Development July 2016

development@lists.ipfire.org

14 participants
38 discussions

[PATCH 0/3] Update image libaries (libjpeg, libtiff, libpng)
by Marcel Lorenz 06 Oct '16

06 Oct '16

The next 3 patches update the image libaries to the last versions with many security fixes. They are necessary for apache 2.4.x update and other software (netpbm) Please merge this patches first. Marcel Lorenz (3): libjpeg: update to 1.4.2 libtiff: update to 4.0.6 libpng: update to 1.2.56 config/rootfiles/common/libjpeg | 19 +- config/rootfiles/common/libjpeg-compat | 33 ++++ config/rootfiles/common/libpng | 13 +- config/rootfiles/packages/libtiff | 310 ++++++++++++++++++--------------- lfs/libjpeg | 14 +- lfs/libjpeg-compat | 80 +++++++++ lfs/libpng | 11 +- lfs/libtiff | 13 +- make.sh | 1 + 9 files changed, 313 insertions(+), 181 deletions(-) create mode 100644 config/rootfiles/common/libjpeg-compat create mode 100644 lfs/libjpeg-compat -- 1.9.1

3 9

Betatest Guardian 2.0
by Stefan Schantl 24 Aug '16

24 Aug '16

Hello mailing list followers, this is the official release announcement for the first beta release of the new Guardian 2.0 approach. - What are the differences to the current version of guardian (legacy) and the first approach of guardian 2.0? The most important difference is, that the new version of Guardian 2.0 completely has been re-written from scratch and released under the terms of the GPLv3. The legacy version of guardian is not maintained anymore by it's developer and the software has been released without any license details at all. Guardian 2.0 has a very modular code base and has been designed as a multi-threaded application. This allows a parallel parsing of all monitored logfiles and faster actions, if one of the used modules detects an attack. A very important difference to the legacy version is the support of configuring and managing the entire service through the IPFire webinterface. The entire configuration, managing of current blocked hosts, unblocking them or editing the ignored hosts list now can be done in a graphical way. The legacy version of guardian only supported parsing snort alerts. HTTPD and SSH support has been patched by the IPFire development team some time ago. Guardian 2.0 supports all of them out of the box and includes a filter to detect owncloud login brute-force attempts. As a benefit of the new modular design, additional filters easily can be added. Guardian 2.0 is able to reload it's configuration, reloading the ignore list during runtime and handle, if the logfiles will get rotated by logrotate. This actions can be called by using the webinterface or from the command line interface by using "guardianctrl". These are just a handful of the changes and benefits which comes with Guardian 2.0, a complete list would be to long for this mailing list. - How to join testing? To get part of the testing team, simple navigate to http://people.ipfir e.org/~stevee/guardian-2.0/ and download the latest tarball (currently 002). Please take care to download the correct one, based on your used architecture. The i585 packages are for 32Bit installations of IPFire, the x86_64 packages only can be used on 64Bit installations. Put the downloaded file on your IPFire test system and extract the package by using "tar -xvf guardian-2.0-002.<arch>.tar.gz -C /". The final installation step would be to regenerate the language cache by executing "update-lang-cache" on the console. From now you can find a new menu item called "Guardian" in your "Service" menu after you have logged-in into your IPFire's webinterface. Documentation can be found on the IPFire wiki: http://wiki.ipfire.org/e n/addons/guardian/start#the_guardian_20_addon - Where to post bugs reports or provide feedback? If you find any bugs, please report them as usual on the IPFire bugtracker, which can be found at https://bugzilla.ipfire.org. To provide feedback or to join a discussion, please send your mails to "development(a)lists.ipfire.org" (Please register first at http://lists.i pfire.org if not yet done). The source code can be found at http://git.ipfire.org/?p=people/stevee/ guardian.git;a=summary Happy testing, -Stefan

6 37

[PATCH] squid 3.5.20: latest patches from upstream
by Matthias Fischer 18 Aug '16

