Hello community, here is the log from the commit of package iputils.2246 for openSUSE:13.1:Update checked in at 2013-11-25 11:21:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/iputils.2246 (Old) and /work/SRC/openSUSE:13.1:Update/.iputils.2246.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "iputils.2246" Changes: -------- New Changes file: --- /dev/null 2013-11-25 01:44:08.036031256 +0100 +++ /work/SRC/openSUSE:13.1:Update/.iputils.2246.new/iputils.changes 2013-11-25 11:21:57.000000000 +0100 
@@ -0,0 +1,371 @@ +------------------------------------------------------------------- +Fri Nov 15 22:41:11 UTC 2013 - meiss...@suse.com + +- the ping binary moved to /usr/bin from /bin, + so it did not get the right permissions. bnc#841533 + +------------------------------------------------------------------- +Tue Jul 23 11:04:46 CEST 2013 - m...@suse.de + +- ping denpend on SIGALRM to exit sometime, so we mask it UNBLOCK (bnc #674304) + +------------------------------------------------------------------- +Fri Mar 8 03:27:28 UTC 2013 - crrodrig...@opensuse.org + +- Build everythiong with full RELRO here. SUID code around.. + +------------------------------------------------------------------- +Sat Mar 2 08:18:36 UTC 2013 - co...@suse.com + +- update license to new format + +------------------------------------------------------------------- +Fri Feb 17 00:36:48 UTC 2012 - rschweik...@suse.com + +- place binaries in /usr tree (UsrMerge project) + +------------------------------------------------------------------- +Tue May 31 10:06:29 CEST 2011 - m...@suse.de + +- fixed typo in ping output. Since 11.4 sequence tag is icmp_req + instead of icmp_seq beause of that for example cacti ping script + does not work anymore (bnc #696720) + +------------------------------------------------------------------- +Fri Nov 19 09:55:18 UTC 2010 - co...@novell.com + +- remove no longer needed patches + +------------------------------------------------------------------- +Tue Nov 16 15:41:51 UTC 2010 - lnus...@suse.de + +- don't verify caps as that's done by chkstat as well +- use new %set_permissions macro + +------------------------------------------------------------------- +Mon Nov 8 10:32:37 UTC 2010 - lnus...@suse.de + +- fix capabilities patch: first switch uid then drop caps. 
+ +------------------------------------------------------------------- +Wed Nov 3 14:31:09 UTC 2010 - lnus...@suse.de + +- update to version s20100418 + * ping,ping6: avoid gethostbyaddr during ping flood. + * arping: Set correct broadcast address. + * tracepath: Fix some small typos in tracepath.sgml. + * ping: Fix resource consumption triggered by specially crafted ICMP + Echo Reply (CVE-2010-2529) +- don't install fscaps, rely on /etc/permissions handling instead +- compile using -fno-strict-aliasing +- drop capabilities unconditionally (bnc#645423) +- spec file cleanup + +------------------------------------------------------------------- +Mon Oct 11 03:56:55 UTC 2010 - reddw...@opensuse.org + +- Use POSIX capabilities instead of SUID for ping + +------------------------------------------------------------------- +Tue Sep 7 20:35:03 UTC 2010 - a...@suse.de + +- BuildRequire sysfsutils-devel + +------------------------------------------------------------------- +Wed Jul 14 13:42:08 CEST 2010 - m...@suse.de + +- fixed device broadcast setup (bnc #614389) +- upstream maintainer has changed. new maintainer is + YOSHIFUJI Hideaki. Along with this change the versioning + of the package also changed. 
Current version is: s20100418 + from 18-Apr-2010 +- many patches upstream now, reduced patch set + +------------------------------------------------------------------- +Tue Jul 13 17:03:24 CEST 2010 - m...@suse.de + +- reverted arping-infiniband.diff, it breaks arping + (bnc #614389) and (bnc #610839) + +------------------------------------------------------------------- +Thu Jul 8 16:24:50 CEST 2010 - m...@suse.de + +- security fix: replies by a malicious system can + make ping run into an endless loop (bnc #620837) + +------------------------------------------------------------------- +Fri Jun 4 09:22:08 CEST 2010 - m...@suse.de + +- fixed arping buffer overflow on Infiniband (bnc #610839) + +------------------------------------------------------------------- +Fri Apr 23 16:16:33 CEST 2010 - m...@suse.de + +- ifenslave: fixed detach/attach code of bonds (bnc #595474) +- ifenslave: fixed output of the IP address - in hex: (bnc #595474) + +------------------------------------------------------------------- +Tue Dec 22 21:21:39 UTC 2009 - jeng...@medozas.de + +- enable parallel build + +------------------------------------------------------------------- +Mon Oct 6 10:47:49 CEST 2008 - m...@suse.de + +- fixed compiler warning in ifenslave.c: + *ordered comparison of pointer with integer zero (bnc #431910) + +------------------------------------------------------------------- +Thu Sep 4 14:40:01 CEST 2008 - m...@suse.de + +- fixed ping signal handling during address lookup (bnc #416404) + +------------------------------------------------------------------- +Wed Dec 12 15:44:07 CET 2007 - rguent...@suse.de + +- use sysconf(_SC_OPEN_MAX) instead of OPEN_MAX to fix build + +------------------------------------------------------------------- +Tue Mar 6 09:14:02 CET 2007 - m...@suse.de + +- fixed overbound ttab2 array access (#251195) + +------------------------------------------------------------------- +Wed Dec 6 15:24:00 CET 2006 - m...@suse.de + +- ping_common.c: added 
check for oversized packages (-s) (#222010) + +------------------------------------------------------------------- +Thu Nov 23 17:04:15 CET 2006 - o...@suse.de + +- move ifenslave.c to the first patch to allow quilt setup *.spec + +------------------------------------------------------------------- +Wed Nov 22 11:47:46 CET 2006 - m...@suse.de + +- ping6: use getaddrinfo() instead of gethostbyname2 (#221745) + +------------------------------------------------------------------- +Fri Nov 10 12:26:57 CET 2006 - r...@suse.de + +- fix manpage permissions + +------------------------------------------------------------------- +Mon Aug 7 20:38:57 CEST 2006 - a...@suse.de + +- use sysconf(_SC_CLK_TCK) instead of HZ + +------------------------------------------------------------------- +Wed Mar 1 15:47:50 CET 2006 - sch...@suse.de + +- ifenslave: fix display of interface address. +- Don't strip binaries. + +------------------------------------------------------------------- +Wed Jan 25 21:36:41 CET 2006 - m...@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Mon Jan 23 13:45:37 CET 2006 - m...@suse.de + +- Fix ping6 [#143932] + +------------------------------------------------------------------- +Fri Jul 8 10:34:54 CEST 2005 - m...@suse.de + +- Patch from ak which allows to use the standard ping6 + link-local-addr%interface syntax instead of ping6 -I interface + link-local-addr. 
+ +------------------------------------------------------------------- +Thu Jun 16 09:58:16 CEST 2005 - m...@suse.de + +- Compile with -fpie, link with -pie + +------------------------------------------------------------------- +Fri Sep 3 11:40:14 CEST 2004 - ku...@suse.de + +- Fix compiling with new glibc headers + +------------------------------------------------------------------- +Fri Mar 19 12:07:00 CET 2004 - m...@suse.de + +- Use correct permissions for manpages [#36321] + +------------------------------------------------------------------- +Wed Mar 17 13:16:15 CET 2004 - m...@suse.de ++++ 174 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.iputils.2246.new/iputils.changes New: ---- ifenslave.c iputils-ifenslave.diff iputils-pingnamelookuponce.diff iputils-pingtypo.diff iputils-s20101006-capabilities.diff iputils-s20101006-ping-interrupt.diff iputils-s20101006-sec-ping-unblock.diff iputils-s20101006.tar.bz2 iputils-traceroute6-stdint.diff iputils.changes iputils.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ iputils.spec ++++++ # # spec file for package iputils # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: iputils BuildRequires: docbook_3 BuildRequires: iso_ent BuildRequires: libopenssl-devel BuildRequires: opensp BuildRequires: perl-SGMLS %if 0%{?suse_version} > 1130 BuildRequires: sysfsutils-devel %else BuildRequires: sysfsutils %endif BuildRequires: libcap-devel Summary: IPv4 and IPv6 Networking Utilities License: BSD-3-Clause and GPL-2.0+ Group: Productivity/Networking/Other Version: s20101006 Release: 0 Url: http://www.skbuff.net/iputils Source: http://www.skbuff.net/iputils/iputils-%{version}.tar.bz2 # XXX: from linux/Documentation/networking/ifenslave.c Source1: ifenslave.c Patch1: iputils-pingnamelookuponce.diff Patch2: iputils-traceroute6-stdint.diff Patch3: iputils-ifenslave.diff Patch6: iputils-s20101006-capabilities.diff Patch7: iputils-pingtypo.diff Patch8: iputils-s20101006-sec-ping-unblock.diff Patch9: iputils-s20101006-ping-interrupt.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: permissions %description This package contains some small network tools for IPv4 and IPv6 like rdisc, ping6, traceroute6, tracepath, and tracepath6. %prep %setup -q cp -a %SOURCE1 . 
%patch1 %patch2 %patch3 #patch4 #patch5 %patch6 -p1 %patch7 %patch8 %patch9 mkdir linux touch linux/autoconf.h %build make %{?_smp_mflags} KERNEL_INCLUDE=$PWD \ CCOPT='%optflags -fno-strict-aliasing -fpie -D_GNU_SOURCE' \ LDLIBS='-Wl,-z,relro,-z,now -pie -lcap -lresolv' \ CAPABILITIES=1 gcc $RPM_OPT_FLAGS -o ifenslave ifenslave.c make man %install mkdir -p $RPM_BUILD_ROOT/%_sbindir mkdir -p $RPM_BUILD_ROOT/%_bindir install arping $RPM_BUILD_ROOT/%{_sbindir} install ifenslave $RPM_BUILD_ROOT/%{_sbindir} install clockdiff $RPM_BUILD_ROOT/%{_sbindir} install rdisc $RPM_BUILD_ROOT/%{_sbindir}/in.rdisc install tracepath $RPM_BUILD_ROOT/%{_sbindir} install tracepath6 $RPM_BUILD_ROOT/%{_sbindir} install ping $RPM_BUILD_ROOT/%{_bindir} install ping6 $RPM_BUILD_ROOT/%{_bindir} install ipg $RPM_BUILD_ROOT/%{_bindir} #UsrMerge mkdir -p $RPM_BUILD_ROOT/{bin,sbin} ln -sf %{_sbindir}/arping $RPM_BUILD_ROOT/sbin ln -sf %{_sbindir}/ifenslave $RPM_BUILD_ROOT/sbin ln -sf %{_sbindir}/clockdiff $RPM_BUILD_ROOT/sbin ln -sf %{_sbindir}/in.rdisc $RPM_BUILD_ROOT/sbin ln -sf %{_sbindir}/tracepath $RPM_BUILD_ROOT/sbin ln -sf %{_sbindir}/tracepath6 $RPM_BUILD_ROOT/sbin ln -sf %{_bindir}/ping $RPM_BUILD_ROOT/bin ln -sf %{_bindir}/ping6 $RPM_BUILD_ROOT/bin ln -sf %{_bindir}/ipg $RPM_BUILD_ROOT/bin #EndUsrMerge mkdir -p $RPM_BUILD_ROOT%_mandir/man8 install -m 644 doc/arping.8 $RPM_BUILD_ROOT%_mandir/man8/ install -m 644 doc/clockdiff.8 $RPM_BUILD_ROOT%_mandir/man8/ install -m 644 doc/tracepath.8 $RPM_BUILD_ROOT%_mandir/man8/ install -m 644 doc/ping.8 $RPM_BUILD_ROOT%_mandir/man8/ install -m 644 doc/ping.8 $RPM_BUILD_ROOT%_mandir/man8/ping6.8 install -m 644 doc/pg3.8 $RPM_BUILD_ROOT%_mandir/man8/ install -m 644 doc/rdisc.8 $RPM_BUILD_ROOT%_mandir/man8/ %clean rm -rf $RPM_BUILD_ROOT %post %set_permissions %{_bindir}/ping %{_bindir}/ping6 %verifyscript %verify_permissions %{_bindir}/ping %{_bindir}/ping6 %files %defattr(-,root,root) %doc RELNOTES %{_sbindir}/arping %{_sbindir}/ifenslave 
%{_sbindir}/clockdiff %verify(not mode caps) %attr(4755,root,root) %{_bindir}/ping %verify(not mode caps) %attr(4755,root,root) %{_bindir}/ping6 %{_bindir}/ipg %{_sbindir}/tracepath %{_sbindir}/tracepath6 %{_sbindir}/in.rdisc #UsrMerge /bin/* /sbin/* #EndUsrMerge %attr(644,root,root) %_mandir/man8/* %changelog ++++++ ifenslave.c ++++++ ++++ 1103 lines (skipped) ++++++ iputils-ifenslave.diff ++++++ --- ifenslave.c +++ ifenslave.c @@ -520,8 +520,8 @@ static int if_getconfig(char *ifname) if (ioctl(skfd, SIOCGIFADDR, &ifr) < 0) return -1; printf("The result of SIOCGIFADDR is %2.2x.%2.2x.%2.2x.%2.2x.\n", - ifr.ifr_addr.sa_data[0], ifr.ifr_addr.sa_data[1], - ifr.ifr_addr.sa_data[2], ifr.ifr_addr.sa_data[3]); + ifr.ifr_addr.sa_data[2] & 0xff, ifr.ifr_addr.sa_data[3] & 0xff, + ifr.ifr_addr.sa_data[4] & 0xff, ifr.ifr_addr.sa_data[5] & 0xff); strcpy(ifr.ifr_name, ifname); if (ioctl(skfd, SIOCGIFHWADDR, &ifr) < 0) ++++++ iputils-pingnamelookuponce.diff ++++++ diff -ur iputils/ping.c iputils.new/ping.c --- ping.c 2004-03-17 12:36:43.000000000 +0100 +++ ping.c 2004-03-17 12:35:49.000000000 +0100 @@ -1141,15 +1141,24 @@ char * pr_addr(__u32 addr) { - struct hostent *hp; + struct hostent *hp = NULL; + static __u32 last_addr; static char buf[4096]; - if ((options & F_NUMERIC) || - !(hp = gethostbyaddr((char *)&addr, 4, AF_INET))) - sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&addr)); - else + if (!(options & F_NUMERIC)) { + if (buf[0] && addr == last_addr) + return buf; + hp = gethostbyaddr((char *)&addr, 4, AF_INET); + } + + if (hp) { snprintf(buf, sizeof(buf), "%s (%s)", hp->h_name, inet_ntoa(*(struct in_addr *)&addr)); + } else { + sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&addr)); + } + + last_addr = addr; return(buf); } diff -ur iputils/ping6.c iputils.new/ping6.c --- ping6.c 2004-03-17 12:36:43.000000000 +0100 +++ ping6.c 2004-03-17 12:36:29.000000000 +0100 
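Review bot: In %build, `gcc $RPM_OPT_FLAGS -o ifenslave ifenslave.c` compiles ifenslave without the `-fpie`/`-pie` and `-Wl,-z,relro,-z,now` flags that the `make` line passes for the other tools, so the changelog entry about building everything with full RELRO does not cover this binary. Something like `gcc $RPM_OPT_FLAGS -fpie -pie -Wl,-z,relro,-z,now -o ifenslave ifenslave.c` would bring it in line. The `/bin/*` and `/sbin/*` globs in %files also package anything that ends up in those buildroot directories; listing the symlinks explicitly would be tighter.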
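Review bot: The new indices 2..5 in the `printf` of iputils-ifenslave.diff are only right if `ifr.ifr_addr` holds a `struct sockaddr_in` (bytes 0 and 1 of `sa_data` are then the port), and nothing in the hunk says so. A comment such as `/* sa_data[0..1] is sin_port; the IPv4 address is sa_data[2..5] */`, or a cast to `struct sockaddr_in *`, would make that explicit. Separately, the unchanged `strcpy(ifr.ifr_name, ifname)` just below copies into a fixed-size field with no length check visible here, so it is worth confirming that the caller bounds `ifname`. if_getconfig() starts and ends outside the hunk.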
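Review bot: In the ping.c `pr_addr()` hunk the numeric branch still formats with `sprintf(buf, "%s", inet_ntoa(...))` while the hostname branch next to it uses `snprintf`. The dotted-quad string fits easily, but `snprintf(buf, sizeof(buf), "%s", inet_ntoa(*(struct in_addr *)&addr));` keeps both writes to the static buffer bounded the same way. A one-line comment on the cache, e.g. `/* reuse the last result so each reply does not trigger a reverse lookup */`, would also explain why `last_addr` and the `buf[0]` test exist.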
@@ -898,11 +898,22 @@ char * pr_addr(struct in6_addr *addr) { struct hostent *hp = NULL; + static struct in6_addr last_addr; + static char buf[1024]; - if (!(options&F_NUMERIC)) + if (!(options&F_NUMERIC)) { + if (buf[0] && !memcmp(&last_addr, addr, sizeof(*addr))) + return buf; hp = gethostbyaddr((__u8*)addr, sizeof(struct in6_addr), AF_INET6); + } - return hp ? hp->h_name : pr_addr_n(addr); + if (hp && strlen(hp->h_name) < sizeof(buf)) { + strcpy(buf, hp->h_name); + } else { + inet_ntop(AF_INET6, addr, buf, sizeof(buf)); + } + last_addr = *addr; + return buf; } char * pr_addr_n(struct in6_addr *addr) ++++++ iputils-pingtypo.diff ++++++ --- ping.c 2011-05-31 10:02:27.076182828 +0200 +++ ping.c 2011-05-31 10:02:34.513776200 +0200 @@ -699,7 +699,7 @@ void pr_echo_reply(__u8 *_icp, int len) { struct icmphdr *icp = (struct icmphdr *)_icp; - printf(" icmp_req=%u", ntohs(icp->un.echo.sequence)); + printf(" icmp_seq=%u", ntohs(icp->un.echo.sequence)); } int ++++++ iputils-s20101006-capabilities.diff ++++++ >From 584838c9d4a496c4329e4c9a3d35520db00abb99 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel <ludwig.nus...@suse.de> Date: Wed, 3 Nov 2010 17:43:42 +0100 Subject: [PATCH iputils] drop capabilities dropping capabilities makes sure that ping also gets rid of privileges gained via fscaps. Capabilities are also dropped when called as root so the running ping process has no special privileges anymore at all even in that case. Capabilities need to be dropped after setuid() otherwise a setuid ping would not have the privileges to drop root privileges anymore! --- Makefile | 6 ++++++ ping.c | 16 ++++++++++++++++ ping6.c | 16 ++++++++++++++++ 3 files changed, 38 insertions(+), 0 deletions(-) diff --git a/Makefile b/Makefile index d9a5ca5..6629ebf 100644 --- a/Makefile +++ b/Makefile 
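Review bot: The `strlen(hp->h_name) < sizeof(buf)` test in the ping6.c `pr_addr()` hunk is the only thing keeping the following `strcpy` in bounds, and `h_name` comes from a reverse DNS answer, so the guard deserves a comment. Something like `/* h_name is resolver-supplied; fall back to the numeric form if it would not fit in buf */` makes the intent clear to whoever touches this next. The fallback now calls `inet_ntop()` directly instead of `pr_addr_n()`, which duplicates that helper; if the change is deliberate (to land the text in `buf` for the cache), a short comment saying so would help.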
@@ -6,6 +6,12 @@ DEFINES= #options if you have a bind>=4.9.4 libresolv (or, maybe, glibc) LDLIBS= ADDLIB= +CAPABILITIES= + +ifeq ($(CAPABILITIES),1) +DEFINES += -DHAVE_CAPABILITIES +LDLIBS += -lcap +endif #options if you compile with libc5, and without a bind>=4.9.4 libresolv # NOT AVAILABLE. Please, use libresolv. diff --git a/ping.c b/ping.c index eacb29d..fa91163 100644 --- a/ping.c +++ b/ping.c @@ -62,6 +62,9 @@ char copyright[] = #include <netinet/ip.h> #include <netinet/ip_icmp.h> +#ifdef HAVE_CAPABILITIES +#include <sys/capability.h> +#endif #ifndef ICMP_FILTER #define ICMP_FILTER 1 @@ -122,6 +125,9 @@ main(int argc, char **argv) u_char *packet; char *target, hnamebuf[MAX_HOSTNAMELEN]; char rspace[3 + 4 * NROUTES + 1]; /* record route space */ +#ifdef HAVE_CAPABILITIES + cap_t caps; +#endif icmp_sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP); socket_errno = errno; @@ -132,6 +138,16 @@ main(int argc, char **argv) exit(-1); } +#ifdef HAVE_CAPABILITIES + /* drop all capabilities unconditionally so even root isn't special anymore */ + caps = cap_init(); + if (cap_set_proc(caps) < 0) { + perror("ping: cap_set_proc"); + exit(-1); + } + cap_free(caps); +#endif + source.sin_family = AF_INET; preload = 1; diff --git a/ping6.c b/ping6.c index c5ff881..bfc0769 100644 --- a/ping6.c +++ b/ping6.c @@ -72,6 +72,9 @@ char copyright[] = #include <netinet/ip6.h> #include <netinet/icmp6.h> #include <resolv.h> +#ifdef HAVE_CAPABILITIES +#include <sys/capability.h> +#endif #include "ping6_niquery.h" @@ -528,6 +531,9 @@ int main(int argc, char *argv[]) int csum_offset, sz_opt; #endif static uint32_t scope_id = 0; +#ifdef HAVE_CAPABILITIES + cap_t caps; +#endif icmp_sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6); socket_errno = errno; 
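Review bot: `cap_init()` is not checked before `cap_set_proc(caps)` in the `@@ -132,6 +138,16 @@` hunk of ping.c, and the same block is repeated in the ping6.c hunk `@@ -538,6 +544,16 @@`. A NULL result should make cap_set_proc() fail, so this fails closed, but the diagnostic would be misleading; `if (caps == NULL) { perror("ping: cap_init"); exit(-1); }` keeps the failure explicit. In the ping6.c copy the message still reads `"ping: cap_set_proc"` and should name `ping6`. The drop appears to sit after the setuid() block, as the commit message requires, but that call is outside the hunk, so the ordering should be confirmed in the full main(). Any later option handling that needs CAP_NET_RAW or CAP_NET_ADMIN will presumably now fail for root as well.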
@@ -538,6 +544,16 @@ int main(int argc, char *argv[]) exit(-1); } +#ifdef HAVE_CAPABILITIES + /* drop all capabilities unconditionally so even root isn't special anymore */ + caps = cap_init(); + if (cap_set_proc(caps) < 0) { + perror("ping: cap_set_proc"); + exit(-1); + } + cap_free(caps); +#endif + source.sin6_family = AF_INET6; memset(&firsthop, 0, sizeof(firsthop)); firsthop.sin6_family = AF_INET6; -- 1.7.1 ++++++ iputils-s20101006-ping-interrupt.diff ++++++ --- ping.c 2013-07-23 11:15:15.851715020 +0200 +++ ping.c 2013-07-23 11:15:28.075824028 +0200 @@ -103,6 +103,7 @@ static u_short in_cksum(const u_short *addr, int len, u_short salt); static void pr_icmph(__u8 type, __u8 code, __u32 info, struct icmphdr *icp); static int parsetos(char *str); +static void doexit (int); static struct { struct cmsghdr cm; @@ -266,6 +267,8 @@ options |= F_SOURCEROUTE; } } + set_signal(SIGINT, doexit); + while (argc > 0) { target = *argv; @@ -1273,3 +1276,9 @@ " [-T tstamp-options] [-Q tos] [hop1 ...] destination\n"); exit(2); } + +static void doexit(int signo) +{ + exit (1); +} + ++++++ iputils-s20101006-sec-ping-unblock.diff ++++++ --- ping.c 2013-07-23 11:02:26.364843595 +0200 +++ ping.c 2013-07-23 11:02:32.740900627 +0200 @@ -129,6 +129,16 @@ cap_t caps; #endif + /* + * ping depend on SIGALARM to exit sometimes, + * but to popen, system, fork carry on parent signal handler + * so we mask it ourself. + */ + sigset_t s; + sigaddset(&s, SIGALRM); + sigprocmask(SIG_UNBLOCK, &s, NULL); + set_signal(SIGALRM, doexit); + icmp_sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP); socket_errno = errno; ++++++ iputils-traceroute6-stdint.diff ++++++ --- traceroute6.c +++ traceroute6.c 2004/09/03 09:38:22 @@ -230,6 +230,7 @@ * Tue Dec 20 03:50:13 PST 1988 */ +#include <stdint.h> #include <sys/param.h> #include <sys/time.h> #include <sys/socket.h> -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
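Review bot: `doexit()` in the last hunk of iputils-s20101006-ping-interrupt.diff calls `exit()` from a signal handler, which is not async-signal-safe: it runs atexit handlers and flushes stdio while the interrupted code may be in the middle of either. `_exit(1);` is the safe call here, and `(void)signo;` would silence the unused-parameter warning. The handler is installed for SIGINT in the second hunk, just before the target loop, and iputils-s20101006-sec-ping-unblock.diff installs it for SIGALRM too, so both paths are affected. main() starts and ends outside these hunks.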
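Review bot: In iputils-s20101006-sec-ping-unblock.diff, `sigset_t s` is passed to `sigaddset()` without being initialised, so `sigprocmask(SIG_UNBLOCK, &s, NULL)` may unblock whatever signals the stack contents happen to name. Add `sigemptyset(&s);` before `sigaddset(&s, SIGALRM);`. The block also uses `doexit`, which is only declared by iputils-s20101006-ping-interrupt.diff, applied after this patch in the spec, so this patch does not build on its own. The comment says "mask" where the code unblocks; wording like `/* SIGALRM may be inherited blocked from the parent; unblock it so the timer can end ping */` would match what it does. main() continues outside the hunk.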