Hello community, here is the log from the commit of package udev for openSUSE:Factory checked in at 2012-07-12 14:56:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/udev (Old) and /work/SRC/openSUSE:Factory/.udev.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "udev", Maintainer is "rmila...@suse.com" Changes: -------- --- /work/SRC/openSUSE:Factory/udev/udev.changes 2012-06-28 17:03:18.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.udev.new/udev.changes 2012-07-12 14:56:11.000000000 +0200 @@ -1,0 +2,16 @@ +Wed Jul 11 13:24:21 UTC 2012 - rmila...@suse.com + +- Security: libudev using getenv() in suids (bnc#697103) + add: 0015-udev-secure-getenv.patch + Added several patches from upstream: + add: 0016-udev-ata_id-fixup-all-8-not-only-6-bytes-of-the-fw_revision.patch + add: 0017-udev-add-some-O_CLOEXEC.patch + add: 0018-udev-static-nodes-fix-default-permissions-if-no-rule.patch + +------------------------------------------------------------------- +Fri Jul 6 14:37:31 UTC 2012 - dmuel...@suse.com + +- move udev.pc to the libudev-devel subpackage, as it causes + a pkg-config dependency + +------------------------------------------------------------------- New: ---- 0015-udev-secure-getenv.patch 0016-udev-ata_id-fixup-all-8-not-only-6-bytes-of-the-fw_revision.patch 0017-udev-add-some-O_CLOEXEC.patch 0018-udev-static-nodes-fix-default-permissions-if-no-rule.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ udev.spec ++++++ --- /var/tmp/diff_new_pack.PDY4Ir/_old 2012-07-12 14:56:14.000000000 +0200 +++ /var/tmp/diff_new_pack.PDY4Ir/_new 2012-07-12 14:56:14.000000000 +0200 
@@ -80,6 +80,14 @@ Patch13: 0013-re-enable-by_path-links-for-ata-devices.patch # PATCH-FIX-OPENSUSE 0014-rules-create-by-id-scsi-links-for-ATA-devices.patch Patch14: 0014-rules-create-by-id-scsi-links-for-ATA-devices.patch +# PATCH-FIX-OPENSUSE 0015-udev-secure-getenv.patch +Patch15: 0015-udev-secure-getenv.patch +# PATCH-FIX-UPSTREAM 0016-udev-ata_id-fixup-all-8-not-only-6-bytes-of-the-fw_revision.patch +Patch16: 0016-udev-ata_id-fixup-all-8-not-only-6-bytes-of-the-fw_revision.patch +# PATCH-FIX-UPSTREAM 0017-udev-add-some-O_CLOEXEC.patch +Patch17: 0017-udev-add-some-O_CLOEXEC.patch +# PATCH-FIX-UPSTREAM 0018-udev-static-nodes-fix-default-permissions-if-no-rule.patch +Patch18: 0018-udev-static-nodes-fix-default-permissions-if-no-rule.patch # Upstream First - Policy: # Never add any patches to this package without the upstream commit id @@ -163,6 +171,10 @@ %patch12 -p1 %patch13 -p1 %patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 %build autoreconf -vfi @@ -277,7 +289,6 @@ %dir %{_sysconfdir}/udev/rules.d/ %config(noreplace) %{_sysconfdir}/udev/udev.conf %{_mandir}/man?/*.[0-9]* -%{_datadir}/pkgconfig/udev.pc %doc %{_docdir}/udev %dir /lib/udev/devices/ %dir /lib/systemd/system @@ -296,6 +307,7 @@ %defattr(-,root,root) %{_includedir}/libudev.h %{_libdir}/libudev.so +%{_datadir}/pkgconfig/udev.pc %{_libdir}/pkgconfig/libudev.pc %dir %{_datadir}/gtk-doc %dir %{_datadir}/gtk-doc/html ++++++ 0015-udev-secure-getenv.patch ++++++ Index: udev-182/src/libudev.c =================================================================== --- udev-182.orig/src/libudev.c +++ udev-182/src/libudev.c @@ -135,7 +135,7 @@ UDEV_EXPORT struct udev *udev_new(void) udev_list_init(udev, &udev->properties_list, true); /* custom config file */ - env = getenv("UDEV_CONFIG_FILE"); + env = __secure_getenv("UDEV_CONFIG_FILE"); if (env != NULL) { if (set_value(&config_file, env) == NULL) goto err; 
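Review bot: Patch15 is tagged PATCH-FIX-OPENSUSE while the three patches added right after it carry PATCH-FIX-UPSTREAM, yet the policy comment two lines below the added block says no patch is added without the upstream commit id, and the 0015 patch body later on this page has no upstream `From <commit>` header unlike 0016-0018. Since the changelog calls 0015 a security fix (bnc#697103), record its upstream status in the tag line, e.g. `# PATCH-FIX-OPENSUSE 0015-udev-secure-getenv.patch bnc#697103 -- upstream commit: <id or "not submitted">`, so the next rebase knows whether it can be dropped. Whether the fix has been sent upstream cannot be determined from this page.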
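Review bot: `__secure_getenv` is called unconditionally with no configure-time check, and its double-underscore name marks it as a glibc-private symbol, so the build breaks on any other libc and the call may stop linking once glibc exposes the public `secure_getenv` name instead. Because the spec already runs autoreconf, add `AC_CHECK_FUNCS([secure_getenv __secure_getenv])` and route the lookup through one small wrapper that prefers `secure_getenv`, falls back to `__secure_getenv`, and otherwise refuses to read the environment when real and effective ids differ; a fallback to plain `getenv` would silently reopen the bnc#697103 hole for setuid callers. The uid/gid comparison in the last branch is weaker than the AT_SECURE test glibc performs (it does not see file capabilities), so it is a fallback, not a replacement. The same change applies to the `UDEV_LOG` hunk of this patch, and any other `getenv` call in libudev reachable from a setuid program needs the same treatment, which cannot be checked from this page; `udev_new` continues outside the hunk.
```c
/* Environment lookup that ignores the environment of a setuid/setgid process. */
static const char *udev_secure_getenv(const char *name)
{
#if defined(HAVE_SECURE_GETENV)
        return secure_getenv(name);
#elif defined(HAVE___SECURE_GETENV)
        return __secure_getenv(name);
#else
        /* weaker than AT_SECURE: misses file capabilities, but never trusts a setuid environment */
        if (getuid() != geteuid() || getgid() != getegid())
                return NULL;
        return getenv(name);
#endif
}

/* … unchanged: udev_new() up to the config-file lookup … */
        env = udev_secure_getenv("UDEV_CONFIG_FILE");
```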
@@ -237,7 +237,7 @@ UDEV_EXPORT struct udev *udev_new(void) } /* environment overrides config */ - env = getenv("UDEV_LOG"); + env = __secure_getenv("UDEV_LOG"); if (env != NULL) udev_set_log_priority(udev, util_log_priority(env)); ++++++ 0016-udev-ata_id-fixup-all-8-not-only-6-bytes-of-the-fw_revision.patch ++++++ >From daa9cf546ce7265645ced9592dd54c6b2fc04302 Mon Sep 17 00:00:00 2001 From: Kay Sievers <k...@vrfy.org> Date: Thu, 5 Jul 2012 16:53:08 +0200 Subject: [PATCH] udev: ata_id - fixup all 8 not only 6 bytes of the fw_rev string The last two digits are in the wrong order: $ hdparm -I /dev/sda | grep Revision 4PC10362 $ /lib/udev/ata_id -x /dev/sda | grep REVISION 4PC10326 Index: udev-182/src/ata_id/ata_id.c =================================================================== --- udev-182.orig/src/ata_id/ata_id.c +++ udev-182/src/ata_id/ata_id.c @@ -511,7 +511,7 @@ int main(int argc, char *argv[]) * use and copy it into the hd_driveid struct for convenience */ disk_identify_fixup_string (identify, 10, 20); /* serial */ - disk_identify_fixup_string (identify, 23, 6); /* fwrev */ + disk_identify_fixup_string (identify, 23, 8); /* fwrev */ disk_identify_fixup_string (identify, 27, 40); /* model */ disk_identify_fixup_uint16 (identify, 0); /* configuration */ disk_identify_fixup_uint16 (identify, 75); /* queue depth */ ++++++ 0017-udev-add-some-O_CLOEXEC.patch ++++++ >From 47ef94ac5f39db6c5c18be10afe32397a0a8d5cc Mon Sep 17 00:00:00 2001 From: Kay Sievers <k...@vrfy.org> Date: Thu, 5 Jul 2012 17:33:24 +0200 Subject: [PATCH] udev: add some O_CLOEXEC Index: udev-182/src/cdrom_id/cdrom_id.c =================================================================== --- udev-182.orig/src/cdrom_id/cdrom_id.c +++ udev-182/src/cdrom_id/cdrom_id.c 
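Review bot: The corrected length 8 is still a bare magic number next to the 10/20 and 27/40 pairs, and the original 6 shows how easily such a constant is mis-typed without anyone noticing; annotate the line with the IDENTIFY layout it encodes, `disk_identify_fixup_string (identify, 23, 8); /* fwrev: words 23-26, 8 bytes */`, or give the three word/length pairs named constants. The before/after output in the commit message (last two characters swapped) is exactly what a small unit test of the byte-swap helper would have caught, so it is worth turning into one. `main` continues outside the hunk.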
@@ -125,7 +125,7 @@ static bool is_mounted(const char *devic if (stat(device, &statbuf) < 0) return -ENODEV; - fp = fopen("/proc/self/mountinfo", "r"); + fp = fopen("/proc/self/mountinfo", "re"); if (fp == NULL) return -ENOSYS; while (fscanf(fp, "%*s %*s %i:%i %*[^\n]", &maj, &min) == 2) { Index: udev-182/src/keymap/keymap.c =================================================================== --- udev-182.orig/src/keymap/keymap.c +++ udev-182/src/keymap/keymap.c @@ -409,7 +409,7 @@ int main(int argc, char **argv) const char *filearg = argv[optind+1]; if (strchr(filearg, '/')) { /* Keymap file argument is a path */ - FILE *f = fopen(filearg, "r"); + FILE *f = fopen(filearg, "re"); if (f) merge_table(fd, f); else @@ -419,12 +419,12 @@ int main(int argc, char **argv) /* Open override file if present, otherwise default file */ char keymap_path[PATH_MAX]; snprintf(keymap_path, sizeof(keymap_path), "%s%s", SYSCONFDIR "/udev/keymaps/", filearg); - FILE *f = fopen(keymap_path, "r"); + FILE *f = fopen(keymap_path, "re"); if (f) { merge_table(fd, f); } else { snprintf(keymap_path, sizeof(keymap_path), "%s%s", PKGLIBEXECDIR "/keymaps/", filearg); - f = fopen(keymap_path, "r"); + f = fopen(keymap_path, "re"); if (f) merge_table(fd, f); else Index: udev-182/src/libudev-queue-private.c =================================================================== --- udev-182.orig/src/libudev-queue-private.c +++ udev-182/src/libudev-queue-private.c @@ -223,7 +223,7 @@ static int rebuild_queue_file(struct ude /* create new queue file */ util_strscpyl(filename_tmp, sizeof(filename_tmp), udev_get_run_path(udev_queue_export->udev), "/queue.tmp", NULL); - new_queue_file = fopen(filename_tmp, "w+"); + new_queue_file = fopen(filename_tmp, "w+e"); if (new_queue_file == NULL) goto error; seqnum = udev_queue_export->seqnum_max; Index: udev-182/src/udev-event.c =================================================================== --- udev-182.orig/src/udev-event.c +++ udev-182/src/udev-event.c 
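Review bot: In the cdrom_id hunk, `is_mounted` is declared `static bool` yet returns `-ENODEV` when stat() fails and `-ENOSYS` when the fopen() of /proc/self/mountinfo fails; both convert to `true`, so an unreadable mountinfo makes the device look mounted. The new `"re"` mode leaves that as it is; the two statements should become `return false;` (or the function should return int, which depends on callers not visible here). The `e` mode character is a glibc extension that other C libraries may ignore silently, acceptable for a Linux-only tool but worth a one-line comment at the first use, e.g. `/* "e" = O_CLOEXEC, glibc extension */`. The same fopen()-mode change recurs in the keymap, libudev-queue-private, udev-rules and udevd hunks and needs no separate note; the body of is_mounted continues outside the hunk.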
@@ -789,7 +789,7 @@ static void rename_netif_kernel_log(stru int klog; FILE *f; - klog = open("/dev/kmsg", O_WRONLY); + klog = open("/dev/kmsg", O_WRONLY|O_CLOEXEC); if (klog < 0) return; Index: udev-182/src/udev-rules.c =================================================================== --- udev-182.orig/src/udev-rules.c +++ udev-182/src/udev-rules.c @@ -749,7 +749,7 @@ static int import_file_into_properties(s FILE *f; char line[UTIL_LINE_SIZE]; - f = fopen(filename, "r"); + f = fopen(filename, "re"); if (f == NULL) return -1; while (fgets(line, sizeof(line), f) != NULL) @@ -1641,7 +1641,7 @@ static int parse_file(struct udev_rules info(rules->udev, "reading '%s' as rules file\n", filename); - f = fopen(filename, "r"); + f = fopen(filename, "re"); if (f == NULL) return -1; @@ -2350,7 +2350,7 @@ int udev_rules_apply_to_event(struct ude FILE *f; bool imported = false; - f = fopen("/proc/cmdline", "r"); + f = fopen("/proc/cmdline", "re"); if (f != NULL) { char cmdline[4096]; @@ -2639,7 +2639,7 @@ int udev_rules_apply_to_event(struct ude info(event->udev, "ATTR '%s' writing '%s' %s:%u\n", attr, value, &rules->buf[rule->rule.filename_off], rule->rule.filename_line); - f = fopen(attr, "w"); + f = fopen(attr, "we"); if (f != NULL) { if (fprintf(f, "%s", value) <= 0) err(event->udev, "error writing ATTR{%s}: %m\n", attr); Index: udev-182/src/udevd.c =================================================================== --- udev-182.orig/src/udevd.c +++ udev-182/src/udevd.c @@ -838,7 +838,7 @@ static void static_dev_create_from_modul uname(&kernel); util_strscpyl(modules, sizeof(modules), "/lib/modules/", kernel.release, "/modules.devname", NULL); - f = fopen(modules, "r"); + f = fopen(modules, "re"); if (f == NULL) return; @@ -1016,7 +1016,7 @@ static int mem_size_mb(void) char buf[4096]; long int memsize = -1; - f = fopen("/proc/meminfo", "r"); + f = fopen("/proc/meminfo", "re"); if (f == NULL) return -1; 
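Review bot: In the udev-rules ATTR hunk, the sysfs attribute is written through a buffered `FILE`, so `fprintf(f, "%s", value) <= 0` only catches a formatting failure; the kernel's rejection of the value surfaces when the buffer is flushed, i.e. at the fclose() that presumably follows outside the hunk. If that fclose() return is unchecked, a refused attribute write is logged as success; change the check to `if (fprintf(f, "%s", value) < 0 || fclose(f) != 0) err(event->udev, "error writing ATTR{%s}: %m\n", attr);` and make sure the stream is not closed a second time afterwards. The `<= 0` comparison also reports an empty value as an error although writing an empty string is a legitimate no-op. `udev_rules_apply_to_event` extends beyond the hunk.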
@@ -1054,7 +1054,7 @@ static int convert_db(struct udev *udev) if (access(filename, F_OK) < 0) return 0; - f = fopen("/dev/kmsg", "w"); + f = fopen("/dev/kmsg", "we"); if (f != NULL) { fprintf(f, "<30>udevd[%u]: converting old udev database\n", getpid()); fclose(f); @@ -1285,7 +1285,7 @@ int main(int argc, char *argv[]) * udev.children-max=<number of workers> events are fully serialized if set to 1 * */ - f = fopen("/proc/cmdline", "r"); + f = fopen("/proc/cmdline", "re"); if (f != NULL) { char cmdline[4096]; @@ -1445,7 +1445,7 @@ int main(int argc, char *argv[]) sd_notify(1, "READY=1"); } - f = fopen("/dev/kmsg", "w"); + f = fopen("/dev/kmsg", "we"); if (f != NULL) { fprintf(f, "<30>udevd[%u]: starting version " VERSION "\n", getpid()); fclose(f); ++++++ 0018-udev-static-nodes-fix-default-permissions-if-no-rule.patch ++++++ >From ef8a2bf6484bb0f82248ceb10a55509a93d82c6b Mon Sep 17 00:00:00 2001 From: Kay Sievers <k...@vrfy.org> Date: Mon, 2 Jul 2012 20:44:05 +0200 Subject: [PATCH] udev: static nodes - fix default permissions if no rules is given <falconindy> kay: just curious -- it looks like nodes created by udev from modules.devname all have 000 perms, and there's nothing in udev that attempts to change this. is it intended? <falconindy> c--------- 1 root root 10, 223 Jul 1 23:10 uinput <kay> falconindy: we might miss the default of 0600 <falconindy> seems like it <kay> falconindy: stuff that has a rule works i guess <kay> falconindy: i'll add the 0600 now Index: udev-182/src/udevd.c =================================================================== --- udev-182.orig/src/udevd.c +++ udev-182/src/udevd.c 
@@ -876,10 +876,11 @@ static void static_dev_create_from_modul if (sscanf(devno, "%c%u:%u", &type, &maj, &min) != 3) continue; + mode = 0600; if (type == 'c') - mode = S_IFCHR; + mode |= S_IFCHR; else if (type == 'b') - mode = S_IFBLK; + mode |= S_IFBLK; else continue; -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
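Review bot: The new `mode = 0600;` is an unexplained constant; the commit message says it restores the intended default for static nodes that no rule touches, so say so on the line: `mode = 0600; /* default for nodes without a rule: owner-only access, as the commit message notes */`. Owner-only is the conservative choice here, since the nodes come from modules.devname (e.g. uinput in the commit message) and a wider default would expose them without any rule having asked for it. The type check below still falls through to `continue` for anything but 'c' or 'b', so the default mode is only ever combined with a valid node type. static_dev_create_from_modules continues outside the hunk.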