Accepting request 652406 from home:darix:playground

- update to 2.0.10
  - Fix compiling on Alpine Linux.
  - Stop printf compiler warning on Alpine Linux due to rlim_t. 
  - manpage cosmetic.
  - Fix removing snmpd read threads when snmpd becomes unavailable.
  - Update to support libipset version 7.
  - Use ipset_printf for ipset messages so can go to log. 
  - When opening files for write, ensure files can only be read by
    root.  Issue #1048 referred to CVE-2018-19046 regarding files
    used for debugging purposes could potentially be read by non
    root users.  This commit ensures that such log files cannot be
    opened by non root users.
  - Disable fopen_safe() append mode by default If a non privileged
    user creates /tmp/keepalived.log and has it open for read (e.g.
    tail -f), then even though keepalived will change the owner to
    root and remove all read/write permissions from non owners, the
    application which already has the file open will be able to
    read the added log entries.  Accordingly, opening a file in
    append mode is disabled by default, and only enabled if
    --enable-smtp-alert-debug or --enable-log-file (which are
    debugging options and unset by default) are enabled.  This
    should further alleviate security concerns related to
    CVE-2018-19046.
  - vrrp: add support to constant time memcmp.  Just an update to
    use best practise security design pattern. While comparing
    password or hmac you need to ensure comparison function is time
    constant in order to figth against any timing attacks. We turn
    off potential compiler optimizations for this particular
    function to avoid any short circuit.
  - Make sure a non privileged user cannot read keepalived file
    output Ensure that when a file such as /tmp/keepalived.data is
    written, no non privileged can have a previous version of that
    file already open, thereby allowing them to read the data.
    This should fully resolve CVE-2018-19046.
- drop b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch: included in
  update

OBS-URL: https://build.opensuse.org/request/show/652406
OBS-URL: https://build.opensuse.org/package/show/network/keepalived?expand=0&rev=48

