Hello community,

here is the log from the commit of package libcap-ng.2831 for 
openSUSE:13.1:Update checked in at 2014-05-30 16:50:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/libcap-ng.2831 (Old)
 and      /work/SRC/openSUSE:13.1:Update/.libcap-ng.2831.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libcap-ng.2831"

Changes:
--------
New Changes file:

--- /dev/null   2014-05-19 01:51:27.372033255 +0200
+++ /work/SRC/openSUSE:13.1:Update/.libcap-ng.2831.new/libcap-ng-python.changes 
2014-05-30 16:50:37.000000000 +0200
@@ -0,0 +1,85 @@
+-------------------------------------------------------------------
+Thu Mar 14 09:30:13 UTC 2013 - [email protected]
+
+- use source url
+
+-------------------------------------------------------------------
+Wed Mar 13 22:44:29 UTC 2013 - [email protected]
+
+- version 0.7.3
+- Make file opens use the cloexec flag (Cristian Rodríguez)
+- Add CAP_BLOCK_SUSPEND
+- Fix possible segfaults when CAP_LAST_CAP is larger than the lookup table
+- In pscap, don't drop capabilities when running with capabilities
+- Add CAP_COMPROMISE_KERNEL
+- Define FTW_CONTINUE in case its not defined in libc
+- Use glibc for xattr.h if available
+- Make sure stderr is used consistently in utils
+- Fix logic causing file based capabilities to not be supported when it should
+
+-------------------------------------------------------------------
+Sun Feb 12 17:24:55 UTC 2012 - [email protected]
+
+- Move libraries back to %{_libdir}, /usr merge project 
+
+-------------------------------------------------------------------
+Wed Oct  5 15:06:00 UTC 2011 - [email protected]
+
+- cross-build workaround: make sure no attempt is made to build
+  python stuff even if it's installed on the host system
+
+-------------------------------------------------------------------
+Wed Aug 31 01:49:59 UTC 2011 - [email protected]
+
+-  Update to version 0.6.6
+- Add CAP_SYSLOG and CAP_WAKE_ALARM (needed for newish kernels)
+
+-------------------------------------------------------------------
+Mon Nov  8 14:06:01 UTC 2010 - [email protected]
+
+- fix requires
+
+-------------------------------------------------------------------
+Wed Nov  3 21:56:17 UTC 2010 - [email protected]
+
+- update to 0.6.5:
+  * works around a problem in the Linux 2.6.36 kernel headers
+  * fixes a segfault when using filecap on a specific file
+
+-------------------------------------------------------------------
+Thu Oct 14 11:18:28 UTC 2010 - [email protected]
+
+- split out python packages now that libcap-ng is used in many 
+  low level tools it creates cycles
+
+-------------------------------------------------------------------
+Thu May  6 17:55:55 UTC 2010 - [email protected]
+
+- update to 0.6.4:
+  * the library now uses kernel thread ID for capget/set calls
+  * a display problem of filesystem based capabilities was fixed
+  * netcap now prints device name for packet socket apps
+
+- add baselibs.conf to build libcap-ng0-32bit
+
+-------------------------------------------------------------------
+Fri Mar 12 10:01:51 UTC 2010 - [email protected]
+
+- update to 0.6.3:
+  * in netcap and pscap use the effective uid
+  * in capng_change_id, only retain setpcap if clearing the bounding set
+
+- add rpmlintrc to disable false positive warnings
+
+- symlink license files on openSUSE
+
+-------------------------------------------------------------------
+Wed Mar 10 16:02:51 UTC 2010 - [email protected]
+
+- fixed Requires of python subpackage
+
+-------------------------------------------------------------------
+Fri Feb 26 12:14:04 UTC 2010 - [email protected]
+
+- imported package from Fedora (version 0.6.2)
+
New Changes file:

--- /dev/null   2014-05-19 01:51:27.372033255 +0200
+++ /work/SRC/openSUSE:13.1:Update/.libcap-ng.2831.new/libcap-ng.changes        
2014-05-30 16:50:37.000000000 +0200
@@ -0,0 +1,92 @@
+-------------------------------------------------------------------
+Tue May 20 15:11:50 UTC 2014 - [email protected]
+
+- fix for CVE-2014-3215 (bnc#876832)
+  * use PR_SET_NO_NEW_PRIVS to prevent gain of new privileges
+  * added libcap-ng-CVE-2014-3215.patch
+
+-------------------------------------------------------------------
+Thu Mar 14 09:30:04 UTC 2013 - [email protected]
+
+- use source url
+
+-------------------------------------------------------------------
+Wed Mar 13 22:44:29 UTC 2013 - [email protected]
+
+- version 0.7.3
+- Make file opens use the cloexec flag (Cristian Rodríguez)
+- Add CAP_BLOCK_SUSPEND
+- Fix possible segfaults when CAP_LAST_CAP is larger than the lookup table
+- In pscap, don't drop capabilities when running with capabilities
+- Add CAP_COMPROMISE_KERNEL
+- Define FTW_CONTINUE in case its not defined in libc
+- Use glibc for xattr.h if available
+- Make sure stderr is used consistently in utils
+- Fix logic causing file based capabilities to not be supported when it should
+
+-------------------------------------------------------------------
+Sun Feb 12 17:24:55 UTC 2012 - [email protected]
+
+- Move libraries back to %{_libdir}, /usr merge project 
+
+-------------------------------------------------------------------
+Wed Oct  5 15:06:00 UTC 2011 - [email protected]
+
+- cross-build workaround: make sure no attempt is made to build
+  python stuff even if it's installed on the host system
+
+-------------------------------------------------------------------
+Wed Aug 31 01:49:59 UTC 2011 - [email protected]
+
+-  Update to version 0.6.6
+- Add CAP_SYSLOG and CAP_WAKE_ALARM (needed for newish kernels)
+
+-------------------------------------------------------------------
+Mon Nov  8 14:06:01 UTC 2010 - [email protected]
+
+- fix requires
+
+-------------------------------------------------------------------
+Wed Nov  3 21:56:17 UTC 2010 - [email protected]
+
+- update to 0.6.5:
+  * works around a problem in the Linux 2.6.36 kernel headers
+  * fixes a segfault when using filecap on a specific file
+
+-------------------------------------------------------------------
+Thu Oct 14 11:18:28 UTC 2010 - [email protected]
+
+- split out python packages now that libcap-ng is used in many 
+  low level tools it creates cycles
+
+-------------------------------------------------------------------
+Thu May  6 17:55:55 UTC 2010 - [email protected]
+
+- update to 0.6.4:
+  * the library now uses kernel thread ID for capget/set calls
+  * a display problem of filesystem based capabilities was fixed
+  * netcap now prints device name for packet socket apps
+
+- add baselibs.conf to build libcap-ng0-32bit
+
+-------------------------------------------------------------------
+Fri Mar 12 10:01:51 UTC 2010 - [email protected]
+
+- update to 0.6.3:
+  * in netcap and pscap use the effective uid
+  * in capng_change_id, only retain setpcap if clearing the bounding set
+
+- add rpmlintrc to disable false positive warnings
+
+- symlink license files on openSUSE
+
+-------------------------------------------------------------------
+Wed Mar 10 16:02:51 UTC 2010 - [email protected]
+
+- fixed Requires of python subpackage
+
+-------------------------------------------------------------------
+Fri Feb 26 12:14:04 UTC 2010 - [email protected]
+
+- imported package from Fedora (version 0.6.2)
+

New:
----
  baselibs.conf
  libcap-ng-0.7.3.tar.gz
  libcap-ng-CVE-2014-3215.patch
  libcap-ng-python.changes
  libcap-ng-python.spec
  libcap-ng.changes
  libcap-ng.rpmlintrc
  libcap-ng.spec
  pre_checkin.sh

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libcap-ng-python.spec ++++++
#
# spec file for package libcap-ng-python
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


%{!?python_sitelib:  %global python_sitelib  %(%{__python} -c "from 
distutils.sysconfig import get_python_lib; print(get_python_lib())")}
%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from 
distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}

Summary:        An alternate POSIX capabilities library
License:        LGPL-2.1+
Group:          System/Libraries

Name:           libcap-ng-python
Version:        0.7.3
Release:        0
%define soname 0
%define rname libcap-ng
Url:            http://people.redhat.com/sgrubb/libcap-ng
Source0:        
http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-%{version}.tar.gz
Source1:        pre_checkin.sh
Source2:        baselibs.conf
Source99:       libcap-ng.rpmlintrc
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  kernel-headers >= 2.6.11
BuildRequires:  libattr-devel
BuildRequires:  pkg-config
BuildRequires:  python-base

%description
Libcap-ng is a library that makes using posix capabilities easier

%if "%{name}" == "%{rname}"

%package -n %{name}%{soname}

Summary:        An alternate POSIX capabilities library
License:        LGPL-2.1+
Group:          System/Libraries

%description -n %{name}%{soname}
Libcap-ng is a library that makes using posix capabilities easier

%package devel

Summary:        Header files for libcap-ng library
License:        LGPL-2.1+
Group:          Development/Libraries/C and C++
Requires:       %{name}%{soname} = %{version}
Requires:       kernel-headers >= 2.6.11
Requires:       pkgconfig

%description devel
The libcap-ng-devel package contains the files needed for developing
applications that need to use the libcap-ng library.

%package utils

Summary:        Utilities for analysing and setting file capabilities
License:        GPL-2.0+
Group:          System/Base

%description utils
The libcap-ng-utils package contains applications to analyse the
posix capabilities of all the program running on a system. It also
lets you set the file system based capabilities.

%else

%package -n python-capng
Summary:        Python bindings for libcap-ng library
License:        LGPL-2.1+
Group:          Development/Libraries/Python
BuildRequires:  python-devel
BuildRequires:  swig
Requires:       %{rname}%{soname} = %{version}
%py_requires

%description -n python-capng
The libcap-ng-python package contains the bindings so that libcap-ng
and can be used by python applications.

%endif

%prep
%setup -q -n %{rname}-%{version}

%build
%configure --disable-static --with-pic --with-python=yes
%__make %{?_smp_mflags}

%install
%__make DESTDIR="%{buildroot}" install

# Remove a couple things so they don't get picked up
find %{buildroot} -type f -name "*.la" -print -delete

%if "%{name}" == "%{rname}-python"
%__rm -f %{buildroot}%{_libdir}/lib*.so*
%__rm -f %{buildroot}%{_libdir}/lib*.so*
%__rm -rf %{buildroot}%{_libdir}/pkgconfig
%__rm -rf %{buildroot}%{_bindir}
%__rm -rf %{buildroot}%{_mandir}
%__rm -rf %{buildroot}%{_includedir}
%__rm -rf %{buildroot}%{_datadir}/aclocal
%endif

%clean
%{?buildroot:%__rm -rf "%{buildroot}"}

%if "%{name}" == "%{rname}"

%post -n %{name}%{soname} -p /sbin/ldconfig

%postun -n %{name}%{soname} -p /sbin/ldconfig

%files -n %{name}%{soname}
%defattr(-,root,root,-)
%doc COPYING.LIB
%attr(0755,root,root) %{_libdir}/%{rname}.so.%{soname}
%attr(0755,root,root) %{_libdir}/%{rname}.so.%{soname}.*

%files devel
%defattr(-,root,root,-)
%attr(0644,root,root) %{_mandir}/man3/*.3%{ext_man}
%attr(0644,root,root) %{_includedir}/cap-ng.h
%attr(0755,root,root) %{_libdir}/%{rname}.so
%attr(0644,root,root) %{_datadir}/aclocal/cap-ng.m4
%{_libdir}/pkgconfig/%{rname}.pc

%files utils
%defattr(-,root,root,-)
%doc COPYING
%attr(0755,root,root) %{_bindir}/captest
%attr(0755,root,root) %{_bindir}/filecap
%attr(0755,root,root) %{_bindir}/netcap
%attr(0755,root,root) %{_bindir}/pscap
%attr(0644,root,root) %{_mandir}/man8/*.8%{ext_man}

%else

%files -n python-capng
%defattr(-,root,root,-)
%attr(755,root,root) %{python_sitearch}/_capng.so
%{python_sitearch}/capng.py*

%endif

%changelog
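Review bot: This spec has no `Patch:` line and no `%patch` in `%prep`, unlike libcap-ng.spec in the same commit, so the python bindings are built from the unpatched 0.7.3 tree, and libcap-ng-python.changes has no CVE-2014-3215 entry. pre_checkin.sh copies libcap-ng.spec and libcap-ng.changes and rewrites only `Name:`, which would have carried the patch over but would also have produced `--with-python=no`, so the committed file appears to be hand-maintained or stale. Whether `_capng.so` carries its own copy of capng_lock() or resolves it from the patched shared library is not visible here. Adding `Patch: libcap-ng-CVE-2014-3215.patch` and `%patch` to this spec keeps both builds on identical sources either way.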
++++++ libcap-ng.spec ++++++
#
# spec file for package libcap-ng
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


%{!?python_sitelib:  %global python_sitelib  %(%{__python} -c "from 
distutils.sysconfig import get_python_lib; print(get_python_lib())")}
%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from 
distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}

Summary:        An alternate POSIX capabilities library
License:        LGPL-2.1+
Group:          System/Libraries

Name:           libcap-ng
Version:        0.7.3
Release:        0
%define soname 0
%define rname libcap-ng
Url:            http://people.redhat.com/sgrubb/libcap-ng
Source0:        
http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-%{version}.tar.gz
Source1:        pre_checkin.sh
Source2:        baselibs.conf
Source99:       libcap-ng.rpmlintrc
Patch:          libcap-ng-CVE-2014-3215.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  kernel-headers >= 2.6.11
BuildRequires:  libattr-devel
BuildRequires:  pkg-config
BuildRequires:  python-base

%description
Libcap-ng is a library that makes using posix capabilities easier

%if "%{name}" == "%{rname}"

%package -n %{name}%{soname}

Summary:        An alternate POSIX capabilities library
License:        LGPL-2.1+
Group:          System/Libraries

%description -n %{name}%{soname}
Libcap-ng is a library that makes using posix capabilities easier

%package devel

Summary:        Header files for libcap-ng library
License:        LGPL-2.1+
Group:          Development/Libraries/C and C++
Requires:       %{name}%{soname} = %{version}
Requires:       kernel-headers >= 2.6.11
Requires:       pkgconfig

%description devel
The libcap-ng-devel package contains the files needed for developing
applications that need to use the libcap-ng library.

%package utils

Summary:        Utilities for analysing and setting file capabilities
License:        GPL-2.0+
Group:          System/Base

%description utils
The libcap-ng-utils package contains applications to analyse the
posix capabilities of all the program running on a system. It also
lets you set the file system based capabilities.

%else

%package -n python-capng
Summary:        Python bindings for libcap-ng library
License:        LGPL-2.1+
Group:          Development/Libraries/Python
BuildRequires:  python-devel
BuildRequires:  swig
Requires:       %{rname}%{soname} = %{version}
%py_requires

%description -n python-capng
The libcap-ng-python package contains the bindings so that libcap-ng
and can be used by python applications.

%endif

%prep
%setup -q -n %{rname}-%{version}
%patch

%build
%configure --disable-static --with-pic --with-python=no
%__make %{?_smp_mflags}

%install
%__make DESTDIR="%{buildroot}" install

# Remove a couple things so they don't get picked up
find %{buildroot} -type f -name "*.la" -print -delete

%if "%{name}" == "%{rname}-python"
%__rm -f %{buildroot}%{_libdir}/lib*.so*
%__rm -f %{buildroot}%{_libdir}/lib*.so*
%__rm -rf %{buildroot}%{_libdir}/pkgconfig
%__rm -rf %{buildroot}%{_bindir}
%__rm -rf %{buildroot}%{_mandir}
%__rm -rf %{buildroot}%{_includedir}
%__rm -rf %{buildroot}%{_datadir}/aclocal
%endif

%clean
%{?buildroot:%__rm -rf "%{buildroot}"}

%if "%{name}" == "%{rname}"

%post -n %{name}%{soname} -p /sbin/ldconfig

%postun -n %{name}%{soname} -p /sbin/ldconfig

%files -n %{name}%{soname}
%defattr(-,root,root,-)
%doc COPYING.LIB
%attr(0755,root,root) %{_libdir}/%{rname}.so.%{soname}
%attr(0755,root,root) %{_libdir}/%{rname}.so.%{soname}.*

%files devel
%defattr(-,root,root,-)
%attr(0644,root,root) %{_mandir}/man3/*.3%{ext_man}
%attr(0644,root,root) %{_includedir}/cap-ng.h
%attr(0755,root,root) %{_libdir}/%{rname}.so
%attr(0644,root,root) %{_datadir}/aclocal/cap-ng.m4
%{_libdir}/pkgconfig/%{rname}.pc

%files utils
%defattr(-,root,root,-)
%doc COPYING
%attr(0755,root,root) %{_bindir}/captest
%attr(0755,root,root) %{_bindir}/filecap
%attr(0755,root,root) %{_bindir}/netcap
%attr(0755,root,root) %{_bindir}/pscap
%attr(0644,root,root) %{_mandir}/man8/*.8%{ext_man}

%else

%files -n python-capng
%defattr(-,root,root,-)
%attr(755,root,root) %{python_sitearch}/_capng.so
%{python_sitearch}/capng.py*

%endif

%changelog
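Review bot: `%patch` in `%prep` is given neither a patch number nor a `-p` level, so applying the CVE fix depends on rpm's defaults matching the patch's `docs/capng_lock.3` and `src/cap-ng.c` paths, which have no leading directory component. Writing `Patch0: libcap-ng-CVE-2014-3215.patch` and `%patch0 -p0` makes the strip level explicit and keeps the security patch from being mis-applied if another patch is added later.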
++++++ baselibs.conf ++++++
libcap-ng0
++++++ libcap-ng-CVE-2014-3215.patch ++++++
Index: docs/capng_lock.3
===================================================================
--- docs/capng_lock.3   (revision 55)
+++ docs/capng_lock.3   (working copy)
@@ -8,12 +8,13 @@
 
 .SH "DESCRIPTION"
 
-capng_lock will take steps to prevent children of the current process to 
regain full privileges if the uid is 0. This should be called while possessing 
the CAP_SETPCAP capability in the kernel. This function will do the following 
if permitted by the kernel: Set the NOROOT option on for PR_SET_SECUREBITS, set 
the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the 
PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the 
PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS.
+capng_lock will take steps to prevent children of the current process from 
gaining privileges by executing setuid programs.  This should be called while 
possessing the CAP_SETPCAP capability in the kernel.
 
+This function will do the following if permitted by the kernel:  If the kernel 
supports PR_SET_NO_NEW_PRIVS, it will use it.  Otherwise it will set the NOROOT 
option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for 
PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, 
and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS.  If both 
fail, it will return an error.
 
 .SH "RETURN VALUE"
 
-This returns 0 on success and a negative number on failure. -1 means a failure 
setting any of the PR_SET_SECUREBITS options.
+This returns 0 on success and a negative number on failure. -1 means a failure 
to use PR_SET_NO_NEW_PRIVS and a failure setting any of the PR_SET_SECUREBITS 
options.
 
 .SH "SEE ALSO"
 
Index: src/cap-ng.c
===================================================================
--- src/cap-ng.c        (revision 55)
+++ src/cap-ng.c        (working copy)
@@ -49,6 +49,7 @@
  * 2.6.24 kernel       XATTR_NAME_CAPS
  * 2.6.25 kernel       PR_CAPBSET_DROP, CAPABILITY_VERSION_2
  * 2.6.26 kernel       PR_SET_SECUREBITS, SECURE_*_LOCKED, VERSION_3
+ * 3.5    kernel       PR_SET_NO_NEW_PRIVS
  */
 
 /* External syscall prototypes */
@@ -126,6 +127,14 @@
 #define SECURE_NO_SETUID_FIXUP_LOCKED   3  /* make bit-2 immutable */
 #endif
 
+/* prctl values that we use */
+#ifndef PR_SET_SECUREBITS
+#define PR_SET_SECUREBITS              28
+#endif
+#ifndef PR_SET_NO_NEW_PRIVS
+#define PR_SET_NO_NEW_PRIVS            38
+#endif
+
 // States: new, allocated, initted, updated, applied
 typedef enum { CAPNG_NEW, CAPNG_ERROR, CAPNG_ALLOCATED, CAPNG_INIT,
        CAPNG_UPDATED, CAPNG_APPLIED } capng_states_t;
@@ -703,15 +712,22 @@
 
 int capng_lock(void)
 {
-#ifdef PR_SET_SECUREBITS
-       int rc = prctl(PR_SET_SECUREBITS,
-                       1 << SECURE_NOROOT |
-                       1 << SECURE_NOROOT_LOCKED |
-                       1 << SECURE_NO_SETUID_FIXUP |
-                       1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
+       int rc;
+
+       // On Linux 3.5 and up, we can directly prevent ourselves and
+       // our descendents from gaining privileges.
+       if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
+               return 0;
+
+       // This kernel is too old or otherwise doesn't support
+       // PR_SET_NO_NEW_PRIVS.  Fall back to using securebits.
+       rc = prctl(PR_SET_SECUREBITS,
+                  1 << SECURE_NOROOT |
+                  1 << SECURE_NOROOT_LOCKED |
+                  1 << SECURE_NO_SETUID_FIXUP |
+                  1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
        if (rc)
                return -1;
-#endif
 
        return 0;
 }
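Review bot: The early `return 0` after `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` in capng_lock() means that on kernels which accept the call, SECURE_NOROOT, SECURE_NO_SETUID_FIXUP and their _LOCKED variants are never set. A caller that relied on those securebits being locked after capng_lock() silently gets a different guarantee. no_new_privs also binds the calling process itself and cannot be cleared afterwards; the code comment says "ourselves and our descendents", but the updated man page speaks only of children. I would state both on the early-return path, e.g. `/* no_new_privs is one-way and covers this process too; securebits are left untouched on this path */`, and confirm that no caller depends on NO_SETUID_FIXUP after locking. When both calls fail, only the fallback's errno survives, so a caller cannot tell which mechanism was rejected.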

++++++ libcap-ng.rpmlintrc ++++++
addFilter("libcap-ng-utils.*: W: shlib-policy-missing-lib")
addFilter("libcap-ng-utils.*: W: shlib-policy-nonversioned-dir .*")
addFilter("python-capng..*: W: files-duplicate 
/usr/lib.*/python.*/site-packages/.*")
addFilter("libcap-ng-devel..*: W: no-dependency-on 
libcap-ng/libcap-ng-libs/liblibcap-ng")
++++++ pre_checkin.sh ++++++
#!/bin/bash

echo -n "Generating python spec "

cp libcap-ng.spec libcap-ng-python.spec
cp libcap-ng.changes libcap-ng-python.changes

perl -pi -e "s/^Name:.*libcap-ng$/Name:         libcap-ng-python/"  
libcap-ng-python.spec

echo "Done."
