- Backports from 1.2.5-dev

- Add backport-b5321a88d21b854aaa461dc0f6c226d650309b91.patch Remove setcap call. - Add backport-050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7.patch Set capability in the systemd unit instead. - Add disable-user-group-generation.patch Disable user/group generation in the Makefile. Let systemd-sysusers handle this instead. - Update to 1.2.4 - Further changes are introduced to make the communication path between NQPTP and Shairport Sync resistant to outside interference. These changes have necessitated changing the SMI interface. The SMI interface is now at version 10, and Shairport Sync must also be updated to be compatible with it. - Update to 1.2.3 - Fix CVE-2023-43771: nqptp: NULL pointer dereference caused by invalid control port message (boo#1213060) OBS-URL: https://build.opensuse.org/package/show/network:time/nqptp?expand=0&rev=4
2024-09-05 09:10:04 +00:00
parent 83117686e4
commit 8f54c26d19
7 changed files with 148 additions and 3 deletions
--- a/backport-050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7.patch
+++ b/backport-050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7.patch
@@ -0,0 +1,23 @@
+From 050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7 Mon Sep 17 00:00:00 2001
+From: Hs_Yeah <bYeahq@gmail.com>
+Date: Tue, 19 Sep 2023 03:12:47 +0800
+Subject: [PATCH] Added AmbientCapabilities to nqptp.service.in
+
+Added AmbientCapabilities=CAP_NET_BIND_SERVICE
+so that the systemd service can be used without the  capability set on the built nqptp binary.
+---
+ nqptp.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/nqptp.service.in b/nqptp.service.in
+index 6f1eb0c..53e6a2e 100644
+--- a/nqptp.service.in
+++ b/nqptp.service.in
+@@ -8,6 +8,7 @@ Before=shairport-sync.service
+ ExecStart=@prefix@/bin/nqptp
+ User=nqptp
+ Group=nqptp
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+ 
+ [Install]
+ WantedBy=multi-user.target
--- a/backport-b5321a88d21b854aaa461dc0f6c226d650309b91.patch
+++ b/backport-b5321a88d21b854aaa461dc0f6c226d650309b91.patch
@@ -0,0 +1,68 @@
+From b5321a88d21b854aaa461dc0f6c226d650309b91 Mon Sep 17 00:00:00 2001
+From: Mike Brady <4265913+mikebrady@users.noreply.github.com>
+Date: Tue, 19 Sep 2023 11:08:27 +0100
+Subject: [PATCH] Improve some of the error messages. Remove the setcap command
+ from Makefile.am, since we are now using an AmbientCapabilities setting in
+ the systemd service file.
+
+---
+ Makefile.am       |  5 +++--
+ configure.ac      |  2 +-
+ nqptp-utilities.c | 14 +++++---------
+ nqptp.c           |  2 +-
+ 4 files changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 78f36d7..d2b3992 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -19,8 +19,9 @@ endif
+ 
+ install-exec-hook:
+ if BUILD_FOR_LINUX
+-# NQPTP runs as user/group nqptp/nqptp on Linux and uses setcap to access ports 319 and 320
+-	setcap 'cap_net_bind_service=+ep' $(bindir)/nqptp
+# Note: NQPTP runs as user/group nqptp/nqptp on Linux.
+# Access is given via AmbientCapabilities in the service file.
+# If you want to run it from the command line, e.g. for debugging, run it as root user.
+ # no installer for System V
+ if INSTALL_SYSTEMD_STARTUP
+ 	getent group nqptp &>/dev/null || groupadd -r nqptp &>/dev/null
+diff --git a/nqptp-utilities.c b/nqptp-utilities.c
+index 9d6a95d..9964b22 100644
+--- a/nqptp-utilities.c
+++ b/nqptp-utilities.c
+@@ -105,15 +105,11 @@ void open_sockets_at_port(const char *node, uint16_t port,
+   }
+   freeaddrinfo(info);
+   if (sockets_opened == 0) {
+-    if (port < 1024)
+-      die("unable to listen on port %d. The error is: \"%s\". NQPTP must run as root to access "
+-          "this port. Or is another PTP daemon -- possibly another instance on NQPTP -- running "
+-          "already?",
+-          port, strerror(errno));
+-    else
+-      die("unable to listen on port %d. The error is: \"%s\". "
+-          "Is another instance on NQPTP running already?",
+-          port, strerror(errno));
+    if (errno == EACCES) {
+      die("nqptp does not have permission to access port %u. It must (a) [Linux only] have been given CAP_NET_BIND_SERVICE capabilities using e.g. setcap or systemd's AmbientCapabilities, or (b) run as root.", port);
+    } else {
+      die("nqptp is unable to listen on port %u. The error is: %d, \"%s\".", port, errno, strerror(errno));
+    }
+   }
+ }
+ 
+diff --git a/nqptp.c b/nqptp.c
+index e5f2988..a1a3c76 100644
+--- a/nqptp.c
+++ b/nqptp.c
+@@ -198,7 +198,7 @@ int main(int argc, char **argv) {
+   mode_t oldumask = umask(0);
+   shm_fd = shm_open(NQPTP_INTERFACE_NAME, O_RDWR | O_CREAT, 0644);
+   if (shm_fd == -1) {
+-    die("cannot open shared memory \"%s\".", NQPTP_INTERFACE_NAME);
+    die("nqptp cannot open the shared memory \"%s\" for writing. Is another copy of nqptp (e.g. an nqptp daemon) running already?", NQPTP_INTERFACE_NAME);
+   }
+   (void)umask(oldumask);
+ 
--- a/disable-user-group-generation.patch
+++ b/disable-user-group-generation.patch
@@ -0,0 +1,13 @@
+Index: nqptp-1.2.4/Makefile.am
+===================================================================
+--- nqptp-1.2.4.orig/Makefile.am
+++ nqptp-1.2.4/Makefile.am
+@@ -24,8 +24,6 @@ if BUILD_FOR_LINUX
+ # If you want to run it from the command line, e.g. for debugging, run it as root user.
+ # no installer for System V
+ if INSTALL_SYSTEMD_STARTUP
+-	getent group nqptp &>/dev/null || groupadd -r nqptp &>/dev/null
+-	getent passwd nqptp &> /dev/null || useradd -r -M -g nqptp -s /usr/sbin/nologin nqptp &>/dev/null
+ 	[ -e $(DESTDIR)$(libdir)/systemd/system ] || mkdir -p $(DESTDIR)$(libdir)/systemd/system
+ # don't replace a service file if it already exists...
+ 	[ -e $(DESTDIR)$(libdir)/systemd/system/nqptp.service ] || cp nqptp.service $(DESTDIR)$(libdir)/systemd/system
--- a/nqptp-1.2.4.tar.gz
+++ b/nqptp-1.2.4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1df1d5edd5b713010d6495b3abca4c1cf4ad8fa6029df0abeb9e4de8e0eb707a
+size 36885
--- a/nqptp-user.conf
+++ b/nqptp-user.conf
@@ -0,0 +1,3 @@
+# Type Name ID GECOS [HOME]
+g nqptp - -
+u nqptp - "nqptp daemon" /  /sbin/nologin
--- a/nqptp.changes
+++ b/nqptp.changes
@@ -1,3 +1,27 @@
+-------------------------------------------------------------------
+Tue Sep  3 09:06:57 UTC 2024 - Wolfgang Frisch <wolfgang.frisch@suse.com>
+
+- Backports from 1.2.5-dev
+  - Add backport-b5321a88d21b854aaa461dc0f6c226d650309b91.patch
+    Remove setcap call.
+  - Add backport-050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7.patch
+    Set capability in the systemd unit instead.
+
+- Add disable-user-group-generation.patch
+  Disable user/group generation in the Makefile.
+  Let systemd-sysusers handle this instead.
+
+- Update to 1.2.4
+  - Further changes are introduced to make the communication path between NQPTP
+    and Shairport Sync resistant to outside interference. These changes have
+    necessitated changing the SMI interface. The SMI interface is now at
+    version 10, and Shairport Sync must also be updated to be compatible with
+    it.
+
+- Update to 1.2.3
+  - Fix CVE-2023-43771: nqptp: NULL pointer dereference caused by invalid
+    control port message (boo#1213060)
+
 -------------------------------------------------------------------
 Mon Jun 26 09:48:09 UTC 2023 - Martin Pluskal <mpluskal@suse.com>