b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch

@@ -1,217 +0,0 @@
-From b7a98f9265ffb5927c4d54c9a30726c76e65bb52 Mon Sep 17 00:00:00 2001
-From: Quentin Armitage <quentin@armitage.org.uk>
-Date: Sat, 10 Nov 2018 19:03:47 +0000
-Subject: [PATCH] Update to support libipset version 7
-
-Issue #1058 reported that keepalived failed to build with libipset
-version 7. This commit updates keepalived to detect if the version
-of the keepalived libraries is pre v7 or not, and compiles
-appropriately.
-
-Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
----
- configure.ac                    | 21 ++++++++++++
- keepalived/include/vrrp_ipset.h |  2 +-
- keepalived/vrrp/vrrp_ipset.c    | 58 ++++++++++++++++++++++++++++++---
- keepalived/vrrp/vrrp_iptables.c |  2 +-
- 4 files changed, 76 insertions(+), 7 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index ecec32a2..708b04fe 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1212,6 +1212,27 @@ if test .${enable_libiptc} != .no -a .$enable_vrrp != .no; then
- 		 [AC_DEFINE([LIBIPSET_H_ADD_IP_SET_H_GUARD], [1], [Define to add guard _IP_SET_H before including <libipset/linux_ip_set.h>])])
- 	      ])
- 	  fi
-+
-+	  if test $USE_LIBIPSET = Yes; then
-+	    AC_MSG_CHECKING([for libipset version 7 or later])
-+	    AC_COMPILE_IFELSE([AC_LANG_SOURCE(
-+	      [[
-+	        #include <libipset/session.h>
-+
-+		void test_func(void)
-+		{
-+		  ipset_session_init(NULL, NULL);
-+		}
-+	      ]])],
-+	      [
-+	        AC_MSG_RESULT([yes])
-+	      ],
-+	      [
-+	        AC_MSG_RESULT([no])
-+	        AC_DEFINE([LIBIPSET_PRE_V7_COMPAT], [ 1 ], [Define to 1 if libipset library version prior to v7])
-+	        add_system_opt[LIBIPSET_PRE_V7]
-+	      ])
-+	  fi
- 	])
-       LIBS="$SAV_LIBS"
-     fi
-diff --git a/keepalived/include/vrrp_ipset.h b/keepalived/include/vrrp_ipset.h
-index 5a1a9562..5d83b21a 100644
---- a/keepalived/include/vrrp_ipset.h
-+++ b/keepalived/include/vrrp_ipset.h
-@@ -29,7 +29,7 @@
- bool add_ipsets(bool);
- bool remove_ipsets(void);
- bool has_ipset_setname(void*, const char *);
--bool ipset_init(void);
-+bool ipset_initialise(void);
- void* ipset_session_start(void);
- void ipset_session_end(void*);
- void ipset_entry(void*, int cmd, const ip_address_t*);
-diff --git a/keepalived/vrrp/vrrp_ipset.c b/keepalived/vrrp/vrrp_ipset.c
-index 4b3ab7cd..dbe248eb 100644
---- a/keepalived/vrrp/vrrp_ipset.c
-+++ b/keepalived/vrrp/vrrp_ipset.c
-@@ -43,6 +43,9 @@
- #endif
- #include <libipset/session.h>
- #include <libipset/types.h>
-+#ifndef LIBIPSET_PRE_V7_COMPAT
-+#include <libipset/ipset.h>
-+#endif
- #include <netinet/in.h>
- #include <linux/types.h>	/* For __beXX types in userland */
- #include <linux/netfilter.h>	/* For nf_inet_addr */
-@@ -60,11 +63,18 @@
- #include <dlfcn.h>
- 
- /* The addresses of the functions we want */
-+#ifdef LIBIPSET_PRE_V7_COMPAT
- struct ipset_session* (*ipset_session_init_addr)(ipset_outfn outfn);
-+#else
-+struct ipset_session* (*ipset_session_init_addr)(ipset_print_outfn outfn, void *p);
-+#endif
- int (*ipset_session_fini_addr)(struct ipset_session *session);
- struct ipset_data* (*ipset_session_data_addr)(const struct ipset_session *session);
--const char* (*ipset_session_error_addr)(const struct ipset_session *session);
-+#ifdef LIBIPSET_PRE_V7_COMPAT
- int (*ipset_envopt_parse_addr)(struct ipset_session *session, int env, const char *str);
-+#else
-+void (*ipset_envopt_set_addr)(struct ipset_session *session, int env);
-+#endif
- const struct ipset_type* (*ipset_type_get_addr)(struct ipset_session *session, enum ipset_cmd cmd);
- int (*ipset_data_set_addr)(struct ipset_data *data, enum ipset_opt opt, const void *value);
- int (*ipset_cmd_addr)(struct ipset_session *session, enum ipset_cmd cmd, uint32_t lineno);
-@@ -74,8 +84,11 @@ void (*ipset_load_types_addr)(void);
- #define ipset_session_init (*ipset_session_init_addr)
- #define ipset_session_fini (*ipset_session_fini_addr)
- #define ipset_session_data (*ipset_session_data_addr)
