guix-commits
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/01: gnu: Add xinetd.

From: Leo Famulari
Subject: 01/01: gnu: Add xinetd.
Date: Tue, 31 Jan 2017 20:06:58 +0000 (UTC) 
lfam pushed a commit to branch master
in repository guix.

commit 59ae241f7189252c72394fae2e2b85ca61b72755
Author: Thomas Danckaert <address@hidden>
Date:   Thu Jan 26 11:35:50 2017 +0100

    gnu: Add xinetd.
    
    * gnu/packages/web.scm (xinetd): New variable.
    * gnu/packages/patches/xinetd-CVE-2013-4342.patch,
    gnu/packages/patches/xinetd-fix-fd-leak.patch: New files.
    * gnu/local.mk (dist_patch_DATA): Add patches.
    
    Signed-off-by: Leo Famulari <address@hidden>
---
 gnu/local.mk                                    |    2 ++
 gnu/packages/patches/xinetd-CVE-2013-4342.patch |   36 +++++++++++++++++++++++
 gnu/packages/patches/xinetd-fix-fd-leak.patch   |   26 ++++++++++++++++
 gnu/packages/web.scm                            |   25 ++++++++++++++++
 4 files changed, 89 insertions(+)

diff --git a/gnu/local.mk b/gnu/local.mk
index 269af5f..ead1f2f 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -956,6 +956,8 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/xfce4-panel-plugins.patch               \
   %D%/packages/patches/xfce4-session-fix-xflock4.patch         \
   %D%/packages/patches/xfce4-settings-defaults.patch           \
+  %D%/packages/patches/xinetd-fix-fd-leak.patch                        \
+  %D%/packages/patches/xinetd-CVE-2013-4342.patch              \
   %D%/packages/patches/xmodmap-asprintf.patch                  \
   %D%/packages/patches/libyaml-CVE-2014-9130.patch             \
   %D%/packages/patches/zathura-plugindir-environment-variable.patch
diff --git a/gnu/packages/patches/xinetd-CVE-2013-4342.patch 
b/gnu/packages/patches/xinetd-CVE-2013-4342.patch
new file mode 100644
index 0000000..ad57bc7
--- /dev/null
+++ b/gnu/packages/patches/xinetd-CVE-2013-4342.patch
@@ -0,0 +1,36 @@
+Fix CVE-2013-4342:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4342
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678
+
+Patch copied from upstream source repository:
+
+https://github.com/xinetd-org/xinetd/commit/91e2401a219121eae15244a6b25d2e79c1af5864
+
+From 91e2401a219121eae15244a6b25d2e79c1af5864 Mon Sep 17 00:00:00 2001
+From: Thomas Swan <address@hidden>
+Date: Wed, 2 Oct 2013 23:17:17 -0500
+Subject: [PATCH] CVE-2013-4342: xinetd: ignores user and group directives for
+ TCPMUX services
+
+Originally reported to Debian in 2005 
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678> and rediscovered 
<https://bugzilla.redhat.com/show_bug.cgi?id=1006100>, xinetd would execute 
TCPMUX services without dropping privilege to match the service configuration 
allowing the service to run with same privilege as the xinetd process (root).
+---
+ xinetd/builtins.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xinetd/builtins.c b/xinetd/builtins.c
+index 3b85579..34a5bac 100644
+--- a/xinetd/builtins.c
++++ b/xinetd/builtins.c
+@@ -617,7 +617,7 @@ static void tcpmux_handler( const struct server *serp )
+    if( SC_IS_INTERNAL( scp ) ) {
+       SC_INTERNAL(scp, nserp);
+    } else {
+-      exec_server(nserp);
++      child_process(nserp);
+    }
+ }
+ 
+-- 
+2.7.4
+
diff --git a/gnu/packages/patches/xinetd-fix-fd-leak.patch 
b/gnu/packages/patches/xinetd-fix-fd-leak.patch
new file mode 100644
index 0000000..77e4600
--- /dev/null
+++ b/gnu/packages/patches/xinetd-fix-fd-leak.patch
@@ -0,0 +1,26 @@
+Fix a file descriptor leak:
+
+https://github.com/xinetd-org/xinetd/issues/23
+
+Patch copied from Debian:
+
+https://anonscm.debian.org/cgit/collab-maint/xinetd.git/tree/debian/patches/000012-fix_fd_leak
+
+Patch sent upstream at https://github.com/xinetd-org/xinetd/pull/26.
+
+diff --git a/xinetd/xgetloadavg.c b/xinetd/xgetloadavg.c
+index 5a26214..fe0f872 100644
+--- a/xinetd/xgetloadavg.c
++++ b/xinetd/xgetloadavg.c
+@@ -34,7 +34,7 @@ double xgetloadavg(void)
+ 
+    if( fscanf(fd, "%lf", &ret) != 1 ) {
+       perror("fscanf");
+-      return -1;
++      ret = -1;
+    }
+ 
+    fclose(fd);
+-- 
+2.7.4
+
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 67b9797..cea5b2d 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -3995,3 +3995,28 @@ programs' code.  Its architecture is optimized for 
security, portability, and
 scalability (including load-balancing), making it suitable for large
 deployments.")
   (license l:gpl2+)))
+
+(define-public xinetd
+  (package
+    (name "xinetd")
+    (version "2.3.15")
+    (source
+     (origin
+       (method url-fetch)
+       (uri 
"https://github.com/xinetd-org/xinetd/archive/xinetd-2-3-15.tar.gz";)
+       (patches (search-patches "xinetd-CVE-2013-4342.patch" 
"xinetd-fix-fd-leak.patch"))
+       (sha256
+        (base32
+         "0k59x52cbzp5fw0n8zn0y54j1ps0x9b72y8k5grzswjdmgs2a2v2"))))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:configure-flags '("--with-loadavg")
+       #:tests? #f )) ; no tests
+    (home-page "https://github.com/xinetd-org/xinetd";)
+    (synopsis "Internet services daemon")
+    (description "@code{xinetd}, a more secure replacement for @code{inetd},
+listens for incoming requests over a network and launches the appropriate
+service for that request.  Requests are made using port numbers as identifiers
+and xinetd usually launches another daemon to handle the request.  It can be
+used to start services with both privileged and non-privileged port numbers.")
+    (license (l:fsf-free "file://COPYRIGHT"))))
reply via email to
[Prev in Thread] Current Thread [Next in Thread]