authorMarkos Chandras <hwoarang@gentoo.org>2012-06-16 16:58:14 +0000
committerMarkos Chandras <hwoarang@gentoo.org>2012-06-16 16:58:14 +0000
commit167e7cccacd885f65f4c36dbecdf0a364710a54d (patch)
tree875134c9f2aa85ebc9874440af05afadcfa17414 /app-shells/rssh
parentUse global USE flag "postscript" instead of local USE flag "ps" for PostScrip... (diff)
Revbump to fix security problem. bug #415255. Thanks to Marios Andreopoulos <opensource@andmarios.com>. Take over by proxy-maintainers
Package-Manager: portage-2.1.10.65/cvs/Linux x86_64
Diffstat (limited to 'app-shells/rssh')
-rw-r--r--app-shells/rssh/ChangeLog12
-rw-r--r--app-shells/rssh/Manifest31
-rw-r--r--app-shells/rssh/files/rssh-2.3.3-envvars.patch228
-rw-r--r--app-shells/rssh/metadata.xml5
-rw-r--r--app-shells/rssh/rssh-2.3.2.ebuild37
-rw-r--r--app-shells/rssh/rssh-2.3.3-r1.ebuild35
-rw-r--r--app-shells/rssh/rssh-2.3.3.ebuild37
7 files changed, 297 insertions, 88 deletions
diff --git a/app-shells/rssh/ChangeLog b/app-shells/rssh/ChangeLog
index 1683190964ec..e2efa0a579fc 100644
--- a/app-shells/rssh/ChangeLog
+++ b/app-shells/rssh/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for app-shells/rssh
-# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-shells/rssh/ChangeLog,v 1.23 2011/04/30 17:29:18 armin76 Exp $
+# Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/app-shells/rssh/ChangeLog,v 1.24 2012/06/16 16:58:14 hwoarang Exp $
+
+*rssh-2.3.3-r1 (16 Jun 2012)
+
+ 16 Jun 2012; Markos Chandras <hwoarang@gentoo.org> -rssh-2.3.2.ebuild,
+ -rssh-2.3.3.ebuild, +rssh-2.3.3-r1.ebuild, +files/rssh-2.3.3-envvars.patch,
+ metadata.xml:
+ Revbump to fix security problem. bug #415255. Thanks to Marios Andreopoulos
+ <opensource@andmarios.com>. Take over by proxy-maintainers
30 Apr 2011; Raúl Porcel <armin76@gentoo.org> rssh-2.3.3.ebuild:
sparc stable wrt #344339
diff --git a/app-shells/rssh/Manifest b/app-shells/rssh/Manifest
index a5077af4ffb2..0def5c273696 100644
--- a/app-shells/rssh/Manifest
+++ b/app-shells/rssh/Manifest
@@ -1,18 +1,25 @@
-----BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA256
+Hash: SHA512
-DIST rssh-2.3.2.tar.gz 113959 RMD160 bcdf7d111042bbf296d624943e3350d5273676ed SHA1 bc7154f50dec1e46cb76b3e1c00e2b1179e50d3d SHA256 8569a07dd96c8f70d0310186b37bbb2e8e591807ac1d1bd0990c02bfd467ba57
+AUX rssh-2.3.3-envvars.patch 7087 RMD160 bcf2ae7a8de12cc067d341807d7a74603f4ede32 SHA1 434712f82f24c60834a10142ca5c49b8a57555a7 SHA256 d407531c9717306dbd5e1b3bbb587b5ce5d9f6b6440edb51d2d9f6c64401d4b6
DIST rssh-2.3.3.tar.gz 119510 RMD160 e9f5c3a8f8cecd6b29c6b85a2672cd22481ef8b5 SHA1 0a6dd80b5e6059e0db12c9f1276121dd966b610a SHA256 1940912c2485f8531e4461de06bd2aebc607d2a89805debb7ac81002fa6fd07f
-EBUILD rssh-2.3.2.ebuild 878 RMD160 fd3def37b64e3956e3a12d006453c6e314bad986 SHA1 5cb05d2247198fcae697a000538fe270ece6442a SHA256 e0a0d6861a6c4711367a81ce4a20e56eec44459e3cf8f4dcc557ccad2616c1f9
-EBUILD rssh-2.3.3.ebuild 880 RMD160 b2d6d3b09a8cca4a9eb841a96b8622ed4c852ad6 SHA1 a74aeea139baed1632014dd5c79d986c3c190973 SHA256 a9ee8c8e2ffa8707eaec2b3adf49e0c9b21aa8bcfbd368a9d9b2a521faf3e3fe
-MISC ChangeLog 2631 RMD160 c055d140b80f96b3ea11bfadc150ce926ff25200 SHA1 33c99b655b51390fce905b68b716826779570c8b SHA256 6fb515b93b2eefa79cf5beff44438e61f0895671a19da11b00af1eca0d700cb2
-MISC metadata.xml 139 RMD160 c84b2b78f85074cc5c7d26cb757d91c8384fa16a SHA1 00e3ae2ead875413d94aeafa5279646740c2c21d SHA256 5cdc1888ebc8807b9a37b1d33429c61cabe7415a4f240e21a4c2ff8eca7a34ed
+EBUILD rssh-2.3.3-r1.ebuild 891 RMD160 36a8d9baca454a13956a99ba8a8219894b682e6a SHA1 b0e6d50021202c69d27cfe6d909d9621cf46be51 SHA256 6ee507b5d3219c7d253a2c6159c9ce86374e0c4d7da622392816a33853bf9204
+MISC ChangeLog 2969 RMD160 a07862e3ad13c300f17883dccd3d9e4cfd77ab9c SHA1 b43b101b50118cfcdcf8b6cdeca3a524ca7cdd86 SHA256 2c770c206530061dc15330b5bd7b682e1d7bb098de26231f9da9356debf3f541
+MISC metadata.xml 272 RMD160 bb70b862fa39af58b186c5d2c7ae18ca31c2604a SHA1 4e17571eccf21f1cadf628f02f458a5c7ea83b1e SHA256 0c365913714b5beca9b01b87b60c5fba58bd64d4f17dbd9a4e64868deb580883
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.18 (GNU/Linux)
+Version: GnuPG v2.0.19 (GNU/Linux)
-iJwEAQEIAAYFAk59AdIACgkQfXuS5UK5QB3iCAP+IkgwT/quR3JmxmwQgluV4vYA
-ByWOCRceCX2Mn65ktdGkBrBEuvZyUBFqWE7vklM1heB0nA6me+ZpbzLlPXh6a1JQ
-yT2IIOT1WfO1CNit6j5FY4fS64QmjhbGuIn1lNvm4Sjw7PShvt5YAOVyfPJWXSJH
-M9PMSPcmOERLZY4eS7k=
-=5lEN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+=kA+9
-----END PGP SIGNATURE-----
diff --git a/app-shells/rssh/files/rssh-2.3.3-envvars.patch b/app-shells/rssh/files/rssh-2.3.3-envvars.patch
new file mode 100644
index 000000000000..e9193c7bd2e0
--- /dev/null
+++ b/app-shells/rssh/files/rssh-2.3.3-envvars.patch
@@ -0,0 +1,228 @@
+--- rssh-2.3.3/main.c.in 2010-08-01 15:43:30.000000000 -0400
++++ rssh-2.3.3/main.c.in 2012-05-11 16:44:39.000000000 -0400
+@@ -184,7 +184,7 @@
+ * determine if the command in cmdline is acceptable to run, and store
+ * name of program to exec in cmd
+ */
+- if ( !(*cmd = check_command_line(cmdline, opts)) ) return NULL;
++ if ( !(*cmd = get_command(cmdline, opts)) ) return NULL;
+
+ /* if we need to do chroot processing, do it */
+ if ( opts->shell_flags & RSSH_USE_CHROOT ){
+@@ -252,7 +252,9 @@
+ }
+
+ /* return vector of pointers to command line arguments */
+- return build_arg_vector(cmdline, 0);
++ argvec = build_arg_vector(cmdline, 0);
++ if (check_command_line(argvec, opts)) return argvec;
++ else return NULL;
+ }
+
+ void vers_info( void )
+--- rssh-2.3.3/util.c 2010-08-01 09:07:00.000000000 -0400
++++ rssh-2.3.3/util.c 2012-05-11 16:43:10.000000000 -0400
+@@ -106,7 +106,7 @@
+ /* print error message to user and log attempt */
+ fprintf(stderr, "\nThis account is restricted by rssh.\n"
+ "%s\n\nIf you believe this is in error, please contact "
+- "your system administrator.\n\n", cmd);
++ "your system administrator.\n\n", cmd);
+ if ( argc < 3 )
+ log_msg("user %s attempted to log in with a shell",
+ username);
+@@ -132,31 +132,35 @@
+ */
+ bool opt_exist(char *cl, char opt)
+ {
+- int i = 0;
++ int i = 1;
+ int len;
+- char *token;
+- bool optstring = FALSE;
+-
+
+ len = strlen(cl);
+
+ /* process command line character by character */
+- while ( i < (len - 2) ){
+- if ( cl[i] == ' ' || cl[i] == '\t' ){
+- if ( cl[i+1] == '-' ){
+- optstring = TRUE;
+- i+=2;
+- }
+- }
+- if ( cl[i] == opt && optstring ) return TRUE;
+- if ( cl[i] == ' ' || cl[i] == '\t' || cl[i] == '-' )
+- optstring = FALSE;
++ if (!(cl[0] == '-')) return FALSE;
++ while ( i < (len) ){
++ if ( cl[i] == opt ) return TRUE;
+ i++;
+ }
+ return FALSE;
+ }
+
+
++bool opt_filter(char **vec, const char opt)
++{
++ while (vec && *vec){
++ if (opt_exist(*vec, opt)){
++ fprintf(stderr, "\nillegal insecure %c option", opt);
++ log_msg("insecure %c option in scp command line!", opt);
++ return TRUE;
++ }
++ vec++;
++ }
++ return FALSE;
++}
++
++
+ bool check_command( char *cl, ShellOptions_t *opts, char *cmd, int cmdflag )
+ {
+ int cl_len; /* length of command line */
+@@ -186,69 +190,78 @@
+ return FALSE;
+ }
+
++
+ /*
+ * check_command_line() - take the command line passed to rssh, and verify
+- * that the specified command is one the user is
+- * allowed to run. Return the path of the command
+- * which will be run if it is ok, or return NULL if it
+- * is not.
++ * that the specified command is one the user is
++ * allowed to run and validate the arguments. Return the
++ * path of the command which will be run if it is ok, or
++ * return NULL if it is not.
+ */
+-char *check_command_line( char *cl, ShellOptions_t *opts )
++char *check_command_line( char **cl, ShellOptions_t *opts )
+ {
+
+- if ( check_command(cl, opts, PATH_SFTP_SERVER, RSSH_ALLOW_SFTP) )
++ if ( check_command(*cl, opts, PATH_SFTP_SERVER, RSSH_ALLOW_SFTP) )
+ return PATH_SFTP_SERVER;
+
+- if ( check_command(cl, opts, PATH_SCP, RSSH_ALLOW_SCP) ){
++ if ( check_command(*cl, opts, PATH_SCP, RSSH_ALLOW_SCP) ){
+ /* filter -S option */
+- if ( opt_exist(cl, 'S') ){
+- fprintf(stderr, "\ninsecure -S option not allowed.");
+- log_msg("insecure -S option in scp command line!");
+- return NULL;
+- }
++ if ( opt_filter(cl, 'S') ) return NULL;
+ return PATH_SCP;
+ }
+
+- if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) ){
+- if ( opt_exist(cl, 'e') ){
+- fprintf(stderr, "\ninsecure -e option not allowed.");
+- log_msg("insecure -e option in cvs command line!");
+- return NULL;
+- }
++ if ( check_command(*cl, opts, PATH_CVS, RSSH_ALLOW_CVS) ){
++ if ( opt_filter(cl, 'e') ) return NULL;
+ return PATH_CVS;
+ }
+
+- if ( check_command(cl, opts, PATH_RDIST, RSSH_ALLOW_RDIST) ){
++ if ( check_command(*cl, opts, PATH_RDIST, RSSH_ALLOW_RDIST) ){
+ /* filter -P option */
+- if ( opt_exist(cl, 'P') ){
+- fprintf(stderr, "\ninsecure -P option not allowed.");
+- log_msg("insecure -P option in rdist command line!");
+- return NULL;
+- }
++ if ( opt_filter(cl, 'P') ) return NULL;
+ return PATH_RDIST;
+ }
+
+- if ( check_command(cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){
++ if ( check_command(*cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){
+ /* filter -e option */
+- if ( opt_exist(cl, 'e') ){
+- fprintf(stderr, "\ninsecure -e option not allowed.");
+- log_msg("insecure -e option in rdist command line!");
+- return NULL;
+- }
+-
+- if ( strstr(cl, "--rsh=" ) ){
+- fprintf(stderr, "\ninsecure --rsh= not allowed.");
+- log_msg("insecure --rsh option in rsync command line!");
+- return NULL;
++ if ( opt_filter(cl, 'e') ) return NULL;
++ while (cl && *cl){
++ if ( strstr(*cl, "--rsh=" ) ){
++ fprintf(stderr, "\ninsecure --rsh= not allowed.");
++ log_msg("insecure --rsh option in rsync command line!");
++ return NULL;
++ }
+ }
+-
+ return PATH_RSYNC;
+ }
++ /* No match, return NULL */
++ return NULL;
++}
++
++
++/*
++ * get_command() - take the command line passed to rssh, and verify
++ * that the specified command is one the user is allowed to run.
++ * Return the path of the command which will be run if it is ok,
++ * or return NULL if it is not.
++ */
++char *get_command( char *cl, ShellOptions_t *opts )
++{
+
++ if ( check_command(cl, opts, PATH_SFTP_SERVER, RSSH_ALLOW_SFTP) )
++ return PATH_SFTP_SERVER;
++ if ( check_command(cl, opts, PATH_SCP, RSSH_ALLOW_SCP) )
++ return PATH_SCP;
++ if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) )
++ return PATH_CVS;
++ if ( check_command(cl, opts, PATH_RDIST, RSSH_ALLOW_RDIST) )
++ return PATH_RDIST;
++ if ( check_command(cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) )
++ return PATH_RSYNC;
+ return NULL;
+ }
+
+
++
+ /*
+ * extract_root() - takes a root directory and the full path to some other
+ * directory, and returns a pointer to a string which
+@@ -264,7 +277,7 @@
+ len = strlen(root);
+ /* get rid of a trailing / from the root path */
+ if ( root[len - 1] == '/' ){
+- root[len - 1] = '\0';
++ root[len - 1] = '\0';
+ len--;
+ }
+ if ( (strncmp(root, path, len)) ) return NULL;
+@@ -309,7 +322,7 @@
+ * same name, and returns FALSE if the bits are not valid
+ */
+ int validate_access( const char *temp, bool *allow_sftp, bool *allow_scp,
+- bool *allow_cvs, bool *allow_rdist, bool *allow_rsync )
++ bool *allow_cvs, bool *allow_rdist, bool *allow_rsync )
+ {
+ int i;
+
+--- rssh-2.3.3/util.h 2006-12-21 17:22:38.000000000 -0500
++++ rssh-2.3.3/util.h 2012-05-11 16:21:12.000000000 -0400
+@@ -33,7 +33,8 @@
+ #include "rsshconf.h"
+
+ void fail( int flags, int argc, char **argv );
+-char *check_command_line( char *cl, ShellOptions_t *opts );
++char *check_command_line( char **cl, ShellOptions_t *opts );
++char *get_command( char *cl, ShellOptions_t *opts);
+ char *extract_root( char *root, char *path );
+ int validate_umask( const char *temp, int *mask );
+ int validate_access( const char *temp, bool *allow_sftp, bool *allow_scp,
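Review bot: In the rsync branch of the new check_command_line(), the `while (cl && *cl){ ... }` loop that searches for `--rsh=` never advances `cl`, so an rsync argument vector whose first word lacks that string loops forever instead of reaching `return PATH_RSYNC;`. Walk a separate cursor and step it: `char **p = cl;` before the loop, test `*p`, and end the loop body with `p++;`. The rewritten opt_exist() returns TRUE for any word that starts with `-` and contains the letter anywhere, so long options match as well; `--server` contains `e`, which would presumably reject ordinary rsync server invocations, so the match needs to distinguish short-option clusters from `--long` words. opt_filter() also hard-codes "in scp command line" in its log_msg() call although it is called for cvs, rdist and rsync too, which mislabels rejected attempts in the log; pass the command name in as a parameter. In main.c.in the declaration of `argvec` and the handling of a NULL return from build_arg_vector() lie outside the hunk and should be confirmed, since check_command_line() dereferences `*cl` immediately.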
diff --git a/app-shells/rssh/metadata.xml b/app-shells/rssh/metadata.xml
index 097975e3adc2..6f229cf9eedf 100644
--- a/app-shells/rssh/metadata.xml
+++ b/app-shells/rssh/metadata.xml
@@ -1,4 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
+<herd>proxy-maintainers</herd>
+<maintainer>
+ <email>opensource@andmarios.com</email>
+ <name>Marios Andreopoulos</name>
+</maintainer>
</pkgmetadata>
diff --git a/app-shells/rssh/rssh-2.3.2.ebuild b/app-shells/rssh/rssh-2.3.2.ebuild
deleted file mode 100644
index 439e0f1eff59..000000000000
--- a/app-shells/rssh/rssh-2.3.2.ebuild
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright 1999-2008 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-shells/rssh/rssh-2.3.2.ebuild,v 1.7 2008/02/20 12:55:07 caleb Exp $
-
-inherit multilib
-
-DESCRIPTION="Restricted shell for SSHd"
-HOMEPAGE="http://rssh.sourceforge.net/"
-SRC_URI="mirror://sourceforge/rssh/${P}.tar.gz"
-
-LICENSE="BSD"
-SLOT="0"
-KEYWORDS="amd64 ppc sparc x86"
-IUSE="static"
-
-RDEPEND="virtual/ssh"
-
-src_unpack() {
- unpack ${A}
- cd "${S}"
- sed -i 's:chmod u+s $(:chmod u+s $(DESTDIR)$(:' Makefile.in
-}
-
-src_compile() {
- econf \
- --libexecdir='$(libdir)/misc' \
- --with-scp=/usr/bin/scp \
- --with-sftp-server="/usr/$(get_libdir)/misc/sftp-server" \
- $(use_enable static) \
- || die "econf failed"
- emake || die
-}
-
-src_install() {
- make install DESTDIR="${D}" || die
- dodoc AUTHORS ChangeLog CHROOT INSTALL README TODO
-}
diff --git a/app-shells/rssh/rssh-2.3.3-r1.ebuild b/app-shells/rssh/rssh-2.3.3-r1.ebuild
new file mode 100644
index 000000000000..e6f314559c7d
--- /dev/null
+++ b/app-shells/rssh/rssh-2.3.3-r1.ebuild
@@ -0,0 +1,35 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-shells/rssh/rssh-2.3.3-r1.ebuild,v 1.1 2012/06/16 16:58:14 hwoarang Exp $
+
+EAPI=4
+inherit eutils multilib
+
+DESCRIPTION="Restricted shell for SSHd"
+HOMEPAGE="http://rssh.sourceforge.net/"
+SRC_URI="mirror://sourceforge/rssh/${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~sparc ~x86"
+IUSE="static"
+
+RDEPEND="virtual/ssh"
+
+src_prepare() {
+ sed -i 's:chmod u+s $(:chmod u+s $(DESTDIR)$(:' Makefile.in || die
+ epatch "${FILESDIR}"/rssh-2.3.3-envvars.patch
+}
+
+src_configure() {
+ econf \
+ --libexecdir='$(libdir)/misc' \
+ --with-scp=/usr/bin/scp \
+ --with-sftp-server='/usr/$(get_libdir)/misc/sftp-server' \
+ $(use_enable static)
+}
+
+src_install() {
+ emake install DESTDIR="${D}"
+ dodoc AUTHORS ChangeLog CHROOT INSTALL README TODO
+}
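Review bot: In src_configure the `--with-sftp-server` argument is now single-quoted, so the shell no longer runs `$(get_libdir)` and configure receives the literal text `/usr/$(get_libdir)/misc/sftp-server`; the removed ebuilds used double quotes here. Single quotes are right for `--libexecdir='$(libdir)/misc'`, where `$(libdir)` is a make variable, but get_libdir is a shell function from the multilib eclass. If configure compiles this value into the path that rssh compares the sftp command against, which the patch's use of PATH_SFTP_SERVER suggests, sftp access would stop matching. Restore the expansion with `--with-sftp-server="/usr/$(get_libdir)/misc/sftp-server" \`.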
diff --git a/app-shells/rssh/rssh-2.3.3.ebuild b/app-shells/rssh/rssh-2.3.3.ebuild
deleted file mode 100644
index 749df8e7fbd8..000000000000
--- a/app-shells/rssh/rssh-2.3.3.ebuild
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-shells/rssh/rssh-2.3.3.ebuild,v 1.5 2011/04/30 17:29:18 armin76 Exp $
-
-inherit multilib
-
-DESCRIPTION="Restricted shell for SSHd"
-HOMEPAGE="http://rssh.sourceforge.net/"
-SRC_URI="mirror://sourceforge/rssh/${P}.tar.gz"
-
-LICENSE="BSD"
-SLOT="0"
-KEYWORDS="amd64 ppc sparc x86"
-IUSE="static"
-
-RDEPEND="virtual/ssh"
-
-src_unpack() {
- unpack ${A}
- cd "${S}"
- sed -i 's:chmod u+s $(:chmod u+s $(DESTDIR)$(:' Makefile.in
-}
-
-src_compile() {
- econf \
- --libexecdir='$(libdir)/misc' \
- --with-scp=/usr/bin/scp \
- --with-sftp-server="/usr/$(get_libdir)/misc/sftp-server" \
- $(use_enable static) \
- || die "econf failed"
- emake || die
-}
-
-src_install() {
- make install DESTDIR="${D}" || die
- dodoc AUTHORS ChangeLog CHROOT INSTALL README TODO
-}