gnu: Add xinetd.
* gnu/packages/web.scm (xinetd): New variable. * gnu/packages/patches/xinetd-CVE-2013-4342.patch, gnu/packages/patches/xinetd-fix-fd-leak.patch: New files. * gnu/local.mk (dist_patch_DATA): Add patches. Signed-off-by: Leo Famulari <leo@famulari.name>
This commit is contained in:
parent
9b11eee955
commit
59ae241f71
|
@ -956,6 +956,8 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/xfce4-panel-plugins.patch \
|
||||
%D%/packages/patches/xfce4-session-fix-xflock4.patch \
|
||||
%D%/packages/patches/xfce4-settings-defaults.patch \
|
||||
%D%/packages/patches/xinetd-fix-fd-leak.patch \
|
||||
%D%/packages/patches/xinetd-CVE-2013-4342.patch \
|
||||
%D%/packages/patches/xmodmap-asprintf.patch \
|
||||
%D%/packages/patches/libyaml-CVE-2014-9130.patch \
|
||||
%D%/packages/patches/zathura-plugindir-environment-variable.patch
|
||||
|
|
|
@ -0,0 +1,36 @@
|
|||
Fix CVE-2013-4342:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4342
|
||||
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://github.com/xinetd-org/xinetd/commit/91e2401a219121eae15244a6b25d2e79c1af5864
|
||||
|
||||
From 91e2401a219121eae15244a6b25d2e79c1af5864 Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Swan <thomas.swan@gmail.com>
|
||||
Date: Wed, 2 Oct 2013 23:17:17 -0500
|
||||
Subject: [PATCH] CVE-2013-4342: xinetd: ignores user and group directives for
|
||||
TCPMUX services
|
||||
|
||||
Originally reported to Debian in 2005 <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678> and rediscovered <https://bugzilla.redhat.com/show_bug.cgi?id=1006100>, xinetd would execute TCPMUX services without dropping privilege to match the service configuration allowing the service to run with same privilege as the xinetd process (root).
|
||||
---
|
||||
xinetd/builtins.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/xinetd/builtins.c b/xinetd/builtins.c
|
||||
index 3b85579..34a5bac 100644
|
||||
--- a/xinetd/builtins.c
|
||||
+++ b/xinetd/builtins.c
|
||||
@@ -617,7 +617,7 @@ static void tcpmux_handler( const struct server *serp )
|
||||
if( SC_IS_INTERNAL( scp ) ) {
|
||||
SC_INTERNAL(scp, nserp);
|
||||
} else {
|
||||
- exec_server(nserp);
|
||||
+ child_process(nserp);
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.7.4
|
||||
|
|
@ -0,0 +1,26 @@
|
|||
Fix a file descriptor leak:
|
||||
|
||||
https://github.com/xinetd-org/xinetd/issues/23
|
||||
|
||||
Patch copied from Debian:
|
||||
|
||||
https://anonscm.debian.org/cgit/collab-maint/xinetd.git/tree/debian/patches/000012-fix_fd_leak
|
||||
|
||||
Patch sent upstream at https://github.com/xinetd-org/xinetd/pull/26.
|
||||
|
||||
diff --git a/xinetd/xgetloadavg.c b/xinetd/xgetloadavg.c
|
||||
index 5a26214..fe0f872 100644
|
||||
--- a/xinetd/xgetloadavg.c
|
||||
+++ b/xinetd/xgetloadavg.c
|
||||
@@ -34,7 +34,7 @@ double xgetloadavg(void)
|
||||
|
||||
if( fscanf(fd, "%lf", &ret) != 1 ) {
|
||||
perror("fscanf");
|
||||
- return -1;
|
||||
+ ret = -1;
|
||||
}
|
||||
|
||||
fclose(fd);
|
||||
--
|
||||
2.7.4
|
||||
|
|
@ -3995,3 +3995,28 @@ programs' code. Its architecture is optimized for security, portability, and
|
|||
scalability (including load-balancing), making it suitable for large
|
||||
deployments.")
|
||||
(license l:gpl2+)))
|
||||
|
||||
(define-public xinetd
|
||||
(package
|
||||
(name "xinetd")
|
||||
(version "2.3.15")
|
||||
(source
|
||||
(origin
|
||||
(method url-fetch)
|
||||
(uri "https://github.com/xinetd-org/xinetd/archive/xinetd-2-3-15.tar.gz")
|
||||
(patches (search-patches "xinetd-CVE-2013-4342.patch" "xinetd-fix-fd-leak.patch"))
|
||||
(sha256
|
||||
(base32
|
||||
"0k59x52cbzp5fw0n8zn0y54j1ps0x9b72y8k5grzswjdmgs2a2v2"))))
|
||||
(build-system gnu-build-system)
|
||||
(arguments
|
||||
`(#:configure-flags '("--with-loadavg")
|
||||
#:tests? #f )) ; no tests
|
||||
(home-page "https://github.com/xinetd-org/xinetd")
|
||||
(synopsis "Internet services daemon")
|
||||
(description "@code{xinetd}, a more secure replacement for @code{inetd},
|
||||
listens for incoming requests over a network and launches the appropriate
|
||||
service for that request. Requests are made using port numbers as identifiers
|
||||
and xinetd usually launches another daemon to handle the request. It can be
|
||||
used to start services with both privileged and non-privileged port numbers.")
|
||||
(license (l:fsf-free "file://COPYRIGHT"))))
|
||||
|
|
Loading…
Reference in New Issue