commit: 1cc9a7d0c5b62ab36e04c724f5fa6877fb09a88f |
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
AuthorDate: Mon Feb 17 18:38:11 2020 +0000 |
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
CommitDate: Mon Feb 17 18:38:11 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1cc9a7d0 |
|
net-misc/oidentd: security cleanup (#709454) |
|
Bug: https://bugs.gentoo.org/709454 |
Package-Manager: Portage-2.3.89, Repoman-2.3.20 |
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org> |
|
net-misc/oidentd/Manifest | 1 - |
net-misc/oidentd/files/oidentd-2.0.7-confd | 4 -- |
.../files/oidentd-2.0.8-bind-to-ipv6-too.patch | 17 ------ |
net-misc/oidentd/files/oidentd-2.0.8-gcc5.patch | 25 --------- |
.../files/oidentd-2.0.8-log-conntrack-fails.patch | 52 ------------------ |
.../oidentd/files/oidentd-2.0.8-masquerading.patch | 43 --------------- |
.../oidentd-2.0.8-no-conntrack-masquerading.patch | 41 -------------- |
net-misc/oidentd/files/oidentd.conf | 22 -------- |
net-misc/oidentd/files/oidentd.service | 9 ---- |
net-misc/oidentd/files/oidentd.socket | 10 ---- |
net-misc/oidentd/files/oidentd_at.service | 7 --- |
net-misc/oidentd/files/oidentd_masq.conf | 10 ---- |
net-misc/oidentd/oidentd-2.0.8-r6.ebuild | 63 ---------------------- |
13 files changed, 304 deletions(-) |
|
29 |
diff --git a/net-misc/oidentd/Manifest b/net-misc/oidentd/Manifest |
30 |
index 4639109ca44..6d1c2163397 100644 |
31 |
--- a/net-misc/oidentd/Manifest |
32 |
+++ b/net-misc/oidentd/Manifest |
33 |
@@ -1,2 +1 @@ |
34 |
-DIST oidentd-2.0.8.tar.gz 212354 BLAKE2B 46f4c4478822e832885f5f38a2ab5b2132ff5c1e5071fd1dc6050e55992d50bd96be096064996853af69d16316e6aff648c5320714b53b60c038cc9aaedfedda SHA512 86229a4ef9892121c25a7140616e180f862ca34b73ea3ad9f0fbb008f657abb17e9f14c2c25ae14c14bfc14bf1ea10b50fd68318631a9c52227bbfd6e6d43288 |
35 |
DIST oidentd-2.4.0.tar.xz 188280 BLAKE2B e7a6cdcc78ae61b103b81335d6a4802bbc301adad256dbe9461245e7a2839e1f4786cf3bf7206df2f8fc6414351c4bb8f92c87d16d69f678e0793b9a760ee966 SHA512 3dc6f8ba1c374c21bbc721516f83c5b825d5bc75dbda390d5e5e0e72ceac31495380a6025c626edcec4f8685a009f5be9571606c50e28fc28dc9f73a20f1b2d0 |
36 |
|
37 |
diff --git a/net-misc/oidentd/files/oidentd-2.0.7-confd b/net-misc/oidentd/files/oidentd-2.0.7-confd |
38 |
deleted file mode 100644 |
39 |
index 3116889e67e..00000000000 |
40 |
--- a/net-misc/oidentd/files/oidentd-2.0.7-confd |
41 |
+++ /dev/null |
42 |
@@ -1,4 +0,0 @@ |
43 |
-# oidentd start-up options |
44 |
-USER="nobody" |
45 |
-GROUP="nobody" |
46 |
-OPTIONS="" |
47 |
|
48 |
diff --git a/net-misc/oidentd/files/oidentd-2.0.8-bind-to-ipv6-too.patch b/net-misc/oidentd/files/oidentd-2.0.8-bind-to-ipv6-too.patch |
49 |
deleted file mode 100644 |
50 |
index 2652622cdd4..00000000000 |
51 |
