Hello community,

here is the log from the commit of package NetworkManager-openconnect for 
openSUSE:Factory checked in at 2012-04-12 09:42:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/NetworkManager-openconnect (Old)
 and      /work/SRC/openSUSE:Factory/.NetworkManager-openconnect.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "NetworkManager-openconnect", Maintainer is ""

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/NetworkManager-openconnect/NetworkManager-openconnect.changes
    2012-03-29 11:41:40.000000000 +0200
+++ 
/work/SRC/openSUSE:Factory/.NetworkManager-openconnect.new/NetworkManager-openconnect.changes
       2012-04-12 09:42:52.000000000 +0200
@@ -1,0 +2,8 @@
+Fri Mar 30 11:03:57 UTC 2012 - [email protected]
+
+- Add NetworkManager-openconnect-0.9.4-dropping_privs_check.patch:
+  check for success when dropping privileges. This issue was raised
+  by the security team in bnc#732915, comments 13-16. Patch taken
+  from upstream.
+
+-------------------------------------------------------------------

New:
----
  NetworkManager-openconnect-0.9.4-dropping_privs_check.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ NetworkManager-openconnect.spec ++++++
--- /var/tmp/diff_new_pack.zozNVf/_old  2012-04-12 09:42:53.000000000 +0200
+++ /var/tmp/diff_new_pack.zozNVf/_new  2012-04-12 09:42:53.000000000 +0200
@@ -24,6 +24,8 @@
 Group:          Productivity/Networking/System
 Url:            http://www.gnome.org/projects/NetworkManager
 Source0:        
http://download.gnome.org/sources/NetworkManager-openconnect/0.9/%{name}-%{version}.tar.xz
+# PATCH-FIX-UPSTREAM 
NetworkManager-openconnect-0.9.4-dropping_privs_check.patch bnc#732915 
[email protected] -- Taken from git, add check for success when dropping 
privs
+Patch0:         NetworkManager-openconnect-0.9.4-dropping_privs_check.patch
 BuildRequires:  intltool
 BuildRequires:  openconnect-devel
 BuildRequires:  translation-update-upstream
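Review bot: The PATCH-FIX-UPSTREAM comment above Patch0 says only "Taken from git" and does not identify the upstream commit. The patch file's own header carries the hash f88cd27978fd8d4bcdfee96c6150b418719effb9; quoting it in the tag line next to bnc#732915 would let the patch be matched against upstream when the package is next updated.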
@@ -61,6 +63,7 @@
 %lang_package
 %prep
 %setup -q
+%patch0 -p1
 translation-update-upstream
 
 %build

++++++ NetworkManager-openconnect-0.9.4-dropping_privs_check.patch ++++++
From f88cd27978fd8d4bcdfee96c6150b418719effb9 Mon Sep 17 00:00:00 2001
From: David Woodhouse <[email protected]>
Date: Thu, 29 Mar 2012 12:15:06 +0000
Subject: Check for success when dropping privs.

If the nm-openconnect user exists, but setuid/setgid fails, then abort.

Error handling is somewhat suboptimal here, since it's done in the
pre-spawn function in the child. But it should never happen anyway; the
only reason we're looking at it is because this code path was
(correctly) highlighted in a security review.
---
diff --git a/src/nm-openconnect-service.c b/src/nm-openconnect-service.c
index a5d95ce..168d154 100644
--- a/src/nm-openconnect-service.c
+++ b/src/nm-openconnect-service.c
@@ -213,8 +213,11 @@ nm_openconnect_secrets_validate (NMSettingVPN *s_vpn, 
GError **error)
 static void openconnect_drop_child_privs(gpointer user_data)
 {
        if (tun_name) {
-               initgroups(NM_OPENCONNECT_USER, tun_group);
-               setuid((uid_t)tun_owner);
+               if (initgroups(NM_OPENCONNECT_USER, tun_group) ||
+                       setgid(tun_group) || setuid(tun_owner)) {
+                       g_warning ("Failed to drop privileges when spawning 
openconnect");
+                       exit (1);
+               }
        }
 }
 
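Review bot: In the new failure branch, exit (1) is called from openconnect_drop_child_privs(), which the commit message says runs as the pre-spawn function in the child; exit() runs atexit handlers and flushes stdio buffers inherited from the parent, so _exit (1) is the safer call at that point. The call order initgroups, setgid, setuid is correct, since supplementary groups and the gid have to be changed while the process still has the privilege to change them, and the setgid call that the old code lacked is now present. The (uid_t) cast on tun_owner was removed and tun_group is passed uncast to both initgroups and setgid, so confirm from their declarations (not visible in this hunk) that they are uid_t and gid_t. The drop is still skipped entirely when tun_name is unset; a code comment stating that this is intended would help the next reviewer.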
--
cgit v0.9.0.2