18 Aug '16

Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/squid | 3 + src/patches/squid/squid-3.5-14067.patch | 381 ++++++++++++++++++++++++++++++++ src/patches/squid/squid-3.5-14068.patch | 35 +++ src/patches/squid/squid-3.5-14069.patch | 30 +++ 4 files changed, 449 insertions(+) create mode 100644 src/patches/squid/squid-3.5-14067.patch create mode 100644 src/patches/squid/squid-3.5-14068.patch create mode 100644 src/patches/squid/squid-3.5-14069.patch diff --git a/lfs/squid b/lfs/squid index 5bc976e..a88f0c5 100644 --- a/lfs/squid +++ b/lfs/squid @@ -70,6 +70,9 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14067.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14068.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14069.patch cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.17-fix-max-file-descriptors.patch cd $(DIR_APP) && autoreconf -vfi diff --git a/src/patches/squid/squid-3.5-14067.patch b/src/patches/squid/squid-3.5-14067.patch new file mode 100644 index 0000000..8d9cb21 --- /dev/null +++ b/src/patches/squid/squid-3.5-14067.patch @@ -0,0 +1,381 @@ +------------------------------------------------------------ +revno: 14067 +revision-id: squid3(a)treenet.co.nz-20160723071620-1wzqpbyi1rk5w6vg +parent: squid3(a)treenet.co.nz-20160701113616-vpjak1pq4uecadd2 +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4534 +committer: Amos Jeffries <squid3(a)treenet.co.nz> +branch nick: 3.5 +timestamp: Sat 2016-07-23 19:16:20 +1200 +message: + Bug 4534: assertion failure in xcalloc when using many cache_dir +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20160723071620-1wzqpbyi1rk5w6vg +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: fcd663f0fd4a24d505f81eb94ef95d627a4ca363 +# timestamp: 2016-07-23 07:24:01 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20160701113616-\ +# vpjak1pq4uecadd2 +# +# Begin patch +=== modified file 'src/CacheDigest.cc' +--- src/CacheDigest.cc 2016-01-01 00:14:27 +0000 ++++ src/CacheDigest.cc 2016-07-23 07:16:20 +0000 +@@ -35,12 +35,12 @@ + static uint32_t hashed_keys[4]; + + static void +-cacheDigestInit(CacheDigest * cd, int capacity, int bpe) ++cacheDigestInit(CacheDigest * cd, uint64_t capacity, uint8_t bpe) + { +- const size_t mask_size = cacheDigestCalcMaskSize(capacity, bpe); ++ const uint32_t mask_size = cacheDigestCalcMaskSize(capacity, bpe); + assert(cd); + assert(capacity > 0 && bpe > 0); +- assert(mask_size > 0); ++ assert(mask_size != 0); + cd->capacity = capacity; + cd->bits_per_entry = bpe; + cd->mask_size = mask_size; +@@ -50,7 +50,7 @@ + } + + CacheDigest * +-cacheDigestCreate(int capacity, int bpe) ++cacheDigestCreate(uint64_t capacity, uint8_t bpe) + { + CacheDigest *cd = (CacheDigest *)memAllocate(MEM_CACHE_DIGEST); + assert(SQUID_MD5_DIGEST_LENGTH == 16); /* our hash functions rely on 16 byte keys */ +@@ -97,7 +97,7 @@ + + /* changes mask size, resets bits to 0, preserves "cd" pointer */ + void +-cacheDigestChangeCap(CacheDigest * cd, int new_cap) ++cacheDigestChangeCap(CacheDigest * cd, uint64_t new_cap) + { + assert(cd); + cacheDigestClean(cd); +@@ -278,12 +278,12 @@ + storeAppendPrintf(e, "%s digest: size: %d bytes\n", + label ? label : "", stats.bit_count / 8 + ); +- storeAppendPrintf(e, "\t entries: count: %d capacity: %d util: %d%%\n", ++ storeAppendPrintf(e, "\t entries: count: %" PRIu64 " capacity: %" PRIu64 " util: %d%%\n", + cd->count, + cd->capacity, + xpercentInt(cd->count, cd->capacity) + ); +- storeAppendPrintf(e, "\t deletion attempts: %d\n", ++ storeAppendPrintf(e, "\t deletion attempts: %" PRIu64 "\n", + cd->del_count + ); + storeAppendPrintf(e, "\t bits: per entry: %d on: %d capacity: %d util: %d%%\n", +@@ -297,16 +297,18 @@ + ); + } + +-size_t +-cacheDigestCalcMaskSize(int cap, int bpe) ++uint32_t ++cacheDigestCalcMaskSize(uint64_t cap, uint8_t bpe) + { +- return (size_t) (cap * bpe + 7) / 8; ++ uint64_t bitCount = (cap * bpe) + 7; ++ assert(bitCount < INT_MAX); // dont 31-bit overflow later ++ return static_cast<uint32_t>(bitCount / 8); + } + + static void + cacheDigestHashKey(const CacheDigest * cd, const cache_key * key) + { +- const unsigned int bit_count = cd->mask_size * 8; ++ const uint32_t bit_count = cd->mask_size * 8; + unsigned int tmp_keys[4]; + /* we must memcpy to ensure alignment */ + memcpy(tmp_keys, key, sizeof(tmp_keys)); + +=== modified file 'src/CacheDigest.h' +--- src/CacheDigest.h 2016-01-01 00:14:27 +0000 ++++ src/CacheDigest.h 2016-07-23 07:16:20 +0000 +@@ -22,23 +22,23 @@ + { + public: + /* public, read-only */ +- char *mask; /* bit mask */ +- int mask_size; /* mask size in bytes */ +- int capacity; /* expected maximum for .count, not a hard limit */ +- int bits_per_entry; /* number of bits allocated for each entry from capacity */ +- int count; /* number of digested entries */ +- int del_count; /* number of deletions performed so far */ ++ uint64_t count; /* number of digested entries */ ++ uint64_t del_count; /* number of deletions performed so far */ ++ uint64_t capacity; /* expected maximum for .count, not a hard limit */ ++ char *mask; /* bit mask */ ++ uint32_t mask_size; /* mask size in bytes */ ++ int8_t bits_per_entry; /* number of bits allocated for each entry from capacity */ + }; + +-CacheDigest *cacheDigestCreate(int capacity, int bpe); ++CacheDigest *cacheDigestCreate(uint64_t capacity, uint8_t bpe); + void cacheDigestDestroy(CacheDigest * cd); + CacheDigest *cacheDigestClone(const CacheDigest * cd); + void cacheDigestClear(CacheDigest * cd); +-void cacheDigestChangeCap(CacheDigest * cd, int new_cap); ++void cacheDigestChangeCap(CacheDigest * cd, uint64_t new_cap); + int cacheDigestTest(const CacheDigest * cd, const cache_key * key); + void cacheDigestAdd(CacheDigest * cd, const cache_key * key); + void cacheDigestDel(CacheDigest * cd, const cache_key * key); +-size_t cacheDigestCalcMaskSize(int cap, int bpe); ++uint32_t cacheDigestCalcMaskSize(uint64_t