--- a/net-misc/oidentd/files/oidentd-2.0.8-bind-to-ipv6-too.patch |
52 |
+++ /dev/null |
53 |
@@ -1,17 +0,0 @@ |
54 |
-Patch to bind to ipv6 socket as well |
55 |
-Patch supplied by Fabian Knittel <fabian.knittel@×××××.com> |
56 |
---- oidentd-2.0.8/src/oidentd_inet_util.c 2006-05-22 02:31:19.000000000 +0200 |
57 |
-+++ oidentd-2.0.8.new/src/oidentd_inet_util.c 2010-03-01 20:26:11.000000000 +0100 |
58 |
-@@ -60,6 +60,12 @@ |
59 |
- #ifdef WANT_IPV6 |
60 |
- case AF_INET6: |
61 |
- SIN6(ai->ai_addr)->sin6_port = listen_port; |
62 |
-+ |
63 |
-+ if (setsockopt(listenfd, IPPROTO_IPV6, IPV6_V6ONLY, &one, |
64 |
-+ sizeof(one)) != 0) { |
65 |
-+ debug("setsockopt IPV6_V6ONLY: %s", strerror(errno)); |
66 |
-+ return (-1); |
67 |
-+ } |
68 |
- break; |
69 |
- #endif |
70 |
- |
71 |
|
72 |
diff --git a/net-misc/oidentd/files/oidentd-2.0.8-gcc5.patch b/net-misc/oidentd/files/oidentd-2.0.8-gcc5.patch |
73 |
deleted file mode 100644 |
74 |
index a401a65d9bc..00000000000 |
75 |
--- a/net-misc/oidentd/files/oidentd-2.0.8-gcc5.patch |
76 |
+++ /dev/null |
77 |
@@ -1,25 +0,0 @@ |
78 |
-Description: Fix a failure to build with gcc5. |
79 |
-Bug: http://bugs.debian.org/778035 |
80 |
- |
81 |
---- a/src/oidentd_util.c 2015-07-03 05:56:24.000000000 -0400 |
82 |
-+++ b/src/oidentd_util.c 2015-07-03 05:56:47.671378000 -0400 |
83 |
-@@ -75,7 +75,7 @@ |
84 |
- ** PRNG functions on systems whose libraries provide them.) |
85 |
- */ |
86 |
- |
87 |
--inline int randval(int i) { |
88 |
-+extern __attribute__ ((gnu_inline)) int randval(int i) { |
89 |
- /* Per _Numerical Recipes in C_: */ |
90 |
- return ((double) i * rand() / (RAND_MAX+1.0)); |
91 |
- } |
92 |
---- a/src/oidentd_util.h 2015-07-03 05:56:32.000000000 -0400 |
93 |
-+++ b/src/oidentd_util.h 2015-07-03 05:56:53.835378000 -0400 |
94 |
-@@ -58,7 +58,7 @@ |
95 |
- int find_group(const char *temp_group, gid_t *gid); |
96 |
- |
97 |
- int random_seed(void); |
98 |
--inline int randval(int i); |
99 |
-+extern __attribute__ ((gnu_inline)) int randval(int i); |
100 |
- |
101 |
- #ifndef HAVE_SNPRINTF |
102 |
- int snprintf(char *str, size_t n, char const *fmt, ...); |
103 |
|
104 |
diff --git a/net-misc/oidentd/files/oidentd-2.0.8-log-conntrack-fails.patch b/net-misc/oidentd/files/oidentd-2.0.8-log-conntrack-fails.patch |
105 |
deleted file mode 100644 |
106 |
index d29479ec028..00000000000 |
107 |
--- a/net-misc/oidentd/files/oidentd-2.0.8-log-conntrack-fails.patch |
108 |
+++ /dev/null |
109 |
@@ -1,52 +0,0 @@ |
110 |
-From 612f1d85dd59fc39b124392df38586769ebc8add Mon Sep 17 00:00:00 2001 |
111 |
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@××××××.com> |
112 |
-Date: Fri, 11 Mar 2016 10:00:59 +0100 |
113 |
-Subject: [PATCH] Log Linux core_init failures as normal error |
114 |
