pool/iputils
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 53414 from network:utilities

Browse Source 
Accepted submit request 53414 from user coolo

OBS-URL: https://build.opensuse.org/request/show/53414
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/iputils?expand=0&rev=15
This commit is contained in:
Ruediger Oertel 2010-11-20 10:34:46 +00:00 committed by Git OBS Bridge
commit c6e6f0d485
9 changed files with 1283 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1103
ifenslave.c Normal file
View File

File diff suppressed because it is too large Load Diff

12
iputils-ADDLIB.diff
View File

@ -1,12 +0,0 @@
--- Makefile 2010-07-14 13:38:32.257045463 +0200
+++ Makefile 2010-07-14 13:39:00.482319644 +0200
@@ -4,8 +4,8 @@
DEFINES=
#options if you have a bind>=4.9.4 libresolv (or, maybe, glibc)
-LDLIBS=
ADDLIB=
+LDLIBS=-lresolv $(ADDLIB)
#options if you compile with libc5, and without a bind>=4.9.4 libresolv
# NOT AVAILABLE. Please, use libresolv.

16
iputils-arping-set_device_broadcast.diff
View File

@ -1,16 +0,0 @@
--- arping.c
+++ arping.c
@@ -335,8 +335,8 @@ void set_device_broadcast(char *device, unsigned char *ba, size_t balen)
exit(2);
}
- for (p = ba, ch = 0; p < ba + balen; p++, ch += 3)
- *p++ = strtoul(brdcast->value + ch * 3, NULL, 16);
+ for (p = ba, ch = 0; p < ba + balen; ch += 3)
+ *p++ = strtoul(brdcast->value + ch, NULL, 16);
return;
}
--
1.7.1

3
iputils-ifenslave.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8d05d05422bb7b96ec96c3ff61c07ad3fd2335e6599df960539386868aa33ee1
size 7737

118
iputils-s20101006-capabilities.diff Normal file
View File

@ -0,0 +1,118 @@
From 584838c9d4a496c4329e4c9a3d35520db00abb99 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: Wed, 3 Nov 2010 17:43:42 +0100
Subject: [PATCH iputils] drop capabilities
dropping capabilities makes sure that ping also gets rid of privileges
gained via fscaps. Capabilities are also dropped when called as root so
the running ping process has no special privileges anymore at all even
in that case. Capabilities need to be dropped after setuid() otherwise a
setuid ping would not have the privileges to drop root privileges anymore!
---
Makefile | 6 ++++++
ping.c | 16 ++++++++++++++++
ping6.c | 16 ++++++++++++++++
3 files changed, 38 insertions(+), 0 deletions(-)
diff --git a/Makefile b/Makefile
index d9a5ca5..6629ebf 100644
--- a/Makefile
+++ b/Makefile
@@ -6,6 +6,12 @@ DEFINES=
#options if you have a bind>=4.9.4 libresolv (or, maybe, glibc)
LDLIBS=
ADDLIB=
+CAPABILITIES=
+
+ifeq ($(CAPABILITIES),1)
+DEFINES += -DHAVE_CAPABILITIES
+LDLIBS += -lcap
+endif
#options if you compile with libc5, and without a bind>=4.9.4 libresolv
# NOT AVAILABLE. Please, use libresolv.
diff --git a/ping.c b/ping.c
index eacb29d..fa91163 100644
--- a/ping.c
+++ b/ping.c
@@ -62,6 +62,9 @@ char copyright[] =
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
+#ifdef HAVE_CAPABILITIES
+#include <sys/capability.h>
+#endif
#ifndef ICMP_FILTER
#define ICMP_FILTER 1
@@ -122,6 +125,9 @@ main(int argc, char **argv)
u_char *packet;
char *target, hnamebuf[MAX_HOSTNAMELEN];
char rspace[3 + 4 * NROUTES + 1]; /* record route space */
+#ifdef HAVE_CAPABILITIES
+ cap_t caps;
+#endif
icmp_sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
socket_errno = errno;
@@ -132,6 +138,16 @@ main(int argc, char **argv)
exit(-1);
}
+#ifdef HAVE_CAPABILITIES
+ /* drop all capabilities unconditionally so even root isn't special anymore */
+ caps = cap_init();
+ if (cap_set_proc(caps) < 0) {
+ perror("ping: cap_set_proc");
+ exit(-1);
+ }
+ cap_free(caps);
+#endif
+
source.sin_family = AF_INET;
preload = 1;
diff --git a/ping6.c b/ping6.c
index c5ff881..bfc0769 100644
--- a/ping6.c
+++ b/ping6.c
@@ -72,6 +72,9 @@ char copyright[] =
#include <netinet/ip6.h>
#include <netinet/icmp6.h>
#include <resolv.h>
+#ifdef HAVE_CAPABILITIES
+#include <sys/capability.h>
+#endif
#include "ping6_niquery.h"
@@ -528,6 +531,9 @@ int main(int argc, char *argv[])
int csum_offset, sz_opt;
#endif
static uint32_t scope_id = 0;
+#ifdef HAVE_CAPABILITIES
+ cap_t caps;
+#endif
icmp_sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
socket_errno = errno;
@@ -538,6 +544,16 @@ int main(int argc, char *argv[])
exit(-1);
}
+#ifdef HAVE_CAPABILITIES
+ /* drop all capabilities unconditionally so even root isn't special anymore */
+ caps = cap_init();
+ if (cap_set_proc(caps) < 0) {
+ perror("ping: cap_set_proc");
+ exit(-1);
+ }
+ cap_free(caps);
+#endif
+
source.sin6_family = AF_INET6;
memset(&firsthop, 0, sizeof(firsthop));
firsthop.sin6_family = AF_INET6;
--
1.7.1