cap, uint8_t bpe); + int cacheDigestBitUtil(const CacheDigest * cd); + void cacheDigestGuessStatsUpdate(CacheDigestGuessStats * stats, int real_hit, int guess_hit); + void cacheDigestGuessStatsReport(const CacheDigestGuessStats * stats, StoreEntry * sentry, const char *label); + +=== modified file 'src/PeerDigest.h' +--- src/PeerDigest.h 2016-01-01 00:14:27 +0000 ++++ src/PeerDigest.h 2016-07-23 07:16:20 +0000 +@@ -52,7 +52,7 @@ + store_client *old_sc; + HttpRequest *request; + int offset; +- int mask_offset; ++ uint32_t mask_offset; + time_t start_time; + time_t resp_time; + time_t expires; + +=== modified file 'src/peer_digest.cc' +--- src/peer_digest.cc 2016-01-01 00:14:27 +0000 ++++ src/peer_digest.cc 2016-07-23 07:16:20 +0000 +@@ -754,7 +754,7 @@ + if (!reason && !size) { + if (!pd->cd) + reason = "null digest?!"; +- else if (fetch->mask_offset != (int)pd->cd->mask_size) ++ else if (fetch->mask_offset != pd->cd->mask_size) + reason = "premature end of digest?!"; + else if (!peerDigestUseful(pd)) + reason = "useless digest"; + +=== modified file 'src/store_digest.cc' +--- src/store_digest.cc 2016-01-01 00:14:27 +0000 ++++ src/store_digest.cc 2016-07-23 07:16:20 +0000 +@@ -76,36 +76,63 @@ + static void storeDigestRewriteFinish(StoreEntry * e); + static EVH storeDigestSwapOutStep; + static void storeDigestCBlockSwapOut(StoreEntry * e); +-static int storeDigestCalcCap(void); +-static int storeDigestResize(void); + static void storeDigestAdd(const StoreEntry *); + ++/// calculates digest capacity ++static uint64_t ++storeDigestCalcCap() ++{ ++ /* ++ * To-Do: Bloom proved that the optimal filter utilization is 50% (half of ++ * the bits are off). However, we do not have a formula to calculate the ++ * number of _entries_ we want to pre-allocate for. ++ */ ++ const uint64_t hi_cap = Store::Root().maxSize() / Config.Store.avgObjectSize; ++ const uint64_t lo_cap = 1 + Store::Root().currentSize() / Config.Store.avgObjectSize; ++ const uint64_t e_count = StoreEntry::inUseCount(); ++ uint64_t cap = e_count ? e_count : hi_cap; ++ debugs(71, 2, "have: " << e_count << ", want " << cap << ++ " entries; limits: [" << lo_cap << ", " << hi_cap << "]"); ++ ++ if (cap < lo_cap) ++ cap = lo_cap; ++ ++ /* do not enforce hi_cap limit, average-based estimation may be wrong ++ *if (cap > hi_cap) ++ * cap = hi_cap; ++ */ ++ ++ // Bug 4534: we still have to set an upper-limit at some reasonable value though. ++ // this matches cacheDigestCalcMaskSize doing (cap*bpe)+7 < INT_MAX ++ const uint64_t absolute_max = (INT_MAX -8) / Config.digest.bits_per_entry; ++ if (cap > absolute_max) { ++ static time_t last_loud = 0; ++ if (last_loud < squid_curtime - 86400) { ++ debugs(71, DBG_IMPORTANT, "WARNING: Cache Digest cannot store " << cap << " entries. Limiting to " << absolute_max); ++ last_loud = squid_curtime; ++ } else { ++ debugs(71, 3, "WARNING: Cache Digest cannot store " << cap << " entries. Limiting to " << absolute_max); ++ } ++ cap = absolute_max; ++ } ++ ++ return cap; ++} + #endif /* USE_CACHE_DIGESTS */ + +-static void +-storeDigestRegisterWithCacheManager(void) ++void ++storeDigestInit(void) + { + Mgr::RegisterAction("store_digest", "Store Digest", storeDigestReport, 0, 1); +-} +- +-/* +- * PUBLIC FUNCTIONS +- */ +- +-void +-storeDigestInit(void) +-{ +- storeDigestRegisterWithCacheManager(); + + #if USE_CACHE_DIGESTS +- const int cap = storeDigestCalcCap(); +- + if (!Config.onoff.digest_generation) { + store_digest = NULL; + debugs(71, 3, "Local cache digest generation disabled"); + return; + } + ++ const uint64_t cap = storeDigestCalcCap(); + store_digest = cacheDigestCreate(cap, Config.digest.bits_per_entry); + debugs(71, DBG_IMPORTANT, "Local cache digest enabled; rebuild/rewrite every " << + (int) Config.digest.rebuild_period << "/" << +@@ -290,6 +317,31 @@ + storeDigestRebuildResume(); + } + ++/// \returns true if we actually resized the digest ++static bool ++storeDigestResize() ++{ ++ const uint64_t cap = storeDigestCalcCap(); ++ assert(store_digest); ++ uint64_t diff; ++ if (cap > store_digest->capacity) ++ diff = cap - store_digest->capacity; ++ else ++ diff = store_digest->capacity - cap; ++ debugs(71, 2, store_digest->capacity << " -> " << cap << "; change: " << ++ diff << " (" << xpercentInt(diff, store_digest->capacity) << "%)" ); ++ /* avoid minor adjustments */ ++ ++ if (diff <= store_digest->capacity / 10) { ++ debugs(71, 2, "small change, will not resize."); ++ return false; ++ } else { ++ debugs(71, 2, "big change, resizing."); ++ cacheDigestChangeCap(store_digest, cap); ++ } ++ return true; ++} ++ + /* called be Rewrite to push Rebuild forward */ + static void + storeDigestRebuildResume(void) +@@ -439,7 +491,7 @@ + assert(e); + /* _add_ check that nothing bad happened while we were waiting @?@ @?@ */ + +- if (sd_state.rewrite_offset + chunk_size > store_digest->mask_size) ++ if (static_cast<uint32_t>(sd_state.rewrite_offset + chunk_size) > store_digest->mask_size) + chunk_size = store_digest->mask_size - sd_state.rewrite_offset; + + e->append(store_digest->mask + sd_state.rewrite_offset, chunk_size); +@@ -451,7 +503,7 @@ + sd_state.rewrite_offset += chunk_size; + + /* are we done ? */ +- if (sd_state.rewrite_offset >= store_digest->mask_size) ++ if (static_cast<uint32_t>(sd_state.rewrite_offset) >= store_digest->mask_size) + storeDigestRewriteFinish(e); + else + eventAdd("storeDigestSwapOutStep", storeDigestSwapOutStep, data, 0.0, 1, false); +@@ -467,60 +519,10 @@ + sd_state.cblock.count = htonl(store_digest->count); + sd_state.cblock.del_count = htonl(store_digest->del_count); + sd_state.cblock.mask_size = htonl(store_digest->mask_size); +- sd_state.cblock.bits_per_entry = (unsigned char) +- Config.digest.bits_per_entry; ++ sd_state.cblock.bits_per_entry = Config.digest.bits_per_entry; + sd_state.cblock.hash_func_count = (unsigned char) CacheDigestHashFuncCount; + e->append((char *) &sd_state.cblock, sizeof(sd_state.cblock)); + } + +-/* calculates digest capacity */ +-static int +-storeDigestCalcCap(void) +-{ +- /* +- * To-Do: Bloom proved that the optimal filter utilization is 50% (half of +- * the bits are off). However, we do not have a formula to calculate the +- * number of _entries_ we want to pre-allocate for. +- */ +- const int hi_cap = Store::Root().maxSize() / Config.Store.avgObjectSize; +- const int lo_cap = 1 + Store::Root().currentSize() / Config.Store.avgObjectSize; +- const int e_count = StoreEntry::inUseCount(); +- int cap = e_count ? e_count :hi_cap; +- debugs(71, 2, "storeDigestCalcCap: have: " << e_count << ", want " << cap << +- " entries; limits: [" << lo_cap << ", " << hi_cap << "]"); +- +- if (cap < lo_cap) +- cap = lo_cap; +- +- /* do not enforce hi_cap limit, average-based estimation may be wrong +- *if (cap > hi_cap) +- * cap = hi_cap; +- */ +- return cap; +-} +- +-/* returns true if we actually resized the digest */ +-static int +-storeDigestResize(void) +-{ +- const int cap = storeDigestCalcCap(); +- int diff; +- assert(store_digest); +- diff = abs(cap - store_digest->capacity); +- debugs(71, 2, "storeDigestResize: " << +- store_digest->capacity << " -> " << cap << "; change: " << +- diff << " (" << xpercentInt(diff, store_digest->capacity) << "%)" ); +- /* avoid minor adjustments */ +- +- if (diff <= store_digest->capacity / 10) { +- debugs(71, 2, "storeDigestResize: small change, will not resize."); +- return 0; +- } else { +- debugs(71, 2, "storeDigestResize: big change, resizing."); +- cacheDigestChangeCap(store_digest, cap); +- return 1; +- } +-} +- + #endif /* USE_CACHE_DIGESTS */ + + +=== modified file 'src/tests/stub_CacheDigest.cc' +--- src/tests/stub_CacheDigest.cc 2016-01-01 00:14:27 +0000 ++++ src/tests/stub_CacheDigest.cc 2016-07-23 07:16:20 +0000 +@@ -16,11 +16,11 @@ + class CacheDigestGuessStats; + class StoreEntry; + +-CacheDigest * cacheDigestCreate(int, int) STUB_RETVAL(NULL) ++CacheDigest * cacheDigestCreate(uint64_t, uint8_t) STUB_RETVAL(NULL) + void cacheDigestDestroy(CacheDigest *) STUB + CacheDigest * cacheDigestClone(const CacheDigest *) STUB_RETVAL(NULL) + void cacheDigestClear(CacheDigest * ) STUB +-void cacheDigestChangeCap(CacheDigest *,int) STUB ++void cacheDigestChangeCap(CacheDigest *,uint64_t) STUB + int cacheDigestTest(const CacheDigest *, const cache_key *) STUB_RETVAL(1) + void cacheDigestAdd(CacheDigest *, const cache_key *) STUB + void cacheDigestDel(CacheDigest *, const cache_key *) STUB +@@ -28,5 +28,4 @@ + void cacheDigestGuessStatsUpdate(CacheDigestGuessStats *, int, int) STUB + void cacheDigestGuessStatsReport(const CacheDigestGuessStats *, StoreEntry *, const char *) STUB + void cacheDigestReport(CacheDigest *, const char *, StoreEntry *) STUB +-size_t cacheDigestCalcMaskSize(int, int) STUB_RETVAL(1) +- ++uint32_t cacheDigestCalcMaskSize(uint64_t, uint8_t) STUB_RETVAL(1) + diff --git a/src/patches/squid/squid-3.5-14068.patch b/src/patches/squid/squid-3.5-14068.patch new file mode 100644 index 0000000..4766e00 --- /dev/null +++ b/src/patches/squid/squid-3.5-14068.patch @@ -0,0 +1,35 @@ +------------------------------------------------------------ +revno: 14068 +revision-id: squid3(a)treenet.co.nz-20160723071930-cemledcltg8pkc28 +parent: squid3(a)treenet.co.nz-20160723071620-1wzqpbyi1rk5w6vg +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4542 +author: Anonymous <bigparrot(a)pirateperfection.com> +committer: Amos Jeffries <squid3(a)treenet.co.nz> +branch nick: 3.5 +timestamp: Sat 2016-07-23 19:19:30 +1200 +message: + Bug #4542: authentication credentials IP TTL updated incorrectly +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3(a)treenet.co.nz-20160723071930-cemledcltg8pkc28 +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: ee0c6aab5414532d9554ef338cce049263902fd8 +# timestamp: 2016-07-23 07:24:05 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20160723071620-\ +# 1wzqpbyi1rk5w6vg +# +# Begin patch +=== modified file 'src/auth/User.cc' +--- src/auth/User.cc 2016-01-01 00:14:27 +0000 ++++ src/auth/User.cc 2016-07-23 07:19:30 +0000 +@@ -284,7 +284,7 @@ + /* This ip has already been seen. */ + found = 1; + /* update IP ttl */ +- ipdata->ip_expiretime = squid_curtime; ++ ipdata->ip_expiretime = squid_curtime + ::Config.authenticateIpTTL; + } else if (ipdata->ip_expiretime <= squid_curtime) { + /* This IP has expired - remove from the seen list */ + dlinkDelete(&ipdata->node, &ip_list); + diff --git a/src/patches/squid/squid-3.5-14069.patch b/src/patches/squid/squid-3.5-14069.patch new file mode 100644 index 0000000..15ca37a --- /dev/null +++ b/src/patches/squid/squid-3.5-14069.patch @@ -0,0 +1,30 @@ +------------------------------------------------------------ +revno: 14069 +revision-id: squidadm(a)squid-cache.org-20160723121351-iuc8hwstrqd0l1dv +parent: squid3(a)treenet.co.nz-20160723071930-cemledcltg8pkc28 +committer: Source Maintenance <squidadm(a)squid-cache.org> +branch nick: 3.5 +timestamp: Sat 2016-07-23 12:13:51 +0000 +message: + SourceFormat Enforcement +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squidadm(a)squid-cache.org-20160723121351-\ +# iuc8hwstrqd0l1dv +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: c9e37a723686ae2ee489ba7ec2e981ae153bda28 +# timestamp: 2016-07-23 12:50:56 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3(a)treenet.co.nz-20160723071930-\ +# cemledcltg8pkc28 +# +# Begin patch +=== modified file 'src/tests/stub_CacheDigest.cc' +--- src/tests/stub_CacheDigest.cc 2016-07-23 07:16:20 +0000 ++++ src/tests/stub_CacheDigest.cc 2016-07-23 12:13:51 +0000 +@@ -29,3 +29,4 @@ + void cacheDigestGuessStatsReport(const CacheDigestGuessStats *, StoreEntry *, const char *) STUB + void cacheDigestReport(CacheDigest *, const char *, StoreEntry *) STUB + uint32_t cacheDigestCalcMaskSize(uint64_t, uint8_t) STUB_RETVAL(1) ++ + -- 2.9.2