-MIME-Version: 1.0 |
115 |
-Content-Type: text/plain; charset=UTF-8 |
116 |
-Content-Transfer-Encoding: 8bit |
117 |
- |
118 |
-Opening Linux conntracking table file failure for different reason than |
119 |
-missing the file is fatal for deamon initizalization. But the failure |
120 |
-was logged inly in debugging build. |
121 |
- |
122 |
-This patch makes the fatal error visible in normal log. |
123 |
- |
124 |
-https://bugzilla.redhat.com/show_bug.cgi?id=1316308 |
125 |
-Signed-off-by: Petr Písař <ppisar@××××××.com> |
126 |
---- |
127 |
- src/kernel/linux.c | 6 +++--- |
128 |
- 1 file changed, 3 insertions(+), 3 deletions(-) |
129 |
- |
130 |
-diff --git a/src/kernel/linux.c b/src/kernel/linux.c |
131 |
-index 8bf265f..9103dbf 100644 |
132 |
---- a/src/kernel/linux.c |
133 |
-+++ b/src/kernel/linux.c |
134 |
-@@ -73,21 +73,21 @@ bool core_init(void) { |
135 |
- masq_fp = fopen(MASQFILE, "r"); |
136 |
- if (masq_fp == NULL) { |
137 |
- if (errno != ENOENT) { |
138 |
-- debug("fopen: %s: %s", MASQFILE, strerror(errno)); |
139 |
-+ o_log(NORMAL, "fopen: %s: %s", MASQFILE, strerror(errno)); |
140 |
- return false; |
141 |
- } |
142 |
- |
143 |
- masq_fp = fopen(CONNTRACK, "r"); |
144 |
- if (masq_fp == NULL) { |
145 |
- if (errno != ENOENT) { |
146 |
-- debug("fopen: %s: %s", CONNTRACK, strerror(errno)); |
147 |
-+ o_log(NORMAL, "fopen: %s: %s", CONNTRACK, strerror(errno)); |
148 |
- return false; |
149 |
- } |
150 |
- |
151 |
- masq_fp = fopen(NFCONNTRACK, "r"); |
152 |
- if (masq_fp == NULL) { |
153 |
- if (errno != ENOENT) { |
154 |
-- debug("fopen: %s: %s", NFCONNTRACK, strerror(errno)); |
155 |
-+ o_log(NORMAL, "fopen: %s: %s", NFCONNTRACK, strerror(errno)); |
156 |
- return false; |
157 |
- } |
158 |
- masq_fp = fopen("/dev/null", "r"); |
159 |
--- |
160 |
-2.5.0 |
161 |
- |
162 |
|
163 |
diff --git a/net-misc/oidentd/files/oidentd-2.0.8-masquerading.patch b/net-misc/oidentd/files/oidentd-2.0.8-masquerading.patch |
164 |
deleted file mode 100644 |
165 |
index 191e9b95e64..00000000000 |
166 |
--- a/net-misc/oidentd/files/oidentd-2.0.8-masquerading.patch |
167 |
+++ /dev/null |
168 |
@@ -1,43 +0,0 @@ |
169 |
---- oidentd.orig/src/kernel/linux.c 2006-05-22 06:58:53.000000000 +0300 |
170 |
-+++ oidentd-2.0.8/src/kernel/linux.c 2007-07-11 21:28:56.000000000 +0300 |
171 |
-@@ -48,6 +48,7 @@ |
172 |
- #define CFILE6 "/proc/net/tcp6" |
173 |
- #define MASQFILE "/proc/net/ip_masquerade" |
174 |
- #define CONNTRACK "/proc/net/ip_conntrack" |
175 |
-+#define NFCONNTRACK "/proc/net/nf_conntrack" |
176 |
- |
177 |
- static int netlink_sock; |
178 |
- extern struct sockaddr_storage proxy; |
179 |
-@@ -82,7 +83,15 @@ |
180 |
- debug("fopen: %s: %s", CONNTRACK, strerror(errno)); |
181 |
- return false; |
182 |
- } |
183 |
