Server: cvs.openpkg.org Name: Thomas Lotterer
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src openpkg-web Date: 07-Jan-2004 13:49:12
Branch: OPENPKG_1_3_SOLID HEAD Handle: 2004010712491001
Modified files:
openpkg-web news.txt
Modified files: (Branch: OPENPKG_1_3_SOLID)
openpkg-src/cvs cvs.patch cvs.spec
Log:
Extracted security enhancement backported from Stable CVS 1.12.5
Summary:
Revision Changes Path
1.3.2.1.2.2 +91 -0 openpkg-src/cvs/cvs.patch
1.48.2.3.2.3 +1 -1 openpkg-src/cvs/cvs.spec
1.8000 +1 -0 openpkg-web/news.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/cvs/cvs.patch
============================================================================
$ cvs diff -u -r1.3.2.1.2.1 -r1.3.2.1.2.2 cvs.patch
--- openpkg-src/cvs/cvs.patch 12 Dec 2003 16:39:13 -0000 1.3.2.1.2.1
+++ openpkg-src/cvs/cvs.patch 7 Jan 2004 12:49:11 -0000 1.3.2.1.2.2
@@ -43,3 +43,94 @@
/* if this is a directory to ignore, add it to that list */
if (mname[0] == '!' && mname[1] != '\0')
{
+
+Extracted security enhancement backported from Stable CVS 1.12.5
+
+2003-12-18 19:11 dprice
+
+ * src/: ChangeLog, server.c: * server.c (switch_to_user): SysLog
+ attempts to root from pserver.
+
+2003-12-18 18:38 dprice
+
+ * src/: ChangeLog, sanity.sh, server.c: * server.c
+ (switch_to_user): Don't allow CVS to run as root in pserver mode.
+ (Original patch from Wichert Akkerman via Bradley M Kuhn
+ <[EMAIL PROTECTED]>.) * sanity.sh (pserver): Check for bad root error
+ message.
+
+Index: src/server.c
+--- src/server.c.orig 2004-01-07 12:37:41.000000000 +0100
++++ src/server.c 2004-01-07 12:48:37.000000000 +0100
+@@ -5178,10 +5178,11 @@
+
+
+ #if defined (HAVE_KERBEROS) || defined (AUTH_SERVER_SUPPORT) || defined
(HAVE_GSSAPI)
+-static void switch_to_user PROTO((const char *));
++static void switch_to_user PROTO((const char *cvs_username, const char *username));
+
+ static void
+-switch_to_user (username)
++switch_to_user (cvs_username, username)
++ const char *cvs_username;
+ const char *username;
+ {
+ struct passwd *pw;
+@@ -5198,6 +5199,20 @@
+ error_exit ();
+ }
+
++ if (pw->pw_uid == 0)
++ {
++#ifdef HAVE_SYSLOG_H
++ /* FIXME: Can the IP address of the connecting client be retrieved
++ * and printed here?
++ */
++ syslog (LOG_DAEMON | LOG_ALERT,
++ "attempt to root from account: %s", cvs_username
++ );
++#endif
++ printf("error 0: root not allowed\n");
++ exit (EXIT_FAILURE);
++ }
++
+ #if HAVE_INITGROUPS
+ if (initgroups (pw->pw_name, pw->pw_gid) < 0
+ # ifdef EPERM
+@@ -5798,7 +5813,7 @@
+ strcpy (Pserver_Repos, repository);
+
+ /* Switch to run as this user. */
+- switch_to_user (host_user);
++ switch_to_user (username, host_user);
+ free (host_user);
+ free (tmp);
+ free (repository);
+@@ -5879,7 +5894,7 @@
+ }
+
+ /* Switch to run as this user. */
+- switch_to_user (user);
++ switch_to_user ("KERBEROS", user);
+ }
+ #endif /* HAVE_KERBEROS */
+
+@@ -5991,7 +6006,7 @@
+ error (1, errno, "fwrite failed");
+ }
+
+- switch_to_user (buf);
++ switch_to_user ("GSSAPI", buf);
+
+ printf ("I LOVE YOU\n");
+ fflush (stdout);
+@@ -6922,7 +6937,7 @@
+ }
+
+ /* Switch to run as this user. */
+- switch_to_user(host_user);
++ switch_to_user(username, host_user);
+ free(tmp);
+ free(repository);
+ free(username);
+
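Review bot: The new root guard in switch_to_user rejects the request with a bare `printf("error 0: root not allowed\n")` followed by `exit (EXIT_FAILURE)`, while the failure path a few lines above it in the same function (the context line `error_exit ();` after the lookup error) goes through the server's own error routine; unless the exact "error 0:" wire line is required by the client protocol, routing this through the same path, e.g. `error (1, 0, "root not allowed");`, keeps the shutdown behaviour (cleanup, flushing) consistent with the rest of the function. The syslog record is only emitted under `HAVE_SYSLOG_H`, so the new cvs_username parameter is otherwise unread and the Kerberos/GSSAPI callers pass the literals `"KERBEROS"` and `"GSSAPI"` rather than a principal name; that appears intentional, but a comment on the prototype such as `/* cvs_username: name presented by the client (or auth mechanism), used only for the audit log */` would make the contract explicit for later maintainers. The wrapped `#if defined (...) || defined` / `(HAVE_GSSAPI)` context line at the top of the hunk looks like mail line-wrapping rather than a real change, presumably harmless in the repository copy. The body of switch_to_user and the bodies of its callers continue outside the hunk fragments shown here.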
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/cvs/cvs.spec
============================================================================
$ cvs diff -u -r1.48.2.3.2.2 -r1.48.2.3.2.3 cvs.spec
--- openpkg-src/cvs/cvs.spec 12 Dec 2003 16:39:13 -0000 1.48.2.3.2.2
+++ openpkg-src/cvs/cvs.spec 7 Jan 2004 12:49:11 -0000 1.48.2.3.2.3
@@ -37,7 +37,7 @@
Group: SCM
License: GPL
Version: %{V_cvs}
-Release: 1.3.1
+Release: 1.3.2
# package options
%option with_fsl yes
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/news.txt
============================================================================
$ cvs diff -u -r1.7999 -r1.8000 news.txt
--- openpkg-web/news.txt 7 Jan 2004 11:44:10 -0000 1.7999
+++ openpkg-web/news.txt 7 Jan 2004 12:49:10 -0000 1.8000
@@ -1,3 +1,4 @@
+07-Jan-2004: Upgraded package: P<cvs-1.12.1-1.3.2>
07-Jan-2004: Upgraded package: P<imap-2004rc1-20040107>
07-Jan-2004: Upgraded package: P<vmware-console-2.5.1.6192-20040107>
07-Jan-2004: Upgraded package: P<openpkg-20040107-20040107>
@@ .