Accepting request 53414 from network:utilities

Accepted submit request 53414 from user coolo OBS-URL: https://build.opensuse.org/request/show/53414 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/iputils?expand=0&rev=15
2010-11-20 10:34:46 +00:00 · 2010-11-20 10:34:46 +00:00 · c6e6f0d485
commit c6e6f0d485
parent 5a4278e64e c7740699a8
9 changed files with 1283 additions and 60 deletions
--- a/ifenslave.c
+++ b/ifenslave.c
--- a/iputils-ADDLIB.diff
+++ b/iputils-ADDLIB.diff
@ -1,12 +0,0 @@
--- Makefile	2010-07-14 13:38:32.257045463 +0200
-+++ Makefile	2010-07-14 13:39:00.482319644 +0200
-@@ -4,8 +4,8 @@
- DEFINES= 
- 
- #options if you have a bind>=4.9.4 libresolv (or, maybe, glibc)
-LDLIBS=
- ADDLIB=
-+LDLIBS=-lresolv $(ADDLIB)
- 
- #options if you compile with libc5, and without a bind>=4.9.4 libresolv
- # NOT AVAILABLE. Please, use libresolv.
--- a/iputils-arping-set_device_broadcast.diff
+++ b/iputils-arping-set_device_broadcast.diff
@ -1,16 +0,0 @@
--- arping.c
-+++ arping.c
-@@ -335,8 +335,8 @@ void set_device_broadcast(char *device, unsigned char *ba, size_t balen)
- 		exit(2);
- 	}
- 
-	for (p = ba, ch = 0; p < ba + balen; p++, ch += 3)
-		*p++ = strtoul(brdcast->value + ch * 3, NULL, 16);
-+	for (p = ba, ch = 0; p < ba + balen; ch += 3)
-+		*p++ = strtoul(brdcast->value + ch, NULL, 16);
- 
- 	return;
- }
-- 
-1.7.1
-
--- a/iputils-ifenslave.tar.bz2
+++ b/iputils-ifenslave.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8d05d05422bb7b96ec96c3ff61c07ad3fd2335e6599df960539386868aa33ee1
-size 7737
--- a/iputils-s20101006-capabilities.diff
+++ b/iputils-s20101006-capabilities.diff
@ -0,0 +1,118 @@
+From 584838c9d4a496c4329e4c9a3d35520db00abb99 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Wed, 3 Nov 2010 17:43:42 +0100
+Subject: [PATCH iputils] drop capabilities
+
+dropping capabilities makes sure that ping also gets rid of privileges
+gained via fscaps. Capabilities are also dropped when called as root so
+the running ping process has no special privileges anymore at all even
+in that case. Capabilities need to be dropped after setuid() otherwise a
+setuid ping would not have the privileges to drop root privileges anymore!
+---
+ Makefile |    6 ++++++
+ ping.c   |   16 ++++++++++++++++
+ ping6.c  |   16 ++++++++++++++++
+ 3 files changed, 38 insertions(+), 0 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index d9a5ca5..6629ebf 100644
+--- a/Makefile
+++ b/Makefile
+@@ -6,6 +6,12 @@ DEFINES=
+ #options if you have a bind>=4.9.4 libresolv (or, maybe, glibc)
+ LDLIBS=
+ ADDLIB=
+CAPABILITIES=
+
+ifeq ($(CAPABILITIES),1)
+DEFINES += -DHAVE_CAPABILITIES
+LDLIBS += -lcap
+endif
+ 
+ #options if you compile with libc5, and without a bind>=4.9.4 libresolv
+ # NOT AVAILABLE. Please, use libresolv.
+diff --git a/ping.c b/ping.c
+index eacb29d..fa91163 100644
+--- a/ping.c
+++ b/ping.c
+@@ -62,6 +62,9 @@ char copyright[] =
+ 
+ #include <netinet/ip.h>
+ #include <netinet/ip_icmp.h>
+#ifdef HAVE_CAPABILITIES
+#include <sys/capability.h>
+#endif
+ 
+ #ifndef ICMP_FILTER
+ #define ICMP_FILTER	1
+@@ -122,6 +125,9 @@ main(int argc, char **argv)
+ 	u_char *packet;
+ 	char *target, hnamebuf[MAX_HOSTNAMELEN];
+ 	char rspace[3 + 4 * NROUTES + 1];	/* record route space */
+#ifdef HAVE_CAPABILITIES
+	cap_t caps;
+#endif
+ 
+ 	icmp_sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
+ 	socket_errno = errno;
+@@ -132,6 +138,16 @@ main(int argc, char **argv)
+ 		exit(-1);
+ 	}
+ 
+#ifdef HAVE_CAPABILITIES
+	/* drop all capabilities unconditionally so even root isn't special anymore */
+	caps = cap_init();
+	if (cap_set_proc(caps) < 0) {
+		perror("ping: cap_set_proc");
+		exit(-1);
+	}
+	cap_free(caps);
+#endif
+
+ 	source.sin_family = AF_INET;
+ 
+ 	preload = 1;
+diff --git a/ping6.c b/ping6.c
+index c5ff881..bfc0769 100644
+--- a/ping6.c
+++ b/ping6.c
+@@ -72,6 +72,9 @@ char copyright[] =
+ #include <netinet/ip6.h>
+ #include <netinet/icmp6.h>
+ #include <resolv.h>
+#ifdef HAVE_CAPABILITIES
+#include <sys/capability.h>
+#endif
+ 
+ #include "ping6_niquery.h"
+ 
+@@ -528,6 +531,9 @@ int main(int argc, char *argv[])
+ 	int csum_offset, sz_opt;
+ #endif
+ 	static uint32_t scope_id = 0;
+#ifdef HAVE_CAPABILITIES
+	cap_t caps;
+#endif
+ 
+ 	icmp_sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
+ 	socket_errno = errno;
+@@ -538,6 +544,16 @@ int main(int argc, char *argv[])
+ 		exit(-1);
+ 	}
+ 
+#ifdef HAVE_CAPABILITIES
+	/* drop all capabilities unconditionally so even root isn't special anymore */
+	caps = cap_init();
+	if (cap_set_proc(caps) < 0) {
+		perror("ping: cap_set_proc");
+		exit(-1);
+	}
+	cap_free(caps);
+#endif
+
+ 	source.sin6_family = AF_INET6;
+ 	memset(&firsthop, 0, sizeof(firsthop));
+ 	firsthop.sin6_family = AF_INET6;
+-- 
+1.7.1
+
--- a/iputils-s20101006.tar.bz2
+++ b/iputils-s20101006.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fd3af46c80ebb99607c2ca1f2a3608b6fe828e25bbec6e54f2afd25f6ddb6ee7
+size 94386
--- a/iputils.changes
+++ b/iputils.changes
@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Fri Nov 19 09:55:18 UTC 2010 - coolo@novell.com
+
+- remove no longer needed patches
+
+-------------------------------------------------------------------
+Mon Nov  8 10:32:37 UTC 2010 - lnussel@suse.de
+
+- fix capabilities patch: first switch uid then drop caps.
+
+-------------------------------------------------------------------
+Wed Nov  3 14:31:09 UTC 2010 - lnussel@suse.de
+
+- update to version s20100418
+  * ping,ping6: avoid gethostbyaddr during ping flood.
+  * arping: Set correct broadcast address.
+  * tracepath: Fix some small typos in tracepath.sgml.
+  * ping: Fix resource consumption triggered by specially crafted ICMP
+    Echo Reply (CVE-2010-2529)
+- don't install fscaps, rely on /etc/permissions handling instead
+- compile using -fno-strict-aliasing
+- drop capabilities unconditionally (bnc#645423)
+- spec file cleanup
+
+-------------------------------------------------------------------
+Mon Oct 11 03:56:55 UTC 2010 - reddwarf@opensuse.org
+
+- Use POSIX capabilities instead of SUID for ping
+
 -------------------------------------------------------------------
 Tue Sep  7 20:35:03 UTC 2010 - aj@suse.de