3
iputils-s20101006.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fd3af46c80ebb99607c2ca1f2a3608b6fe828e25bbec6e54f2afd25f6ddb6ee7
size 94386

29
iputils.changes
View File

@ -1,3 +1,32 @@
-------------------------------------------------------------------
Fri Nov 19 09:55:18 UTC 2010 - coolo@novell.com
- remove no longer needed patches
-------------------------------------------------------------------
Mon Nov 8 10:32:37 UTC 2010 - lnussel@suse.de
- fix capabilities patch: first switch uid then drop caps.
-------------------------------------------------------------------
Wed Nov 3 14:31:09 UTC 2010 - lnussel@suse.de
- update to version s20100418
* ping,ping6: avoid gethostbyaddr during ping flood.
* arping: Set correct broadcast address.
* tracepath: Fix some small typos in tracepath.sgml.
* ping: Fix resource consumption triggered by specially crafted ICMP
Echo Reply (CVE-2010-2529)
- don't install fscaps, rely on /etc/permissions handling instead
- compile using -fno-strict-aliasing
- drop capabilities unconditionally (bnc#645423)
- spec file cleanup
-------------------------------------------------------------------
Mon Oct 11 03:56:55 UTC 2010 - reddwarf@opensuse.org
- Use POSIX capabilities instead of SUID for ping
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Sep 7 20:35:03 UTC 2010 - aj@suse.de Tue Sep 7 20:35:03 UTC 2010 - aj@suse.de

56
iputils.spec
View File

@ -25,47 +25,44 @@ BuildRequires: sysfsutils-devel
%else %else
BuildRequires: sysfsutils BuildRequires: sysfsutils
%endif %endif
Summary: IPv4and IPv6 Networking Utilities BuildRequires: libcap-devel
Version: s20100418 Summary: IPv4 and IPv6 Networking Utilities
Release: 2 Version: s20101006
Release: 1
License: BSD3c ; GPLv2+ License: BSD3c ; GPLv2+
Group: Productivity/Networking/Other Group: Productivity/Networking/Other
Provides: nkitb
Obsoletes: nkitb
Url: http://www.skbuff.net/iputils Url: http://www.skbuff.net/iputils
Source: iputils.tar.bz2 Source: http://www.skbuff.net/iputils/iputils-%{version}.tar.bz2
Source1: iputils-ifenslave.tar.bz2 # XXX: from linux/Documentation/networking/ifenslave.c
Patch1: %name-pingnamelookuponce.diff Source1: ifenslave.c
Patch2: %name-traceroute6-stdint.diff Patch1: iputils-pingnamelookuponce.diff
Patch3: %name-ifenslave.diff Patch2: iputils-traceroute6-stdint.diff
Patch4: %name-arping-set_device_broadcast.diff Patch3: iputils-ifenslave.diff
Patch5: %name-ADDLIB.diff Patch6: iputils-s20101006-capabilities.diff
Prefix: %_prefix
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: permissions
%description %description
This package contains some small network tools for IPv4 and IPv6 like This package contains some small network tools for IPv4 and IPv6 like
rdisc, ping6, traceroute6, tracepath, and tracepath6. rdisc, ping6, traceroute6, tracepath, and tracepath6.
Authors:
--------
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
%prep %prep
%setup -q -n %name -b1 %setup -q
cp -a %SOURCE1 .
%patch1 %patch1
%patch2 %patch2
%patch3 %patch3
%patch4 #patch4
%patch5 #patch5
%patch6 -p1
mkdir linux mkdir linux
touch linux/autoconf.h touch linux/autoconf.h
%build %build
make %{?_smp_mflags} KERNEL_INCLUDE=$PWD DEFINES='%optflags -fpie' ADDLIB='-pie' make %{?_smp_mflags} KERNEL_INCLUDE=$PWD \
CCOPT='%optflags -fno-strict-aliasing -fpie -D_GNU_SOURCE' \
LDLIBS='-pie -lcap -lresolv' \
CAPABILITIES=1
gcc $RPM_OPT_FLAGS -o ifenslave ifenslave.c gcc $RPM_OPT_FLAGS -o ifenslave ifenslave.c
make man make man
@ -94,14 +91,21 @@ install -m 644 doc/rdisc.8 $RPM_BUILD_ROOT%_mandir/man8/
%clean %clean
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
%post
%run_permissions
%verifyscript
%verify_permissions -e /bin/ping
%verify_permissions -e /bin/ping6
%files %files
%defattr(-,root,root) %defattr(-,root,root)
%doc RELNOTES %doc RELNOTES
/sbin/arping /sbin/arping
/sbin/ifenslave /sbin/ifenslave
/sbin/clockdiff /sbin/clockdiff
%attr(4755,root,root) /bin/ping %verify(not mode) %attr(4755,root,root) /bin/ping
%attr(4755,root,root) /bin/ping6 %verify(not mode) %attr(4755,root,root) /bin/ping6
/bin/ipg /bin/ipg
/sbin/tracepath /sbin/tracepath
/sbin/tracepath6 /sbin/tracepath6

3
iputils.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:183d4f767dab69dc7cf3782e0ded63cc5066bfc102a981ec4766334ff33d0ae1
size 115376