author | Robert Buchholz <rbu@gentoo.org> | 2009-07-15 16:06:25 +0000 |
---|---|---|
committer | Robert Buchholz <rbu@gentoo.org> | 2009-07-15 16:06:25 +0000 |
commit | 00f732a08da4a2cd05807fb4eabee34de272ed10 (patch) | |
tree | 7584a158f669f3779e50cc95dd74241ad46cc4e1 /net-firewall | |
parent | Remove autotools from inherit since no functions are called from it. (diff) | |
Patch CVE-2008-4953, symlink attack on a firehol directory in /tmp. Patch tested by Kerin Millar, thanks. Fixes bug 246013.
(Portage version: 2.1.6.13/cvs/Linux x86_64)
Diffstat (limited to 'net-firewall')
-rw-r--r-- | net-firewall/firehol/ChangeLog | 9 | ||||
-rw-r--r-- | net-firewall/firehol/files/firehol-1.273-CVE-2008-4953.patch | 58 | ||||
-rw-r--r-- | net-firewall/firehol/firehol-1.273-r1.ebuild | 78 |
3 files changed, 144 insertions, 1 deletions
diff --git a/net-firewall/firehol/ChangeLog b/net-firewall/firehol/ChangeLog
index a821e28b0be8..4fa93463fbc6 100644
--- a/net-firewall/firehol/ChangeLog
+++ b/net-firewall/firehol/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for net-firewall/firehol
 # Copyright 2002-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-firewall/firehol/ChangeLog,v 1.40 2009/03/09 16:54:00 armin76 Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/firehol/ChangeLog,v 1.41 2009/07/15 16:06:24 rbu Exp $
+
+*firehol-1.273-r1 (15 Jul 2009)
+
+ 15 Jul 2009; Robert Buchholz <rbu@gentoo.org>
+ +files/firehol-1.273-CVE-2008-4953.patch, +firehol-1.273-r1.ebuild:
+ Patch CVE-2008-4953, symlink attack on a firehol directory in /tmp. Patch
+ tested by Kerin Millar, thanks. Fixes bug 246013.
 
 09 Mar 2009; Raúl Porcel <armin76@gentoo.org> firehol-1.273.ebuild:
 x86 stable wrt #261699
diff --git a/net-firewall/firehol/files/firehol-1.273-CVE-2008-4953.patch b/net-firewall/firehol/files/firehol-1.273-CVE-2008-4953.patch
new file mode 100644
index 000000000000..99a958aa701f
--- /dev/null
+++ b/net-firewall/firehol/files/firehol-1.273-CVE-2008-4953.patch
@@ -0,0 +1,58 @@
+From 545db8cd292957158bf3fa1c1c370e4be83c6688 Mon Sep 17 00:00:00 2001
+From: Robert Buchholz <rbu@goodpoint.de>
+Date: Tue, 6 Jan 2009 23:26:00 +0100
+Subject: [PATCH] Use mktemp instead of relying that $$-$RANDOM-$RANDOM does not exist.
+
+References:
+* CVE-2008-4953
+* https://bugs.gentoo.org/246013
+---
+ firehol.sh | 25 +++++++++----------------
+ 1 files changed, 9 insertions(+), 16 deletions(-)
+
+diff --git a/firehol.sh b/firehol.sh
+index 6acb497..f5dba16 100755
+--- a/firehol.sh
++++ b/firehol.sh
+@@ -238,8 +238,15 @@ ${IPTABLES_CMD} -nxvL >/dev/null 2>&1
+ # ----------------------------------------------------------------------
+ # Directories and files
+ 
+-# These files will be created and deleted during our run.
+-FIREHOL_DIR="/tmp/.firehol-tmp-$$-${RANDOM}-${RANDOM}"
++# Create an empty temporary directory we need for this run.
++if ! FIREHOL_DIR="`mktemp -d -t .firehol-tmp-XXXXXX`"
++then
++ echo >&2
++ echo >&2
++ echo >&2 "Cannot create temporary directory."
++ echo >&2
++ exit 1
++fi
+ FIREHOL_CHAINS_DIR="${FIREHOL_DIR}/chains"
+ FIREHOL_OUTPUT="${FIREHOL_DIR}/firehol-out.sh"
+ FIREHOL_SAVED="${FIREHOL_DIR}/firehol-save.sh"
+@@ -329,20 +336,6 @@ then
+ "${CHMOD_CMD}" 700 "${FIREHOL_CONFIG_DIR}/services"
+ fi
+ 
+-# Remove any old directories that might be there.
+-if [ -d "${FIREHOL_DIR}" ]
+-then
+- "${RM_CMD}" -rf "${FIREHOL_DIR}"
+- if [ $? -ne 0 -o -e "${FIREHOL_DIR}" ]
+- then
+- echo >&2
+- echo >&2
+- echo >&2 "Cannot clean temporary directory '${FIREHOL_DIR}'."
+- echo >&2
+- exit 1
+- fi
+-fi
+-"${MKDIR_CMD}" "${FIREHOL_DIR}" || exit 1
+ "${MKDIR_CMD}" "${FIREHOL_CHAINS_DIR}" || exit 1
+ 
+ # prepare the file that will hold all modules to be loaded.
+--
+1.6.0.4
+
diff --git a/net-firewall/firehol/firehol-1.273-r1.ebuild b/net-firewall/firehol/firehol-1.273-r1.ebuild
new file mode 100644
index 000000000000..a55cbaa3c921
--- /dev/null
+++ b/net-firewall/firehol/firehol-1.273-r1.ebuild
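Review bot: The new line `if ! FIREHOL_DIR="`mktemp -d -t .firehol-tmp-XXXXXX`"` is the only external command in this hunk reached through a bare PATH lookup, while every neighbouring helper is invoked via a resolved variable (`"${RM_CMD}"`, `"${MKDIR_CMD}"`, `"${CHMOD_CMD}"`, `${IPTABLES_CMD}`); for a script that runs as root it should follow the same convention, presumably a `MKTEMP_CMD` resolved wherever the other `*_CMD` variables are set (outside this hunk), giving `if ! FIREHOL_DIR="$("${MKTEMP_CMD}" -d -t .firehol-tmp-XXXXXX)"`. Because `-t` makes `mktemp` honour `TMPDIR`, the directory is no longer pinned to `/tmp`; that is acceptable for a freshly created 0700 directory but deserves a comment such as `# mktemp -d creates the directory mode 0700; with -t it lives under $TMPDIR (default /tmp)`. The deleted pre-clean block is rightly gone (the name is now fresh and created atomically), but nothing in this hunk removes `${FIREHOL_DIR}` on exit, so confirm the script's existing teardown path still runs `"${RM_CMD}" -rf "${FIREHOL_DIR}"`.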
@@ -0,0 +1,78 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/firehol/firehol-1.273-r1.ebuild,v 1.1 2009/07/15 16:06:24 rbu Exp $
+
+EAPI=2
+
+inherit eutils linux-info
+
+DESCRIPTION="iptables firewall generator"
+HOMEPAGE="http://firehol.sourceforge.net/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE=""
+KEYWORDS="~amd64 ~ppc ~sparc ~x86"
+
+DEPEND="sys-apps/iproute2"
+RDEPEND="net-firewall/iptables
+ sys-apps/iproute2[-minimal]
+ virtual/modutils
+ || (
+ net-misc/wget
+ net-misc/curl
+ )"
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}-CVE-2008-4953.patch || die
+}
+
+
+pkg_setup() {
+ # perform checks for kernel config from eclass linux-info
+ # for now we just print warnings as I am not sure if these
+ # are required always...
+ local KCONFIG_OPTS="~NF_CONNTRACK_IPV4 ~NF_CONNTRACK_MARK \
+ ~IP_NF_IPTABLES ~IP_NF_FILTER ~IP_NF_TARGET_REJECT \
+ ~IP_NF_TARGET_LOG ~IP_NF_TARGET_ULOG ~NF_NAT \
+ ~IP_NF_TARGET_MASQUERADE ~IP_NF_TARGET_REDIRECT ~IP_NF_MANGLE"
+ get_version
+ if [ ${KV_PATCH} -ge 25 ]; then
+ CONFIG_CHECK="~NF_CONNTRACK ${KCONFIG_OPTS}"
+ else
+ CONFIG_CHECK="~NF_CONNTRACK_ENABLED ${KCONFIG_OPTS}"
+ fi
+ linux-info_pkg_setup
+}
+
+src_install() {
+ newsbin firehol.sh firehol
+
+ dodir /etc/firehol /etc/firehol/examples /etc/firehol/services
+ insinto /etc/firehol/examples
+ doins examples/* || die
+
+ newconfd "${FILESDIR}/firehol.conf.d" firehol || die
+
+ dodoc ChangeLog README TODO WhatIsNew || die
+ dohtml doc/*.html doc/*.css || die
+
+ docinto scripts
+ dodoc get-iana.sh adblock.sh || die
+
+ doman man/*.1 man/*.5 || die
+
+ newinitd "${FILESDIR}/firehol.initrd" firehol || die
+}
+
+pkg_postinst() {
+ elog "The default path to firehol's configuration file is /etc/firehol/firehol.conf"
+ elog "See /etc/firehol/examples for configuration examples."
+ #
+ # Install a default configuration if none is available yet
+ if [[ ! -e "${ROOT}/etc/firehol/firehol.conf" ]]; then
+ einfo "Installing a sample configuration as ${ROOT}/etc/firehol/firehol.conf"
+ cp "${ROOT}/etc/firehol/examples/client-all.conf" "${ROOT}/etc/firehol/firehol.conf"
+ fi
+} |
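Review bot: In `pkg_postinst` the sample configuration is seeded with a bare `cp "${ROOT}/etc/firehol/examples/client-all.conf" "${ROOT}/etc/firehol/firehol.conf"`, so the resulting file is not recorded in the package database, is not covered by CONFIG_PROTECT, and a failed copy passes silently because the exit status is never checked. Installing the sample at build time keeps it under package-manager control and lets CONFIG_PROTECT preserve an existing user file: in `src_install` add `insinto /etc/firehol` followed by `newins examples/client-all.conf firehol.conf || die`, and drop the `cp` from `pkg_postinst`. If the runtime copy is kept instead, at least surface its failure, e.g. `cp ... || ewarn "Could not install the sample configuration"`. As a style point, the `|| die` after `epatch` in `src_prepare` is redundant since `epatch` already dies on failure, though it is harmless.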