--- a/iputils.spec
+++ b/iputils.spec
@ -25,47 +25,44 @@ BuildRequires:  sysfsutils-devel
 %else
 BuildRequires:  sysfsutils
 %endif
+BuildRequires:  libcap-devel
 Summary:        IPv4 and IPv6 Networking Utilities
-Version:        s20100418
-Release:        2
+Version:        s20101006
+Release:        1
 License:        BSD3c ; GPLv2+
 Group:          Productivity/Networking/Other
-Provides:       nkitb
-Obsoletes:      nkitb
 Url:            http://www.skbuff.net/iputils
-Source:         iputils.tar.bz2
-Source1:        iputils-ifenslave.tar.bz2
-Patch1:         %name-pingnamelookuponce.diff
-Patch2:         %name-traceroute6-stdint.diff
-Patch3:         %name-ifenslave.diff
-Patch4:         %name-arping-set_device_broadcast.diff
-Patch5:         %name-ADDLIB.diff
-Prefix:         %_prefix
+Source:         http://www.skbuff.net/iputils/iputils-%{version}.tar.bz2
+# XXX: from linux/Documentation/networking/ifenslave.c
+Source1:        ifenslave.c
+Patch1:         iputils-pingnamelookuponce.diff
+Patch2:         iputils-traceroute6-stdint.diff
+Patch3:         iputils-ifenslave.diff
+Patch6:         iputils-s20101006-capabilities.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+PreReq:         permissions

 %description
 This package contains some small network tools for IPv4 and IPv6 like
 rdisc, ping6, traceroute6, tracepath, and tracepath6.

-
-
-Authors:
--------
-    Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
-	YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
-
 %prep
-%setup -q -n %name -b1
+%setup -q
+cp -a %SOURCE1 . 
 %patch1
 %patch2
 %patch3
-%patch4
-%patch5
+#patch4
+#patch5
+%patch6 -p1
 mkdir linux
 touch linux/autoconf.h

 %build
-make %{?_smp_mflags} KERNEL_INCLUDE=$PWD DEFINES='%optflags -fpie' ADDLIB='-pie'
+make %{?_smp_mflags} KERNEL_INCLUDE=$PWD \
+	CCOPT='%optflags -fno-strict-aliasing -fpie -D_GNU_SOURCE' \
+	LDLIBS='-pie -lcap -lresolv' \
+	CAPABILITIES=1
 gcc $RPM_OPT_FLAGS -o ifenslave ifenslave.c

 make man
@ -94,14 +91,21 @@ install  -m 644 doc/rdisc.8		$RPM_BUILD_ROOT%_mandir/man8/
 %clean
 rm -rf $RPM_BUILD_ROOT

+%post
+%run_permissions
+
+%verifyscript
+%verify_permissions -e /bin/ping
+%verify_permissions -e /bin/ping6
+
 %files
 %defattr(-,root,root)
 %doc RELNOTES
 /sbin/arping
 /sbin/ifenslave
 /sbin/clockdiff
-%attr(4755,root,root) /bin/ping
-%attr(4755,root,root) /bin/ping6
+%verify(not mode) %attr(4755,root,root) /bin/ping
+%verify(not mode) %attr(4755,root,root) /bin/ping6
 /bin/ipg
 /sbin/tracepath
 /sbin/tracepath6
--- a/iputils.tar.bz2
+++ b/iputils.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:183d4f767dab69dc7cf3782e0ded63cc5066bfc102a981ec4766334ff33d0ae1
-size 115376