2 6

[PATCH] Add new package libusbredir
by Jonatan Schlag 07 Aug '16

07 Aug '16

This package adds support for the use redirection of spice. It is now possible to attach USB devices of the host where the spice client run to the virtual machine. This feature is also enabled in qemu. Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org> --- config/rootfiles/packages/libusbredir | 18 ++++++++ lfs/libusbredir | 84 +++++++++++++++++++++++++++++++++++ lfs/qemu | 6 +-- make.sh | 1 + 4 files changed, 106 insertions(+), 3 deletions(-) create mode 100644 config/rootfiles/packages/libusbredir create mode 100644 lfs/libusbredir diff --git a/config/rootfiles/packages/libusbredir b/config/rootfiles/packages/libusbredir new file mode 100644 index 0000000..af3710a --- /dev/null +++ b/config/rootfiles/packages/libusbredir @@ -0,0 +1,18 @@ +#usr/include/usbredirfilter.h +#usr/include/usbredirhost.h +#usr/include/usbredirparser.h +#usr/include/usbredirproto.h +#usr/lib/libusbredirhost.a +#usr/lib/libusbredirhost.la +usr/lib/libusbredirhost.so +usr/lib/libusbredirhost.so.1 +usr/lib/libusbredirhost.so.1.0.0 +#usr/lib/libusbredirparser.a +#usr/lib/libusbredirparser.la +usr/lib/libusbredirparser.so +usr/lib/libusbredirparser.so.1 +usr/lib/libusbredirparser.so.1.0.0 +#usr/lib/pkgconfig/libusbredirhost.pc +#usr/lib/pkgconfig/libusbredirparser-0.5.pc +usr/sbin/usbredirserver +#usr/share/man/man1/usbredirserver.1 diff --git a/lfs/libusbredir b/lfs/libusbredir new file mode 100644 index 0000000..6512d27 --- /dev/null +++ b/lfs/libusbredir @@ -0,0 +1,84 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2016 IPFire Team <info(a)ipfire.org> # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see <http://www.gnu.org/licenses/>. # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 0.7.1 + +THISAPP = usbredir-$(VER) +DL_FILE = $(THISAPP).tar.bz2 +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) +PROG = libusbredir +PAK_VER = 1 + +DEPS = "" + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = 35cfb1720967727dea523b943cc4126b + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +dist: + @$(PAK) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && ./configure --prefix=/usr + cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE) + cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/lfs/qemu b/lfs/qemu index 62010ee..fb4f4b3 100644 --- a/lfs/qemu +++ b/lfs/qemu @@ -33,9 +33,9 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) SUP_ARCH = i586 x86_64 PROG = qemu -PAK_VER = 20 +PAK_VER = 21 -DEPS = "sdl spice" +DEPS = "libusbredir sdl spice" ############################################################################### # Top-level Rules @@ -81,7 +81,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/etc \ --enable-kvm --disable-bluez --disable-attr \ --target-list="i386-linux-user x86_64-linux-user arm-linux-user i386-softmmu x86_64-softmmu arm-softmmu" \ - --extra-cflags="$(CFLAGS)" --enable-spice + --extra-cflags="$(CFLAGS)" --enable-spice --enable-usb-redir cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install diff --git a/make.sh b/make.sh index c6b1b5b..a992c2f 100755 --- a/make.sh +++ b/make.sh @@ -708,6 +708,7 @@ buildipfire() { ipfiremake spice-protocol ipfiremake spice ipfiremake sdl + ipfiremake libusbredir ipfiremake qemu ipfiremake sane ipfiremake netpbm -- 2.1.4

2 3

[PATCH] htop: Update to 2.0.2
by Matthias Fischer 31 Jul '16

31 Jul '16

For details, see: http://hisham.hm/htop/index.php?page=downloads Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/htop | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/htop b/lfs/htop index 9c0a90c..ee48d65 100644 --- a/lfs/htop +++ b/lfs/htop @@ -24,7 +24,7 @@ include Config -VER = 2.0.1 +VER = 2.0.2 THISAPP = htop-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = htop -PAK_VER = 8 +PAK_VER = 9 DEPS = "" @@ -44,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = f75fe92b4defaa80d99109830f34b5e2 +$(DL_FILE)_MD5 = 7d354d904bad591a931ad57e99fea84a install : $(TARGET) -- 2.9.2

1 0

[PATCH] log.dat: Added entry for 'guardian'
by Matthias Fischer 28 Jul '16

28 Jul '16

Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- html/cgi-bin/logs.cgi/log.dat | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/logs.cgi/log.dat b/html/cgi-bin/logs.cgi/log.dat index a8a7ba4..cf7d32d 100644 --- a/html/cgi-bin/logs.cgi/log.dat +++ b/html/cgi-bin/logs.cgi/log.dat @@ -67,7 +67,8 @@ my %sections = ( 'pakfire' => '(pakfire:) ', 'wireless' => '(hostapd:|kernel: ath.*:|kernel: wifi[0-9]:) ', 'squid' => '(squid\[.*\]: |squid: )', - 'snort' => '(snort\[.*\]: )' + 'snort' => '(snort\[.*\]: )', + 'guardian' => '(guardian\[.*\]: )' ); # Translations for the %sections array. @@ -90,7 +91,8 @@ my %trsections = ( 'pakfire' => 'Pakfire', 'wireless' => 'Wireless', 'squid' => "$Lang::tr{'web proxy'}", - 'snort' => "$Lang::tr{'intrusion detection'}" + 'snort' => "$Lang::tr{'intrusion detection'}", + 'guardian' => 'Guardian' ); -- 2.9.2

