author | Markos Chandras <hwoarang@gentoo.org> | 2012-06-16 16:58:14 +0000 |
---|---|---|
committer | Markos Chandras <hwoarang@gentoo.org> | 2012-06-16 16:58:14 +0000 |
commit | 167e7cccacd885f65f4c36dbecdf0a364710a54d (patch) | |
tree | 875134c9f2aa85ebc9874440af05afadcfa17414 /app-shells/rssh | |
parent | Use global USE flag "postscript" instead of local USE flag "ps" for PostScrip... (diff) | |
download | historical-167e7cccacd885f65f4c36dbecdf0a364710a54d.tar.gz historical-167e7cccacd885f65f4c36dbecdf0a364710a54d.tar.bz2 historical-167e7cccacd885f65f4c36dbecdf0a364710a54d.zip |
Revbump to fix security problem. bug #415255. Thanks to Marios Andreopoulos <opensource@andmarios.com>. Take over by proxy-maintainers
Package-Manager: portage-2.1.10.65/cvs/Linux x86_64
Diffstat (limited to 'app-shells/rssh')
-rw-r--r-- | app-shells/rssh/ChangeLog | 12 | ||||
-rw-r--r-- | app-shells/rssh/Manifest | 31 | ||||
-rw-r--r-- | app-shells/rssh/files/rssh-2.3.3-envvars.patch | 228 | ||||
-rw-r--r-- | app-shells/rssh/metadata.xml | 5 | ||||
-rw-r--r-- | app-shells/rssh/rssh-2.3.2.ebuild | 37 | ||||
-rw-r--r-- | app-shells/rssh/rssh-2.3.3-r1.ebuild | 35 | ||||
-rw-r--r-- | app-shells/rssh/rssh-2.3.3.ebuild | 37 |
7 files changed, 297 insertions, 88 deletions
diff --git a/app-shells/rssh/ChangeLog b/app-shells/rssh/ChangeLog index 1683190964ec..e2efa0a579fc 100644 --- a/app-shells/rssh/ChangeLog +++ b/app-shells/rssh/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for app-shells/rssh -# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-shells/rssh/ChangeLog,v 1.23 2011/04/30 17:29:18 armin76 Exp $ +# Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-x86/app-shells/rssh/ChangeLog,v 1.24 2012/06/16 16:58:14 hwoarang Exp $ + +*rssh-2.3.3-r1 (16 Jun 2012) + + 16 Jun 2012; Markos Chandras <hwoarang@gentoo.org> -rssh-2.3.2.ebuild, + -rssh-2.3.3.ebuild, +rssh-2.3.3-r1.ebuild, +files/rssh-2.3.3-envvars.patch, + metadata.xml: + Revbump to fix security problem. bug #415255. Thanks to Marios Andreopoulos + <opensource@andmarios.com>. Take over by proxy-maintainers 30 Apr 2011; Raúl Porcel <armin76@gentoo.org> rssh-2.3.3.ebuild: sparc stable wrt #344339 diff --git a/app-shells/rssh/Manifest b/app-shells/rssh/Manifest index a5077af4ffb2..0def5c273696 100644 --- a/app-shells/rssh/Manifest +++ b/app-shells/rssh/Manifest 
@@ -1,18 +1,25 @@ -----BEGIN PGP SIGNED MESSAGE----- -Hash: SHA256 +Hash: SHA512 -DIST rssh-2.3.2.tar.gz 113959 RMD160 bcdf7d111042bbf296d624943e3350d5273676ed SHA1 bc7154f50dec1e46cb76b3e1c00e2b1179e50d3d SHA256 8569a07dd96c8f70d0310186b37bbb2e8e591807ac1d1bd0990c02bfd467ba57 +AUX rssh-2.3.3-envvars.patch 7087 RMD160 bcf2ae7a8de12cc067d341807d7a74603f4ede32 SHA1 434712f82f24c60834a10142ca5c49b8a57555a7 SHA256 d407531c9717306dbd5e1b3bbb587b5ce5d9f6b6440edb51d2d9f6c64401d4b6 DIST rssh-2.3.3.tar.gz 119510 RMD160 e9f5c3a8f8cecd6b29c6b85a2672cd22481ef8b5 SHA1 0a6dd80b5e6059e0db12c9f1276121dd966b610a SHA256 1940912c2485f8531e4461de06bd2aebc607d2a89805debb7ac81002fa6fd07f -EBUILD rssh-2.3.2.ebuild 878 RMD160 fd3def37b64e3956e3a12d006453c6e314bad986 SHA1 5cb05d2247198fcae697a000538fe270ece6442a SHA256 e0a0d6861a6c4711367a81ce4a20e56eec44459e3cf8f4dcc557ccad2616c1f9 -EBUILD rssh-2.3.3.ebuild 880 RMD160 b2d6d3b09a8cca4a9eb841a96b8622ed4c852ad6 SHA1 a74aeea139baed1632014dd5c79d986c3c190973 SHA256 a9ee8c8e2ffa8707eaec2b3adf49e0c9b21aa8bcfbd368a9d9b2a521faf3e3fe -MISC ChangeLog 2631 RMD160 c055d140b80f96b3ea11bfadc150ce926ff25200 SHA1 33c99b655b51390fce905b68b716826779570c8b SHA256 6fb515b93b2eefa79cf5beff44438e61f0895671a19da11b00af1eca0d700cb2 -MISC metadata.xml 139 RMD160 c84b2b78f85074cc5c7d26cb757d91c8384fa16a SHA1 00e3ae2ead875413d94aeafa5279646740c2c21d SHA256 5cdc1888ebc8807b9a37b1d33429c61cabe7415a4f240e21a4c2ff8eca7a34ed +EBUILD rssh-2.3.3-r1.ebuild 891 RMD160 36a8d9baca454a13956a99ba8a8219894b682e6a SHA1 b0e6d50021202c69d27cfe6d909d9621cf46be51 SHA256 6ee507b5d3219c7d253a2c6159c9ce86374e0c4d7da622392816a33853bf9204 +MISC ChangeLog 2969 RMD160 a07862e3ad13c300f17883dccd3d9e4cfd77ab9c SHA1 b43b101b50118cfcdcf8b6cdeca3a524ca7cdd86 SHA256 2c770c206530061dc15330b5bd7b682e1d7bb098de26231f9da9356debf3f541 +MISC metadata.xml 272 RMD160 bb70b862fa39af58b186c5d2c7ae18ca31c2604a SHA1 4e17571eccf21f1cadf628f02f458a5c7ea83b1e SHA256 
0c365913714b5beca9b01b87b60c5fba58bd64d4f17dbd9a4e64868deb580883 -----BEGIN PGP SIGNATURE----- -Version: GnuPG v2.0.18 (GNU/Linux) +Version: GnuPG v2.0.19 (GNU/Linux) -iJwEAQEIAAYFAk59AdIACgkQfXuS5UK5QB3iCAP+IkgwT/quR3JmxmwQgluV4vYA -ByWOCRceCX2Mn65ktdGkBrBEuvZyUBFqWE7vklM1heB0nA6me+ZpbzLlPXh6a1JQ -yT2IIOT1WfO1CNit6j5FY4fS64QmjhbGuIn1lNvm4Sjw7PShvt5YAOVyfPJWXSJH -M9PMSPcmOERLZY4eS7k= -=5lEN +iQIcBAEBCgAGBQJP3LsrAAoJEPqDWhW0r/LCg50P+wTBXP03WkTxu2Ha9h/Fizit +gTk1UzsSfxwXrf/NWEEtKHhy+pNZNEDBJcCG6fYn73k7tAofKhizFD7L7NagUOOF +8f7R0GAEVUxQxic531xYqL9Y3LXQITDC4EsyHAPvf1KFF2twIbn4QLeKNzFbkvT9 +nyPfvebmtKGu2RWqbPWRgwzVK34LYwWXyciwbXSyhau0gspyb1UHruQtIntgKidX +YNED9sYcYP/TpQBjYR6td4tBRkZr50cRrp4jnaswBNv3c9HPu59MHDyY1LvxFGAB +QhArWICObfPBi2A5PvgsqKbVWw2509zLkXLZXbksu+7T4vJAooPtVfL6vmsWDwvm +JoiKpdOVbkskFRrBSq2yiVVAgw4vaZFS980b+fupNhOu24ICNURCIbvz41heyoMZ ++35Eoymezu/qhEEMfQ0y12UcHZrBKZNCzENINfYbBzqiWIkT2zrBYTnoC9yysGGQ +aHszwD5iviYbBAA1Am8tJO1/Eww306ZEdv0ksq+lrwUANmk55yy1tZARuFe6q38B +X/VLRowFDUqPrQwci4GV26z6JD5cy2M4Lb4rC4h2omgJrswp61/B5IBVDaCpDCjq +jBLWmtlqizAbM6JScme5DJSiozPKoKntAnC5VU1JXaShIxHQB/IzL5A/TRzLCQmZ +BDH55UekCKX6sALudIa3 +=kA+9 -----END PGP SIGNATURE----- diff --git a/app-shells/rssh/files/rssh-2.3.3-envvars.patch b/app-shells/rssh/files/rssh-2.3.3-envvars.patch new file mode 100644 index 000000000000..e9193c7bd2e0 --- /dev/null +++ b/app-shells/rssh/files/rssh-2.3.3-envvars.patch 
@@ -0,0 +1,228 @@ +--- rssh-2.3.3/main.c.in 2010-08-01 15:43:30.000000000 -0400 ++++ rssh-2.3.3/main.c.in 2012-05-11 16:44:39.000000000 -0400 +@@ -184,7 +184,7 @@ + * determine if the command in cmdline is acceptable to run, and store + * name of program to exec in cmd + */ +- if ( !(*cmd = check_command_line(cmdline, opts)) ) return NULL; ++ if ( !(*cmd = get_command(cmdline, opts)) ) return NULL; + + /* if we need to do chroot processing, do it */ + if ( opts->shell_flags & RSSH_USE_CHROOT ){ +@@ -252,7 +252,9 @@ + } + + /* return vector of pointers to command line arguments */ +- return build_arg_vector(cmdline, 0); ++ argvec = build_arg_vector(cmdline, 0); ++ if (check_command_line(argvec, opts)) return argvec; ++ else return NULL; + } + + void vers_info( void ) +--- rssh-2.3.3/util.c 2010-08-01 09:07:00.000000000 -0400 ++++ rssh-2.3.3/util.c 2012-05-11 16:43:10.000000000 -0400 +@@ -106,7 +106,7 @@ + /* print error message to user and log attempt */ + fprintf(stderr, "\nThis account is restricted by rssh.\n" + "%s\n\nIf you believe this is in error, please contact " +- "your system administrator.\n\n", cmd); ++ "your system administrator.\n\n", cmd); + if ( argc < 3 ) + log_msg("user %s attempted to log in with a shell", + username); +@@ -132,31 +132,35 @@ + */ + bool opt_exist(char *cl, char opt) + { +- int i = 0; ++ int i = 1; + int len; +- char *token; +- bool optstring = FALSE; +- + + len = strlen(cl); + + /* process command line character by character */ +- while ( i < (len - 2) ){ +- if ( cl[i] == ' ' || cl[i] == '\t' ){ +- if ( cl[i+1] == '-' ){ +- optstring = TRUE; +- i+=2; +- } +- } +- if ( cl[i] == opt && optstring ) return TRUE; +- if ( cl[i] == ' ' || cl[i] == '\t' || cl[i] == '-' ) +- optstring = FALSE; ++ if (!(cl[0] == '-')) return FALSE; ++ while ( i < (len) ){ ++ if ( cl[i] == opt ) return TRUE; + i++; + } + return FALSE; + } + + ++bool opt_filter(char **vec, const char opt) ++{ ++ while (vec && *vec){ ++ if (opt_exist(*vec, opt)){ ++ 
fprintf(stderr, "\nillegal insecure %c option", opt); ++ log_msg("insecure %c option in scp command line!", opt); ++ return TRUE; ++ } ++ vec++; ++ } ++ return FALSE; ++} ++ ++ + bool check_command( char *cl, ShellOptions_t *opts, char *cmd, int cmdflag ) + { + int cl_len; /* length of command line */ +@@ -186,69 +190,78 @@ + return FALSE; + } + ++ + /* + * check_command_line() - take the command line passed to rssh, and verify +- * that the specified command is one the user is +- * allowed to run. Return the path of the command +- * which will be run if it is ok, or return NULL if it +- * is not. ++ * that the specified command is one the user is ++ * allowed to run and validate the arguments. Return the ++ * path of the command which will be run if it is ok, or ++ * return NULL if it is not. + */ +-char *check_command_line( char *cl, ShellOptions_t *opts ) ++char *check_command_line( char **cl, ShellOptions_t *opts ) + { + +- if ( check_command(cl, opts, PATH_SFTP_SERVER, RSSH_ALLOW_SFTP) ) ++ if ( check_command(*cl, opts, PATH_SFTP_SERVER, RSSH_ALLOW_SFTP) ) + return PATH_SFTP_SERVER; + +- if ( check_command(cl, opts, PATH_SCP, RSSH_ALLOW_SCP) ){ ++ if ( check_command(*cl, opts, PATH_SCP, RSSH_ALLOW_SCP) ){ + /* filter -S option */ +- if ( opt_exist(cl, 'S') ){ +- fprintf(stderr, "\ninsecure -S option not allowed."); +- log_msg("insecure -S option in scp command line!"); +- return NULL; +- } ++ if ( opt_filter(cl, 'S') ) return NULL; + return PATH_SCP; + } + +- if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) ){ +- if ( opt_exist(cl, 'e') ){ +- fprintf(stderr, "\ninsecure -e option not allowed."); +- log_msg("insecure -e option in cvs command line!"); +- return NULL; +- } ++ if ( check_command(*cl, opts, PATH_CVS, RSSH_ALLOW_CVS) ){ ++ if ( opt_filter(cl, 'e') ) return NULL; + return PATH_CVS; + } + +- if ( check_command(cl, opts, PATH_RDIST, RSSH_ALLOW_RDIST) ){ ++ if ( check_command(*cl, opts, PATH_RDIST, RSSH_ALLOW_RDIST) ){ + /* filter -P option */ +- 
if ( opt_exist(cl, 'P') ){ +- fprintf(stderr, "\ninsecure -P option not allowed."); +- log_msg("insecure -P option in rdist command line!"); +- return NULL; +- } ++ if ( opt_filter(cl, 'P') ) return NULL; + return PATH_RDIST; + } + +- if ( check_command(cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){ ++ if ( check_command(*cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){ + /* filter -e option */ +- if ( opt_exist(cl, 'e') ){ +- fprintf(stderr, "\ninsecure -e option not allowed."); +- log_msg("insecure -e option in rdist command line!"); +- return NULL; +- } +- +- if ( strstr(cl, "--rsh=" ) ){ +- fprintf(stderr, "\ninsecure --rsh= not allowed."); +- log_msg("insecure --rsh option in rsync command line!"); +- return NULL; ++ if ( opt_filter(cl, 'e') ) return NULL; ++ while (cl && *cl){ ++ if ( strstr(*cl, "--rsh=" ) ){ ++ fprintf(stderr, "\ninsecure --rsh= not allowed."); ++ log_msg("insecure --rsh option in rsync command line!"); ++ return NULL; ++ } + } +- + return PATH_RSYNC; + } ++ /* No match, return NULL */ ++ return NULL; ++} ++ ++ ++/* ++ * get_command() - take the command line passed to rssh, and verify ++ * that the specified command is one the user is allowed to run. ++ * Return the path of the command which will be run if it is ok, ++ * or return NULL if it is not. 
++ */ ++char *get_command( char *cl, ShellOptions_t *opts ) ++{ + ++ if ( check_command(cl, opts, PATH_SFTP_SERVER, RSSH_ALLOW_SFTP) ) ++ return PATH_SFTP_SERVER; ++ if ( check_command(cl, opts, PATH_SCP, RSSH_ALLOW_SCP) ) ++ return PATH_SCP; ++ if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) ) ++ return PATH_CVS; ++ if ( check_command(cl, opts, PATH_RDIST, RSSH_ALLOW_RDIST) ) ++ return PATH_RDIST; ++ if ( check_command(cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ) ++ return PATH_RSYNC; + return NULL; + } + + ++ + /* + * extract_root() - takes a root directory and the full path to some other + * directory, and returns a pointer to a string which +@@ -264,7 +277,7 @@ + len = strlen(root); + /* get rid of a trailing / from the root path */ + if ( root[len - 1] == '/' ){ +- root[len - 1] = '\0'; ++ root[len - 1] = '\0'; + len--; + } + if ( (strncmp(root, path, len)) ) return NULL; +@@ -309,7 +322,7 @@ + * same name, and returns FALSE if the bits are not valid + */ + int validate_access( const char *temp, bool *allow_sftp, bool *allow_scp, +- bool *allow_cvs, bool *allow_rdist, bool *allow_rsync ) ++ bool *allow_cvs, bool *allow_rdist, bool *allow_rsync ) + { + int i; + +--- rssh-2.3.3/util.h 2006-12-21 17:22:38.000000000 -0500 ++++ rssh-2.3.3/util.h 2012-05-11 16:21:12.000000000 -0400 +@@ -33,7 +33,8 @@ + #include "rsshconf.h" + + void fail( int flags, int argc, char **argv ); +-char *check_command_line( char *cl, ShellOptions_t *opts ); ++char *check_command_line( char **cl, ShellOptions_t *opts ); ++char *get_command( char *cl, ShellOptions_t *opts); + char *extract_root( char *root, char *path ); + int validate_umask( const char *temp, int *mask ); + int validate_access( const char *temp, bool *allow_sftp, bool *allow_scp, diff --git a/app-shells/rssh/metadata.xml b/app-shells/rssh/metadata.xml index 097975e3adc2..6f229cf9eedf 100644 --- a/app-shells/rssh/metadata.xml +++ b/app-shells/rssh/metadata.xml 
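Review bot: The `while (cl && *cl)` loop added to the rsync branch of check_command_line() in util.c never advances `cl`, so the same first element is tested on every pass and any rsync command line that gets this far spins forever instead of returning PATH_RSYNC; add `cl++;` as the last statement of the loop body. The rewritten opt_exist() returns TRUE for any argument that starts with `-` and contains the letter anywhere, so long options are caught as well (`--server` contains `e`) and `opt_filter(cl, 'e')` would refuse them. Skipping arguments that begin with `--`, e.g. `if (cl[0] != '-' || cl[1] == '-') return FALSE;`, keeps the short-option check while the `--rsh=` test still covers the long form. opt_filter() also logs `in scp command line!` for the cvs, rdist and rsync branches, which misattributes the rejected command in the logs; pass the command name in or drop it from the message.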
@@ -1,4 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
+<herd>proxy-maintainers</herd>
+<maintainer>
+ <email>opensource@andmarios.com</email>
+ <name>Marios Andreopoulos</name>
+</maintainer>
 </pkgmetadata>
diff --git a/app-shells/rssh/rssh-2.3.2.ebuild b/app-shells/rssh/rssh-2.3.2.ebuild
deleted file mode 100644
index 439e0f1eff59..000000000000
--- a/app-shells/rssh/rssh-2.3.2.ebuild
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright 1999-2008 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-shells/rssh/rssh-2.3.2.ebuild,v 1.7 2008/02/20 12:55:07 caleb Exp $
-
-inherit multilib
-
-DESCRIPTION="Restricted shell for SSHd"
-HOMEPAGE="http://rssh.sourceforge.net/"
-SRC_URI="mirror://sourceforge/rssh/${P}.tar.gz"
-
-LICENSE="BSD"
-SLOT="0"
-KEYWORDS="amd64 ppc sparc x86"
-IUSE="static"
-
-RDEPEND="virtual/ssh"
-
-src_unpack() {
- unpack ${A}
- cd "${S}"
- sed -i 's:chmod u+s $(:chmod u+s $(DESTDIR)$(:' Makefile.in
-}
-
-src_compile() {
- econf \
- --libexecdir='$(libdir)/misc' \
- --with-scp=/usr/bin/scp \
- --with-sftp-server="/usr/$(get_libdir)/misc/sftp-server" \
- $(use_enable static) \
- || die "econf failed"
- emake || die
-}
-
-src_install() {
- make install DESTDIR="${D}" || die
- dodoc AUTHORS ChangeLog CHROOT INSTALL README TODO
-}
diff --git a/app-shells/rssh/rssh-2.3.3-r1.ebuild b/app-shells/rssh/rssh-2.3.3-r1.ebuild
new file mode 100644
index 000000000000..e6f314559c7d
--- /dev/null
+++ b/app-shells/rssh/rssh-2.3.3-r1.ebuild 
@@ -0,0 +1,35 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-shells/rssh/rssh-2.3.3-r1.ebuild,v 1.1 2012/06/16 16:58:14 hwoarang Exp $
+
+EAPI=4
+inherit eutils multilib
+
+DESCRIPTION="Restricted shell for SSHd"
+HOMEPAGE="http://rssh.sourceforge.net/"
+SRC_URI="mirror://sourceforge/rssh/${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~sparc ~x86"
+IUSE="static"
+
+RDEPEND="virtual/ssh"
+
+src_prepare() {
+ sed -i 's:chmod u+s $(:chmod u+s $(DESTDIR)$(:' Makefile.in || die
+ epatch "${FILESDIR}"/rssh-2.3.3-envvars.patch
+}
+
+src_configure() {
+ econf \
+ --libexecdir='$(libdir)/misc' \
+ --with-scp=/usr/bin/scp \
+ --with-sftp-server='/usr/$(get_libdir)/misc/sftp-server' \
+ $(use_enable static)
+}
+
+src_install() {
+ emake install DESTDIR="${D}"
+ dodoc AUTHORS ChangeLog CHROOT INSTALL README TODO
+}
diff --git a/app-shells/rssh/rssh-2.3.3.ebuild b/app-shells/rssh/rssh-2.3.3.ebuild
deleted file mode 100644
index 749df8e7fbd8..000000000000
--- a/app-shells/rssh/rssh-2.3.3.ebuild
+++ /dev/null 
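Review bot: In src_configure the `--with-sftp-server` value is now single-quoted, so bash no longer runs `$(get_libdir)` and configure receives the literal text `/usr/$(get_libdir)/misc/sftp-server`; both removed ebuilds used double quotes on this argument. rssh executes the configured path for sftp sessions, so the installed binary would presumably point at a location that does not exist. Restore `--with-sftp-server="/usr/$(get_libdir)/misc/sftp-server" \`. The single quotes on `--libexecdir='$(libdir)/misc'` look intentional, since `$(libdir)` is a make variable, and a one-line comment such as `# $(libdir) is expanded by make, not by bash` above it would keep the two from being confused again.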
@@ -1,37 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-shells/rssh/rssh-2.3.3.ebuild,v 1.5 2011/04/30 17:29:18 armin76 Exp $
-
-inherit multilib
-
-DESCRIPTION="Restricted shell for SSHd"
-HOMEPAGE="http://rssh.sourceforge.net/"
-SRC_URI="mirror://sourceforge/rssh/${P}.tar.gz"
-
-LICENSE="BSD"
-SLOT="0"
-KEYWORDS="amd64 ppc sparc x86"
-IUSE="static"
-
-RDEPEND="virtual/ssh"
-
-src_unpack() {
- unpack ${A}
- cd "${S}"
- sed -i 's:chmod u+s $(:chmod u+s $(DESTDIR)$(:' Makefile.in
-}
-
-src_compile() {
- econf \
- --libexecdir='$(libdir)/misc' \
- --with-scp=/usr/bin/scp \
- --with-sftp-server="/usr/$(get_libdir)/misc/sftp-server" \
- $(use_enable static) \
- || die "econf failed"
- emake || die
-}
-
-src_install() {
- make install DESTDIR="${D}" || die
- dodoc AUTHORS ChangeLog CHROOT INSTALL README TODO
-} |