authorRobert Buchholz <rbu@gentoo.org>2009-07-15 16:06:25 +0000
committerRobert Buchholz <rbu@gentoo.org>2009-07-15 16:06:25 +0000
commite951cbe7092059532dc75bc4d2b8e5781e1c6fb2 (patch)
tree986c44f1ebfda03e186f69a31eba65f243389422 /net-firewall
parentRemove autotools from inherit since no functions are called from it. (diff)
Patch CVE-2008-4953, symlink attack on a firehol directory in /tmp. Patch tested by Kerin Millar, thanks. Fixes bug 246013.
Package-Manager: portage-2.1.6.13/cvs/Linux x86_64
Diffstat (limited to 'net-firewall')
-rw-r--r--net-firewall/firehol/ChangeLog9
-rw-r--r--net-firewall/firehol/Manifest4
-rw-r--r--net-firewall/firehol/files/firehol-1.273-CVE-2008-4953.patch58
-rw-r--r--net-firewall/firehol/firehol-1.273-r1.ebuild78
4 files changed, 147 insertions, 2 deletions
diff --git a/net-firewall/firehol/ChangeLog b/net-firewall/firehol/ChangeLog
index a821e28b0be8..4fa93463fbc6 100644
--- a/net-firewall/firehol/ChangeLog
+++ b/net-firewall/firehol/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for net-firewall/firehol
# Copyright 2002-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-firewall/firehol/ChangeLog,v 1.40 2009/03/09 16:54:00 armin76 Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/firehol/ChangeLog,v 1.41 2009/07/15 16:06:24 rbu Exp $
+
+*firehol-1.273-r1 (15 Jul 2009)
+
+ 15 Jul 2009; Robert Buchholz <rbu@gentoo.org>
+ +files/firehol-1.273-CVE-2008-4953.patch, +firehol-1.273-r1.ebuild:
+ Patch CVE-2008-4953, symlink attack on a firehol directory in /tmp. Patch
+ tested by Kerin Millar, thanks. Fixes bug 246013.
09 Mar 2009; Raúl Porcel <armin76@gentoo.org> firehol-1.273.ebuild:
x86 stable wrt #261699
diff --git a/net-firewall/firehol/Manifest b/net-firewall/firehol/Manifest
index 7609f509f729..5405c90fb90e 100644
--- a/net-firewall/firehol/Manifest
+++ b/net-firewall/firehol/Manifest
@@ -2,6 +2,7 @@ AUX firehol-1.226-to-228.patch 2311 RMD160 9adefc751d465dd193134b3243e6d34300216
AUX firehol-1.250-groupwith.patch 1005 RMD160 ca56cbd4abad50a0203c520ae62b255266aa104e SHA1 061ffcc50dcb605faf882a7cbfb5c59205356e8d SHA256 6d56366f16b53209e9944fffcac65de6300264d6ba35575643af3bcd45522029
AUX firehol-1.250-printf.patch 1496 RMD160 df025b1bf110ba50b2d8060a145aa79af39a8b26 SHA1 a3450b2b3c94c94be4f64aebdbdbf6a0fc5e3b19 SHA256 35ab81db53612f938ca37f592d85e68260573084c34b598a7c4254b3d3fab071
AUX firehol-1.256-printf.patch 1496 RMD160 df025b1bf110ba50b2d8060a145aa79af39a8b26 SHA1 a3450b2b3c94c94be4f64aebdbdbf6a0fc5e3b19 SHA256 35ab81db53612f938ca37f592d85e68260573084c34b598a7c4254b3d3fab071
+AUX firehol-1.273-CVE-2008-4953.patch 1734 RMD160 d0cceb51c5c0acb568700b38650ed02242db2211 SHA1 5087929bc70de03bf61f1a3ad70c3160d337042a SHA256 9f14a2bcf92f3a68b63a2506cd75f4cbdacd600e72133b37b439b6e179a2fd9d
AUX firehol.conf.d 70 RMD160 a87dc5fb7ba67d3f87d9672de62ba5081925ddcb SHA1 5a31d6751f0ea13550218132ff210e3286694152 SHA256 0e6bae0a5329d6b527cf0ae7183acf04f0f08f5a931bf5e82a789053faed4e3c
AUX firehol.initrd 1245 RMD160 65730686994af4ae61a8ecc3d5b747850ea01aa4 SHA1 a5892f1c762b0c061f6957583dd58bf7b5bc4ab9 SHA256 8e5d71c35ccb9e03ff8b2a984d7082d69a51cd1384a6cc709931f3f7a5531d4c
DIST firehol-1.226-to-250.patch.bz2 6679 RMD160 ce71661271ee7d94bddcac5ae072c933fdfa67c6 SHA1 e8a2716cb5dd5be7dd3850c7d81ed91f87601bca SHA256 574953d443cfe61a3f92adfc68a9ff53cc3679ad2598074dc671288846b1d632
@@ -10,6 +11,7 @@ DIST firehol-1.256.tar.bz2 125333 RMD160 42ef66f441529d0c216545a313f71d37800f8f7
DIST firehol-1.273.tar.bz2 128128 RMD160 858fda3300e2de10fc82be6582d7042de6cbfc23 SHA1 09433f7fbb3cbb7e33e9c601008191bfe3b388a8 SHA256 e8d3b4ac3e54097c0e0f14bfab773a75d43b522fa123a42088b7f23f13495ea2
EBUILD firehol-1.250-r2.ebuild 2283 RMD160 a023131928449d85bce7c42a595a5f8e0fe592cd SHA1 f38ed4b754bd951562eb3b97d1a5e3225c1a917d SHA256 7b455b4ff2f520358572471d76f2b15b2be7be6ccdda48ab9b4aaa3c0837e04d
EBUILD firehol-1.256-r1.ebuild 2397 RMD160 1c515003b76d014e5538c285072845f8fdfb7605 SHA1 02ddcb50554a54f467bce1efcc9028d62888c01d SHA256 c23ac25229c4b75bfd05627faa07497c1cec7b8bbb19279b4a73f2e4653c2f4a
+EBUILD firehol-1.273-r1.ebuild 2163 RMD160 efec6c330da95fe193fd88b3eddcbe8c0d665bfe SHA1 6c7c909f503261440420301dc205aecef22ff293 SHA256 cf35445c808996eef514c509871190fa82c44e32451d7e2f7edd4c737262bb29
EBUILD firehol-1.273.ebuild 2089 RMD160 6cb86b116abda6f128fd2415c4287b165b879f6e SHA1 8f793717c7d1e8ef3d22044d92eecdb732729e86 SHA256 462cd4aa3bf09d60499cab116c4abfb99ad23c91f438d1a3425ebe03b74e1c5c
-MISC ChangeLog 7593 RMD160 e00941bb19f2385226650d42f4e1e112c3827993 SHA1 7c523cbd24093d1e3a39f607cab6b49eeea3b55a SHA256 b8df0d3ad541efbcc32a8dcfdb605286b868ea08d6ee42ca666685f9bd5a81c9
+MISC ChangeLog 7869 RMD160 18403332f8b1057b5b3cca1490755d47f6117aea SHA1 390879fcbceef979ea2b27ccf8124bbae5499785 SHA256 16ae4499863a1a2a9321d4af5344853e035513dbd1d3fdeca2e2fe136866f34e
MISC metadata.xml 290 RMD160 b9b86283c09349c8827faef7d3ef5f724a248e77 SHA1 ae1c8e62d75c94ff50b8a5391afb6008460963aa SHA256 380e26e9262298b9cb31e863a9ab641f6fbdc8c50bda2cf2e47fd399f9cb5e85
diff --git a/net-firewall/firehol/files/firehol-1.273-CVE-2008-4953.patch b/net-firewall/firehol/files/firehol-1.273-CVE-2008-4953.patch
new file mode 100644
index 000000000000..99a958aa701f
--- /dev/null
+++ b/net-firewall/firehol/files/firehol-1.273-CVE-2008-4953.patch
@@ -0,0 +1,58 @@
+From 545db8cd292957158bf3fa1c1c370e4be83c6688 Mon Sep 17 00:00:00 2001
+From: Robert Buchholz <rbu@goodpoint.de>
+Date: Tue, 6 Jan 2009 23:26:00 +0100
+Subject: [PATCH] Use mktemp instead of relying that $$-$RANDOM-$RANDOM does not exist.
+
+References:
+* CVE-2008-4953
+* https://bugs.gentoo.org/246013
+---
+ firehol.sh | 25 +++++++++----------------
+ 1 files changed, 9 insertions(+), 16 deletions(-)
+
+diff --git a/firehol.sh b/firehol.sh
+index 6acb497..f5dba16 100755
+--- a/firehol.sh
++++ b/firehol.sh
+@@ -238,8 +238,15 @@ ${IPTABLES_CMD} -nxvL >/dev/null 2>&1
+ # ----------------------------------------------------------------------
+ # Directories and files
+
+-# These files will be created and deleted during our run.
+-FIREHOL_DIR="/tmp/.firehol-tmp-$$-${RANDOM}-${RANDOM}"
++# Create an empty temporary directory we need for this run.
++if ! FIREHOL_DIR="`mktemp -d -t .firehol-tmp-XXXXXX`"
++then
++ echo >&2
++ echo >&2
++ echo >&2 "Cannot create temporary directory."
++ echo >&2
++ exit 1
++fi
+ FIREHOL_CHAINS_DIR="${FIREHOL_DIR}/chains"
+ FIREHOL_OUTPUT="${FIREHOL_DIR}/firehol-out.sh"
+ FIREHOL_SAVED="${FIREHOL_DIR}/firehol-save.sh"
+@@ -329,20 +336,6 @@ then
+ "${CHMOD_CMD}" 700 "${FIREHOL_CONFIG_DIR}/services"
+ fi
+
+-# Remove any old directories that might be there.
+-if [ -d "${FIREHOL_DIR}" ]
+-then
+- "${RM_CMD}" -rf "${FIREHOL_DIR}"
+- if [ $? -ne 0 -o -e "${FIREHOL_DIR}" ]
+- then
+- echo >&2
+- echo >&2
+- echo >&2 "Cannot clean temporary directory '${FIREHOL_DIR}'."
+- echo >&2
+- exit 1
+- fi
+-fi
+-"${MKDIR_CMD}" "${FIREHOL_DIR}" || exit 1
+ "${MKDIR_CMD}" "${FIREHOL_CHAINS_DIR}" || exit 1
+
+ # prepare the file that will hold all modules to be loaded.
+--
+1.6.0.4
+
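Review bot: The replacement line `FIREHOL_DIR="`mktemp -d -t .firehol-tmp-XXXXXX`"` invokes a bare `mktemp` found via PATH, while every other external tool in the surrounding firehol.sh is called through a resolved variable (`"${CHMOD_CMD}"`, `"${RM_CMD}"`, `"${MKDIR_CMD}"` in this same hunk); for a script that runs as root to rewrite the firewall, the new call should follow that convention, e.g. `"${MKTEMP_CMD}" -d -t .firehol-tmp-XXXXXX`, with `MKTEMP_CMD` resolved (and its absence diagnosed) wherever the other `*_CMD` variables are set, which is outside this hunk. The fix itself is sound: `mktemp -d` creates the directory atomically with mode 0700, so the predictable `$$-$RANDOM-$RANDOM` name and the pre-existing-directory `rm -rf` dance it deletes are both gone. Note that `-t` makes the directory under `$TMPDIR` when that is set, so the effective location now depends on the invoking environment rather than being fixed to /tmp; presumably acceptable for a root-run init script, but worth a comment such as `# honours TMPDIR; the directory is created 0700 by mktemp, no cleanup of stale names is needed`. The cleanup of `${FIREHOL_DIR}` at exit and the rest of firehol.sh are not visible in this patch.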
diff --git a/net-firewall/firehol/firehol-1.273-r1.ebuild b/net-firewall/firehol/firehol-1.273-r1.ebuild
new file mode 100644
index 000000000000..a55cbaa3c921
--- /dev/null
+++ b/net-firewall/firehol/firehol-1.273-r1.ebuild
@@ -0,0 +1,78 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/firehol/firehol-1.273-r1.ebuild,v 1.1 2009/07/15 16:06:24 rbu Exp $
+
+EAPI=2
+
+inherit eutils linux-info
+
+DESCRIPTION="iptables firewall generator"
+HOMEPAGE="http://firehol.sourceforge.net/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE=""
+KEYWORDS="~amd64 ~ppc ~sparc ~x86"
+
+DEPEND="sys-apps/iproute2"
+RDEPEND="net-firewall/iptables
+ sys-apps/iproute2[-minimal]
+ virtual/modutils
+ || (
+ net-misc/wget
+ net-misc/curl
+ )"
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}-CVE-2008-4953.patch || die
+}
+
+
+pkg_setup() {
+ # perform checks for kernel config from eclass linux-info
+ # for now we just print warnings as I am not sure if these
+ # are required always...
+ local KCONFIG_OPTS="~NF_CONNTRACK_IPV4 ~NF_CONNTRACK_MARK \
+ ~IP_NF_IPTABLES ~IP_NF_FILTER ~IP_NF_TARGET_REJECT \
+ ~IP_NF_TARGET_LOG ~IP_NF_TARGET_ULOG ~NF_NAT \
+ ~IP_NF_TARGET_MASQUERADE ~IP_NF_TARGET_REDIRECT ~IP_NF_MANGLE"
+ get_version
+ if [ ${KV_PATCH} -ge 25 ]; then
+ CONFIG_CHECK="~NF_CONNTRACK ${KCONFIG_OPTS}"
+ else
+ CONFIG_CHECK="~NF_CONNTRACK_ENABLED ${KCONFIG_OPTS}"
+ fi
+ linux-info_pkg_setup
+}
+
+src_install() {
+ newsbin firehol.sh firehol
+
+ dodir /etc/firehol /etc/firehol/examples /etc/firehol/services
+ insinto /etc/firehol/examples
+ doins examples/* || die
+
+ newconfd "${FILESDIR}/firehol.conf.d" firehol || die
+
+ dodoc ChangeLog README TODO WhatIsNew || die
+ dohtml doc/*.html doc/*.css || die
+
+ docinto scripts
+ dodoc get-iana.sh adblock.sh || die
+
+ doman man/*.1 man/*.5 || die
+
+ newinitd "${FILESDIR}/firehol.initrd" firehol || die
+}
+
+pkg_postinst() {
+ elog "The default path to firehol's configuration file is /etc/firehol/firehol.conf"
+ elog "See /etc/firehol/examples for configuration examples."
+ #
+ # Install a default configuration if none is available yet
+ if [[ ! -e "${ROOT}/etc/firehol/firehol.conf" ]]; then
+ einfo "Installing a sample configuration as ${ROOT}/etc/firehol/firehol.conf"
+ cp "${ROOT}/etc/firehol/examples/client-all.conf" "${ROOT}/etc/firehol/firehol.conf"
+ fi
+}
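Review bot: `newsbin firehol.sh firehol` in src_install has no `|| die`, unlike every other install helper in the function, and under EAPI=2 install helpers do not fail the merge on their own; since this is the very file the CVE-2008-4953 patch modifies, a failed `newsbin` would silently leave the patched firewall script out of the image. The line should read `newsbin firehol.sh firehol || die "newsbin failed"`, and `dodir /etc/firehol /etc/firehol/examples /etc/firehol/services` likewise deserves `|| die`. In pkg_postinst the `cp` of the sample config is also unchecked and runs as root into `${ROOT}/etc/firehol/`; `|| ewarn "could not install sample configuration"` would at least surface a failure instead of leaving the user with no firehol.conf and no message. Separately, `epatch` in src_prepare already dies on failure, so its `|| die` is redundant but harmless.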