-- masq_fp = fopen("/dev/null", "r"); |
184 |
-+ |
185 |
-+ masq_fp = fopen(NFCONNTRACK, "r"); |
186 |
-+ if (masq_fp == NULL) { |
187 |
-+ if (errno != ENOENT) { |
188 |
-+ debug("fopen: %s: %s", NFCONNTRACK, strerror(errno)); |
189 |
-+ return false; |
190 |
-+ } |
191 |
-+ masq_fp = fopen("/dev/null", "r"); |
192 |
-+ } |
193 |
- } |
194 |
- |
195 |
- netfilter = true; |
196 |
-@@ -367,6 +376,15 @@ |
197 |
- &nport_temp, &mport_temp); |
198 |
- } |
199 |
- |
200 |
-+ if (ret != 21) { |
201 |
-+ ret = sscanf(buf, |
202 |
-+ "%*15s %*d %15s %*d %*d ESTABLISHED src=%d.%d.%d.%d dst=%d.%d.%d.%d sport=%d dport=%d packets=%*d bytes=%*d src=%d.%d.%d.%d dst=%d.%d.%d.%d sport=%d dport=%d", |
203 |
-+ proto, &l1, &l2, &l3, &l4, &r1, &r2, &r3, &r4, |
204 |
-+ &masq_lport_temp, &masq_fport_temp, |
205 |
-+ &nl1, &nl2, &nl3, &nl4, &nr1, &nr2, &nr3, &nr4, |
206 |
-+ &nport_temp, &mport_temp); |
207 |
-+ } |
208 |
-+ |
209 |
- if (ret != 21) |
210 |
- continue; |
211 |
- |
212 |
|
213 |
diff --git a/net-misc/oidentd/files/oidentd-2.0.8-no-conntrack-masquerading.patch b/net-misc/oidentd/files/oidentd-2.0.8-no-conntrack-masquerading.patch |
214 |
deleted file mode 100644 |
215 |
index 92ef0252316..00000000000 |
216 |
--- a/net-misc/oidentd/files/oidentd-2.0.8-no-conntrack-masquerading.patch |
217 |
+++ /dev/null |
218 |
@@ -1,41 +0,0 @@ |
219 |
-From 20a63ad8a90c36397cceedd34887298890dbafa3 Mon Sep 17 00:00:00 2001 |
220 |
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@××××××.com> |
221 |
-Date: Fri, 11 Mar 2016 10:38:10 +0100 |
222 |
-Subject: [PATCH] Linux: Do not open conntracking table if masquerading is not |
223 |
- enabled |
224 |
-MIME-Version: 1.0 |
225 |
-Content-Type: text/plain; charset=UTF-8 |
226 |
-Content-Transfer-Encoding: 8bit |
227 |
- |
228 |
-The contracking table was always opened. This is unnecessary because |
229 |
-the table is used only when masquerading feature is requested on run |
230 |
-time. |
231 |
- |
232 |
-This patch skips opening the conntracking table on Linux if |
233 |
-masquerading is not requested. |
234 |
- |
235 |
-https://bugzilla.redhat.com/show_bug.cgi?id=1316308 |
236 |
-Signed-off-by: Petr Písař <ppisar@××××××.com> |
237 |
---- |
238 |
- src/kernel/linux.c | 5 +++++ |
239 |
- 1 file changed, 5 insertions(+) |
240 |
- |
241 |
-diff --git a/src/kernel/linux.c b/src/kernel/linux.c |
242 |
-index 9103dbf..859f554 100644 |
243 |
---- a/src/kernel/linux.c |
244 |
-+++ b/src/kernel/linux.c |
245 |
-@@ -70,6 +70,11 @@ bool netfilter; |
246 |
- */ |
247 |
- bool core_init(void) { |
248 |
- #ifdef MASQ_SUPPORT |
249 |
-+ if (!opt_enabled(MASQ)) { |
250 |
-+ masq_fp = NULL; |
251 |
-+ return true; |
252 |
-+ } |
253 |
-+ |
254 |
- masq_fp = fopen(MASQFILE, "r"); |
255 |
- if (masq_fp == NULL) { |
