Hello community, here is the log from the commit of package openvas-scanner for openSUSE:Factory checked in at 2011-11-07 14:28:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openvas-scanner (Old) and /work/SRC/openSUSE:Factory/.openvas-scanner.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openvas-scanner", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:Factory/openvas-scanner/openvas-scanner.changes 2011-09-23 12:21:01.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.openvas-scanner.new/openvas-scanner.changes 2011-11-07 14:28:08.000000000 +0100 @@ -1,0 +2,6 @@ +Fri Nov 4 20:41:28 UTC 2011 - [email protected] + +- Updated to 3.2.5 + * The optional use of the external tool "ovaldi" has been made more secure. + +------------------------------------------------------------------- Old: ---- openvas-scanner-3.2.4.tar.gz ovas-scanner-add-needed.patch New: ---- debian.series openvas-scanner-3.2.4-linking.patch openvas-scanner-3.2.5.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openvas-scanner.spec ++++++ --- /var/tmp/diff_new_pack.xGvijC/_old 2011-11-07 14:28:12.000000000 +0100 +++ /var/tmp/diff_new_pack.xGvijC/_new 2011-11-07 14:28:12.000000000 +0100 @@ -15,21 +15,20 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# norootforbuild - Name: openvas-scanner -Version: 3.2.4 -Release: 3 +Version: 3.2.5 +Release: 1.0 License: GPLv2 Group: Productivity/Networking/Security -Url: http://www.openvas.org +URL: http://www.openvas.org Source0: %{name}-%{version}.tar.gz Source1: openvassd.logrotate Source2: debian.openvas-scanner.default Source3: openvassd.init.suse Source4: openvassd.init.fedora Source5: openvassd.init.mandriva +Patch0: openvas-scanner-3.2.4-linking.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %if 0%{?mandriva_version} @@ -53,7 +52,6 @@ Requires: openssl Requires: rsync Summary: The Scanner Module for OpenVAS -Patch: ovas-scanner-add-needed.patch %description This is the scanner module for the Open Vulnerability Assessment System (OpenVAS). @@ -61,7 +59,7 @@ %prep %setup -q -%patch +%patch0 %build %if 0%{?mandriva_version} 
@@ -190,4 +188,3 @@ %else %config(noreplace) %{_sysconfdir}/sysconfig/openvas-scanner %endif -%changelog ++++++ debian.changelog ++++++ --- /var/tmp/diff_new_pack.xGvijC/_old 2011-11-07 14:28:12.000000000 +0100 +++ /var/tmp/diff_new_pack.xGvijC/_new 2011-11-07 14:28:12.000000000 +0100 @@ -1,3 +1,10 @@ +openvas-scanner (3.2.5-1) UNRELEASED; urgency=low + + * New upstream release + - The optional use of the external tool "ovaldi" has been made more secure. + + -- Stephan Kleine <[email protected]> Fri, 04 Nov 2011 21:42:26 +0100 + openvas-scanner (3.2.4-1) UNRELEASED; urgency=low * New upstream release ++++++ debian.series ++++++ openvas-scanner-3.2.4-linking.patch -p0 ++++++ openvas-scanner-3.2.4-linking.patch ++++++ Index: src/CMakeLists.txt =================================================================== --- src/CMakeLists.txt.orig 2011-06-08 14:22:08.000000000 +0200 +++ src/CMakeLists.txt 2011-10-16 17:10:29.093020840 +0200 @@ -133,7 +133,7 @@ endif (NVT_TIMEOUT) set_target_properties (openvassd PROPERTIES LINK_FLAGS "${LIB_TEMP} ${GLIB_LDFLAGS} ${OPENVAS_LDFLAGS}") -target_link_libraries (openvassd gnutls dl gcrypt) +target_link_libraries (openvassd dl gcrypt glib-2.0 gnutls openvas_base openvas_hg openvas_misc) set_target_properties (openvassd PROPERTIES COMPILE_FLAGS "${HEADER_TEMP} ${OPENVAS_CFLAGS} ${GLIB_CFLAGS}") ++++++ openvas-scanner-3.2.4.tar.gz -> openvas-scanner-3.2.5.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvas-scanner-3.2.4/CHANGES new/openvas-scanner-3.2.5/CHANGES --- old/openvas-scanner-3.2.4/CHANGES 2011-06-08 14:22:08.000000000 +0200 +++ new/openvas-scanner-3.2.5/CHANGES 2011-11-03 09:50:51.000000000 +0100 
@@ -1,3 +1,19 @@ +openvas-scanner 3.2.5 (2011-11-03) + +This is the fifth maintenance release of the openvas-scanner 3.2 module for the +Open Vulnerability Assessment System release 4 (OpenVAS-4). + +This release addresses a security issue related to the optional use of the +external tool "ovaldi" by making file ownership and location more secure. This +fixes the issue described in OSVDB-75177. + +Many thanks to everyone who has contributed to this release: +Michael Wiegand. + +Main changes compared to 3.2.4: +* The optional use of the external tool "ovaldi" has been made more secure. + + openvas-scanner 3.2.4 (2011-06-08) This is the fourth maintenance release of the openvas-scanner 3.2 module for the diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvas-scanner-3.2.4/CMakeLists.txt new/openvas-scanner-3.2.5/CMakeLists.txt --- old/openvas-scanner-3.2.4/CMakeLists.txt 2011-06-08 14:22:08.000000000 +0200 +++ new/openvas-scanner-3.2.5/CMakeLists.txt 2011-11-03 09:50:51.000000000 +0100 @@ -79,7 +79,7 @@ set (CPACK_TOPLEVEL_TAG "") set (CPACK_PACKAGE_VERSION_MAJOR "3") set (CPACK_PACKAGE_VERSION_MINOR "2") -set (CPACK_PACKAGE_VERSION_PATCH "4${SVN_REVISION}") +set (CPACK_PACKAGE_VERSION_PATCH "5${SVN_REVISION}") set (CPACK_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION_MAJOR}.${CPACK_PACKAGE_VERSION_MINOR}.${CPACK_PACKAGE_VERSION_PATCH}") set (CPACK_PACKAGE_FILE_NAME "${PROJECT_NAME}-${CPACK_PACKAGE_VERSION}") set (CPACK_SOURCE_PACKAGE_FILE_NAME "${PROJECT_NAME}-${CPACK_PACKAGE_VERSION}") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvas-scanner-3.2.4/ChangeLog new/openvas-scanner-3.2.5/ChangeLog --- old/openvas-scanner-3.2.4/ChangeLog 2011-06-08 14:22:08.000000000 +0200 +++ new/openvas-scanner-3.2.5/ChangeLog 2011-11-03 09:50:51.000000000 +0100 
@@ -1,3 +1,23 @@ +2011-11-03 Michael Wiegand <[email protected]> + + Preparing the openvas-scanner 3.2.5 release. + + * CHANGES: Updated. + +2011-09-23 Michael Wiegand <[email protected]> + + * src/oval_plugins.c (ovaldi_launch): Tighten security for ovaldi + launch: Ensure file names are not easily guessable, drop privileges + early and place files in a randomly named temporary directory after + privileges have been dropped. Improve cleanup after ovaldi launch. + Backport from trunk, originally committed in SVN r11599. + +2011-06-08 Michael Wiegand <[email protected]> + + Post release version bump. + + * CMakeLists.txt: Set to version to 3.2.5. + 2011-06-08 Michael Wiegand <[email protected]> Preparing the openvas-scanner 3.2.4 release. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvas-scanner-3.2.4/doc/openvassd.8 new/openvas-scanner-3.2.5/doc/openvassd.8 --- old/openvas-scanner-3.2.4/doc/openvassd.8 2011-06-08 14:22:08.000000000 +0200 +++ new/openvas-scanner-3.2.5/doc/openvassd.8 2011-11-03 09:50:51.000000000 +0100 @@ -23,7 +23,7 @@ .TP .BI "-c " <config-file> ", --config-file=" <config-file> Use the alternate configuration file instead of -.I /home/michael/vol1/openvas-testing-release/etc/openvas/openvassd.conf +.I /home/michael/openvas-testing-backports/etc/openvas/openvassd.conf .TP .BI "-a " <address> ", --listen=" <address> @@ -81,12 +81,12 @@ The default .B openvassd configuration file, -.I /home/michael/vol1/openvas-testing-release/etc/openvas/openvassd.conf +.I /home/michael/openvas-testing-backports/etc/openvas/openvassd.conf contains these options: .IP plugins_folder Contains the location of the plugins folder. This is usually -/home/michael/vol1/openvas-testing-release/var/lib/openvas/plugins, but you may change this. +/home/michael/openvas-testing-backports/var/lib/openvas/plugins, but you may change this. .IP logfile path to the logfile. You can enter .I syslog 
@@ -159,7 +159,7 @@ .SH USERS MANAGEMENT The utility openvas-adduser(8) creates new openvassd users. Each openvassd user -is attributed a "home", in /home/michael/vol1/openvas-testing-release/var/lib/openvas/users/<username>. This home contains the following directories : +is attributed a "home", in /home/michael/openvas-testing-backports/var/lib/openvas/users/<username>. This home contains the following directories : .IP auth/ This directory contains the authentication information for this user. It might contain the file 'dname' if the user is authenticating using a certificate, or 'hash' (or 'passwd') if the user is authenticating using a password. The file 'hash' contains a MD5 hash of the user password, as well as a random seed. The file 'password' should contain the password in clear text. 
@@ -175,7 +175,7 @@ When a user attempts to log in, openvassd first checks that the directory -/home/michael/vol1/openvas-testing-release/var/lib/openvas/users/<username> exists, then hashes the password sent by the user with the random salt found in <username>/auth/hash, and compares it with the password hash stored in the same file. If the users authenticates using a certificate, then openvassd checks that the certificate has been signed by a recognized authority, and makes sure that the dname of the certificate shown by the user is the same as the one in <username>/dname. +/home/michael/openvas-testing-backports/var/lib/openvas/users/<username> exists, then hashes the password sent by the user with the random salt found in <username>/auth/hash, and compares it with the password hash stored in the same file. If the users authenticates using a certificate, then openvassd checks that the certificate has been signed by a recognized authority, and makes sure that the dname of the certificate shown by the user is the same as the one in <username>/dname. To remove a given user, use the command openvas-rmuser(8). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvas-scanner-3.2.4/src/oval_plugins.c new/openvas-scanner-3.2.5/src/oval_plugins.c --- old/openvas-scanner-3.2.4/src/oval_plugins.c 2011-06-08 14:22:08.000000000 +0200 +++ new/openvas-scanner-3.2.5/src/oval_plugins.c 2011-11-03 09:50:51.000000000 +0100 @@ -34,6 +34,7 @@ #include <sys/types.h> /* for getpwnam() */ #include <pwd.h> /* for getpwnam() */ #include <signal.h> /* for signal() */ +#include <stdlib.h> /* for mkdtemp */ #include <openvas/nasl/nasl.h> #include <openvas/misc/network.h> /* for internal_send */ 
@@ -44,6 +45,8 @@ #include <openvas/misc/proctitle.h> /* for setproctitle */ #include <openvas/base/nvti.h> /* for nvti_t */ +#include <openvas/base/drop_privileges.h> /* for drop_privileges */ +#include <openvas/base/openvas_file.h> /* for openvas_file_remove_recurse */ #include <glib.h> #include <glib/gstdio.h> @@ -580,21 +583,34 @@ gchar *folder = g_strndup ((char *) arg_get_value (g_args, "name"), strlen ((char *) arg_get_value (g_args, "name")) - strlen (basename)); + GError *error; + gchar *tmpdirtemplate; + char *tmpdir; + + int drop_priv_res = OPENVAS_DROP_PRIVILEGES_OK; + drop_priv_res = drop_privileges (NULL, &error); + if (drop_priv_res != OPENVAS_DROP_PRIVILEGES_OK) + { + if (drop_priv_res != OPENVAS_DROP_PRIVILEGES_FAIL_NOT_ROOT) + { + log_write ("Failed to drop privileges for ovaldi launch!"); + g_error_free (error); + return; + } + g_error_free (error); + } - /** @todo What frees this? */ - sc_filename = g_strconcat (folder, "sc-out.xml", NULL); - log_write ("SC Filename: %s\n", sc_filename); - /** @todo What if some other process does an ovaldi scan? */ - results_filename = "/tmp/results.xml"; + tmpdirtemplate = g_strdup_printf ("%s/openvasovalXXXXXX", g_get_tmp_dir ()); + tmpdir = mkdtemp (tmpdirtemplate); - if (g_file_test (results_filename, G_FILE_TEST_EXISTS)) + if (tmpdir == NULL) { - log_write - ("Found existing results file in %s, deleting it to avoid conflicts.", - results_filename); - g_unlink (results_filename); + log_write ("Failed to create temporary directory!"); + return; } + sc_filename = g_strconcat (tmpdir, "/sc-out.xml", NULL); + sc_file = fopen (sc_filename, "w"); if (sc_file == NULL) { @@ -978,6 +994,8 @@ if (sc_file != NULL) fclose (sc_file); + results_filename = g_strconcat (tmpdir, "/results.xml", NULL); + gchar **argv = (gchar **) g_malloc (11 * sizeof (gchar *)); argv[0] = g_strdup ("ovaldi"); argv[1] = g_strdup ("-m"); // Do not check OVAL MD5 signature 
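Review bot: `GError *error;` in the `@@ -580` hunk is declared uninitialised and then handed to `g_error_free (error)` in both branches of the `drop_priv_res != OPENVAS_DROP_PRIVILEGES_OK` block; unless drop_privileges is guaranteed to set its out-parameter on every non-OK return (not visible here), this frees an indeterminate pointer, and g_error_free() does not accept NULL either. Declare it as `GError *error = NULL;` and free it as `if (error != NULL) g_error_free (error);`. The `tmpdir == NULL` branch also returns without `g_free (tmpdirtemplate);`, and both early returns skip freeing `folder`, which was allocated just above the hunk; ovaldi_launch starts and ends outside this hunk, so check whether a later cleanup already covers those paths. The ordering itself is the right fix for the issue named in CHANGES: privileges are dropped before mkdtemp() creates a fresh, randomly named directory, so sc-out.xml and results.xml are written by the unprivileged user there instead of at the fixed, predictable `/tmp/results.xml` path that the old code unlinked and reused.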
@@ -993,7 +1011,7 @@ // log_write ("Launching ovaldi with: %s\n", g_strjoinv (" ", argv)); if (g_spawn_sync - (NULL, argv, NULL, G_SPAWN_SEARCH_PATH, oval_drop_privileges, NULL, NULL, NULL, + (NULL, argv, NULL, G_SPAWN_SEARCH_PATH, NULL, NULL, NULL, NULL, NULL, NULL)) { GMarkupParser parser; @@ -1073,6 +1091,10 @@ } g_strfreev (argv); g_free (result_string); + g_free (results_filename); + g_free (sc_filename); + openvas_file_remove_recurse (tmpdir); + g_free (tmpdir); } pl_class_t oval_plugin_class = { ++++++ openvas-scanner.dsc ++++++ --- /var/tmp/diff_new_pack.xGvijC/_old 2011-11-07 14:28:12.000000000 +0100 +++ /var/tmp/diff_new_pack.xGvijC/_new 2011-11-07 14:28:12.000000000 +0100 @@ -2,13 +2,13 @@ Source: openvas-scanner Binary: openvas-scanner Architecture: any -Version: 3.2.4-1 +Version: 3.2.5-1 Maintainer: Stephan Kleine <[email protected]> Homepage: http://www.openvas.org/ Standards-Version: 3.8.0 Build-Depends: debhelper (>= 6), devscripts, dpatch, cmake, hardening-wrapper, libopenvas4-dev, libwrap0-dev, pkg-config, po-debconf Files: - 776ce4e1000137c9aec7863372c8c876 373800 openvas-scanner-3.2.4.orig.tar.gz - 131e6720b0526ade9405eade0d9150ac 56625 openvas-scanner-3.2.4.diff.gz + 776ce4e1000137c9aec7863372c8c876 373800 openvas-scanner-3.2.5.orig.tar.gz + 131e6720b0526ade9405eade0d9150ac 56625 openvas-scanner-3.2.5.diff.gz -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
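Review bot: The child-setup callback on the `g_spawn_sync` call is replaced by `NULL` with no comment, so a later reader who sees the ovaldi child spawned without `oval_drop_privileges` may think the drop was lost and reinstate it. Add `/* privileges were already dropped in the parent before mkdtemp(); no per-child setup needed */` above the call. If `oval_drop_privileges` has no remaining callers after this change (not visible in this hunk), remove the function rather than keep a second, unused privilege-dropping path.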
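Review bot: The result of `openvas_file_remove_recurse (tmpdir)` in the `@@ -1073` hunk is discarded, so a failed removal silently leaves the directory holding sc-out.xml and results.xml behind under the temp dir. Check its return value (its convention is not visible here) and emit a `log_write` naming `tmpdir` when removal fails. This cleanup only runs at the normal end of ovaldi_launch; the two early returns added before `mkdtemp` have nothing to clean up, but any return between `mkdtemp` and this block — for example inside the `sc_file == NULL` branch, whose body lies outside the `@@ -580` hunk — would leave the directory in place, so that path should perform the same removal before returning.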
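Review bot: The `Files:` stanza of openvas-scanner.dsc keeps the 3.2.4 checksums and sizes (`776ce4e1000137c9aec7863372c8c876 373800` and `131e6720b0526ade9405eade0d9150ac 56625`) while only the file names are renamed to 3.2.5, so the .dsc now claims an MD5 and size for openvas-scanner-3.2.5.orig.tar.gz that cannot match a tarball whose CHANGES, ChangeLog and src/oval_plugins.c differ from 3.2.4. dpkg-source refuses to unpack a source package whose checksums do not match the listed files, and a .dsc carrying stale hashes also defeats the integrity check the stanza exists to provide. Regenerate the stanza from the actual 3.2.5 artifacts (dpkg-source / dpkg-genchanges) instead of editing the names by hand.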