3 2

[PATCH] Firewall: Add Services SSMTP and submission
by Alexander Marx 27 Jul '16

27 Jul '16

Signed-off-by: Alexander Marx <alexander.marx(a)ipfire.org> --- config/fwhosts/customservices | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/fwhosts/customservices b/config/fwhosts/customservices index 9b25a72..bf3a690 100644 --- a/config/fwhosts/customservices +++ b/config/fwhosts/customservices @@ -32,3 +32,6 @@ 34,DNS (TCP),53,TCP,,0 19,FTPS data,989,TCP,BLANK,0 5,SMTP,25,TCP,BLANK,0 +35,SUBMISSION (TCP),587,TCP,BLANK,0 +36,SUBMISSION (UDP),587,UDP,BLANK,0 +37,SSMTP,465,TCP,BLANK,0 -- 2.7.4

3 3

[PATCH v2] Firewall: Add Services SSMTP and submission
by Alexander Marx 26 Jul '16

26 Jul '16

Signed-off-by: Alexander Marx <alexander.marx(a)ipfire.org> --- config/fwhosts/customservices | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/fwhosts/customservices b/config/fwhosts/customservices index 9b25a72..529f14e 100644 --- a/config/fwhosts/customservices +++ b/config/fwhosts/customservices @@ -32,3 +32,5 @@ 34,DNS (TCP),53,TCP,,0 19,FTPS data,989,TCP,BLANK,0 5,SMTP,25,TCP,BLANK,0 +35,Submission (TCP),587,TCP,BLANK,0 +36,SSMTP,465,TCP,BLANK,0 -- 2.7.4

2 1

Firewall Fix
by R. W. Rodolico 25 Jul '16

25 Jul '16

I was working with the firewall today and noticed the following three ports are not in the default list of ports. SUBMISSION 587 (TCP AND UDP) SSMTP 465 I suggest they be added. I did a quick look and did not see where they came from for sure, but maybe /var/ipfire/fwhosts/customservices.default? If so, it looks like the following three lines added to that file would work: 35,SUBMISSION (TCP),587,TCP,BLANK,0 36,SUBMISSION (UDP),587,UDP,BLANK,0 37,SSMTP,465,TCP,BLANK,0 I do NOT know what the first number is, but since it is not duplicated and is 1-number of entries, I assume it is a unique index. NOTE: I tried modifying that file on my test router and it did not work, so that may not be the correct place. Rod -- Rod Rodolico Daily Data, Inc. POB 140465 Dallas TX 75214-0465 214.827.2170 http://www.dailydata.net

3 3

[PATCH] dnsmasq 2.76: latest patches from upstream (010-012)
by Matthias Fischer 23 Jul '16