--#define ipset_session_error (*ipset_session_error_addr)
-+#ifdef LIBIPSET_PRE_V7_COMPAT
- #define ipset_envopt_parse (*ipset_envopt_parse_addr)
-+#else
-+#define ipset_envopt_set (*ipset_envopt_set_addr)
-+#endif
- #define ipset_type_get (*ipset_type_get_addr)
- #define ipset_data_set (*ipset_data_set_addr)
- /* Unfortunately ipset_cmd conflicts with struct ipset_cmd */
-@@ -87,6 +100,22 @@ static void* libipset_handle;
- #define ipset_cmd1 ipset_cmd
- #endif
- 
-+#ifndef LIBIPSET_PRE_V7_COMPAT
-+static int
-+ipset_printf(__attribute ((__unused__)) struct ipset_session *session, void *p, const char *fmt, ...)
-+{
-+	va_list args;
-+
-+	log_message(LOG_INFO, "libipset message from %s", (const char *)p);
-+
-+	va_start(args, fmt);
-+	vlog_message(LOG_INFO, fmt, args);
-+	va_end(args);
-+
-+	return 0;
-+}
-+#endif
-+
- static bool
- do_ipset_cmd(struct ipset_session* session, enum ipset_cmd cmd, const char *setname,
- 		const ip_address_t *addr, uint32_t timeout, const char* iface)
-@@ -162,7 +191,11 @@ static bool create_sets(const char* addr4, const char* addr6, const char* addr_i
- {
- 	struct ipset_session *session;
- 
-+#ifdef LIBIPSET_PRE_V7_COMPAT
- 	session = ipset_session_init(printf);
-+#else
-+	session = ipset_session_init(ipset_printf, "create_sets");
-+#endif
- 	if (!session) {
- 		log_message(LOG_INFO, "Cannot initialize ipset session.");
- 		return false;
-@@ -171,7 +204,11 @@ static bool create_sets(const char* addr4, const char* addr6, const char* addr_i
- 	/* If we aren't reloading, don't worry if sets already exists. With the
- 	 * IPSET_ENV_EXIST option set, any existing entries in the set are removed. */
- 	if (!reload)
-+#ifdef LIBIPSET_PRE_V7_COMPAT
- 		ipset_envopt_parse(session, IPSET_ENV_EXIST, NULL);
-+#else
-+		ipset_envopt_set(session, IPSET_ENV_EXIST);
-+#endif
- 
- 	if (block_ipv4) {
- 		if (!reload || !has_ipset_setname(session, addr4))
-@@ -220,7 +257,7 @@ bool set_match_loaded(void)
- 	return found;
- }
- 
--bool ipset_init(void)
-+bool ipset_initialise(void)
- {
- #ifdef _LIBIPSET_DYNAMIC_
- 	if (libipset_handle)
-@@ -252,8 +289,11 @@ bool ipset_init(void)
- 	if (!(ipset_session_init_addr = dlsym(libipset_handle, "ipset_session_init")) ||
- 	    !(ipset_session_fini_addr = dlsym(libipset_handle, "ipset_session_fini")) ||
- 	    !(ipset_session_data_addr = dlsym(libipset_handle,"ipset_session_data")) ||
--	    !(ipset_session_error_addr = dlsym(libipset_handle,"ipset_session_error")) ||
-+#ifdef LIBIPSET_PRE_V7_COMPAT
- 	    !(ipset_envopt_parse_addr = dlsym(libipset_handle,"ipset_envopt_parse")) ||
-+#else
-+	    !(ipset_envopt_set_addr = dlsym(libipset_handle,"ipset_envopt_set")) ||
-+#endif
- 	    !(ipset_type_get_addr = dlsym(libipset_handle,"ipset_type_get")) ||
- 	    !(ipset_data_set_addr = dlsym(libipset_handle,"ipset_data_set")) ||
- 	    !(ipset_cmd_addr = dlsym(libipset_handle,"ipset_cmd")) ||
-@@ -285,7 +325,11 @@ bool remove_ipsets(void)
- 		return true;
- #endif
- 
-+#ifdef LIBIPSET_PRE_V7_COMPAT
- 	session = ipset_session_init(printf);
-+#else
-+	session = ipset_session_init(ipset_printf, "remove_ipsets");
-+#endif
- 	if (!session) {
- 		log_message(LOG_INFO, "Cannot initialize ipset session.");
- 		return false;
-@@ -311,7 +355,11 @@ bool add_ipsets(bool reload)
- 
- void* ipset_session_start(void)
- {
--	return ipset_session_init(NULL);
-+#ifdef LIBIPSET_PRE_V7_COMPAT
-+	return ipset_session_init(printf);
-+#else
-+	return ipset_session_init(ipset_printf, "session_start");
-+#endif
- }
- 
- void ipset_session_end(void* vsession)
-diff --git a/keepalived/vrrp/vrrp_iptables.c b/keepalived/vrrp/vrrp_iptables.c
-index 874b0d0b..9b05ca66 100644
---- a/keepalived/vrrp/vrrp_iptables.c
-+++ b/keepalived/vrrp/vrrp_iptables.c
-@@ -468,7 +468,7 @@ iptables_init_lib(void)
- #endif
- 
- #ifdef _HAVE_LIBIPSET_
--	if (global_data->using_ipsets && !ipset_init())
-+	if (global_data->using_ipsets && !ipset_initialise())
- 		global_data->using_ipsets = false;
- #endif
- 

