guix-devel

Re: [PATCH] gnu: Add xinetd.


From: Thomas Danckaert
Subject: Re: [PATCH] gnu: Add xinetd.
Date: Tue, 31 Jan 2017 08:49:16 +0100 (CET)

> From: Leo Famulari <address@hidden>
> Subject: Re: [PATCH] gnu: Add xinetd.
> Date: Mon, 30 Jan 2017 17:38:21 -0500
>
> Overall LGTM, but we should include at least the patch for the
> CVE-2013-4342, introduced here:
>
> https://github.com/xinetd-org/xinetd/pull/10

Yes, you're right. I was under the impression that the CVE was already fixed in version 2.3.15, but it's not. I took the patch from github (it's already in the master branch, there's just no recent release).

> And applied as 000009-TCPMUX by Debian, along with some other patches
> that should be evaluated:
>
> https://anonscm.debian.org/cgit/collab-maint/xinetd.git/tree/debian/patches

I've added a patch that fixes a file descriptor leak (and created a pull request for it). There's also a patch to fix compilation on hurd, but that's probably something that should be fixed upstream?

The other patches are corrections to the man pages, which have made it into upstream master as well, so perhaps we do not need to add them all to Guix.

Thomas
From 7a10feac4ec4035214a8fc212344aacec83bedc6 Mon Sep 17 00:00:00 2001
From: Thomas Danckaert <address@hidden>
Date: Thu, 26 Jan 2017 11:35:50 +0100
Subject: [PATCH] gnu: Add xinetd.

* gnu/packages/web.scm (xinetd): New variable.
* gnu/packages/patches/xinetd-CVE-2013-4342.patch: New file.
* gnu/packages/patches/xinetd-fix-fd-leak.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
 gnu/local.mk                                    |  2 ++
 gnu/packages/patches/xinetd-CVE-2013-4342.patch | 27 +++++++++++++++++++++++++
 gnu/packages/patches/xinetd-fix-fd-leak.patch   | 18 +++++++++++++++++
 gnu/packages/web.scm                            | 25 +++++++++++++++++++++++
 4 files changed, 72 insertions(+)
 create mode 100644 gnu/packages/patches/xinetd-CVE-2013-4342.patch
 create mode 100644 gnu/packages/patches/xinetd-fix-fd-leak.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 59fc1a8..160a4aa 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -953,6 +953,8 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/xfce4-panel-plugins.patch               \
   %D%/packages/patches/xfce4-session-fix-xflock4.patch         \
   %D%/packages/patches/xfce4-settings-defaults.patch           \
+  %D%/packages/patches/xinetd-fix-fd-leak.patch                        \
+  %D%/packages/patches/xinetd-CVE-2013-4342.patch              \
   %D%/packages/patches/xmodmap-asprintf.patch                  \
   %D%/packages/patches/libyaml-CVE-2014-9130.patch             \
   %D%/packages/patches/zathura-plugindir-environment-variable.patch
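Review bot: the two new entries break the alphabetical order the surrounding xfce4-/xinetd-/xmodmap- entries follow; `xinetd-CVE-2013-4342.patch` should come before `xinetd-fix-fd-leak.patch`, which is also the order used in the package's `search-patches` call, so swap the two lines. The trailing backslash on the `xinetd-fix-fd-leak.patch` line is also not aligned with its neighbours (it looks like a tab crept in); pad with spaces like the rest of the list.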
diff --git a/gnu/packages/patches/xinetd-CVE-2013-4342.patch 
b/gnu/packages/patches/xinetd-CVE-2013-4342.patch
new file mode 100644
index 0000000..f095a44
--- /dev/null
+++ b/gnu/packages/patches/xinetd-CVE-2013-4342.patch
@@ -0,0 +1,27 @@
+From 91e2401a219121eae15244a6b25d2e79c1af5864 Mon Sep 17 00:00:00 2001
+From: Thomas Swan <address@hidden>
+Date: Wed, 2 Oct 2013 23:17:17 -0500
+Subject: [PATCH] CVE-2013-4342: xinetd: ignores user and group directives for
+ TCPMUX services
+
+Originally reported to Debian in 2005 
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678> and rediscovered 
<https://bugzilla.redhat.com/show_bug.cgi?id=1006100>, xinetd would execute 
TCPMUX services without dropping privilege to match the service configuration 
allowing the service to run with same privilege as the xinetd process (root).
+---
+ xinetd/builtins.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xinetd/builtins.c b/xinetd/builtins.c
+index 3b85579..34a5bac 100644
+--- a/xinetd/builtins.c
++++ b/xinetd/builtins.c
+@@ -617,7 +617,7 @@ static void tcpmux_handler( const struct server *serp )
+    if( SC_IS_INTERNAL( scp ) ) {
+       SC_INTERNAL(scp, nserp);
+    } else {
+-      exec_server(nserp);
++      child_process(nserp);
+    }
+ }
+ 
+-- 
+2.7.4
+
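Review bot: the patch file should open with a one-line provenance note, as the fd-leak patch does (`Reported upstream at ...`), pointing at https://github.com/xinetd-org/xinetd/pull/10 and saying that the commit is already on upstream master, so the next updater knows to drop it once a release contains it. On the fix itself, routing non-internal TCPMUX services through `child_process(nserp)` instead of `exec_server(nserp)` is the whole change, and the description above explains why: `exec_server` ran the service with xinetd's own (root) privileges, ignoring the service's `user`/`group` directives. Note that the description lines above the `---` lack their leading `+` in this copy (the archive wrapped them); verify that the committed file still applies cleanly with `patch -p1` before pushing.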
diff --git a/gnu/packages/patches/xinetd-fix-fd-leak.patch 
b/gnu/packages/patches/xinetd-fix-fd-leak.patch
new file mode 100644
index 0000000..70a4ec2
--- /dev/null
+++ b/gnu/packages/patches/xinetd-fix-fd-leak.patch
@@ -0,0 +1,18 @@
+Reported upstream at https://github.com/xinetd-org/xinetd/pull/26.
+
+diff --git a/xinetd/xgetloadavg.c b/xinetd/xgetloadavg.c
+index 5a26214..fe0f872 100644
+--- a/xinetd/xgetloadavg.c
++++ b/xinetd/xgetloadavg.c
+@@ -34,7 +34,7 @@ double xgetloadavg(void)
+ 
+    if( fscanf(fd, "%lf", &ret) != 1 ) {
+       perror("fscanf");
+-      return -1;
++      ret = -1;
+    }
+ 
+    fclose(fd);
+-- 
+2.7.4
+
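Review bot: the header line only says where this was reported; add what it fixes, since the hunk alone does not show the function's exit path: on `fscanf` failure the function returned early without the `fclose(fd)` that follows the `if`, leaking the `FILE*` (and its descriptor) on every failed read, and the fix sets `ret = -1` and falls through to the existing `fclose(fd)`. That is worth spelling out because the package is configured with `--with-loadavg`, so `xgetloadavg()` is compiled in and called whenever xinetd checks a service's load limit; a per-call leak there would slowly exhaust the daemon's descriptor table. Also record the upstream commit once https://github.com/xinetd-org/xinetd/pull/26 is merged so the patch can be dropped at the next update.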
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 67b9797..80f52ee 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -3995,3 +3995,28 @@ programs' code.  Its architecture is optimized for 
security, portability, and
 scalability (including load-balancing), making it suitable for large
 deployments.")
   (license l:gpl2+)))
+
+(define-public xinetd
+  (package
+    (name "xinetd")
+    (version "2.3.15")
+    (source
+     (origin
+       (method url-fetch)
+       (uri 
"https://github.com/xinetd-org/xinetd/archive/xinetd-2-3-15.tar.gz";)
+       (patches (search-patches "xinetd-CVE-2013-4342.patch" 
"xinetd-fix-fd-leak.patch"))
+       (sha256
+        (base32
+         "0k59x52cbzp5fw0n8zn0y54j1ps0x9b72y8k5grzswjdmgs2a2v2"))))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:configure-flags '("--with-loadavg")
+       #:tests? #f )) ; no tests
+    (home-page "https://github.com/xinetd-org/xinetd";)
+    (synopsis "Internet services daemon")
+    (description "@code{xinetd}, a more secure replacement for @code{inetd},
+listens for incoming requests over a network and launches the appropriate
+service for that request.  Requests are made using port numbers as identifiers
+and xinetd usually launches another daemon to handle the request.  It can be
+used to start services with both privileged and non-privileged port numbers.")
+    (license (l:non-copyleft "file://COPYRIGHT"))))
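Review bot: the source `uri` points at a GitHub auto-generated archive (`archive/xinetd-2-3-15.tar.gz`); those tarballs are generated on demand rather than published by upstream, so their hash is not guaranteed to stay stable. Prefer `git-fetch` on the `xinetd-2-3-15` tag, or a tarball upstream actually releases, if one exists. Smaller points: `#:tests? #f ))` has a stray space before the closing parentheses and the `(uri` line carries trailing whitespace; and since xinetd is a generic super-server rather than a web package, `gnu/packages/admin.scm` may be a better home than `web.scm`.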
-- 
2.7.4

