author | Joshua Kinard <kumba@gentoo.org> | 2011-02-10 09:26:38 +0000 |
---|---|---|
committer | Joshua Kinard <kumba@gentoo.org> | 2011-02-10 09:26:38 +0000 |
commit | 159d797d0384c8c970ef9399cf7bc8633f214fa9 (patch) | |
tree | 32fda386ae6b38246cc7953efb5f5e28a4654c8e /net-fs/ncpfs | |
parent | add ~ppc-aix keyword. (diff) | |
Add two patches to ncpfs, one to correct several vulnerabilities (#308071) and another to remove unneeded __attribute((packed)) directives to make the build look a lot cleaner. Also imported an init.d script and companion conf.d file for starting up/shutting down IPX through the init system. The init script should address #238688 in this package. Also fixed #126323 by installing headers for ncpfs into /usr/include. And removed the -r0 ebuild.
(Portage version: 2.1.9.39/cvs/Linux x86_64)
Diffstat (limited to 'net-fs/ncpfs')
-rw-r--r-- | net-fs/ncpfs/ChangeLog | 17 | ||||
-rw-r--r-- | net-fs/ncpfs/files/ipx.confd | 28 | ||||
-rw-r--r-- | net-fs/ncpfs/files/ipx.init | 42 | ||||
-rw-r--r-- | net-fs/ncpfs/files/ncpfs-2.2.6-multiple-vulns.patch | 557 | ||||
-rw-r--r-- | net-fs/ncpfs/files/ncpfs-2.2.6-remove-packed-attrib.patch | 297 | ||||
-rw-r--r-- | net-fs/ncpfs/ncpfs-2.2.6-r1.ebuild | 6 | ||||
-rw-r--r-- | net-fs/ncpfs/ncpfs-2.2.6-r2.ebuild | 68 | ||||
-rw-r--r-- | net-fs/ncpfs/ncpfs-2.2.6.ebuild | 52 |
8 files changed, 1011 insertions, 56 deletions
diff --git a/net-fs/ncpfs/ChangeLog b/net-fs/ncpfs/ChangeLog
index 5ca2b14bd894..14989dc1af59 100644
--- a/net-fs/ncpfs/ChangeLog
+++ b/net-fs/ncpfs/ChangeLog
@@ -1,6 +1,19 @@ # ChangeLog for net-fs/ncpfs -# Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-fs/ncpfs/ChangeLog,v 1.26 2010/10/08 16:22:59 mabi Exp $ +# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-x86/net-fs/ncpfs/ChangeLog,v 1.27 2011/02/10 09:26:38 kumba Exp $ + +*ncpfs-2.2.6-r2 (10 Feb 2011) + + 10 Feb 2011; Joshua Kinard <kumba@gentoo.org> -ncpfs-2.2.6.ebuild, + +ncpfs-2.2.6-r2.ebuild, +files/ncpfs-2.2.6-multiple-vulns.patch, + +files/ncpfs-2.2.6-remove-packed-attrib.patch, +files/ipx.confd, + +files/ipx.init: + Add two patches to ncpfs, one to correct several vulnerabilities (#308071) + and another to remove unneeded __attribute((packed)) directives to make the + build look a lot cleaner. Also imported an init.d script and companion conf.d + file for starting up/shutting down IPX through the init system. The init + script should address #238688 in this package. Also fixed #126323 by + installing headers for ncpfs into /usr/include. And removed the -r0 ebuild. 08 Oct 2010; Matti Bickel <mabi@gentoo.org> ncpfs-2.2.6-r1.ebuild: change virtual/php to dev-lang/php (bug #319623)
diff --git a/net-fs/ncpfs/files/ipx.confd b/net-fs/ncpfs/files/ipx.confd
new file mode 100644
index 000000000000..026a2993beca
--- /dev/null
+++ b/net-fs/ncpfs/files/ipx.confd
@@ -0,0 +1,28 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-fs/ncpfs/files/ipx.confd,v 1.1 2011/02/10 09:26:38 kumba Exp $
+
+# Config file for /etc/init.d/ipx
+
+# Automatically selecting a primary interface.
+IPX_AUTO_PRIMARY=on
+
+# Automatically creating interfaces.
+IPX_AUTO_INTERFACE=on
+
+# Interface to which IPX sockets are bound.
+IPX_DEVICE=eth0
+
+# The IPX frame type to use.
+# Valid values are: 802.2, 802.3, SNAP, & EtherII.
+IPX_FRAME=802.2
+
+# Create a special kind of IPX interface that does not
+# have a physical device or frame type.
+IPX_INTERNAL_NET=no
+
+# Network number
+IPX_NETNUM=1
+
+# Node number
+IPX_NODENUM=1
diff --git a/net-fs/ncpfs/files/ipx.init b/net-fs/ncpfs/files/ipx.init
new file mode 100644
index 000000000000..4ad8cf0880a0
--- /dev/null
+++ b/net-fs/ncpfs/files/ipx.init
@@ -0,0 +1,42 @@
+#!/sbin/runscript
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-fs/ncpfs/files/ipx.init,v 1.1 2011/02/10 09:26:38 kumba Exp $
+
+#NB: Config is in /etc/conf.d/ipx
+
+depend() {
+ need net netmount
+}
+
+start() {
+ local retval=0
+
+ ebegin "Bringing IPX up"
+ if [ ${IPX_INTERNAL_NET} = "yes" ]
+ then
+ /usr/bin/ipx_internal_net add ${IPX_NETNUM} ${IPX_NODENUM}
+ retval=$?
+ else
+ /usr/bin/ipx_interface add -p ${IPX_DEVICE} \
+ ${IPX_FRAME} ${IPX_NETNUM}
+ retval=$?
+ fi
+
+ /usr/bin/ipx_configure \
+ --auto_primary=${IPX_AUTO_PRIMARY} \
+ --auto_interface=${IPX_AUTO_INTERFACE}
+ retval=$(( $retval + $? ))
+ eend ${retval} "Failed to bring IPX up"
+}
+
+stop() {
+ local retval=0
+
+ ebegin "Bringing IPX down"
+ /usr/bin/ipx_configure --auto_primary=off --auto_interface=off
+ retval=$?
+ /usr/bin/ipx_interface delall
+ retval=$(( $retval + $? ))
+ eend ${retval} "Failed to down IPX"
+}
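Review bot: In start() of ipx.init the test `if [ ${IPX_INTERNAL_NET} = "yes" ]` expands the variable unquoted, so an empty or missing IPX_INTERNAL_NET in /etc/conf.d/ipx makes `[` report a syntax error and the script drops into the else branch without saying why; it should read `if [ "${IPX_INTERNAL_NET}" = "yes" ]`. The other conf.d values are handed to ipx_internal_net, ipx_interface and ipx_configure unquoted as well, and these run as root from the init system, so quoting each expansion (for example `"${IPX_DEVICE}" "${IPX_FRAME}" "${IPX_NETNUM}"`) keeps a stray space or glob character in the config from turning into extra arguments. start() also goes on to run ipx_configure after a failed interface add; if that is intended, a one-line comment saying so would help.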
diff --git a/net-fs/ncpfs/files/ncpfs-2.2.6-multiple-vulns.patch b/net-fs/ncpfs/files/ncpfs-2.2.6-multiple-vulns.patch
new file mode 100644
index 000000000000..a43c6ea00548
--- /dev/null
+++ b/net-fs/ncpfs/files/ncpfs-2.2.6-multiple-vulns.patch
@@ -0,0 +1,557 @@
+From: Dan Rosenberg <dan.j.rosenberg () gmail com>
+Date: Fri, 5 Mar 2010 12:06:01 -0500
+
+============================================
+ ncpfs, Multiple Vulnerabilities
+ March 5, 2010
+ CVE-2010-0788, CVE-2010-0790, CVE-2010-0791
+============================================
+
+==Description==
+
+The ncpmount, ncpumount, and ncplogin utilities, installed as part of the ncpfs
+package, contain several vulnerabilities.
+
+1. ncpmount, ncpumount, and ncplogin are vulnerable to race conditions that
+allow a local attacker to unmount arbitrary mountpoints, causing
+denial-of-service, or mount Netware shares to arbitrary directories,
+potentially leading to root compromise. This issue was formerly assigned
+CVE-2009-3297, but has since been re-assigned CVE-2010-0788 to avoid overlap
+with related bugs in other packages.
+
+2. ncpumount is vulnerable to an information disclosure vulnerability that
+allows a local attacker to verify the existence of arbitrary files, violating
+directory permissions. This issue has been assigned CVE-2010-0790.
+
+3. ncpmount, ncpumount, and ncplogin create lockfiles insecurely, allowing a
+local attacker to leave a stale lockfile at /etc/mtab~, causing other mount
+utilities to fail and creating denial-of-service conditions. This issue has
+been assigned CVE-2010-0791.
+
+==Workaround==
+
+If unprivileged users do not need the ability to mount and unmount Netware
+shares, then the suid bit should be removed from these utilities.
+
+==Solution==
+
+A patch has been released that resolves these issues (attached to this
+advisory). ncpfs-2.2.6.partial.patch is intended for ncpfs releases that have
+already been patched against the first vulnerability in this report
+(CVE-2010-0788, formerly CVE-2009-3297). It has been tested against the latest
+ncpfs packages distributed by Fedora, Red Hat, and Mandriva.
+ncpfs-2.2.6.full.patch is intended for ncpfs releases that have not been
+patched against any of these vulnerabilities. It has been tested against the
+latest ncpfs packages distributed by Debian, Ubuntu, and the upstream release
+(ftp://platan.vc.cvut.cz/pub/linux/ncpfs/).
+
+Users are advised to recompile from source, or request updated packages from
+downstream distributors.
+
+==Credits==
+
+These vulnerabilities were discovered by Dan Rosenberg
+(dan.j.rosenberg () gmail com).
+Thanks to Vitezslav Crhonek for the patch against the first issue.
+
+==References==
+
+CVE identifiers CVE-2010-0788, CVE-2010-0790, and CVE-2010-0791 have been
+assigned to these issues.
+
+http://seclists.org/fulldisclosure/2010/Mar/122
+
+
+diff -ur ncpfs-2.2.6.orig/sutil/ncplogin.c ncpfs-2.2.6/sutil/ncplogin.c
+--- ncpfs-2.2.6.orig/sutil/ncplogin.c 2010-03-03 16:18:59.000000000 -0500
++++ ncpfs-2.2.6/sutil/ncplogin.c 2010-03-03 16:17:41.000000000 -0500
+@@ -934,7 +934,9 @@
+ NWDSFreeContext(ctx);
+ /* ncpmap, ncplogin must write in /etc/mtab */
+ {
++ block_sigs();
+ add_mnt_entry(mount_name, mount_point, info.flags);
++ unblock_sigs();
+ }
+ free(mount_name);
+ if (info.echo_mnt_pnt) {
+diff -ur ncpfs-2.2.6.orig/sutil/ncpm_common.c ncpfs-2.2.6/sutil/ncpm_common.c
+--- ncpfs-2.2.6.orig/sutil/ncpm_common.c 2010-03-03 16:18:59.000000000 -0500
++++ ncpfs-2.2.6/sutil/ncpm_common.c 2010-03-03 16:17:41.000000000 -0500
+@@ -360,7 +360,7 @@
+ #endif
+
+ static inline int ncpm_suser(void) {
+- return setreuid(-1, 0);
++ return setresuid(0, 0, myuid);
+ }
+
+ static int ncpm_normal(void) {
+@@ -368,11 +368,31 @@
+ int v;
+
+ e = errno;
+- v = setreuid(-1, myuid);
++ v = setresuid(myuid, myuid, 0);
+ errno = e;
+ return v;
+ }
+
++void block_sigs(void) {
++
++ sigset_t mask, orig_mask;
++ sigfillset(&mask);
++
++ if(sigprocmask(SIG_SETMASK, &mask, &orig_mask) < 0) {
++ errexit(-1, _("Blocking signals failed.\n"));
++ }
++}
++
++void unblock_sigs(void) {
++
++ sigset_t mask, orig_mask;
++ sigemptyset(&mask);
++
++ if (sigprocmask(SIG_SETMASK, &mask, &orig_mask) < 0) {
++ errexit(-1, _("Un-blocking signals failed.\n"));
++ }
++}
++
+ static int proc_ncpm_mount(const char* source, const char* target, const char* filesystem, unsigned long mountflags, const void* data) {
+ int v;
+ int e;
+@@ -444,7 +464,7 @@
+ }
+ datav2.file_mode = data->file_mode;
+ datav2.dir_mode = data->dir_mode;
+- err = proc_ncpm_mount(mount_name, data->mount_point, "ncpfs", flags, (void*) &datav2);
++ err = proc_ncpm_mount(mount_name, ".", "ncpfs", flags, (void*) &datav2);
+ if (err)
+ return errno;
+ return 0;
+@@ -508,7 +528,7 @@
+ exit(0); /* Should not return from process_connection */
+ }
+ close(pp[0]);
+- err=proc_ncpm_mount(mount_name, data->mount_point, "ncpfs", flags, (void*) &datav3);
++ err=proc_ncpm_mount(mount_name, ".", "ncpfs", flags, (void*) &datav3);
+ if (err) {
+ err = errno;
+ /* Mount unsuccesful so we have to kill daemon */
+@@ -559,7 +579,7 @@
+ sprintf(mountopts, "version=%u,flags=%u,owner=%u,uid=%u,gid=%u,mode=%u,dirmode=%u,timeout=%u,retry=%u,wdogpid=%u,ncpfd=%u,infofd=%u",
+ NCP_MOUNT_VERSION_V5, ncpflags, data->mounted_uid, data->uid, data->gid, data->file_mode,
+ data->dir_mode, data->time_out, data->retry_count, wdog_pid, data->ncp_fd, pp[1]);
+- err=proc_ncpm_mount(mount_name, data->mount_point, "ncpfs", flags, mountopts);
++ err=proc_ncpm_mount(mount_name, ".", "ncpfs", flags, mountopts);
+ } else {
+ err=-1;
+ }
+@@ -577,7 +597,7 @@
+ datav4.file_mode = data->file_mode;
+ datav4.dir_mode = data->dir_mode;
+ datav4.wdog_pid = wdog_pid;
+- err = proc_ncpm_mount(mount_name, data->mount_point, "ncpfs", flags, (void*)&datav4);
++ err = proc_ncpm_mount(mount_name, ".", "ncpfs", flags, (void*)&datav4);
+ if (err) {
+ err = errno;
+ /* Mount unsuccesful so we have to kill daemon */
+@@ -1395,6 +1415,17 @@
+ }
+ #endif /* MOUNT3 */
+
++static int check_name(const char *name)
++{
++ char *s;
++ for (s = "\n\t\\"; *s; s++) {
++ if (strchr(name, *s)) {
++ return -1;
++ }
++ }
++ return 0;
++}
++
+ static const struct smntflags {
+ unsigned int flag;
+ const char* name;
+@@ -1416,6 +1447,9 @@
+ int fd;
+ FILE* mtab;
+
++ if (check_name(mount_name) == -1 || check_name(mpnt) == -1)
++ errexit(107, _("Illegal character in mount entry\n"));
++
+ ment.mnt_fsname = mount_name;
+ ment.mnt_dir = mpnt;
+ ment.mnt_type = (char*)"ncpfs";
+diff -ur ncpfs-2.2.6.orig/sutil/ncpm_common.h ncpfs-2.2.6/sutil/ncpm_common.h
+--- ncpfs-2.2.6.orig/sutil/ncpm_common.h 2010-03-03 16:18:59.000000000 -0500
++++ ncpfs-2.2.6/sutil/ncpm_common.h 2010-03-03 16:17:41.000000000 -0500
+@@ -121,6 +121,9 @@
+ int proc_aftermount(const struct ncp_mount_info* info, NWCONN_HANDLE* conn);
+ int proc_ncpm_umount(const char* dir);
+
++void block_sigs(void);
++void unblock_sigs(void);
++
+ #define UNUSED(x) x __attribute__((unused))
+
+ #endif /* __NCPM_COMMON_H__ */
+diff -ur ncpfs-2.2.6.orig/sutil/ncpmount.c ncpfs-2.2.6/sutil/ncpmount.c
+--- ncpfs-2.2.6.orig/sutil/ncpmount.c 2010-03-03 16:18:59.000000000 -0500
++++ ncpfs-2.2.6/sutil/ncpmount.c 2010-03-03 16:17:41.000000000 -0500
+@@ -359,11 +359,17 @@
+ usage();
+ return -1;
+ }
++
+ realpath(argv[optind], mount_point);
+
+- if (stat(mount_point, &st) == -1)
++ if (chdir(mount_point))
++ {
++ errexit(31, _("Could not change directory into mount target %s: %s\n"),
++ mount_point, strerror(errno));
++ }
++ if (stat(".", &st) == -1)
+ {
+- errexit(31, _("Could not find mount point %s: %s\n"),
++ errexit(31, _("Mount point %s does not exist: %s\n"),
+ mount_point, strerror(errno));
+ }
+ if (mount_ok(&st) != 0)
+@@ -714,7 +720,9 @@
+ ncp_close(conn);
+
+ if (!opt_n) {
++ block_sigs();
+ add_mnt_entry(mount_name, mount_point, info.flags);
++ unblock_sigs();
+ }
+ return 0;
+ }
+diff -ur ncpfs-2.2.6.orig/sutil/ncpumount.c ncpfs-2.2.6/sutil/ncpumount.c
+--- ncpfs-2.2.6.orig/sutil/ncpumount.c 2010-03-03 16:18:59.000000000 -0500
++++ ncpfs-2.2.6/sutil/ncpumount.c 2010-03-03 16:17:41.000000000 -0500
+@@ -70,13 +70,24 @@
+ #include <mntent.h>
+ #include <pwd.h>
+
++#include <sched.h>
++
+ #include "private/libintl.h"
+
+ #define _(X) X
+
++#ifndef MS_REC
++#define MS_REC 16384
++#endif
++#ifndef MS_SLAVE
++#define MS_SLAVE (1<<19)
++#endif
++
+ static char *progname;
+ static int is_ncplogout = 0;
+
++uid_t uid;
++
+ static void
+ usage(void)
+ {
+@@ -117,6 +128,40 @@
+ va_end(ap);
+ }
+
++/* Mostly copied from ncpm_common.c */
++void block_sigs(void) {
++
++ sigset_t mask, orig_mask;
++ sigfillset(&mask);
++ sigdelset(&mask, SIGALRM); /* Need SIGALRM for ncpumount */
++
++ if(setresuid(0, 0, uid) < 0) {
++ eprintf("Failed to raise privileges.\n");
++ exit(-1);
++ }
++
++ if(sigprocmask(SIG_SETMASK, &mask, &orig_mask) < 0) {
++ eprintf("Blocking signals failed.\n");
++ exit(-1);
++ }
++}
++
++void unblock_sigs(void) {
++
++ sigset_t mask, orig_mask;
++ sigemptyset(&mask);
++
++ if(setresuid(uid, uid, 0) < 0) {
++ eprintf("Failed to drop privileges.\n");
++ exit(-1);
++ }
++
++ if(sigprocmask(SIG_SETMASK, &mask, &orig_mask) < 0) {
++ eprintf("Un-blocking signals failed.\n");
++ exit(-1);
++ }
++}
++
+ static void alarmSignal(int sig) {
+ (void)sig;
+ }
+@@ -192,10 +237,13 @@
+ if (!numEntries)
+ return 0; /* don't waste time ! */
+
++ block_sigs();
++
+ while ((fd = open(MOUNTED "~", O_RDWR | O_CREAT | O_EXCL, 0600)) == -1) {
+ struct timespec tm;
+
+ if (errno != EEXIST || retries == 0) {
++ unblock_sigs();
+ eprintf(_("Can't get %s~ lock file: %s\n"), MOUNTED, strerror(errno));
+ return 1;
+ }
+@@ -206,6 +254,7 @@
+ alarm(0);
+ close(fd);
+ if (err) {
++ unblock_sigs();
+ eprintf(_("Can't lock lock file %s~: %s\n"), MOUNTED, _("Lock timed out"));
+ return 1;
+ }
+@@ -223,26 +272,205 @@
+ err = __clearMtab(mount_points, numEntries);
+
+ if ((unlink(MOUNTED "~") == -1) && (err == 0)){
++ unblock_sigs();
+ eprintf(_("Can't remove %s~"), MOUNTED);
+ return 1;
+ }
++ unblock_sigs();
+ return err;
+ }
+
++
++int ncp_mnt_umount(const char *abs_mnt, const char *rel_mnt)
++{
++ if (umount(rel_mnt) != 0) {
++ eprintf(_("Could not umount %s: %s\n"),
++ abs_mnt, strerror(errno));
++ return -1;
++ }
++ return 0;
++}
++
++
++static int check_is_mount_child(void *p)
++{
++ const char **a = p;
++ const char *last = a[0];
++ const char *mnt = a[1];
++ int res;
++ const char *procmounts = "/proc/mounts";
++ int found;
++ FILE *fp;
++ struct mntent *entp;
++
++ res = mount("", "/", "", MS_SLAVE | MS_REC, NULL);
++ if (res == -1) {
++ eprintf(_("Failed to mark mounts slave: %s\n"),
++ strerror(errno));
++ return 1;
++ }
++
++ res = mount(".", "/tmp", "", MS_BIND | MS_REC, NULL);
++ if (res == -1) {
++ eprintf(_("Failed to bind parent to /tmp: %s\n"),
++ strerror(errno));
++ return 1;
++ }
++
++ fp = setmntent(procmounts, "r");
++ if (fp == NULL) {
++ eprintf(_("Failed to open %s: %s\n"),
++ procmounts, strerror(errno));
++ return 1;
++ }
++
++ found = 0;
++ while ((entp = getmntent(fp)) != NULL) {
++ if (strncmp(entp->mnt_dir, "/tmp/", 5) == 0 &&
++ strcmp(entp->mnt_dir + 5, last) == 0) {
++ found = 1;
++ break;
++ }
++ }
++ endmntent(fp);
++
++ if (!found) {
++ eprintf(_("%s not mounted\n"), mnt);
++ return 1;
++ }
++
++ return 0;
++}
++
++
++static int check_is_mount(const char *last, const char *mnt)
++{
++ char buf[131072];
++ pid_t pid, p;
++ int status;
++ const char *a[2] = { last, mnt };
++
++ pid = clone(check_is_mount_child, buf + 65536, CLONE_NEWNS, (void *) a);
++ if (pid == (pid_t) -1) {
++ eprintf(_("Failed to clone namespace: %s\n"),
++ strerror(errno));
++ return -1;
++ }
++ p = waitpid(pid, &status, __WCLONE);
++ if (p == (pid_t) -1) {
++ eprintf(_("Waitpid failed: %s\n"),
++ strerror(errno));
++ return -1;
++ }
++ if (!WIFEXITED(status)) {
++ eprintf(_("Child terminated abnormally (status %i)\n"),
++ status);
++ return -1;
++ }
++ if (WEXITSTATUS(status) != 0)
++ return -1;
++
++ return 0;
++}
++
++
++static int chdir_to_parent(char *copy, const char **lastp, int *currdir_fd)
++{
++ char *tmp;
++ const char *parent;
++ char buf[PATH_MAX];
++ int res;
++
++ tmp = strrchr(copy, '/');
++ if (tmp == NULL || tmp[1] == '\0') {
++ eprintf(_("Internal error: invalid abs path: <%s>\n"),
++ copy);
++ return -1;
++ }
++ if (tmp != copy) {
++ *tmp = '\0';
++ parent = copy;
++ *lastp = tmp + 1;
++ } else if (tmp[1] != '\0') {
++ *lastp = tmp + 1;
++ parent = "/";
++ } else {
++ *lastp = ".";
++ parent = "/";
++ }
++ *currdir_fd = open(".", O_RDONLY);
++ if (*currdir_fd == -1) {
++ eprintf(_("Failed to open current directory: %s\n"),
++ strerror(errno));
++ return -1;
++ }
++ res = chdir(parent);
++ if (res == -1) {
++ eprintf(_("Failed to chdir to %s: %s\n"),
++ parent, strerror(errno));
++ return -1;
++ }
++ if (getcwd(buf, sizeof(buf)) == NULL) {
++ eprintf(_("Failed to obtain current directory: %s\n"),
++ strerror(errno));
++ return -1;
++ }
++ if (strcmp(buf, parent) != 0) {
++ eprintf(_("Mountpoint moved (%s -> %s)\n"),
++ parent, buf);
++ return -1;
++
++ }
++
++ return 0;
++}
++
++
++static int unmount_ncp(const char *mount_point)
++{
++ int currdir_fd = -1;
++ char *copy;
++ const char *last;
++ int res;
++
++ copy = strdup(mount_point);
++ if (copy == NULL) {
++ eprintf(_("Failed to allocate memory\n"));
++ return -1;
++ }
++ res = chdir_to_parent(copy, &last, &currdir_fd);
++ if (res == -1)
++ goto out;
++ res = check_is_mount(last, mount_point);
++ if (res == -1)
++ goto out;
++ res = ncp_mnt_umount(mount_point, last);
++
++out:
++ free(copy);
++ if (currdir_fd != -1) {
++ fchdir(currdir_fd);
++ close(currdir_fd);
++ }
++
++ return res;
++}
++
+ static int
+ do_umount(const char *mount_point)
+ {
+ int fid = open(mount_point, O_RDONLY, 0);
+ uid_t mount_uid;
++ int res;
+
+ if (fid == -1) {
+- eprintf(_("Could not open %s: %s\n"),
+- mount_point, strerror(errno));
++ eprintf(_("Invalid or unauthorized mountpoint %s\n"),
++ mount_point);
+ return -1;
+ }
+ if (ncp_get_mount_uid(fid, &mount_uid) != 0) {
+ close(fid);
+- eprintf(_("%s probably not ncp-filesystem\n"),
++ eprintf(_("Invalid or unauthorized mountpoint %s\n"),
+ mount_point);
+ return -1;
+ }
+@@ -253,12 +481,8 @@
+ return -1;
+ }
+ close(fid);
+- if (umount(mount_point) != 0) {
+- eprintf(_("Could not umount %s: %s\n"),
+- mount_point, strerror(errno));
+- return -1;
+- }
+- return 0;
++ res = unmount_ncp(mount_point);
++ return res;
+ }
+
+
+@@ -409,7 +633,8 @@
+ int allConns = 0;
+ const char *serverName = NULL;
+ const char *treeName = NULL;
+- uid_t uid = getuid();
++
++ uid = getuid();
+
+ progname = strrchr(argv[0], '/');
+ if (progname) {
diff --git a/net-fs/ncpfs/files/ncpfs-2.2.6-remove-packed-attrib.patch b/net-fs/ncpfs/files/ncpfs-2.2.6-remove-packed-attrib.patch
new file mode 100644
index 000000000000..40267c728710
--- /dev/null
+++ b/net-fs/ncpfs/files/ncpfs-2.2.6-remove-packed-attrib.patch
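Review bot: In the ncpumount.c part of the embedded patch, do_umount() does its ownership check on `fid` and closes it before unmount_ncp() walks the path a second time, and ncp_mnt_umount() then calls plain `umount(rel_mnt)`, which resolves a symbolic link in the last component. chdir_to_parent() and check_is_mount() narrow the race described under CVE-2010-0788, but as far as the visible lines show nothing ties the final call to the object that was checked; where the kernel and libc offer it, `umount2(rel_mnt, UMOUNT_NOFOLLOW)` makes the call fail instead of following a link. Both unblock_sigs() variants (ncpm_common.c and ncpumount.c) install an empty mask rather than the one block_sigs() read into its local `orig_mask` and then discarded, so a mask inherited from the caller is not restored; a file-scope `static sigset_t saved_mask;` restored with `sigprocmask(SIG_SETMASK, &saved_mask, NULL)` would keep it. The middle of do_umount(), between the two inner hunks, is not shown, so the uid comparison itself could not be reviewed.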
@@ -0,0 +1,297 @@
+diff -Naurp ncpfs-2.2.6.orig//include/ncp/ipxlib.h ncpfs-2.2.6//include/ncp/ipxlib.h
+--- ncpfs-2.2.6.orig//include/ncp/ipxlib.h 2005-01-27 12:35:59.000000000 -0500
++++ ncpfs-2.2.6//include/ncp/ipxlib.h 2011-02-10 02:38:18.822076000 -0500
+@@ -64,12 +64,12 @@ struct sap_query
+ struct sap_server_ident
+ {
+ u_int16_t server_type __attribute__((packed));
+- char server_name[48] __attribute__((packed));
++ char server_name[48];
+ IPXNet server_network __attribute__((packed));
+ #ifdef SWIG
+ u_int8_t server_node[6] __attribute__((packed));
+ #else
+- IPXNode server_node __attribute__((packed));
++ IPXNode server_node;
+ #endif
+ IPXPort server_port __attribute__((packed));
+ u_int16_t intermediate_network __attribute__((packed));
+@@ -87,7 +87,7 @@ struct ipx_rt_def {
+ struct ipx_rip_packet
+ {
+ u_int16_t operation __attribute__((packed));
+- struct ipx_rt_def rt[1] __attribute__((packed));
++ struct ipx_rt_def rt[1];
+ };
+
+ #ifdef SWIG
+diff -Naurp ncpfs-2.2.6.orig//include/ncp/kernel/ncp.h ncpfs-2.2.6//include/ncp/kernel/ncp.h
+--- ncpfs-2.2.6.orig//include/ncp/kernel/ncp.h 2005-01-27 12:35:59.000000000 -0500
++++ ncpfs-2.2.6//include/ncp/kernel/ncp.h 2011-02-10 02:38:18.822076000 -0500
+@@ -53,12 +53,12 @@
+
+ struct ncp_request_header {
+ u_int16_t type __attribute__((packed));
+- u_int8_t sequence __attribute__((packed));
+- u_int8_t conn_low __attribute__((packed));
+- u_int8_t task __attribute__((packed));
+- u_int8_t conn_high __attribute__((packed));
+- u_int8_t function __attribute__((packed));
+- u_int8_t data[0] __attribute__((packed));
++ u_int8_t sequence;
++ u_int8_t conn_low;
++ u_int8_t task;
++ u_int8_t conn_high;
++ u_int8_t function;
++ u_int8_t data[0];
+ };
+
+ #define NCP_REPLY (0x3333)
+@@ -66,13 +66,13 @@ struct ncp_request_header {
+
+ struct ncp_reply_header {
+ u_int16_t type __attribute__((packed));
+- u_int8_t sequence __attribute__((packed));
+- u_int8_t conn_low __attribute__((packed));
+- u_int8_t task __attribute__((packed));
+- u_int8_t conn_high __attribute__((packed));
+- u_int8_t completion_code __attribute__((packed));
+- u_int8_t connection_state __attribute__((packed));
+- u_int8_t data[0] __attribute__((packed));
++ u_int8_t sequence;
++ u_int8_t conn_low;
++ u_int8_t task;
++ u_int8_t conn_high;
++ u_int8_t completion_code;
++ u_int8_t connection_state;
++ u_int8_t data[0];
+ };
+
+ #define NCP_VOLNAME_LEN (16)
+@@ -230,8 +230,8 @@ struct nw_info_struct {
+ u_int32_t EAKeyCount __attribute__((packed));
+ u_int32_t EAKeySize __attribute__((packed));
+ u_int32_t NSCreator __attribute__((packed));
+- u_int8_t nameLen __attribute__((packed));
+- u_int8_t entryName[256] __attribute__((packed));
++ u_int8_t nameLen;
++ u_int8_t entryName[256];
+ };
+ #endif
+
+@@ -282,13 +282,13 @@ struct nw_file_info {
+ int opened;
+ int access;
+ u_int32_t server_file_handle __attribute__((packed));
+- u_int8_t open_create_action __attribute__((packed));
+- u_int8_t file_handle[6] __attribute__((packed));
++ u_int8_t open_create_action;
++ u_int8_t file_handle[6];
+ };
+ #endif
+
+ struct nw_search_sequence {
+- u_int8_t volNumber __attribute__((packed));
++ u_int8_t volNumber;
+ u_int32_t dirBase __attribute__((packed));
+ u_int32_t sequence __attribute__((packed));
+ };
+diff -Naurp ncpfs-2.2.6.orig//include/ncp/ncp.h ncpfs-2.2.6//include/ncp/ncp.h
+--- ncpfs-2.2.6.orig//include/ncp/ncp.h 2005-01-27 12:35:59.000000000 -0500
++++ ncpfs-2.2.6//include/ncp/ncp.h 2011-02-10 02:38:18.822076000 -0500
+@@ -95,7 +95,7 @@ struct prop_net_address {
+ #ifdef SWIG
+ fixedArray node[IPX_NODE_LEN];
+ #else
+- u_int8_t node[IPX_NODE_LEN] __attribute__((packed));
++ u_int8_t node[IPX_NODE_LEN];
+ #endif
+ u_int16_t port __attribute__((packed));
+ };
+@@ -163,20 +163,20 @@ struct nw_queue_job_entry {
+ u_int32_t ClientTask __attribute__((packed));
+ u_int32_t ClientObjectID __attribute__((packed));
+ u_int32_t TargetServerID __attribute__((packed));
+- u_int8_t TargetExecTime[6] __attribute__((packed));
+- u_int8_t JobEntryTime[6] __attribute__((packed));
++ u_int8_t TargetExecTime[6];
++ u_int8_t JobEntryTime[6];
+ u_int32_t JobNumber __attribute__((packed));
+ u_int16_t JobType __attribute__((packed));
+ u_int16_t JobPosition __attribute__((packed));
+ u_int16_t JobControlFlags __attribute__((packed));
+- u_int8_t FileNameLen __attribute__((packed));
+- char JobFileName[13] __attribute__((packed));
++ u_int8_t FileNameLen;
++ char JobFileName[13];
+ u_int32_t JobFileHandle __attribute__((packed));
+ u_int32_t ServerStation __attribute__((packed));
+ u_int32_t ServerTaskNumber __attribute__((packed));
+ u_int32_t ServerObjectID __attribute__((packed));
+- char JobTextDescription[50] __attribute__((packed));
+- char ClientRecordArea[152] __attribute__((packed));
++ char JobTextDescription[50];
++ char ClientRecordArea[152];
+ };
+
+ struct queue_job {
+@@ -217,18 +217,18 @@ struct print_job_record {
+ };
+ #else
+ struct print_job_record {
+- u_int8_t Version __attribute__((packed));
+- u_int8_t TabSize __attribute__((packed));
++ u_int8_t Version;
++ u_int8_t TabSize;
+ u_int16_t Copies __attribute__((packed));
+ u_int16_t CtrlFlags __attribute__((packed));
+ u_int16_t Lines __attribute__((packed));
+ u_int16_t Rows __attribute__((packed));
+- char FormName[16] __attribute__((packed));
+- u_int8_t Reserved[6] __attribute__((packed));
+- char BannerName[13] __attribute__((packed));
+- char FnameBanner[13] __attribute__((packed));
+- char FnameHeader[14] __attribute__((packed));
+- char Path[80] __attribute__((packed));
++ char FormName[16];
++ u_int8_t Reserved[6];
++ char BannerName[13];
++ char FnameBanner[13];
++ char FnameHeader[14];
++ char Path[80];
+ };
+ #endif
+
+diff -Naurp ncpfs-2.2.6.orig//include/ncp/ncplib.h ncpfs-2.2.6//include/ncp/ncplib.h
+--- ncpfs-2.2.6.orig//include/ncp/ncplib.h 2005-01-27 12:35:59.000000000 -0500
++++ ncpfs-2.2.6//include/ncp/ncplib.h 2011-02-10 02:38:18.822076000 -0500
+@@ -462,24 +462,24 @@ struct ncp_file_server_info
+ #else
+ struct ncp_file_server_info
+ {
+- u_int8_t ServerName[48] __attribute__((packed));
+- u_int8_t FileServiceVersion __attribute__((packed));
+- u_int8_t FileServiceSubVersion __attribute__((packed));
++ u_int8_t ServerName[48];
++ u_int8_t FileServiceVersion;
++ u_int8_t FileServiceSubVersion;
+ u_int16_t MaximumServiceConnections __attribute__((packed));
+ u_int16_t ConnectionsInUse __attribute__((packed));
+ u_int16_t NumberMountedVolumes __attribute__((packed));
+- u_int8_t Revision __attribute__((packed));
+- u_int8_t SFTLevel __attribute__((packed));
+- u_int8_t TTSLevel __attribute__((packed));
++ u_int8_t Revision;
++ u_int8_t SFTLevel;
++ u_int8_t TTSLevel;
+ u_int16_t MaxConnectionsEverUsed __attribute__((packed));
+- u_int8_t AccountVersion __attribute__((packed));
+- u_int8_t VAPVersion __attribute__((packed));
+- u_int8_t QueueVersion __attribute__((packed));
+- u_int8_t PrintVersion __attribute__((packed));
+- u_int8_t VirtualConsoleVersion __attribute__((packed));
+- u_int8_t RestrictionLevel __attribute__((packed));
+- u_int8_t InternetBridge __attribute__((packed));
+- u_int8_t Reserved[60] __attribute__((packed));
++ u_int8_t AccountVersion;
++ u_int8_t VAPVersion;
++ u_int8_t QueueVersion;
++ u_int8_t PrintVersion;
++ u_int8_t VirtualConsoleVersion;
++ u_int8_t RestrictionLevel;
++ u_int8_t InternetBridge;
++ u_int8_t Reserved[60];
+ };
+ #endif
+
+@@ -592,7 +592,7 @@ struct ncp_station_addr
+ #ifdef SWIG
+ fixedArray Node[6];
+ #else
+- u_int8_t Node[6] __attribute__((packed));
++ u_int8_t Node[6];
+ #endif
+ u_int16_t Socket __attribute__((packed));
+ };
+@@ -602,32 +602,32 @@ struct ncp_prop_login_control
+ #ifdef SWIG
+ fixedArray AccountExpireDate[3];
+ #else
+- u_int8_t AccountExpireDate[3] __attribute__((packed));
++ u_int8_t AccountExpireDate[3];
+ #endif
+- u_int8_t Disabled __attribute__((packed));
++ u_int8_t Disabled;
+ #ifdef SWIG
+ fixedArray PasswordExpireDate[3];
+ #else
+- u_int8_t PasswordExpireDate[3] __attribute__((packed));
++ u_int8_t PasswordExpireDate[3];
+ #endif
+- u_int8_t GraceLogins __attribute__((packed));
++ u_int8_t GraceLogins;
+ u_int16_t PasswordExpireInterval __attribute__((packed));
+- u_int8_t MaxGraceLogins __attribute__((packed));
+- u_int8_t MinPasswordLength __attribute__((packed));
++ u_int8_t MaxGraceLogins;
++ u_int8_t MinPasswordLength;
+ u_int16_t MaxConnections __attribute__((packed));
+ #ifdef SWIG
+ fixedArray ConnectionTimeMask[42] __attribute__((packed));
+ fixedArray LastLogin[6] __attribute__((packed));
+ #else
+- u_int8_t ConnectionTimeMask[42] __attribute__((packed));
+- u_int8_t LastLogin[6] __attribute__((packed));
++ u_int8_t ConnectionTimeMask[42];
++ u_int8_t LastLogin[6];
+ #endif
+- u_int8_t RestrictionMask __attribute__((packed));
+- u_int8_t reserved __attribute__((packed));
++ u_int8_t RestrictionMask;
++ u_int8_t reserved;
+ u_int32_t MaxDiskUsage __attribute__((packed));
+ u_int16_t BadLoginCount __attribute__((packed));
+ u_int32_t BadLoginCountDown __attribute__((packed));
+- struct ncp_station_addr LastIntruder __attribute__((packed));
++ struct ncp_station_addr LastIntruder;
+ };
+
+ NWCCODE NWReadPropertyValue(NWCONN_HANDLE conn, const char *objName,
+diff -Naurp ncpfs-2.2.6.orig//ipx-1.0/ipx_cmd.c ncpfs-2.2.6//ipx-1.0/ipx_cmd.c
+--- ncpfs-2.2.6.orig//ipx-1.0/ipx_cmd.c 2005-01-27 12:35:59.000000000 -0500
++++ ncpfs-2.2.6//ipx-1.0/ipx_cmd.c 2011-02-10 02:40:19.222076002 -0500
+@@ -63,8 +63,8 @@
+ /* we are doing EthernetII... Any objections? */
+ struct {
+ u_int16_t unknown __attribute__((packed));
+- u_int8_t dst[6] __attribute__((packed));
+- u_int8_t src[6] __attribute__((packed));
++ u_int8_t dst[6];
++ u_int8_t src[6];
+ u_int16_t type __attribute__((packed));
+ u_int8_t ipx[16384];
+ } buffer;
+diff -Naurp ncpfs-2.2.6.orig//lib/ncplib.c ncpfs-2.2.6//lib/ncplib.c
+--- ncpfs-2.2.6.orig//lib/ncplib.c 2011-02-10 02:38:05.000000000 -0500
++++ ncpfs-2.2.6//lib/ncplib.c 2011-02-10 02:38:18.822076000 -0500
+@@ -2584,13 +2584,13 @@ ncp_request(struct ncp_conn *conn, int f
+
+ struct nw_time_buffer
+ {
+- u_int8_t year __attribute__((packed));
+- u_int8_t month __attribute__((packed));
+- u_int8_t day __attribute__((packed));
+- u_int8_t hour __attribute__((packed));
+- u_int8_t minute __attribute__((packed));
+- u_int8_t second __attribute__((packed));
+- u_int8_t wday __attribute__((packed));
++ u_int8_t year;
++ u_int8_t month;
++ u_int8_t day;
++ u_int8_t hour;
++ u_int8_t minute;
++ u_int8_t second;
++ u_int8_t wday;
+ };
+
+ static time_t
diff --git a/net-fs/ncpfs/ncpfs-2.2.6-r1.ebuild b/net-fs/ncpfs/ncpfs-2.2.6-r1.ebuild
index 18fa69e28752..7a451a159976 100644
--- a/net-fs/ncpfs/ncpfs-2.2.6-r1.ebuild
+++ b/net-fs/ncpfs/ncpfs-2.2.6-r1.ebuild
@@ -1,6 +1,6 @@ -# Copyright 1999-2010 Gentoo Foundation +# Copyright 1999-2011 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-fs/ncpfs/ncpfs-2.2.6-r1.ebuild,v 1.2 2010/10/08 16:22:59 mabi Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-fs/ncpfs/ncpfs-2.2.6-r1.ebuild,v 1.3 2011/02/10 09:26:38 kumba Exp $ EAPI="2"
@@ -19,6 +19,8 @@ DEPEND="nls? ( sys-devel/gettext ) pam? ( virtual/pam ) php? ( || ( dev-lang/php virtual/httpd-php ) )" +RDEPEND="${DEPEND}" + src_prepare() { # add patch for PHP extension sandbox violation epatch "${FILESDIR}"/${PN}-2.2.5-php.patch
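Review bot: Three of the members that lose `__attribute__((packed))` in the embedded remove-packed-attrib patch are not single bytes or byte arrays: `struct ipx_rt_def rt[1]` in ipx_rip_packet, `IPXNode server_node` in sap_server_ident and `struct ncp_station_addr LastIntruder` in ncp_prop_login_control. For `u_int8_t` and `char` members the attribute is a no-op, but for these three the layout is unchanged only if the member type itself has alignment 1, and those definitions are not fully visible in the hunks. The structs look like on-the-wire NCP/IPX records, so a silent padding change would make received data be read at the wrong offsets. A compile-time size check per affected struct, for example `typedef char login_control_size_check[sizeof(struct ncp_prop_login_control) == EXPECTED_SIZE ? 1 : -1];` with EXPECTED_SIZE (a placeholder here) taken from a build before this patch, would pin the layout.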
diff --git a/net-fs/ncpfs/ncpfs-2.2.6-r2.ebuild b/net-fs/ncpfs/ncpfs-2.2.6-r2.ebuild
new file mode 100644
index 000000000000..678896ea59b7
--- /dev/null
+++ b/net-fs/ncpfs/ncpfs-2.2.6-r2.ebuild
@@ -0,0 +1,68 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-fs/ncpfs/ncpfs-2.2.6-r2.ebuild,v 1.1 2011/02/10 09:26:38 kumba Exp $
+
+EAPI="2"
+
+inherit eutils pam
+
+DESCRIPTION="Provides Access to Netware services using the NCP protocol"
+HOMEPAGE="ftp://platan.vc.cvut.cz/pub/linux/ncpfs/"
+SRC_URI="ftp://platan.vc.cvut.cz/pub/linux/${PN}/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~ppc64 ~x86"
+IUSE="nls pam php"
+
+DEPEND="nls? ( sys-devel/gettext )
+ pam? ( virtual/pam )
+ php? ( || ( dev-lang/php virtual/httpd-php ) )"
+
+RDEPEND="${DEPEND}"
+
+src_prepare() {
+ # Add patch for PHP extension sandbox violation
+ epatch "${FILESDIR}"/${PN}-2.2.5-php.patch
+ epatch "${FILESDIR}"/${P}-gcc4.patch
+ epatch "${FILESDIR}"/${P}-missing-includes.patch
+
+ # Add a patch to fix multiple vulnerabilities.
+ # CVE-2010-0788, CVE-2010-0790, & CVE-2010-0791.
+ # http://seclists.org/fulldisclosure/2010/Mar/122
+ epatch "${FILESDIR}"/${P}-multiple-vulns.patch
+
+ # Add a patch that removes the __attribute__((packed)); directive
+ # from several struct members in include/ncp/ncplib.h. This will
+ # cut down on a large number of compile warnings generated by modern
+ # gcc releases.
+ epatch "${FILESDIR}"/${P}-remove-packed-attrib.patch
+
+ # Bug #273484
+ sed -i '/ldconfig/d' lib/Makefile.in
+
+ # Hack to inject LDFLAGS into the build
+ sed -i '/^LIBS/s:=:= @LDFLAGS@:' `find -name Makefile.in` || die
+}
+
+src_configure() {
+ econf \
+ $(use_enable nls) \
+ $(use_enable pam pam "$(getpam_mod_dir)") \
+ $(use_enable php)
+}
+
+src_install() {
+ dodir $(getpam_mod_dir) /usr/sbin /sbin
+
+ # Install the main programs, then the headers.
+ emake DESTDIR="${D}" install || die
+ emake DESTDIR="${D}" install-dev || die
+
+ # Install a startup script in /etc/init.d and a conf file in /etc/conf.d
+ newconfd "${FILESDIR}"/ipx.confd ipx
+ newinitd "${FILESDIR}"/ipx.init ipx
+
+ # Docs
+ dodoc FAQ README
+}
diff --git a/net-fs/ncpfs/ncpfs-2.2.6.ebuild b/net-fs/ncpfs/ncpfs-2.2.6.ebuild
deleted file mode 100644
index 98d751d56e4a..000000000000
--- a/net-fs/ncpfs/ncpfs-2.2.6.ebuild
+++ /dev/null
@@ -1,52 +0,0 @@
-# Copyright 1999-2008 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-fs/ncpfs/ncpfs-2.2.6.ebuild,v 1.5 2008/05/14 22:16:53 flameeyes Exp $
-
-inherit eutils confutils
-
-IUSE="nls pam php"
-
-DESCRIPTION="Provides Access to Netware services using the NCP protocol (Kernel support must be activated!)"
-SRC_URI="ftp://platan.vc.cvut.cz/pub/linux/${PN}/${P}.tar.gz"
-HOMEPAGE="ftp://platan.vc.cvut.cz/pub/linux/ncpfs/"
-
-SLOT="0"
-LICENSE="GPL-2"
-KEYWORDS="x86 ~amd64 ~ppc ppc64"
-
-DEPEND="nls? ( sys-devel/gettext )
- pam? ( virtual/pam )
- php? ( || ( virtual/php virtual/httpd-php ) )"
-
-src_unpack() {
- unpack ${A}
-
- # add patch for PHP extension sandbox violation
- cd ${S} || die "Unable to cd to ${S}"
- epatch "${FILESDIR}"/${PN}-2.2.5-php.patch || die "Unable to apply PHP patch"
- epatch "${FILESDIR}"/${P}-gcc4.patch
- epatch "${FILESDIR}"/${P}-missing-includes.patch
-}
-
-src_compile() {
-
- local myconf
-
- myconf=
- enable_extension_enable "nls" "nls" 0
- enable_extension_enable "pam" "pam" 0
- enable_extension_enable "php" "php" 0
-
- econf ${myconf} || die "econf failed"
- emake || die
-}
-
-src_install () {
- # directory ${D}/lib/security needs to be created or the install fails
- dodir /lib/security
- dodir /usr/sbin
- dodir /sbin
- make DESTDIR=${D} install || die
-
- dodoc FAQ README
-} |
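Review bot: In src_prepare of ncpfs-2.2.6-r2.ebuild the first sed, `sed -i '/ldconfig/d' lib/Makefile.in`, has no `|| die`, unlike the sed two lines below it, so a failure there passes unnoticed under EAPI 2; append `|| die "sed lib/Makefile.in failed"`. The comment above the remove-packed-attrib epatch names only include/ncp/ncplib.h, while the patch added in this commit also touches ipxlib.h, kernel/ncp.h, ncp.h, ipx-1.0/ipx_cmd.c and lib/ncplib.c, so the comment should list them or say "several headers and sources". The revision carrying the CVE fixes has only ~arch KEYWORDS, whereas the removed ncpfs-2.2.6.ebuild was stable on x86 and ppc64; the visible -r1 hunks do not add the vulnerability patch, so it is worth confirming how stable users are meant to receive the fix.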