[gentoo-commits] repo/gentoo:master commit in: net-analyzer/pnp4nagios/

[Michael Orlitzky]

commit:     184ae2c637ba60cd8f65d33c9098a2f4a079b4dc
Author:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
AuthorDate: Thu Nov  2 17:08:14 2017 +0000
Commit:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
CommitDate: Sat Nov  4 23:37:20 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=184ae2c6

net-analyzer/pnp4nagios: new revision with a better fix for CVE-2012-3457.

In CVE-2012-3457, it was reported that one particular file should not
be world-readable. To fix that, our ebuild made all of /etc/pnp
unreadable; that made other permissions issues difficult to work
around. This r2 sets o-rwx only on /etc/pnp/process_perfdata.cfg.

Bug: https://bugs.gentoo.org/430358
Package-Manager: Portage-2.3.8, Repoman-2.3.3

 ...0.6.26-r1.ebuild => pnp4nagios-0.6.26-r2.ebuild} | 21 +++++++--------------
 1 file changed, 7 insertions(+), 14 deletions(-)

diff --git a/net-analyzer/pnp4nagios/pnp4nagios-0.6.26-r1.ebuild 
b/net-analyzer/pnp4nagios/pnp4nagios-0.6.26-r2.ebuild
similarity index 84%
rename from net-analyzer/pnp4nagios/pnp4nagios-0.6.26-r1.ebuild
rename to net-analyzer/pnp4nagios/pnp4nagios-0.6.26-r2.ebuild
index c15a8c98de6..818bc3104ff 100644
--- a/net-analyzer/pnp4nagios/pnp4nagios-0.6.26-r1.ebuild
+++ b/net-analyzer/pnp4nagios/pnp4nagios-0.6.26-r2.ebuild
@@ -74,25 +74,18 @@ src_install() {
        rm "${ED%/}/usr/share/pnp/install.php" || \
                die "unable to remove ${ED%/}/usr/share/pnp/install.php"
 
+       # Fix CVE-2012-3457 (Gentoo bug 430358)
+       fperms o-rwx /etc/pnp/process_perfdata.cfg
+
        if use apache2 ; then
                insinto "${APACHE_MODULES_CONFDIR}"
                newins "${FILESDIR}"/98_pnp4nagios-2.4.conf 98_pnp4nagios.conf
 
-               # Allow the apache user to read our config files. This same
-               # approach is used in net-analyzer/nagios-core.
-               chgrp -R apache "${ED%/}/etc/pnp" \
-                       || die "failed to change group of ${ED%/}/etc/pnp"
+               # This one file isn't world-readable, but it should be group-
+               # readable. Give it to the "apache" group to let the web
+               # server read it.
+               fowners :apache /etc/pnp/process_perfdata.cfg
        fi
-
-       # Bug 430358 - CVE-2012-3457
-       local f
-       while IFS="" read -d $'\0' -r f ; do
-               chmod 0640 "${f}" || die
-       done < <(find "${ED%/}/etc/pnp" -type f)
-
-       while IFS="" read -d $'\0' -r f ; do
-               chmod 0750 "${f}" || die
-       done < <(find "${ED%/}/etc/pnp" -type d)
 }
 
 pkg_postinst() {