From: Thomas Danckaert <post@thomasdanckaert.be>
To: leo@famulari.name
Cc: guix-devel@gnu.org
Subject: Re: [PATCH] gnu: Add xinetd.,Re: [PATCH] gnu: Add xinetd.
Date: Tue, 31 Jan 2017 08:49:16 +0100 (CET)
Message-ID: <20170131.084916.1061110240342484370.post@thomasdanckaert.be>
In-Reply-To: <20170130223821.GB5172@jasmine>
[-- Attachment #1: Type: Text/Plain, Size: 1058 bytes --]
From: Leo Famulari <leo@famulari.name>
Subject: Re: [PATCH] gnu: Add xinetd.,Re: [PATCH] gnu: Add xinetd.
Date: Mon, 30 Jan 2017 17:38:21 -0500
> Overall LGTM, but we should include at least the patch for the
> CVE-2013-4342, introduced here:
>
> https://github.com/xinetd-org/xinetd/pull/10
Yes, you're right. I was under the impression that the CVE was
already fixed in version 2.3.15, but it's not. I took the patch from
github (it's already in the master branch, there's just no recent
release).
> And applied as 000009-TCPMUX by Debian, along with some other
> patches
> that should be evaluated:
>
> https://anonscm.debian.org/cgit/collab-maint/xinetd.git/tree/debian/patches
I've added a patch that fixes a file descriptor leak (and created a
pull request for it). There's also a patch to fix compilation on
Hurd, but that's probably something that should be fixed upstream?
The other patches are corrections to the man pages, which have made
it into upstream master as well, so perhaps we do not need to add
them all to Guix.
Thomas
[-- Attachment #2: 0001-gnu-Add-xinetd.patch --]
[-- Type: Text/X-Patch, Size: 4867 bytes --]
From 7a10feac4ec4035214a8fc212344aacec83bedc6 Mon Sep 17 00:00:00 2001
From: Thomas Danckaert <thomas.danckaert@gmail.com>
Date: Thu, 26 Jan 2017 11:35:50 +0100
Subject: [PATCH] gnu: Add xinetd.
* gnu/packages/web.scm (xinetd): New variable.
* gnu/packages/patches/xinetd-CVE-2013-4342.patch: New file.
* gnu/packages/patches/xinetd-fix-fd-leak.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
gnu/local.mk | 2 ++
gnu/packages/patches/xinetd-CVE-2013-4342.patch | 27 +++++++++++++++++++++++++
gnu/packages/patches/xinetd-fix-fd-leak.patch | 18 +++++++++++++++++
gnu/packages/web.scm | 25 +++++++++++++++++++++++
4 files changed, 72 insertions(+)
create mode 100644 gnu/packages/patches/xinetd-CVE-2013-4342.patch
create mode 100644 gnu/packages/patches/xinetd-fix-fd-leak.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 59fc1a8..160a4aa 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -953,6 +953,8 @@ dist_patch_DATA = \
%D%/packages/patches/xfce4-panel-plugins.patch \
%D%/packages/patches/xfce4-session-fix-xflock4.patch \
%D%/packages/patches/xfce4-settings-defaults.patch \
+ %D%/packages/patches/xinetd-fix-fd-leak.patch \
+ %D%/packages/patches/xinetd-CVE-2013-4342.patch \
%D%/packages/patches/xmodmap-asprintf.patch \
%D%/packages/patches/libyaml-CVE-2014-9130.patch \
%D%/packages/patches/zathura-plugindir-environment-variable.patch
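Review bot: the two added entries list `xinetd-fix-fd-leak.patch` before `xinetd-CVE-2013-4342.patch`, which is both the reverse of the order `search-patches` uses in web.scm and out of place in a list whose neighbouring xfce4/xmodmap entries are alphabetical (uppercase `C` sorts before lowercase `f`, so `xinetd-CVE-...` belongs first). Swap the two lines so local.mk and the package definition agree.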
diff --git a/gnu/packages/patches/xinetd-CVE-2013-4342.patch b/gnu/packages/patches/xinetd-CVE-2013-4342.patch
new file mode 100644
index 0000000..f095a44
--- /dev/null
+++ b/gnu/packages/patches/xinetd-CVE-2013-4342.patch
@@ -0,0 +1,27 @@
+From 91e2401a219121eae15244a6b25d2e79c1af5864 Mon Sep 17 00:00:00 2001
+From: Thomas Swan <thomas.swan@gmail.com>
+Date: Wed, 2 Oct 2013 23:17:17 -0500
+Subject: [PATCH] CVE-2013-4342: xinetd: ignores user and group directives for
+ TCPMUX services
+
+Originally reported to Debian in 2005 <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678> and rediscovered <https://bugzilla.redhat.com/show_bug.cgi?id=1006100>, xinetd would execute TCPMUX services without dropping privilege to match the service configuration allowing the service to run with same privilege as the xinetd process (root).
+---
+ xinetd/builtins.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xinetd/builtins.c b/xinetd/builtins.c
+index 3b85579..34a5bac 100644
+--- a/xinetd/builtins.c
++++ b/xinetd/builtins.c
+@@ -617,7 +617,7 @@ static void tcpmux_handler( const struct server *serp )
+ if( SC_IS_INTERNAL( scp ) ) {
+ SC_INTERNAL(scp, nserp);
+ } else {
+- exec_server(nserp);
++ child_process(nserp);
+ }
+ }
+
+--
+2.7.4
+
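Review bot: the patch file carries no Guix-style provenance header; its only origin information is the embedded git header (commit 91e2401a...), whereas the fd-leak patch below opens with a "Reported upstream at ..." line. Add a first line such as "Fix CVE-2013-4342. Taken from upstream: https://github.com/xinetd-org/xinetd/pull/10" (the pull request named earlier in this thread) so a reader can tell at a glance whether the change is merged. On the hunk itself: swapping `exec_server(nserp)` for `child_process(nserp)` in tcpmux_handler is the entire fix, and the commit message states the reason it matters: TCPMUX-dispatched external services were exec'd without the service's user and group directives being applied, so they ran with xinetd's own privileges (root). Since the hunk header (line 617) comes from upstream master rather than from the 2.3.15 release, check that the hunk applies without fuzz to the release tarball when building.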
diff --git a/gnu/packages/patches/xinetd-fix-fd-leak.patch b/gnu/packages/patches/xinetd-fix-fd-leak.patch
new file mode 100644
index 0000000..70a4ec2
--- /dev/null
+++ b/gnu/packages/patches/xinetd-fix-fd-leak.patch
@@ -0,0 +1,18 @@
+Reported upstream at https://github.com/xinetd-org/xinetd/pull/26.
+
+diff --git a/xinetd/xgetloadavg.c b/xinetd/xgetloadavg.c
+index 5a26214..fe0f872 100644
+--- a/xinetd/xgetloadavg.c
++++ b/xinetd/xgetloadavg.c
+@@ -34,7 +34,7 @@ double xgetloadavg(void)
+
+ if( fscanf(fd, "%lf", &ret) != 1 ) {
+ perror("fscanf");
+- return -1;
++ ret = -1;
+ }
+
+ fclose(fd);
+--
+2.7.4
+
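Review bot: the fix is correct for the path shown: the early `return -1` bypassed the `fclose(fd)` two lines below it, leaking one descriptor on every fscanf failure, and turning it into `ret = -1` lets control fall through to the close. Because the package is configured with `--with-loadavg`, xgetloadavg() is compiled in and this path is reachable, so the patch is worth carrying. Once upstream merges pull request 26, update the header line from "Reported upstream" to state that it is merged, so the patch can be dropped on the next release.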
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 67b9797..80f52ee 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -3995,3 +3995,28 @@ programs' code. Its architecture is optimized for security, portability, and
scalability (including load-balancing), making it suitable for large
deployments.")
(license l:gpl2+)))
+
+(define-public xinetd
+ (package
+ (name "xinetd")
+ (version "2.3.15")
+ (source
+ (origin
+ (method url-fetch)
+ (uri "https://github.com/xinetd-org/xinetd/archive/xinetd-2-3-15.tar.gz")
+ (patches (search-patches "xinetd-CVE-2013-4342.patch" "xinetd-fix-fd-leak.patch"))
+ (sha256
+ (base32
+ "0k59x52cbzp5fw0n8zn0y54j1ps0x9b72y8k5grzswjdmgs2a2v2"))))
+ (build-system gnu-build-system)
+ (arguments
+ `(#:configure-flags '("--with-loadavg")
+ #:tests? #f )) ; no tests
+ (home-page "https://github.com/xinetd-org/xinetd")
+ (synopsis "Internet services daemon")
+ (description "@code{xinetd}, a more secure replacement for @code{inetd},
+listens for incoming requests over a network and launches the appropriate
+service for that request. Requests are made using port numbers as identifiers
+and xinetd usually launches another daemon to handle the request. It can be
+used to start services with both privileged and non-privileged port numbers.")
+ (license (l:non-copyleft "file://COPYRIGHT"))))
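Review bot: the `uri` hard-codes the tag name `xinetd-2-3-15` separately from `version`, so a future version bump that edits only `(version ...)` would silently keep fetching the old tarball until the hash mismatch is noticed; derive the tag from the version instead, e.g. `(string-append "https://github.com/xinetd-org/xinetd/archive/xinetd-" (string-join (string-split version #\.) "-") ".tar.gz")`. Two smaller points: `#:tests? #f )` has a stray space before the closing paren, and xinetd is a generic super-server rather than a web package, so a networking or admin module may be a better home than web.scm. The description's claim that xinetd is "a more secure replacement for inetd" is fair only with the CVE-2013-4342 patch applied, which this package does, so keep both patches in `search-patches` when the definition is finalised.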
--
2.7.4
Thread overview: 9+ messages
2017-01-26 10:43 [PATCH] gnu: Add xinetd Thomas Danckaert
2017-01-26 13:58 ` Tobias Geerinckx-Rice
2017-01-26 14:55 ` [PATCH] gnu: Add xinetd.,Re: " Thomas Danckaert
2017-01-26 15:00 ` Thomas Danckaert
2017-01-30 22:38 ` Leo Famulari
2017-01-31 7:49 ` Thomas Danckaert [this message]
2017-01-31 20:10 ` Leo Famulari
2017-01-31 20:27 ` Thomas Danckaert
2017-02-01 22:25 ` Ludovic Courtès