256 |
- if (errno != ENOENT) { |
257 |
--- |
258 |
-2.5.0 |
259 |
- |
260 |
|
261 |
diff --git a/net-misc/oidentd/files/oidentd.conf b/net-misc/oidentd/files/oidentd.conf |
262 |
deleted file mode 100644 |
263 |
index 03b28d82780..00000000000 |
264 |
--- a/net-misc/oidentd/files/oidentd.conf |
265 |
+++ /dev/null |
266 |
@@ -1,22 +0,0 @@ |
267 |
-# Configuration for oidentd |
268 |
-# see oidentd.conf(5) |
269 |
-# |
270 |
-default { |
271 |
- default { |
272 |
- deny spoof |
273 |
- deny spoof_all |
274 |
- deny spoof_privport |
275 |
- allow random |
276 |
- allow random_numeric |
277 |
- allow numeric |
278 |
- deny hide |
279 |
- } |
280 |
-} |
281 |
- |
282 |
-# you may want to hide root connections |
283 |
-#user "root" { |
284 |
-# default { |
285 |
-# force reply "UNKNOWN" |
286 |
-# } |
287 |
-#} |
288 |
- |
289 |
|
290 |
diff --git a/net-misc/oidentd/files/oidentd.service b/net-misc/oidentd/files/oidentd.service |
291 |
deleted file mode 100644 |
292 |
index bf159d855b8..00000000000 |
293 |
--- a/net-misc/oidentd/files/oidentd.service |
294 |
+++ /dev/null |
295 |
@@ -1,9 +0,0 @@ |
296 |
-[Unit] |
297 |
-Description=TCP/IP IDENT protocol server |
298 |
- |
299 |
-[Service] |
300 |
-ExecStart=/usr/sbin/oidentd -i -S -u nobody -g nobody |
301 |
-ExecReload=/bin/kill -HUP $MAINPID |
302 |
- |
303 |
-[Install] |
304 |
-WantedBy=multi-user.target |
305 |
|
306 |
diff --git a/net-misc/oidentd/files/oidentd.socket b/net-misc/oidentd/files/oidentd.socket |
307 |
deleted file mode 100644 |
308 |
index 63df7036e54..00000000000 |
309 |
--- a/net-misc/oidentd/files/oidentd.socket |
310 |
+++ /dev/null |
311 |
@@ -1,10 +0,0 @@ |
312 |
-[Unit] |
313 |
-Description=Ident (RFC 1413) socket |
314 |
-Conflicts=oidentd.service |
315 |
- |
316 |
-[Socket] |
317 |
-ListenStream=113 |
318 |
-Accept=yes |
319 |
- |
320 |
-[Install] |
321 |
-WantedBy=sockets.target |
322 |
|
323 |
diff --git a/net-misc/oidentd/files/oidentd_at.service b/net-misc/oidentd/files/oidentd_at.service |
324 |
deleted file mode 100644 |
325 |
index ac03a94d6c8..00000000000 |
326 |
--- a/net-misc/oidentd/files/oidentd_at.service |
327 |
+++ /dev/null |
328 |
@@ -1,7 +0,0 @@ |
329 |
-[Unit] |
330 |
-Description=Ident (RFC 1413) per-connection server |
331 |
- |
332 |
-[Service] |
333 |
-ExecStart=/usr/sbin/oidentd -I -S -u nobody -g nobody |
334 |
-ExecReload=/bin/kill -HUP $MAINPID |
335 |
-StandardInput=socket |
336 |
|
337 |
diff --git a/net-misc/oidentd/files/oidentd_masq.conf b/net-misc/oidentd/files/oidentd_masq.conf |
338 |
deleted file mode 100644 |
339 |
index 6811288ff4c..00000000000 |
340 |
--- a/net-misc/oidentd/files/oidentd_masq.conf |
341 |
+++ /dev/null |
342 |
@@ -1,10 +0,0 @@ |
343 |
-# oident masquarded connections configuration |
