This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 3.x development tree".
The branch, master has been updated via 6036d8a53989e1bc9dda52962e5677d96414700c (commit) via 2899fde21e0bfa5bbbc3f396ebadfc70fb28f031 (commit) from 16454cff320d738f81a77bbe88520db535f907d9 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 6036d8a53989e1bc9dda52962e5677d96414700c Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Mar 28 22:51:07 2011 +0200
patch: Update to 2.6.1 add selinux support.
Fixes #85.
commit 2899fde21e0bfa5bbbc3f396ebadfc70fb28f031 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 29 01:36:31 2011 +0200
ed: New package.
Fixes #159.
-----------------------------------------------------------------------
Summary of changes: pkgs/{pth/pth.nm => ed/ed.nm} | 37 ++--- pkgs/patch/patch.nm | 8 +- pkgs/patch/patches/patch-2.6.1-CVE-2010-4651.patch | 164 +++++++++++++++++++ .../patches/patch-2.6.1-backup-if-mismatch.patch | 31 ++++ pkgs/patch/patches/patch-2.6.1-get-arg.patch | 12 ++ pkgs/patch/patches/patch-selinux.patch | 171 ++++++++++++++++++++ 6 files changed, 402 insertions(+), 21 deletions(-) copy pkgs/{pth/pth.nm => ed/ed.nm} (73%) create mode 100644 pkgs/patch/patches/patch-2.6.1-CVE-2010-4651.patch create mode 100644 pkgs/patch/patches/patch-2.6.1-backup-if-mismatch.patch create mode 100644 pkgs/patch/patches/patch-2.6.1-get-arg.patch create mode 100644 pkgs/patch/patches/patch-selinux.patch
Difference in files:
diff --git a/pkgs/ed/ed.nm b/pkgs/ed/ed.nm
new file mode 100644
index 0000000..73f1453
--- /dev/null
+++ b/pkgs/ed/ed.nm
@@ -0,0 +1,57 @@
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007, 2008 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see http://www.gnu.org/licenses/. #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include $(PKGROOT)/Include
+
+PKG_NAME = ed
+PKG_VER = 1.5
+PKG_REL = 1
+
+PKG_MAINTAINER =
+PKG_GROUPS = Application/Text
+PKG_URL = http://www.gnu.org/software/ed/
+PKG_LICENSE = GPLv3+
+PKG_SUMMARY = The GNU line editor.
+
+define PKG_DESCRIPTION
+ Ed is a line-oriented text editor, used to create, display, and modify \
+ text files (both interactively and via shell scripts). For most \
+ purposes, ed has been replaced in normal usage by full-screen editors \
+ (emacs and vi, for example).
+endef
+
+PKG_TARBALL = $(THISAPP).tar.gz
+
+CONFIGURE_OPTIONS += \
+ --exec-prefix=/
+
+STAGE_BUILD_TARGET = CFLAGS="$(CFLAGS)"
+
+define STAGE_INSTALL
+ # Create directory for man pages
+ mkdir -pv $(BUILDROOT)/usr/share/man/man1
+
+ cd $(DIR_APP) && make install bindir=/bin mandir=/usr/share/man \
+ DESTDIR=$(BUILDROOT)
+endef
diff --git a/pkgs/patch/patch.nm b/pkgs/patch/patch.nm index b696f72..c42c42a 100644 --- a/pkgs/patch/patch.nm +++ b/pkgs/patch/patch.nm @@ -25,8 +25,10 @@ include $(PKGROOT)/Include
PKG_NAME = patch -PKG_VER = 2.6.1.28-d909 -PKG_REL = 0 +PKG_VER = 2.6.1 +PKG_REL = 1 + +PKG_BUILD_DEPS+= ed libselinux-devel pkg-config
PKG_MAINTAINER = PKG_GROUPS = Development/Tools @@ -44,6 +46,8 @@ endef
PKG_TARBALL = $(THISAPP).tar.gz
+CFLAGS += -D_GNU_SOURCE + define STAGE_TEST cd $(DIR_APP) && make check endef diff --git a/pkgs/patch/patches/patch-2.6.1-CVE-2010-4651.patch b/pkgs/patch/patches/patch-2.6.1-CVE-2010-4651.patch new file mode 100644 index 0000000..3f2de6a --- /dev/null +++ b/pkgs/patch/patches/patch-2.6.1-CVE-2010-4651.patch 
@@ -0,0 +1,164 @@
+diff -up patch-2.6.1/Makefile.in.CVE-2010-4651 patch-2.6.1/Makefile.in
+--- patch-2.6.1/Makefile.in.CVE-2010-4651 2009-12-30 12:56:30.000000000 +0000
++++ patch-2.6.1/Makefile.in 2011-02-10 12:29:32.926361705 +0000
+@@ -192,6 +192,7 @@ installcheck::
+ TESTS = \
+ tests/asymmetric-hunks \
+ tests/backup-prefix-suffix \
++ tests/bad-filenames \
+ tests/corrupt-reject-files \
+ tests/create-delete \
+ tests/crlf-handling \
+diff -up patch-2.6.1/src/common.h.CVE-2010-4651 patch-2.6.1/src/common.h
+--- patch-2.6.1/src/common.h.CVE-2010-4651 2011-02-10 12:30:29.142797627 +0000
++++ patch-2.6.1/src/common.h 2011-02-10 12:30:33.566989729 +0000
+@@ -169,6 +169,7 @@ XTERN char *revision; /* prerequisite
+ #endif
+
+ void fatal_exit (int) __attribute__ ((noreturn));
++void validate_target_name (char const *n);
+
+ #include <errno.h>
+ #if !STDC_HEADERS && !defined errno
+diff -up patch-2.6.1/src/patch.c.CVE-2010-4651 patch-2.6.1/src/patch.c
+--- patch-2.6.1/src/patch.c.CVE-2010-4651 2011-02-10 12:30:20.721432124 +0000
++++ patch-2.6.1/src/patch.c 2011-02-10 12:30:33.567989772 +0000
+@@ -34,6 +34,7 @@
+ #include <util.h>
+ #include <version.h>
+ #include <xalloc.h>
++#include <dirname.h>
+
+ /* procedures */
+
+@@ -916,6 +917,26 @@ numeric_string (char const *string,
+ return value;
+ }
+
++void
++validate_target_name (char const *n)
++{
++ char const *p = n;
++ if (explicit_inname)
++ return;
++ if (IS_ABSOLUTE_FILE_NAME (p))
++ fatal ("rejecting absolute target file name: %s", quotearg (p));
++ while (*p)
++ {
++ if (*p == '.' && *++p == '.' && ( ! *++p || ISSLASH (*p)))
++ fatal ("rejecting target file name with ".." component: %s",
++ quotearg (n));
++ while (*p && ! ISSLASH (*p))
++ p++;
++ while (ISSLASH (*p))
++ p++;
++ }
++}
++
+ /* Attempt to find the right place to apply this hunk of patch. */
+
+ static LINENUM
+diff -up patch-2.6.1/src/pch.c.CVE-2010-4651 patch-2.6.1/src/pch.c
+--- patch-2.6.1/src/pch.c.CVE-2010-4651 2009-12-30 12:56:30.000000000 +0000
++++ patch-2.6.1/src/pch.c 2011-02-10 12:30:33.573990033 +0000
+@@ -3,7 +3,7 @@
+ /* Copyright (C) 1986, 1987, 1988 Larry Wall
+
+ Copyright (C) 1990, 1991, 1992, 1993, 1997, 1998, 1999, 2000, 2001,
+- 2002, 2003, 2006, 2009 Free Software Foundation, Inc.
++ 2002, 2003, 2006, 2009, 2011 Free Software Foundation, Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+@@ -199,6 +199,8 @@ maybe_reverse (char const *name, bool no
+ {
+ bool looks_reversed = (! is_empty) < p_says_nonexistent[reverse ^ is_empty];
+
++ validate_target_name (name);
++
+ if (looks_reversed)
+ reverse ^=
+ ok_to_reverse ("The next patch%s would %s the file %s,\nwhich %s!",
+@@ -725,6 +727,7 @@ intuit_diff_type (bool need_header)
+ inerrno = stat_errno[i];
+ invc = version_controlled[i];
+ instat = st[i];
++ validate_target_name (inname);
+ }
+
+ return retval;
+diff -up patch-2.6.1/tests/bad-filenames.CVE-2010-4651 patch-2.6.1/tests/bad-filenames
+--- patch-2.6.1/tests/bad-filenames.CVE-2010-4651 2011-02-10 12:29:32.931361921 +0000
++++ patch-2.6.1/tests/bad-filenames 2011-02-10 12:30:33.576990163 +0000
+@@ -0,0 +1,71 @@
++# Copyright (C) 2011 Free Software Foundation, Inc.
++#
++# Copying and distribution of this file, with or without modification,
++# in any medium, are permitted without royalty provided the copyright
++# notice and this notice are preserved.
++
++. $srcdir/test-lib.sh
++
++use_local_patch
++use_tmpdir
++
++# ================================================================
++
++emit_2()
++{
++cat <<EOF
++--- $1
+++++ $2
++@@ -0,0 +1 @@
+++x
++EOF
++}
++
++emit_patch() { emit_2 /dev/null "$1"; }
++
++# Ensure that patch rejects an output file name that is absolute
++# or that contains a ".." component.
++
++check 'emit_patch /absolute/path | patch -p0; echo status: $?' <<EOF
++$PATCH: **** rejecting absolute target file name: /absolute/path
++status: 2
++EOF
++
++check 'emit_patch a/../z | patch -p0; echo status: $?' <<EOF
++$PATCH: **** rejecting target file name with ".." component: a/../z
++status: 2
++EOF
++
++check 'emit_patch a/../z | patch -p1; echo status: $?' <<EOF
++$PATCH: **** rejecting target file name with ".." component: ../z
++status: 2
++EOF
++
++check 'emit_patch a/.. | patch -p0; echo status: $?' <<EOF
++$PATCH: **** rejecting target file name with ".." component: a/..
++status: 2
++EOF
++
++check 'emit_patch ../z | patch -p0; echo status: $?' <<EOF
++$PATCH: **** rejecting target file name with ".." component: ../z
++status: 2
++EOF
++
++check 'emit_2 /abs/path target | patch -p0; echo status: $?' <<EOF
++patching file target
++status: 0
++EOF
++
++echo x > target
++check 'emit_2 /abs/path target | patch -R -p0; echo status: $?' <<EOF
++patching file target
++status: 0
++EOF
++
++# Do not validate any file name from the input when the target
++# is specified on the command line:
++touch abs
++check 'emit_patch /absolute/path | patch `pwd`/abs; echo status: $?' <<EOF
++patching file `pwd`/abs
++status: 0
++EOF
diff --git a/pkgs/patch/patches/patch-2.6.1-backup-if-mismatch.patch b/pkgs/patch/patches/patch-2.6.1-backup-if-mismatch.patch
new file mode 100644
index 0000000..0ad0986
--- /dev/null
+++ b/pkgs/patch/patches/patch-2.6.1-backup-if-mismatch.patch
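Review bot: validate_target_name() in the src/patch.c part of this patch checks only the spelling of the name (absolute prefix, ".." components), so a name that passes can still resolve outside the working directory through a symlink that already exists there. That limit, and the early return when the target is named on the command line, deserve a comment on the function, e.g. `/* Lexical check only: symlinks are not resolved, and nothing is checked when explicit_inname is set. */`. Separately, as rendered in this mail the fatal() message reads `"rejecting target file name with ".." component: %s"` with unescaped inner quotes, which would not compile; presumably the backslashes were lost in transit, but the committed patch file should be checked.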
@@ -0,0 +1,31 @@
+diff -up patch-2.6.1/src/patch.c.backup-if-mismatch patch-2.6.1/src/patch.c
+--- patch-2.6.1/src/patch.c.backup-if-mismatch 2011-02-16 16:43:54.575850844 +0000
++++ patch-2.6.1/src/patch.c 2011-02-16 16:44:56.907995789 +0000
+@@ -106,6 +106,7 @@ main (int argc, char **argv)
+ char numbuf[LINENUM_LENGTH_BOUND + 1];
+ bool written_to_rejname = false;
+ bool apply_empty_patch = false;
++ bool posixly_correct_set;
+
+ exit_failure = 2;
+ program_name = argv[0];
+@@ -125,7 +126,7 @@ main (int argc, char **argv)
+ i < 0 ? shell_quoting_style : (enum quoting_style) i);
+ }
+
+- posixly_correct = getenv ("POSIXLY_CORRECT") != 0;
++ posixly_correct_set = posixly_correct = getenv ("POSIXLY_CORRECT") != 0;
+ backup_if_mismatch = ! posixly_correct;
+ patch_get = ((val = getenv ("PATCH_GET"))
+ ? numeric_string (val, true, "PATCH_GET value")
+@@ -151,6 +152,10 @@ main (int argc, char **argv)
+ Argv = argv;
+ get_some_switches();
+
++ /* Let --posix cause --no-backup-if-mismatch. */
++ if (! posixly_correct_set && posixly_correct && backup_if_mismatch)
++ backup_if_mismatch = false;
++
+ if (make_backups | backup_if_mismatch)
+ backup_type = get_version (version_control_context, version_control);
+
diff --git a/pkgs/patch/patches/patch-2.6.1-get-arg.patch b/pkgs/patch/patches/patch-2.6.1-get-arg.patch
new file mode 100644
index 0000000..45f3bc8
--- /dev/null
+++ b/pkgs/patch/patches/patch-2.6.1-get-arg.patch
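Review bot: The override added after get_some_switches() in main() cannot distinguish a defaulted backup_if_mismatch from one the user asked for, so `--posix --backup-if-mismatch` would presumably still end with backups switched off. get_some_switches() is outside the hunk, so this is inferred from the visible condition `! posixly_correct_set && posixly_correct && backup_if_mismatch`. If an explicit option is meant to win, the parser should record that --backup-if-mismatch was given and this block should skip when it was. Otherwise the comment should state the behaviour: `/* Let --posix cause --no-backup-if-mismatch, even if --backup-if-mismatch was also given. */`.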
@@ -0,0 +1,12 @@
+diff -up patch-2.6.1/src/patch.c.get-arg patch-2.6.1/src/patch.c
+--- patch-2.6.1/src/patch.c.get-arg 2010-07-27 18:05:26.217150510 +0100
++++ patch-2.6.1/src/patch.c 2010-07-27 18:05:47.464150892 +0100
+@@ -558,7 +558,7 @@ static struct option const longopts[] =
+ {"remove-empty-files", no_argument, NULL, 'E'},
+ {"force", no_argument, NULL, 'f'},
+ {"fuzz", required_argument, NULL, 'F'},
+- {"get", no_argument, NULL, 'g'},
++ {"get", required_argument, NULL, 'g'},
+ {"input", required_argument, NULL, 'i'},
+ {"ignore-whitespace", no_argument, NULL, 'l'},
+ #ifdef ENABLE_MERGE
diff --git a/pkgs/patch/patches/patch-selinux.patch b/pkgs/patch/patches/patch-selinux.patch
new file mode 100644
index 0000000..904539c
--- /dev/null
+++ b/pkgs/patch/patches/patch-selinux.patch
@@ -0,0 +1,171 @@
+diff -up patch-2.6.1/Makefile.in.selinux patch-2.6.1/Makefile.in
+--- patch-2.6.1/Makefile.in.selinux 2011-02-08 11:29:34.590271489 +0000
++++ patch-2.6.1/Makefile.in 2011-02-08 11:29:34.602271607 +0000
+@@ -40,7 +40,7 @@ EXEEXT = @EXEEXT@
+ LDFLAGS = @LDFLAGS@
+ LIBOBJDIR = gl/lib/
+ LIBOBJS = @LIBOBJS@ ${LIBOBJDIR}full-write$U.o
+-LIBS = @LIBS@
++LIBS = @LIBS@ -lselinux
+ OBJEXT = @OBJEXT@
+ PACKAGE_NAME = @PACKAGE_NAME@
+ PACKAGE_VERSION = @PACKAGE_VERSION@
+diff -up patch-2.6.1/src/common.h.selinux patch-2.6.1/src/common.h
+--- patch-2.6.1/src/common.h.selinux 2009-12-30 12:56:30.000000000 +0000
++++ patch-2.6.1/src/common.h 2011-02-08 11:29:34.602271607 +0000
+@@ -32,6 +32,8 @@
+ #include <sys/types.h>
+ #include <time.h>
+
++#include <selinux/selinux.h>
++
+ #include <sys/stat.h>
+ #if ! defined S_ISDIR && defined S_IFDIR
+ # define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR)
+@@ -118,6 +120,7 @@ XTERN char *outfile;
+ XTERN int inerrno;
+ XTERN int invc;
+ XTERN struct stat instat;
++XTERN security_context_t incontext;
+ XTERN bool dry_run;
+ XTERN bool posixly_correct;
+
+diff -up patch-2.6.1/src/inp.c.selinux patch-2.6.1/src/inp.c
+--- patch-2.6.1/src/inp.c.selinux 2011-02-08 11:29:34.576271352 +0000
++++ patch-2.6.1/src/inp.c 2011-02-08 11:29:34.604271627 +0000
+@@ -152,8 +152,18 @@ get_input_file (char const *filename, ch
+ char *diffbuf;
+ char *getbuf;
+
+- if (inerrno == -1)
+- inerrno = stat (filename, &instat) == 0 ? 0 : errno;
++ inerrno = stat (filename, &instat) == 0 ? 0 : errno;
++ if (inerrno == 0)
++ {
++ inerrno = getfilecon (inname, &incontext) == -1 ? errno : 0;
++ if (inerrno == ENODATA || inerrno == ENOTSUP)
++ {
++ inerrno = 0;
++ incontext = NULL;
++ }
++ }
++ else
++ incontext = NULL;
+
+ /* Perhaps look for RCS or SCCS versions. */
+ if (patch_get
+@@ -197,7 +207,7 @@ get_input_file (char const *filename, ch
+ }
+
+ if (cs && version_get (filename, cs, ! inerrno, elsewhere, getbuf,
+- &instat))
++ &instat, &incontext))
+ inerrno = 0;
+
+ free (getbuf);
+@@ -209,6 +219,7 @@ get_input_file (char const *filename, ch
+ {
+ instat.st_mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
+ instat.st_size = 0;
++ incontext = NULL;
+ }
+ else if (! S_ISREG (instat.st_mode))
+ fatal ("File %s is not a regular file -- can't patch",
+diff -up patch-2.6.1/src/patch.c.selinux patch-2.6.1/src/patch.c
+--- patch-2.6.1/src/patch.c.selinux 2011-02-08 11:29:34.586271450 +0000
++++ patch-2.6.1/src/patch.c 2011-02-08 11:29:34.606271646 +0000
+@@ -421,6 +421,21 @@ main (int argc, char **argv)
+ /* Fails if we are not in group instat.st_gid. */
+ chown (outname, -1, instat.st_gid);
+ }
++
++ if (! inerrno && incontext)
++ {
++ security_context_t outcontext;
++ if (getfilecon (outname, &outcontext) != -1 &&
++ outcontext &&
++ strcmp(outcontext, incontext) &&
++ setfilecon (outname, incontext) != 0)
++ {
++ if (errno != ENOTSUP && errno != EPERM)
++ pfatal ("Can't set security context "
++ "on file %s", quotearg (outname));
++ }
++ }
++
+ /* FIXME: There may be other attributes to preserve. */
+ }
+ }
+diff -up patch-2.6.1/src/pch.c.selinux patch-2.6.1/src/pch.c
+--- patch-2.6.1/src/pch.c.selinux 2011-02-08 11:29:34.591271499 +0000
++++ patch-2.6.1/src/pch.c 2011-02-08 11:30:08.810621570 +0000
+@@ -307,7 +307,12 @@ there_is_another_patch (bool need_header
+ inname[t - buf - 1] = 0;
+ if (stat (inname, &instat) == 0)
+ {
+- inerrno = 0;
++ inerrno = getfilecon (inname, &incontext) == -1 ? errno : 0;
++ if (inerrno == ENODATA || inerrno == ENOTSUP)
++ {
++ inerrno = 0;
++ incontext = NULL;
++ }
+ invc = -1;
+ }
+ else
+@@ -681,7 +686,7 @@ intuit_diff_type (bool need_header)
+ if (cs)
+ {
+ if (version_get (p_name[i], cs, false, readonly,
+- getbuf, &st[i]))
++ getbuf, &st[i], NULL))
+ stat_errno[i] = 0;
+ else
+ version_controlled[i] = 0;
+@@ -746,6 +751,7 @@ intuit_diff_type (bool need_header)
+ invc = version_controlled[i];
+ instat = st[i];
+ validate_target_name (inname);
++ getfilecon (inname, &incontext);
+ }
+
+ return retval;
+diff -up patch-2.6.1/src/util.c.selinux patch-2.6.1/src/util.c
+--- patch-2.6.1/src/util.c.selinux 2009-11-02 19:09:57.000000000 +0000
++++ patch-2.6.1/src/util.c 2011-02-08 11:29:34.613271715 +0000
+@@ -574,7 +574,8 @@ version_controller (char const *filename
+ Return true if successful. */
+ bool
+ version_get (char const *filename, char const *cs, bool exists, bool readonly,
+- char const *getbuf, struct stat *filestat)
++ char const *getbuf, struct stat *filestat,
++ security_context_t *filecontext)
+ {
+ if (patch_get < 0)
+ {
+@@ -599,6 +600,13 @@ version_get (char const *filename, char
+ fatal ("Can't get file %s from %s", quotearg (filename), cs);
+ if (stat (filename, filestat) != 0)
+ pfatal ("%s", quotearg (filename));
++ if (filecontext && getfilecon (filename, filecontext) == -1)
++ {
++ if (errno == ENODATA || errno == ENOTSUP)
++ *filecontext = NULL;
++ else
++ pfatal ("%s", quotearg (filename));
++ }
+ }
+
+ return 1;
+diff -up patch-2.6.1/src/util.h.selinux patch-2.6.1/src/util.h
+--- patch-2.6.1/src/util.h.selinux 2009-11-02 19:09:57.000000000 +0000
++++ patch-2.6.1/src/util.h 2011-02-08 11:29:34.614271726 +0000
+@@ -51,7 +51,7 @@ char *fetchname (char *, int, char **, t
+ char *savebuf (char const *, size_t);
+ char *savestr (char const *);
+ char const *version_controller (char const *, bool, struct stat const *, char **, char **);
+-bool version_get (char const *, char const *, bool, bool, char const *, struct stat *);
++bool version_get (char const *, char const *, bool, bool, char const *, struct stat *, security_context_t *);
+ int create_file (char const *, int, mode_t, bool);
+ int systemic (char const *);
+ char *format_linenum (char[LINENUM_LENGTH_BOUND + 1], LINENUM);
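Review bot: The call `getfilecon (inname, &incontext);` added to intuit_diff_type() in src/pch.c ignores the return value, so after a failure incontext may still hold the context read for an earlier file, and the new block in main() could then pass that stale value to `setfilecon (outname, incontext)`. It should mirror the other call sites: `if (getfilecon (inname, &incontext) == -1) incontext = NULL;`. None of the hunks releases a context either; outcontext in main() and each overwritten incontext look like they need `freecon ()`. In get_input_file() a getfilecon() error other than ENODATA/ENOTSUP is stored in inerrno, which appears to make an existing file look missing to the code that follows, though that code is only partly visible here.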
hooks/post-receive -- IPFire 3.x development tree