From 8f54c26d19c293504c17836408d64508fbfa84d317ed889932dff7e6d44d9238 Mon Sep 17 00:00:00 2001
From: Martin Pluskal
Date: Thu, 5 Sep 2024 09:10:04 +0000
Subject: [PATCH] - Backports from 1.2.5-dev
 - Add backport-b5321a88d21b854aaa461dc0f6c226d650309b91.patch
 Remove setcap call.
 - Add backport-050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7.patch
 Set capability in the systemd unit instead.
 - Add disable-user-group-generation.patch
 Disable user/group generation in the Makefile.
 Let systemd-sysusers handle this instead.
 - Update to 1.2.4
 - Further changes are introduced to make the communication path between NQPTP
 and Shairport Sync resistant to outside interference. These changes have
 necessitated changing the SMI interface. The SMI interface is now at
 version 10, and Shairport Sync must also be updated to be compatible with
 it.
 - Update to 1.2.3
 - Fix CVE-2023-43771: nqptp: NULL pointer dereference caused by invalid
 control port message (boo#1213060)
OBS-URL: https://build.opensuse.org/package/show/network:time/nqptp?expand=0&rev=4
---
 ...8c2de9f3e1f4859abf9b36d2f18afd4c34d7.patch | 23 +++++++
 ...1a88d21b854aaa461dc0f6c226d650309b91.patch | 68 +++++++++++++++++++
 disable-user-group-generation.patch | 13 ++++
 nqptp-1.2.4.tar.gz | 3 +
 nqptp-user.conf | 3 +
 nqptp.changes | 24 +++++++
 nqptp.spec | 17 ++++-
 7 files changed, 148 insertions(+), 3 deletions(-)
 create mode 100644 backport-050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7.patch
 create mode 100644 backport-b5321a88d21b854aaa461dc0f6c226d650309b91.patch
 create mode 100644 disable-user-group-generation.patch
 create mode 100644 nqptp-1.2.4.tar.gz
 create mode 100644 nqptp-user.conf
diff --git a/backport-050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7.patch b/backport-050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7.patch
new file mode 100644
index 0000000..4d3e5bb
--- /dev/null
+++ b/backport-050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7.patch
@@ -0,0 +1,23 @@
+From 050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7 Mon Sep 17 00:00:00 2001
+From: Hs_Yeah
+Date: Tue, 19 Sep 2023 03:12:47 +0800
+Subject: [PATCH] Added AmbientCapabilities to nqptp.service.in
+
+Added AmbientCapabilities=CAP_NET_BIND_SERVICE
+so that the systemd service can be used without the capability set on the built nqptp binary.
+---
+ nqptp.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/nqptp.service.in b/nqptp.service.in
+index 6f1eb0c..53e6a2e 100644
+--- a/nqptp.service.in
++++ b/nqptp.service.in
+@@ -8,6 +8,7 @@ Before=shairport-sync.service
+ ExecStart=@prefix@/bin/nqptp
+ User=nqptp
+ Group=nqptp
++AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+ [Install]
+ WantedBy=multi-user.target
diff --git a/backport-b5321a88d21b854aaa461dc0f6c226d650309b91.patch b/backport-b5321a88d21b854aaa461dc0f6c226d650309b91.patch
new file mode 100644
index 0000000..b7f76e3
--- /dev/null
+++ b/backport-b5321a88d21b854aaa461dc0f6c226d650309b91.patch
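Review bot: The added `AmbientCapabilities=CAP_NET_BIND_SERVICE` line in nqptp.service.in is the only privilege-related directive visible in this hunk, so the unit appears to grant the capability without bounding the service to it; consider adding `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` and `NoNewPrivileges=true` next to it so nqptp cannot hold or regain any other capability. Only the `ExecStart`/`User`/`Group` context lines of the unit are visible here, so if those directives already exist elsewhere in the file this is moot. This backport is also what makes the setcap removal in backport-b5321a88d21b854aaa461dc0f6c226d650309b91.patch workable: the installed binary no longer carries file capabilities, so it can bind ports 319 and 320 only when started through this unit or as root.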
@@ -0,0 +1,68 @@
+From b5321a88d21b854aaa461dc0f6c226d650309b91 Mon Sep 17 00:00:00 2001
+From: Mike Brady <4265913+mikebrady@users.noreply.github.com>
+Date: Tue, 19 Sep 2023 11:08:27 +0100
+Subject: [PATCH] Improve some of the error messages. Remove the setcap command
+ from Makefile.am, since we are now using an AmbientCapabilities setting in
+ the systemd service file.
+
+---
+ Makefile.am | 5 +++--
+ configure.ac | 2 +-
+ nqptp-utilities.c | 14 +++++--------
+ nqptp.c | 2 +-
+ 4 files changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 78f36d7..d2b3992 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -19,8 +19,9 @@ endif
+
+ install-exec-hook:
+ if BUILD_FOR_LINUX
+-# NQPTP runs as user/group nqptp/nqptp on Linux and uses setcap to access ports 319 and 320
+- setcap 'cap_net_bind_service=+ep' $(bindir)/nqptp
++# Note: NQPTP runs as user/group nqptp/nqptp on Linux.
++# Access is given via AmbientCapabilities in the service file.
++# If you want to run it from the command line, e.g. for debugging, run it as root user.
+ # no installer for System V
+ if INSTALL_SYSTEMD_STARTUP
+ getent group nqptp &>/dev/null || groupadd -r nqptp &>/dev/null
+diff --git a/nqptp-utilities.c b/nqptp-utilities.c
+index 9d6a95d..9964b22 100644
+--- a/nqptp-utilities.c
++++ b/nqptp-utilities.c
+@@ -105,15 +105,11 @@ void open_sockets_at_port(const char *node, uint16_t port,
+ }
+ freeaddrinfo(info);
+ if (sockets_opened == 0) {
+- if (port < 1024)
+- die("unable to listen on port %d. The error is: \"%s\". NQPTP must run as root to access "
+- "this port. Or is another PTP daemon -- possibly another instance on NQPTP -- running "
+- "already?",
+- port, strerror(errno));
+- else
+- die("unable to listen on port %d. The error is: \"%s\". "
+- "Is another instance on NQPTP running already?",
+- port, strerror(errno));
++ if (errno == EACCES) {
++ die("nqptp does not have permission to access port %u. 
It must (a) [Linux only] have been given CAP_NET_BIND_SERVICE capabilities using e.g. setcap or systemd's AmbientCapabilities, or (b) run as root.", port);
++ } else {
++ die("nqptp is unable to listen on port %u. The error is: %d, \"%s\".", port, errno, strerror(errno));
++ }
+ }
+ }
+
+diff --git a/nqptp.c b/nqptp.c
+index e5f2988..a1a3c76 100644
+--- a/nqptp.c
++++ b/nqptp.c
+@@ -198,7 +198,7 @@ int main(int argc, char **argv) {
+ mode_t oldumask = umask(0);
+ shm_fd = shm_open(NQPTP_INTERFACE_NAME, O_RDWR | O_CREAT, 0644);
+ if (shm_fd == -1) {
+- die("cannot open shared memory \"%s\".", NQPTP_INTERFACE_NAME);
++ die("nqptp cannot open the shared memory \"%s\" for writing. Is another copy of nqptp (e.g. an nqptp daemon) running already?", NQPTP_INTERFACE_NAME);
+ }
+ (void)umask(oldumask);
+
diff --git a/disable-user-group-generation.patch b/disable-user-group-generation.patch
new file mode 100644
index 0000000..7430f76
--- /dev/null
+++ b/disable-user-group-generation.patch
@@ -0,0 +1,13 @@
+Index: nqptp-1.2.4/Makefile.am
+===================================================================
+--- nqptp-1.2.4.orig/Makefile.am
++++ nqptp-1.2.4/Makefile.am
+@@ -24,8 +24,6 @@ if BUILD_FOR_LINUX
+ # If you want to run it from the command line, e.g. for debugging, run it as root user.
+ # no installer for System V
+ if INSTALL_SYSTEMD_STARTUP
+- getent group nqptp &>/dev/null || groupadd -r nqptp &>/dev/null
+- getent passwd nqptp &> /dev/null || useradd -r -M -g nqptp -s /usr/sbin/nologin nqptp &>/dev/null
+ [ -e $(DESTDIR)$(libdir)/systemd/system ] || mkdir -p $(DESTDIR)$(libdir)/systemd/system
+ # don't replace a service file if it already exists...
+ [ -e $(DESTDIR)$(libdir)/systemd/system/nqptp.service ] || cp nqptp.service $(DESTDIR)$(libdir)/systemd/system
diff --git a/nqptp-1.2.4.tar.gz b/nqptp-1.2.4.tar.gz
new file mode 100644
index 0000000..344f0e5
--- /dev/null
+++ b/nqptp-1.2.4.tar.gz
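Review bot: The new `if (errno == EACCES)` branch in open_sockets_at_port reads errno only after the address loop has finished and `freeaddrinfo(info)` has run, so it reflects whichever call failed last (presumably a socket()/bind() attempt inside the loop, which lies outside this hunk) and may already have been overwritten by an intervening call; the old code had the same weakness but only printed the text, whereas the new code now selects the diagnosis from it. Capture the error at the failing call, e.g. `int last_errno = errno;` right after the failed bind inside the loop, and use it here as `if (last_errno == EACCES)` and `strerror(last_errno)` in the else branch. The start of open_sockets_at_port and the loop body are outside the hunk.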
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1df1d5edd5b713010d6495b3abca4c1cf4ad8fa6029df0abeb9e4de8e0eb707a
+size 36885
diff --git a/nqptp-user.conf b/nqptp-user.conf
new file mode 100644
index 0000000..dc414dd
--- /dev/null
+++ b/nqptp-user.conf
@@ -0,0 +1,3 @@
+# Type Name ID GECOS [HOME]
+g nqptp - -
+u nqptp - "nqptp daemon" / /sbin/nologin
diff --git a/nqptp.changes b/nqptp.changes
index 2913aa5..daa3418 100644
--- a/nqptp.changes
+++ b/nqptp.changes
@@ -1,3 +1,27 @@
+-------------------------------------------------------------------
+Tue Sep 3 09:06:57 UTC 2024 - Wolfgang Frisch
+
+- Backports from 1.2.5-dev
+ - Add backport-b5321a88d21b854aaa461dc0f6c226d650309b91.patch
+ Remove setcap call.
+ - Add backport-050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7.patch
+ Set capability in the systemd unit instead.
+
+- Add disable-user-group-generation.patch
+ Disable user/group generation in the Makefile.
+ Let systemd-sysusers handle this instead.
+
+- Update to 1.2.4
+ - Further changes are introduced to make the communication path between NQPTP
+ and Shairport Sync resistant to outside interference. These changes have
+ necessitated changing the SMI interface. The SMI interface is now at
+ version 10, and Shairport Sync must also be updated to be compatible with
+ it.
+
+- Update to 1.2.3
+ - Fix CVE-2023-43771: nqptp: NULL pointer dereference caused by invalid
+ control port message (boo#1213060)
+
 -------------------------------------------------------------------
 Mon Jun 26 09:48:09 UTC 2023 - Martin Pluskal
diff --git a/nqptp.spec b/nqptp.spec
index 3c9f0d3..7625c6f 100644
--- a/nqptp.spec
+++ b/nqptp.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package nqptp
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
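Review bot: The sysusers entry `u nqptp - "nqptp daemon" / /sbin/nologin` does not match the account the removed install hook created with `useradd -r -M -g nqptp -s /usr/sbin/nologin nqptp` (see disable-user-group-generation.patch in this commit): the shell path differs and a home of `/` is now declared. Both nologin paths resolve on a usr-merged system, but a host upgrading from 1.2.1 keeps the account the old hook created, so the two definitions should agree; `u nqptp - "nqptp daemon" / /usr/sbin/nologin` would keep the shell consistent with what existing installations already have. The separate `g nqptp - -` line is harmless alongside the `u` line.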
@@ -17,16 +17,24 @@
 Name: nqptp
-Version: 1.2.1
+Version: 1.2.4
 Release: 0
 Summary: Not Quite PTP
 License: GPL-2.0-only
 URL: https://github.com/mikebrady/nqptp
 Source0: https://github.com/mikebrady/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
+Source1: nqptp-user.conf
+# Backported from 1.2.5-dev:
+Patch0: backport-050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7.patch
+# Backported from 1.2.5-dev:
+Patch1: backport-b5321a88d21b854aaa461dc0f6c226d650309b91.patch
+Patch2: disable-user-group-generation.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: systemd-rpm-macros
+BuildRequires: sysuser-tools
 %{?systemd_ordering}
+%sysusers_requires
 %description
 nqptp is a daemon that monitors timing data from any PTP clocks – up to 64 – it
@@ -37,18 +45,20 @@ It is a companion application to Shairport Sync and provides timing information
 for AirPlay 2 operation.
 %prep
-%autosetup
+%autosetup -p1
 %build
 autoreconf -i -f
 %configure --with-systemd-startup
 %make_build
+%sysusers_generate_pre %{SOURCE1} nqptp nqptp-user.conf
 %install
 %make_install
 mkdir -p %{buildroot}%{_unitdir}
 mv %{buildroot}%{_libdir}/systemd/system/%{name}.service \
 %{buildroot}%{_unitdir}/%{name}.service
+install -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/nqptp.conf
 %pre
 %service_add_pre %{name}.service
@@ -67,5 +77,6 @@ mv %{buildroot}%{_libdir}/systemd/system/%{name}.service \
 %doc README.md RELEASE_NOTES.md
 %{_bindir}/%{name}
 %{_unitdir}/%{name}.service
+%{_sysusersdir}/nqptp.conf
 %changelog
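Review bot: `%pre` on the trailing context lines of the %install hunk is left as plain `%pre`, so the scriptlet that `%sysusers_generate_pre %{SOURCE1} nqptp nqptp-user.conf` writes in %build does not appear to be attached to the package; the usual pairing is `%pre -f nqptp.pre` followed by the existing `%service_add_pre %{name}.service`, so that the nqptp user and group exist before the package's files and unit are installed, which the removed `useradd` in the Makefile install hook previously guaranteed. Without it the account presumably only appears when systemd-sysusers next processes %{_sysusersdir}/nqptp.conf, leaving a window in which `User=nqptp` in the unit cannot be resolved. The rest of the %pre scriptlet is outside this hunk, so if the generated file is consumed there this is moot.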