23 Jul '16

Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/dnsmasq | 3 + ...q-Add-support-to-read-ISC-DHCP-lease-file.patch | 6 +- ...put_to_reduce_risk_of_information_leakage.patch | 169 +++++++++++++++++++++ ...on_transmission_in_case_of_retransmission.patch | 54 +++++++ ...n_buffer_sizes_for_leasefile_parsing_code.patch | 103 +++++++++++++ 5 files changed, 332 insertions(+), 3 deletions(-) create mode 100644 src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch create mode 100644 src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch create mode 100644 src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch diff --git a/lfs/dnsmasq b/lfs/dnsmasq index a0fdc50..eb0f0ba 100644 --- a/lfs/dnsmasq +++ b/lfs/dnsmasq @@ -82,6 +82,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch cd $(DIR_APP) && sed -i src/config.h \ diff --git a/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch b/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch index 25feb8d..97b7749 100644 --- a/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch +++ b/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch @@ -42,7 +42,7 @@ --- a/src/dnsmasq.c Thu Jul 30 20:59:06 2015 +++ b/src/dnsmasq.c Wed Dec 16 19:38:32 2015 -@@ -1016,6 +1016,11 @@ +@@ -1017,6 +1017,11 @@ poll_resolv(0, daemon->last_resolv != 0, now); daemon->last_resolv = now; @@ -56,7 +56,7 @@ --- a/src/dnsmasq.h Wed Dec 16 19:24:12 2015 +++ b/src/dnsmasq.h Wed Dec 16 19:40:11 2015 -@@ -1514,6 +1514,11 @@ +@@ -1516,6 +1516,11 @@ void poll_listen(int fd, short event); int do_poll(int timeout); @@ -341,7 +341,7 @@ +#endif --- a/src/option.c Wed Dec 16 19:24:12 2015 +++ b/src/option.c Wed Dec 16 19:42:48 2015 -@@ -1770,7 +1770,7 @@ +@@ -1771,7 +1771,7 @@ ret_err(_("bad MX target")); break; diff --git a/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch b/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch new file mode 100644 index 0000000..a8c10a4 --- /dev/null +++ b/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch @@ -0,0 +1,169 @@ +From fa78573778cb23337f67f5d0c9de723169919047 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon(a)thekelleys.org.uk> +Date: Fri, 22 Jul 2016 20:56:01 +0100 +Subject: [PATCH] Zero packet buffers before building output, to reduce risk + of information leakage. + +--- + src/auth.c | 5 +++++ + src/dnsmasq.h | 1 + + src/outpacket.c | 10 ++++++++++ + src/radv.c | 2 +- + src/rfc1035.c | 5 +++++ + src/rfc3315.c | 6 +++--- + src/slaac.c | 2 +- + src/tftp.c | 5 ++++- + 8 files changed, 30 insertions(+), 6 deletions(-) + +diff --git a/src/auth.c b/src/auth.c +index 198572d..3c5c37f 100644 +--- a/src/auth.c ++++ b/src/auth.c +@@ -101,6 +101,11 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n + struct all_addr addr; + struct cname *a; + ++ /* Clear buffer beyond request to avoid risk of ++ information disclosure. */ ++ memset(((char *)header) + qlen, 0, ++ (limit - ((char *)header)) - qlen); ++ + if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY ) + return 0; + +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index be27ae0..2bda5d0 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -1471,6 +1471,7 @@ void log_relay(int family, struct dhcp_relay *relay); + /* outpacket.c */ + #ifdef HAVE_DHCP6 + void end_opt6(int container); ++void reset_counter(void); + int save_counter(int newval); + void *expand(size_t headroom); + int new_opt6(int opt); +diff --git a/src/outpacket.c b/src/outpacket.c +index a414efa..2caacd9 100644 +--- a/src/outpacket.c ++++ b/src/outpacket.c +@@ -29,9 +29,19 @@ void end_opt6(int container) + PUTSHORT(len, p); + } + ++void reset_counter(void) ++{ ++ /* Clear out buffer when starting from begining */ ++ if (daemon->outpacket.iov_base) ++ memset(daemon->outpacket.iov_base, 0, daemon->outpacket.iov_len); ++ ++ save_counter(0); ++} ++ + int save_counter(int newval) + { + int ret = outpacket_counter; ++ + if (newval != -1) + outpacket_counter = newval; + +diff --git a/src/radv.c b/src/radv.c +index faa0f6d..39c9217 100644 +--- a/src/radv.c ++++ b/src/radv.c +@@ -261,7 +261,7 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad + parm.adv_interval = calc_interval(ra_param); + parm.prio = calc_prio(ra_param); + +- save_counter(0); ++ reset_counter(); + + if (!(ra = expand(sizeof(struct ra_packet)))) + return; +diff --git a/src/rfc1035.c b/src/rfc1035.c +index 24d08c1..9e730a9 100644 +--- a/src/rfc1035.c ++++ b/src/rfc1035.c +@@ -1209,6 +1209,11 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, + int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1; + struct mx_srv_record *rec; + size_t len; ++ ++ /* Clear buffer beyond request to avoid risk of ++ information disclosure. */ ++ memset(((char *)header) + qlen, 0, ++ (limit - ((char *)header)) - qlen); + + if (ntohs(header->ancount) != 0 || + ntohs(header->nscount) != 0 || +diff --git a/src/rfc3315.c b/src/rfc3315.c +index 3f4d69c..e1271a1 100644 +--- a/src/rfc3315.c ++++ b/src/rfc3315.c +@@ -89,7 +89,7 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if + for (vendor = daemon->dhcp_vendors; vendor; vendor = vendor->next) + vendor->netid.next = &vendor->netid; + +- save_counter(0); ++ reset_counter(); + state.context = context; + state.interface = interface; + state.iface_name = iface_name; +@@ -2084,7 +2084,7 @@ void relay_upstream6(struct dhcp_relay *relay, ssize_t sz, + if (hopcount > 32) + return; + +- save_counter(0); ++ reset_counter(); + + if ((header = put_opt6(NULL, 34))) + { +@@ -2161,7 +2161,7 @@ unsigned short relay_reply6(struct sockaddr_in6 *peer, ssize_t sz, char *arrival + (!relay->interface || wildcard_match(relay->interface, arrival_interface))) + break; + +- save_counter(0); ++ reset_counter(); + + if (relay) + { +diff --git a/src/slaac.c b/src/slaac.c +index 07b8ba4..bd6c9b4 100644 +--- a/src/slaac.c ++++ b/src/slaac.c +@@ -146,7 +146,7 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases) + struct ping_packet *ping; + struct sockaddr_in6 addr; + +- save_counter(0); ++ reset_counter(); + + if (!