Hello community, here is the log from the commit of package libgssglue for openSUSE:Factory checked in at 2013-07-30 18:37:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libgssglue (Old) and /work/SRC/openSUSE:Factory/.libgssglue.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libgssglue"
Changes:
--------
--- /work/SRC/openSUSE:Factory/libgssglue/libgssglue.changes 2013-04-17 07:14:05.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.libgssglue.new/libgssglue.changes 2013-07-30 18:37:38.000000000 +0200
@@ -1,0 +2,10 @@
+Mon Jul 29 08:24:54 UTC 2013 - [email protected]
+
+- Updated to 0.4 release
+ Use secure_getenv instead of getenv for setuid
+ programs (bnc#694598 CVE-2011-2709 bnc#831805)
+
+- secure-getenv.patch: updated patch to use the now available
+ secure_getenv() instead.
+
+-------------------------------------------------------------------
Old:
----
libgssglue-0.3.tar.gz
New:
----
libgssglue-0.4.tar.gz
secure-getenv.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libgssglue.spec ++++++
--- /var/tmp/diff_new_pack.nN8xi6/_old 2013-07-30 18:37:39.000000000 +0200
+++ /var/tmp/diff_new_pack.nN8xi6/_new 2013-07-30 18:37:39.000000000 +0200
@@ -21,7 +21,7 @@
 Summary: Generic GSSAPI Library
 License: BSD-3-Clause and MIT
 Group: Development/Libraries/C and C++
-Version: 0.3
+Version: 0.4
 Release: 0
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: autoconf
@@ -31,6 +31,7 @@
 Source: http://www.citi.umich.edu/projects/nfsv4/linux/%{name}/%{name}-%{version}.tar.gz
 Source1: baselibs.conf
 Patch0: config-guess-sub-update.patch
+Patch1: secure-getenv.patch
 %description
 This library exports a gssapi interface, but does not implement any
@@ -63,6 +64,7 @@
 %prep
 %setup -q
 %patch0
+%patch1 -p1
 %build
 autoconf
++++++ libgssglue-0.3.tar.gz -> libgssglue-0.4.tar.gz ++++++
++++ 16177 lines of diff (skipped)
++++ retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libgssglue-0.3/ChangeLog new/libgssglue-0.4/ChangeLog
--- old/libgssglue-0.3/ChangeLog 2011-06-22 17:12:01.000000000 +0200
+++ new/libgssglue-0.4/ChangeLog 2012-05-08 19:52:05.000000000 +0200
@@ -1,3 +1,10 @@
+2012-05-08: kwc
+ Release 0.4
+ Changes since libgssglue-0.3:
+ - Fix for CVE-2011-2709
+ Patch from Marcus Meissner
+ Note: Although https://bugzilla.novell.com/show_bug.cgi?id=694598
+ mentions mount.nfs, libgssglue is not used by mount.nfs.
 2011-06-22: kwc
 Release 0.3
 Changes since libgssglue-0.2:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libgssglue-0.3/configure.in new/libgssglue-0.4/configure.in
--- old/libgssglue-0.3/configure.in 2011-06-22 17:08:07.000000000 +0200
+++ new/libgssglue-0.4/configure.in 2012-05-08 19:42:18.000000000 +0200
@@ -2,7 +2,7 @@
 # Process this file with autoconf to produce a configure script.
 AC_PREREQ(2.59)
-AC_INIT(libgssglue, 0.3, [email protected])
+AC_INIT(libgssglue, 0.4, [email protected])
 AC_CONFIG_SRCDIR([src/g_accept_sec_context.c])
 AM_INIT_AUTOMAKE
 AM_PROG_LIBTOOL
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libgssglue-0.3/src/g_initialize.c new/libgssglue-0.4/src/g_initialize.c
--- old/libgssglue-0.3/src/g_initialize.c 2009-08-12 16:52:36.000000000 +0200
+++ new/libgssglue-0.4/src/g_initialize.c 2012-05-08 19:40:21.000000000 +0200
@@ -195,7 +195,8 @@
 void *dl;
 gss_mechanism (*sym)(void), mech;
- if ((filename = getenv("GSSAPI_MECH_CONF")) == NULL)
+ if ((getuid() != geteuid()) ||
+ ((filename = getenv("GSSAPI_MECH_CONF")) == NULL))
 filename = MECH_CONF;
 if ((conffile = fopen(filename, "r")) == NULL) {
@@ -271,7 +272,8 @@
 void *dl;
 gss_mechanism (*sym)(void), mech;
- if ((filename = getenv("GSSAPI_MECH_CONF")) == NULL)
+ if ((getuid() != geteuid()) ||
+ ((filename = getenv("GSSAPI_MECH_CONF")) == NULL))
 filename = MECH_CONF;
 if ((conffile = fopen(filename, "r")) == NULL) {
++++++ secure-getenv.patch ++++++
Index: libgssglue-0.4/src/g_initialize.c
===================================================================
--- libgssglue-0.4.orig/src/g_initialize.c
+++ libgssglue-0.4/src/g_initialize.c
@@ -26,6 +26,7 @@
 * This function will initialize the gssapi mechglue library
 */
+#define _GNU_SOURCE
 #include "mglueP.h"
 #include <stdlib.h>
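Review bot: The `#define _GNU_SOURCE` added at the top of src/g_initialize.c (secure-getenv.patch, first hunk) carries no explanation, and nothing in the visible configure.in change checks that the C library actually provides secure_getenv(). secure_getenv() is a glibc extension (glibc 2.17 and later), so on an older glibc or another libc the calls this patch adds in solaris_initialize() and linux_initialize() would be implicitly declared or fail to link. For the distribution patch a comment is enough, e.g. `#define _GNU_SOURCE /* for secure_getenv() */`. If the patch is meant to go upstream, I would add `AC_CHECK_FUNCS([secure_getenv])` to configure.in and keep an id-comparison fallback (real vs. effective uid and gid) under `#ifndef HAVE_SECURE_GETENV`, assuming the file picks up the generated config header, which is not visible here.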
@@ -195,8 +196,7 @@ static void solaris_initialize ()
 void *dl;
 gss_mechanism (*sym)(void), mech;
- if ((getuid() != geteuid()) ||
- ((filename = getenv("GSSAPI_MECH_CONF")) == NULL))
+ if ((filename = secure_getenv("GSSAPI_MECH_CONF")) == NULL)
 filename = MECH_CONF;
 if ((conffile = fopen(filename, "r")) == NULL) {
@@ -272,8 +272,7 @@ static void linux_initialize ()
 void *dl;
 gss_mechanism (*sym)(void), mech;
- if ((getuid() != geteuid()) ||
- ((filename = getenv("GSSAPI_MECH_CONF")) == NULL))
+ if ((filename = secure_getenv("GSSAPI_MECH_CONF")) == NULL)
 filename = MECH_CONF;
 if ((conffile = fopen(filename, "r")) == NULL) {
-- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
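Review bot: The secure_getenv() lookup in solaris_initialize() has no comment recording why plain getenv() must not be used here, and the identical line in linux_initialize() has the same gap. The value of GSSAPI_MECH_CONF goes straight into fopen(), and judging by the `void *dl` and `gss_mechanism (*sym)(void)` locals the file presumably decides which mechanism libraries get loaded, so a later cleanup that reverts to getenv() would reopen CVE-2011-2709. I would add above each lookup: `/* Ignore GSSAPI_MECH_CONF in secure-execution mode (setuid, setgid, file capabilities); secure_getenv() returns NULL there and MECH_CONF is used. */`. Since both functions repeat the same two lines, a small static helper returning the config path would keep the rule in one place. Both function bodies continue outside these hunks.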