--- a/nqptp.spec
+++ b/nqptp.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package nqptp
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,16 +17,24 @@


 Name:           nqptp
-Version:        1.2.1
+Version:        1.2.4
 Release:        0
 Summary:        Not Quite PTP
 License:        GPL-2.0-only
 URL:            https://github.com/mikebrady/nqptp
 Source0:        https://github.com/mikebrady/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
+Source1:        nqptp-user.conf
+# Backported from 1.2.5-dev:
+Patch0:         backport-050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7.patch
+# Backported from 1.2.5-dev:
+Patch1:         backport-b5321a88d21b854aaa461dc0f6c226d650309b91.patch
+Patch2:         disable-user-group-generation.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  systemd-rpm-macros
+BuildRequires:  sysuser-tools
 %{?systemd_ordering}
+%sysusers_requires

 %description
 nqptp is a daemon that monitors timing data from any PTP clocks – up to 64 – it
@@ -37,18 +45,20 @@ It is a companion application to Shairport Sync and provides timing information
 for AirPlay 2 operation.

 %prep
-%autosetup
+%autosetup -p1

 %build
 autoreconf -i -f
 %configure --with-systemd-startup
 %make_build
+%sysusers_generate_pre %{SOURCE1} nqptp nqptp-user.conf

 %install
 %make_install
 mkdir -p %{buildroot}%{_unitdir}
 mv %{buildroot}%{_libdir}/systemd/system/%{name}.service \
   %{buildroot}%{_unitdir}/%{name}.service
+install -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/nqptp.conf

 %pre
 %service_add_pre %{name}.service
@@ -67,5 +77,6 @@ mv %{buildroot}%{_libdir}/systemd/system/%{name}.service \
 %doc README.md RELEASE_NOTES.md
 %{_bindir}/%{name}
 %{_unitdir}/%{name}.service
+%{_sysusersdir}/nqptp.conf

 %changelog