keepalived-2.0.10.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:40e0e55afed9ca313d621a9c5878579696fafb5504dab521aadaf20ba6e7f597
+size 927631

keepalived-2.0.9.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3930b2e43bc8e7109ddb17d32f88cdd58071f2a9a41efa55852ca9ee26cd52c5
-size 924455

keepalived.changes

@@ -1,3 +1,43 @@
+-------------------------------------------------------------------
+Wed Nov 28 12:27:13 UTC 2018 - Marcus Rueckert <mrueckert@suse.de>
+
+- update to 2.0.10
+  - Fix compiling on Alpine Linux.
+  - Stop printf compiler warning on Alpine Linux due to rlim_t. 
+  - manpage cosmetic.
+  - Fix removing snmpd read threads when snmpd becomes unavailable.
+  - Update to support libipset version 7.
+  - Use ipset_printf for ipset messages so can go to log. 
+  - When opening files for write, ensure files can only be read by
+    root.  Issue #1048 referred to CVE-2018-19046 regarding files
+    used for debugging purposes could potentially be read by non
+    root users.  This commit ensures that such log files cannot be
+    opened by non root users.
+  - Disable fopen_safe() append mode by default If a non privileged
+    user creates /tmp/keepalived.log and has it open for read (e.g.
+    tail -f), then even though keepalived will change the owner to
+    root and remove all read/write permissions from non owners, the
+    application which already has the file open will be able to
+    read the added log entries.  Accordingly, opening a file in
+    append mode is disabled by default, and only enabled if
+    --enable-smtp-alert-debug or --enable-log-file (which are
+    debugging options and unset by default) are enabled.  This
+    should further alleviate security concerns related to
+    CVE-2018-19046.
+  - vrrp: add support to constant time memcmp.  Just an update to
+    use best practise security design pattern. While comparing
+    password or hmac you need to ensure comparison function is time
+    constant in order to figth against any timing attacks. We turn
+    off potential compiler optimizations for this particular
+    function to avoid any short circuit.
+  - Make sure a non privileged user cannot read keepalived file
+    output Ensure that when a file such as /tmp/keepalived.data is
+    written, no non privileged can have a previous version of that
+    file already open, thereby allowing them to read the data.
+    This should fully resolve CVE-2018-19046.
+- drop b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch: included in
+  update
+
 -------------------------------------------------------------------
 Sat Nov 10 21:01:14 UTC 2018 - Marcus Rueckert <mrueckert@suse.de>
 

keepalived.spec

@@ -34,7 +34,7 @@
 %bcond_without json
 
 Name:           keepalived
-Version:        2.0.9
+Version:        2.0.10
 Release:        0
 Summary:        A keepalive facility for Linux
 License:        GPL-2.0-or-later
@@ -45,7 +45,6 @@ Source2:        keepalive-rpmlintrc
 Patch1:         keepalive-init.patch
 # PATCH-FIX-UPSTREAM: https://github.com/acassen/keepalived/commit/947248af144bcab6376ccddab8dc40f313b14281.patch
 Patch2:         linux-4.15.patch
-Patch3:         b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch
 BuildRequires:  libnfnetlink-devel
 %if %{with json}
 BuildRequires:  libjson-c-devel
@@ -86,12 +85,6 @@ BuildRequires:  systemd-rpm-macros
 %else
 Requires(pre):  %insserv_prereq
 %endif
-# remove when you remove b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch
-BuildRequires:  autoconf
-BuildRequires:  automake
-BuildRequires:  libtool
-
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
 This project provides facilities for load balancing and high-availability to
@@ -109,11 +102,9 @@ resilient infrastructures.
 %setup -q
 %patch1 -p1
 %patch2 -p1
-%patch3 -p1
 chmod 644 doc/samples/*
 
 %build
-autoreconf -fi
 export STRIP=true
 export CPPFLAGS="$(pkg-config --cflags libnfnetlink libiptc libipset xtables)"
 export CFLAGS="%optflags -DOPENSSL_NO_SSL_INTERN"