/apache2/conf.d/vhost-nss.template and not activated/read by default. [bnc#878681] - NSSCipherSuite update following additional ciphers of Feb 18 change. [bnc#878681] - mod_nss-SNI-callback.patch, mod_nss-SNI-checks.patch: server side SNI was not implemented when mod_nss was made; patches implement SNI with checks if SNI provided hostname equals Host: field in http request header. OBS-URL: https://build.opensuse.org/request/show/242385 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/apache2-mod_nss?expand=0&rev=10 2014-07-25 16:00:54 +02:00			`+ /* It happens that stdin is not opened with O_RDONLY. Better make sure`
			`+ * it is and re-open /dev/tty.`
			`+ */`
			`+ close(infd); /* is 0 normally. open(2) will return first available. */`
			`+ tmpfd = open("/dev/tty", O_RDONLY);`
			`+ if( tmpfd == -1) {`
			`+ fprintf(output, "Cannot open /dev/tty for reading the passphrase.\n");`
			`+ nss_die();`
			`+ }`
			`+ if(tmpfd != infd) {`
			`+ if( dup2(tmpfd, infd) != infd) {`
			`+ fprintf(output, "Problem duplicating /dev/tty file descriptor.\n");`
			`+ close(tmpfd);`
			`+ nss_die();`
			`+ }`
			`+ close(tmpfd);`
			`+ }`
			`+`
			`for (;;) {`
			`/* Prompt for password */`
			`if (isTTY) {`