Accepting request 872987 from GNOME:Next
- Update avahi-daemon-check-dns.sh from Debian. Our previous version relied on ifconfig, route, and init.d. - Rebase avahi-daemon-check-dns-suse.patch, and drop privileges when invoking avahi-daemon-check-dns.sh (boo#1180827 CVE-2021-26720). - Add sudo to requires: used to drop privileges. OBS-URL: https://build.opensuse.org/request/show/872987 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/avahi?expand=0&rev=182
parent
cbc274f781
commit
bdcdeadf85
@ -1,5 +1,5 @@
|
||||
--- avahi-daemon-check-dns.sh.debian 2012-03-04 05:24:07.000000000 +0100
|
||||
+++ avahi-daemon-check-dns.sh 2012-05-23 20:06:27.121923772 +0200
|
||||
--- avahi-daemon-check-dns.sh.debian 2021-01-27 15:28:07.832795734 -0600
|
||||
+++ avahi-daemon-check-dns.sh 2021-01-27 15:39:35.364471899 -0600
|
||||
@@ -5,15 +5,15 @@
|
||||
|
||||
PATH=/bin:/usr/bin:/sbin:/usr/sbin
|
||||
@ -13,48 +13,16 @@
|
||||
+AVAHI_DAEMON_DETECT_LOCAL=yes
|
||||
|
||||
-test -f /etc/default/avahi-daemon && . /etc/default/avahi-daemon
|
||||
+test -f /etc/sysconfig/avahi-daemon && . /etc/sysconfig/avahi-daemon
|
||||
+test -f /etc/sysconfig/avahi && . /etc/sysconfig/avahi
|
||||
|
||||
-if [ "$AVAHI_DAEMON_DETECT_LOCAL" != "1" ]; then
|
||||
+if [ "$AVAHI_DAEMON_DETECT_LOCAL" != "yes" ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
@@ -96,12 +96,8 @@
|
||||
# no unicast .local conflict, so remove the tag and start avahi again
|
||||
if [ -e ${DISABLE_TAG} ]; then
|
||||
rm -f ${DISABLE_TAG}
|
||||
- if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
|
||||
- invoke-rc.d avahi-daemon start || true
|
||||
- else
|
||||
- if [ -x "/etc/init.d/avahi-daemon" ]; then
|
||||
- /etc/init.d/avahi-daemon start || true
|
||||
- fi
|
||||
+ if [ -x "/etc/init.d/avahi-daemon" ]; then
|
||||
+ /etc/init.d/avahi-daemon start || true
|
||||
fi
|
||||
fi
|
||||
}
|
||||
@@ -110,14 +106,8 @@
|
||||
[ -e ${DISABLE_TAG} ] && return
|
||||
|
||||
if [ -x /etc/init.d/avahi-daemon ]; then
|
||||
- if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
|
||||
- invoke-rc.d --force avahi-daemon stop || true
|
||||
- else
|
||||
- if [ -x "/etc/init.d/avahi-daemon" ]; then
|
||||
- /etc/init.d/avahi-daemon stop || true
|
||||
- fi
|
||||
- fi
|
||||
- if [ -x /usr/bin/logger ]; then
|
||||
+ /etc/init.d/avahi-daemon stop || true
|
||||
+ if [ -x /bin/logger ]; then
|
||||
logger -p daemon.warning -t avahi <<EOF
|
||||
Avahi detected that your currently configured local DNS server serves
|
||||
a domain .local. This is inherently incompatible with Avahi and thus
|
||||
--- avahi-daemon.if-up.debian 2012-03-04 05:24:07.000000000 +0100
|
||||
+++ avahi-daemon.if-up 2012-05-24 19:38:04.347420848 +0200
|
||||
@@ -3,7 +3,7 @@
|
||||
--- avahi-daemon.if-up.debian 2021-01-27 16:09:50.922179542 -0600
|
||||
+++ avahi-daemon.if-up 2021-01-27 16:11:54.942842665 -0600
|
||||
@@ -3,10 +3,10 @@
|
||||
# Don't run the avahi-daemon unicast local check while bringing up
|
||||
# the loopback device; it's not necessary until we bring up a real network
|
||||
# device
|
||||
@ -63,3 +31,7 @@
|
||||
|
||||
# If we have an unicast .local domain, we immediately disable avahi to avoid
|
||||
# conflicts with the multicast IP4LL .local domain
|
||||
if [ -x /usr/lib/avahi/avahi-daemon-check-dns.sh ] ; then
|
||||
- exec /usr/lib/avahi/avahi-daemon-check-dns.sh
|
||||
+ sudo -u avahi -g avahi /usr/lib/avahi/avahi-daemon-check-dns.sh
|
||||
fi
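Review bot: The `sudo -u avahi -g avahi` call that replaces `exec` in avahi-daemon.if-up drops privileges for the whole check script, yet that script still ends by starting or stopping the avahi-daemon service and touching the disable tag (enable_avahi and disable_avahi in avahi-daemon-check-dns.sh). If the avahi user is not authorised for those actions, which seems likely, they fail and the trailing `|| true` hides it, so the .local conflict check would no longer have any effect. I would also pass `-n` (`sudo -n -u avahi -g avahi /usr/lib/avahi/avahi-daemon-check-dns.sh`) so that a sudoers policy asking for a password fails at once instead of blocking interface bring-up, and add a comment above the call such as `# CVE-2021-26720: run the check as avahi, never as root`. The rest of the if-up script is outside the hunk.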
|
||||
|
@ -24,6 +24,19 @@ ensure_rundir() {
|
||||
fi
|
||||
}
|
||||
|
||||
log_disable_warning() {
|
||||
if [ -x /usr/bin/logger ]; then
|
||||
logger -p daemon.warning -t avahi <<EOF
|
||||
Avahi detected that your currently configured local DNS server serves
|
||||
a domain .local. This is inherently incompatible with Avahi and thus
|
||||
Avahi stopped itself. If you want to use Avahi in this network, please
|
||||
contact your administrator and convince him to use a different DNS domain,
|
||||
since .local should be used exclusively for Zeroconf technology.
|
||||
For more information, see http://avahi.org/wiki/AvahiAndUnicastDotLocal
|
||||
EOF
|
||||
fi
|
||||
}
|
||||
|
||||
dns_reachable() {
|
||||
# If there are no nameserver entries in resolv.conf there is no dns reachable
|
||||
$(grep -q nameserver /etc/resolv.conf) || return 1;
|
||||
@ -31,12 +44,17 @@ dns_reachable() {
|
||||
# If there is no local nameserver and no we have no global ip addresses
|
||||
# then we can't reach any nameservers
|
||||
if ! $(egrep -q "nameserver 127.0.0.1|::1" /etc/resolv.conf); then
|
||||
if [ -x "$(which ip)" ]; then
|
||||
ADDRS=$(ip addr show scope global | grep inet)
|
||||
ROUTES=$(ip route show 0.0.0.0/0)
|
||||
elif [ -x "$(which ifconfig)" -a -x "$(which route)" ]; then
|
||||
# Get addresses of all running interfaces
|
||||
ADDRS=$(LC_ALL=C ifconfig | grep ' addr:')
|
||||
# Filter out all local addresses
|
||||
ADDRS=$(echo "${ADDRS}" | egrep -v ':127|Scope:Host|Scope:Link')
|
||||
# Check we have a default route
|
||||
ROUTES=$(route -n | grep '^0.0.0.0 ')
|
||||
fi
|
||||
if [ -z "${ADDRS}" -o -z "${ROUTES}" ] ; then
|
||||
return 1;
|
||||
fi
|
||||
@ -55,7 +73,8 @@ dns_has_local() {
|
||||
fi
|
||||
fi
|
||||
|
||||
OUT=`LC_ALL=C host -t soa local. 2>&1`
|
||||
# Use timeout when calling host as workaround for LP: #1752411
|
||||
OUT=`LC_ALL=C timeout 5 host -t soa local. 2>&1`
|
||||
if [ $? -eq 0 ] ; then
|
||||
if echo "$OUT" | egrep -vq 'has no|not found'; then
|
||||
return 0
|
||||
@ -96,37 +115,23 @@ enable_avahi () {
|
||||
# no unicast .local conflict, so remove the tag and start avahi again
|
||||
if [ -e ${DISABLE_TAG} ]; then
|
||||
rm -f ${DISABLE_TAG}
|
||||
if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
|
||||
invoke-rc.d avahi-daemon start || true
|
||||
else
|
||||
if [ -x "/etc/init.d/avahi-daemon" ]; then
|
||||
if [ -d /run/systemd/system ]; then
|
||||
systemctl start avahi-daemon.socket avahi-daemon.service || true
|
||||
elif [ -x "/etc/init.d/avahi-daemon" ]; then
|
||||
/etc/init.d/avahi-daemon start || true
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
disable_avahi () {
|
||||
[ -e ${DISABLE_TAG} ] && return
|
||||
|
||||
if [ -x /etc/init.d/avahi-daemon ]; then
|
||||
if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
|
||||
invoke-rc.d --force avahi-daemon stop || true
|
||||
else
|
||||
if [ -x "/etc/init.d/avahi-daemon" ]; then
|
||||
if [ -d /run/systemd/system ]; then
|
||||
systemctl stop avahi-daemon.socket avahi-daemon.service || true
|
||||
log_disable_warning
|
||||
elif [ -x "/etc/init.d/avahi-daemon" ]; then
|
||||
/etc/init.d/avahi-daemon stop || true
|
||||
fi
|
||||
fi
|
||||
if [ -x /usr/bin/logger ]; then
|
||||
logger -p daemon.warning -t avahi <<EOF
|
||||
Avahi detected that your currently configured local DNS server serves
|
||||
a domain .local. This is inherently incompatible with Avahi and thus
|
||||
Avahi disabled itself. If you want to use Avahi in this network, please
|
||||
contact your administrator and convince him to use a different DNS domain,
|
||||
since .local should be used exclusively for Zeroconf technology.
|
||||
For more information, see http://avahi.org/wiki/AvahiAndUnicastDotLocal
|
||||
EOF
|
||||
fi
|
||||
log_disable_warning
|
||||
fi
|
||||
ensure_rundir
|
||||
touch ${DISABLE_TAG}
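Review bot: In disable_avahi, `log_disable_warning` is called after `systemctl stop avahi-daemon.socket avahi-daemon.service || true` regardless of whether the stop worked, so syslog can report that Avahi stopped itself while the daemon is still running; the init.d branch has the same shape. Logging only on success, `systemctl stop avahi-daemon.socket avahi-daemon.service && log_disable_warning`, keeps the message truthful, and a failed stop deserves its own `logger` line. `${DISABLE_TAG}` is also expanded unquoted in `[ -e ${DISABLE_TAG} ]`, `rm -f ${DISABLE_TAG}` and `touch ${DISABLE_TAG}`; quote it as `"${DISABLE_TAG}"`. The function's closing lines are outside the hunk.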
|
||||
|
@ -50,7 +50,7 @@ License: LGPL-2.1-or-later
|
||||
Group: System/Daemons
|
||||
URL: http://www.avahi.org/
|
||||
Source: http://avahi.org/download/%{_name}-%{version}.tar.gz
|
||||
# From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.6.31-1.debian.tar.gz
|
||||
# From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.8-3.debian.tar.xz
|
||||
Source1: avahi-daemon-check-dns.sh
|
||||
# Copy of glib-2.0.m4 from glib2-devel to not depend on glib2-devel.
|
||||
Source4: avahi-glib-gettext.m4
|
||||
@ -103,6 +103,7 @@ BuildRequires: libevent-devel >= 2.1.5
|
||||
BuildRequires: zlib-devel
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
Requires: nss-mdns
|
||||
Requires: sudo
|
||||
Requires(pre): shadow
|
||||
#
|
||||
# mDNSResponder was used for <= 10.2:
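Review bot: `Requires: sudo` makes a setuid-root tool with its own policy file a hard dependency of the package just to switch to the avahi user, and the call then depends on the local sudoers configuration. The caller presumably already runs as root, so `setpriv --reuid avahi --regid avahi --init-groups` or `runuser -u avahi -g avahi --` from util-linux could drop privileges without that dependency; this is a trade-off to weigh rather than a defect in the line. If sudo stays, a comment above it such as `# sudo: avahi-daemon.if-up runs avahi-daemon-check-dns.sh as avahi` would record why it is required. The same line is added in the three other spec sections on this page.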
|
||||
|
@ -50,7 +50,7 @@ License: LGPL-2.1-or-later
|
||||
Group: Development/Languages/Mono
|
||||
URL: http://www.avahi.org/
|
||||
Source: http://avahi.org/download/%{_name}-%{version}.tar.gz
|
||||
# From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.6.31-1.debian.tar.gz
|
||||
# From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.8-3.debian.tar.xz
|
||||
Source1: avahi-daemon-check-dns.sh
|
||||
# Copy of glib-2.0.m4 from glib2-devel to not depend on glib2-devel.
|
||||
Source4: avahi-glib-gettext.m4
|
||||
@ -103,6 +103,7 @@ BuildRequires: libevent-devel >= 2.1.5
|
||||
BuildRequires: zlib-devel
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
Requires: nss-mdns
|
||||
Requires: sudo
|
||||
Requires(pre): shadow
|
||||
#
|
||||
# mDNSResponder was used for <= 10.2:
|
||||
|
@ -50,7 +50,7 @@ License: LGPL-2.1-or-later
|
||||
Group: System/Daemons
|
||||
URL: http://www.avahi.org/
|
||||
Source: http://avahi.org/download/%{_name}-%{version}.tar.gz
|
||||
# From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.6.31-1.debian.tar.gz
|
||||
# From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.8-3.debian.tar.xz
|
||||
Source1: avahi-daemon-check-dns.sh
|
||||
# Copy of glib-2.0.m4 from glib2-devel to not depend on glib2-devel.
|
||||
Source4: avahi-glib-gettext.m4
|
||||
@ -103,6 +103,7 @@ BuildRequires: libevent-devel >= 2.1.5
|
||||
BuildRequires: zlib-devel
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
Requires: nss-mdns
|
||||
Requires: sudo
|
||||
Requires(pre): shadow
|
||||
#
|
||||
# mDNSResponder was used for <= 10.2:
|
||||
|
@ -1,3 +1,14 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Feb 16 22:37:35 UTC 2021 - Michael Gorse <mgorse@suse.com>
|
||||
|
||||
- Update avahi-daemon-check-dns.sh from Debian. Our previous
|
||||
version relied on ifconfig, route, and init.d.
|
||||
- Rebase avahi-daemon-check-dns-suse.patch, and drop privileges
|
||||
when invoking avahi-daemon-check-dns.sh (boo#1180827
|
||||
CVE-2021-26720).
|
||||
- Add sudo to requires: used to drop privileges.
|
||||
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Feb 10 20:09:43 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
|
||||
|
||||
|
@ -52,7 +52,7 @@ License: LGPL-2.1-or-later
|
||||
Group: System/Daemons
|
||||
URL: http://www.avahi.org/
|
||||
Source: http://avahi.org/download/%{_name}-%{version}.tar.gz
|
||||
# From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.6.31-1.debian.tar.gz
|
||||
# From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.8-3.debian.tar.xz
|
||||
Source1: avahi-daemon-check-dns.sh
|
||||
# Copy of glib-2.0.m4 from glib2-devel to not depend on glib2-devel.
|
||||
Source4: avahi-glib-gettext.m4
|
||||
@ -105,6 +105,7 @@ BuildRequires: libevent-devel >= 2.1.5
|
||||
BuildRequires: zlib-devel
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
Requires: nss-mdns
|
||||
Requires: sudo
|
||||
Requires(pre): shadow
|
||||
#
|
||||
# mDNSResponder was used for <= 10.2:
|
||||
|