(ping = expand(sizeof(struct ping_packet)))) + continue; +diff --git a/src/tftp.c b/src/tftp.c +index 3e1b5c5..618c406 100644 +--- a/src/tftp.c ++++ b/src/tftp.c +@@ -662,8 +662,9 @@ static ssize_t tftp_err(int err, char *packet, char *message, char *file) + ssize_t len, ret = 4; + char *errstr = strerror(errno); + ++ memset(packet, 0, daemon->packet_buff_sz); + sanitise(file); +- ++ + mess->op = htons(OP_ERR); + mess->err = htons(err); + len = snprintf(mess->message, MAXMESSAGE, message, file, errstr); +@@ -684,6 +685,8 @@ static ssize_t tftp_err_oops(char *packet, char *file) + /* return -1 for error, zero for done. */ + static ssize_t get_block(char *packet, struct tftp_transfer *transfer) + { ++ memset(packet, 0, daemon->packet_buff_sz); ++ + if (transfer->block == 0) + { + /* send OACK */ +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch b/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch new file mode 100644 index 0000000..ab8ba28 --- /dev/null +++ b/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch @@ -0,0 +1,54 @@ +From 6b1c464d6de3d7d2afc9b53afe78cda6d6e3316f Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon(a)thekelleys.org.uk> +Date: Fri, 22 Jul 2016 20:59:16 +0100 +Subject: [PATCH] Don't reset packet length on transmission, in case of + retransmission. + +--- + src/radv.c | 2 +- + src/rfc3315.c | 2 +- + src/slaac.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/radv.c b/src/radv.c +index 39c9217..ffc37f2 100644 +--- a/src/radv.c ++++ b/src/radv.c +@@ -528,7 +528,7 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad + } + + while (retry_send(sendto(daemon->icmp6fd, daemon->outpacket.iov_base, +- save_counter(0), 0, (struct sockaddr *)&addr, ++ save_counter(-1), 0, (struct sockaddr *)&addr, + sizeof(addr)))); + + } +diff --git a/src/rfc3315.c b/src/rfc3315.c +index e1271a1..c7bf46f 100644 +--- a/src/rfc3315.c ++++ b/src/rfc3315.c +@@ -2127,7 +2127,7 @@ void relay_upstream6(struct dhcp_relay *relay, ssize_t sz, + my_syslog(MS_DHCP | LOG_ERR, _("Cannot multicast to DHCPv6 server without correct interface")); + } + +- send_from(daemon->dhcp6fd, 0, daemon->outpacket.iov_base, save_counter(0), &to, &from, 0); ++ send_from(daemon->dhcp6fd, 0, daemon->outpacket.iov_base, save_counter(-1), &to, &from, 0); + + if (option_bool(OPT_LOG_OPTS)) + { +diff --git a/src/slaac.c b/src/slaac.c +index bd6c9b4..7ecf127 100644 +--- a/src/slaac.c ++++ b/src/slaac.c +@@ -164,7 +164,7 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases) + addr.sin6_port = htons(IPPROTO_ICMPV6); + addr.sin6_addr = slaac->addr; + +- if (sendto(daemon->icmp6fd, daemon->outpacket.iov_base, save_counter(0), 0, ++ if (sendto(daemon->icmp6fd, daemon->outpacket.iov_base, save_counter(-1), 0, + (struct sockaddr *)&addr, sizeof(addr)) == -1 && + errno == EHOSTUNREACH) + slaac->ping_time = 0; /* Give up */ +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch b/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch new file mode 100644 index 0000000..c71f470 --- /dev/null +++ b/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch @@ -0,0 +1,103 @@ +From bf4e62c19e619f7edf8d03d58d33a5752f190bfd Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon(a)thekelleys.org.uk> +Date: Fri, 22 Jul 2016 21:37:59 +0100 +Subject: [PATCH] Compile-time check on buffer sizes for leasefile parsing + code. + +--- + src/dhcp-common.c | 16 ++++++++-------- + src/dhcp-protocol.h | 4 ++++ + src/lease.c | 9 ++++++++- + src/rfc3315.c | 2 +- + 4 files changed, 21 insertions(+), 10 deletions(-) + +diff --git a/src/dhcp-common.c b/src/dhcp-common.c +index 08528e8..ecc752b 100644 +--- a/src/dhcp-common.c ++++ b/src/dhcp-common.c +@@ -20,11 +20,11 @@ + + void dhcp_common_init(void) + { +- /* These each hold a DHCP option max size 255 +- and get a terminating zero added */ +- daemon->dhcp_buff = safe_malloc(256); +- daemon->dhcp_buff2 = safe_malloc(256); +- daemon->dhcp_buff3 = safe_malloc(256); ++ /* These each hold a DHCP option max size 255 ++ and get a terminating zero added */ ++ daemon->dhcp_buff = safe_malloc(DHCP_BUFF_SZ); ++ daemon->dhcp_buff2 = safe_malloc(DHCP_BUFF_SZ); ++ daemon->dhcp_buff3 = safe_malloc(DHCP_BUFF_SZ); + + /* dhcp_packet is used by v4 and v6, outpacket only by v6 + sizeof(struct dhcp_packet) is as good an initial size as any, +@@ -855,14 +855,14 @@ void log_context(int family, struct dhcp_context *context) + if (context->flags & CONTEXT_RA_STATELESS) + { + if (context->flags & CONTEXT_TEMPLATE) +- strncpy(daemon->dhcp_buff, context->template_interface, 256); ++ strncpy(daemon->dhcp_buff, context->template_interface, DHCP_BUFF_SZ); + else + strcpy(daemon->dhcp_buff, daemon->addrbuff); + } + else + #endif +- inet_ntop(family, start, daemon->dhcp_buff, 256); +- inet_ntop(family, end, daemon->dhcp_buff3, 256); ++ inet_ntop(family, start, daemon->dhcp_buff, DHCP_BUFF_SZ); ++ inet_ntop(family, end, daemon->dhcp_buff3, DHCP_BUFF_SZ); + my_syslog(MS_DHCP | LOG_INFO, + (context->flags & CONTEXT_RA_STATELESS) ? + _("%s stateless on %s%.0s%.0s%s") : +diff --git a/src/dhcp-protocol.h b/src/dhcp-protocol.h +index a31d829..0ea449b 100644 +--- a/src/dhcp-protocol.h ++++ b/src/dhcp-protocol.h +@@ -19,6 +19,10 @@ + #define DHCP_CLIENT_ALTPORT 1068 + #define PXE_PORT 4011 + ++/* These each hold a DHCP option max size 255 ++ and get a terminating zero added */ ++#define DHCP_BUFF_SZ 256 ++ + #define BOOTREQUEST 1 + #define BOOTREPLY 2 + #define DHCP_COOKIE 0x63825363 +diff --git a/src/lease.c b/src/lease.c +index 20cac90..ca62cc5 100644 +--- a/src/lease.c ++++ b/src/lease.c +@@ -65,7 +65,14 @@ void lease_init(time_t now) + } + + /* client-id max length is 255 which is 255*2 digits + 254 colons +- borrow DNS packet buffer which is always larger than 1000 bytes */ ++ borrow DNS packet buffer which is always larger than 1000 bytes ++ ++ Check various buffers are big enough for the code below */ ++ ++#if (DHCP_BUFF_SZ < 255) || (MAXDNAME < 64) || (PACKETSZ+MAXDNAME+RRFIXEDSZ < 764) ++# error Buffer size breakage in leasfile parsing. ++#endif ++ + if (leasestream) + while (fscanf(leasestream, "%255s %255s", daemon->dhcp_buff3, daemon->dhcp_buff2) == 2) + { +diff --git a/src/rfc3315.c b/src/rfc3315.c +index c7bf46f..568b0c8 100644 +--- a/src/rfc3315.c ++++ b/src/rfc3315.c +@@ -1975,7 +1975,7 @@ static void log6_packet(struct state *state, char *type, struct in6_addr *addr, + + if (addr) + { +- inet_ntop(AF_INET6, addr, daemon->dhcp_buff2, 255); ++ inet_ntop(AF_INET6, addr, daemon->dhcp_buff2, DHCP_BUFF_SZ - 1); + strcat(daemon->dhcp_buff2, " "); + } + else +-- +1.7.10.4 + -- 2.9.2

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development July 2016