344 |
- |
345 |
-# use this file if your host is masquarading connections for several |
346 |
-# hosts and you want to return a reply based on the hostname of |
347 |
-# the originating machine |
348 |
-# add "-f" to OIDENT_OPTIONS in /etc/conf.d/oidentd if you want |
349 |
-# to forward ident requests to the real host |
350 |
- |
351 |
-# add hosts in the following format, see oidentd_masq.conf(5) for details: |
352 |
-# <ip or host>[/mask] <username> <os> |
353 |
|
354 |
diff --git a/net-misc/oidentd/oidentd-2.0.8-r6.ebuild b/net-misc/oidentd/oidentd-2.0.8-r6.ebuild |
355 |
deleted file mode 100644 |
356 |
index aa6c386da6e..00000000000 |
357 |
--- a/net-misc/oidentd/oidentd-2.0.8-r6.ebuild |
358 |
+++ /dev/null |
359 |
@@ -1,63 +0,0 @@ |
360 |
-# Copyright 1999-2020 Gentoo Authors |
361 |
-# Distributed under the terms of the GNU General Public License v2 |
362 |
- |
363 |
-EAPI=6 |
364 |
- |
365 |
-inherit linux-info systemd |
366 |
- |
367 |
-DESCRIPTION="Another (RFC1413 compliant) ident daemon" |
368 |
-HOMEPAGE="https://oidentd.janikrabe.com/" |
369 |
-SRC_URI="mirror://sourceforge/ojnk/${P}.tar.gz" |
370 |
- |
371 |
-LICENSE="GPL-2" |
372 |
-SLOT="0" |
373 |
-KEYWORDS="~alpha amd64 arm hppa ia64 ~mips ppc ppc64 ~s390 ~sh ~sparc x86" |
374 |
-IUSE="debug ipv6 masquerade selinux" |
375 |
- |
376 |
-DEPEND="" |
377 |
- |
378 |
-RDEPEND="${DEPEND} |
379 |
- selinux? ( sec-policy/selinux-oident )" |
380 |
- |
381 |
-DOCS=( AUTHORS ChangeLog README TODO NEWS "${FILESDIR}"/${PN}_masq.conf "${FILESDIR}"/${PN}.conf ) |
382 |
- |
383 |
-PATCHES=( |
384 |
- "${FILESDIR}/${P}-masquerading.patch" |
385 |
- "${FILESDIR}/${P}-bind-to-ipv6-too.patch" |
386 |
- "${FILESDIR}/${P}-gcc5.patch" |
387 |
- "${FILESDIR}/${P}-log-conntrack-fails.patch" |
388 |
- "${FILESDIR}/${P}-no-conntrack-masquerading.patch" |
389 |
-) |
390 |
- |
391 |
-pkg_setup() { |
392 |
- local CONFIG_CHECK="~INET_TCP_DIAG" |
393 |
- |
394 |
- if use kernel_linux; then |
395 |
- linux-info_pkg_setup |
396 |
- fi |
397 |
-} |
398 |
- |
399 |
-src_configure() { |
400 |
- econf \ |
401 |
- $(use_enable debug) \ |
402 |
- $(use_enable ipv6) \ |
403 |
- $(use_enable masquerade masq) \ |
404 |
- $(use_enable masquerade nat) |
405 |
-} |
406 |
- |
407 |
-src_install() { |
408 |
- default |
409 |
- |
410 |
- newinitd "${FILESDIR}"/${PN}-2.0.7-init ${PN} |
411 |
- newconfd "${FILESDIR}"/${PN}-2.0.7-confd ${PN} |
412 |
- |
413 |
- systemd_newunit "${FILESDIR}"/${PN}_at.service ${PN}@.service |
414 |
- systemd_dounit "${FILESDIR}"/${PN}.socket |
415 |
- systemd_dounit "${FILESDIR}"/${PN}.service |
416 |
-} |
417 |
- |
418 |
-pkg_postinst() { |
419 |
- echo |
420 |
- elog "Example configuration files are in /usr/share/doc/${PF}" |
421 |
- echo |
422 |
-} |