pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/security/opendoas security/opendoas: update to 6.8.1



details:   https://anonhg.NetBSD.org/pkgsrc/rev/2a46d87afa60
branches:  trunk
changeset: 770155:2a46d87afa60
user:      pin <pin%pkgsrc.org@localhost>
date:      Fri Nov 26 08:40:40 2021 +0000

description:
security/opendoas: update to 6.8.1

-This release fixes one major issue that has been assigned CVE-2019-25016.

Rules that allowed the user to execute any command would inherit the
executing user's PATH instead of resetting it to a default PATH.
The path will now be correctly reset (d5acd52) to the defined default PATH.

Those rules still allow the user to execute any program from their PATH
but executed commands won't inherit the user's PATH anymore.

Rules that limit the user to execute only a specific command are not affected
by this and are only executed from the default PATH and with the PATH
environment variable set to the safe default.

Other changes are:
-apply missing man page changes
-Fixes to the configuration parser 2d7431c, 01ac841 and 36cc28e
-Minor documentation and error message wording changes.

diffstat:

 security/opendoas/Makefile             |   5 ++---
 security/opendoas/distinfo             |   9 ++++-----
 security/opendoas/patches/patch-doas.c |  23 -----------------------
 3 files changed, 6 insertions(+), 31 deletions(-)

diffs (55 lines):

diff -r 5b7f87f4e72b -r 2a46d87afa60 security/opendoas/Makefile
--- a/security/opendoas/Makefile        Fri Nov 26 08:37:52 2021 +0000
+++ b/security/opendoas/Makefile        Fri Nov 26 08:40:40 2021 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.2 2021/01/29 07:53:38 jperkin Exp $
+# $NetBSD: Makefile,v 1.3 2021/11/26 08:40:40 pin Exp $
 
-DISTNAME=      opendoas-6.8
-PKGREVISION=   1
+DISTNAME=      opendoas-6.8.1
 CATEGORIES=    security
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=duncaen/}
 GITHUB_TAG=    v${PKGVERSION_NOREV}
diff -r 5b7f87f4e72b -r 2a46d87afa60 security/opendoas/distinfo
--- a/security/opendoas/distinfo        Fri Nov 26 08:37:52 2021 +0000
+++ b/security/opendoas/distinfo        Fri Nov 26 08:40:40 2021 +0000
@@ -1,7 +1,6 @@
-$NetBSD: distinfo,v 1.4 2021/10/26 11:17:22 nia Exp $
+$NetBSD: distinfo,v 1.5 2021/11/26 08:40:40 pin Exp $
 
-BLAKE2s (opendoas-6.8.tar.gz) = e3880bf703bbc0d038da43edc032ab927aeac8ed3a86d417f6d7da226476e065
-SHA512 (opendoas-6.8.tar.gz) = 4a57079bba353247e645bc07a5d4e78fd01471d193e83751fd87b72cffa4e152c0f7ea172563f767a7193b14489f57bc066b4fee50842d30b5b7f7ce918434bb
-Size (opendoas-6.8.tar.gz) = 32307 bytes
+BLAKE2s (opendoas-6.8.1.tar.gz) = b85a68323ab88d02d9a0a1e6eb5591ae46fd9080d5657c466bb14ccd1541f581
+SHA512 (opendoas-6.8.1.tar.gz) = d96fe1cdd70e9211de9996ad05bcf7a127facd02af48f7ab2561869d9d16708f1b61722c6e6b9fe15a62e9ef501e09b1ba444b7b43a066f1895e543ebc9402e7
+Size (opendoas-6.8.1.tar.gz) = 32398 bytes
 SHA1 (patch-GNUmakefile) = d301c0334ce6ac7992d61681e1852a301557d300
-SHA1 (patch-doas.c) = 3c4e734e3c8f7bf38e2a58ddb1ba4e1eefe99087
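
Review bot: the SHA1 (patch-GNUmakefile) line is carried over unchanged while the distfile moves from opendoas-6.8.tar.gz to opendoas-6.8.1.tar.gz, so the remaining local patch was not regenerated against the new source. Please confirm it still applies to 6.8.1 without fuzz, and regenerate it if the context shifted. Dropping the SHA1 (patch-doas.c) entry is consistent with the deletion of that patch file in this changeset.
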
diff -r 5b7f87f4e72b -r 2a46d87afa60 security/opendoas/patches/patch-doas.c
--- a/security/opendoas/patches/patch-doas.c    Fri Nov 26 08:37:52 2021 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,23 +0,0 @@
-$NetBSD: patch-doas.c,v 1.1 2021/01/29 07:53:38 jperkin Exp $
-
-Fix for CVE-2019-25016 (Unsafe, incomplete PATH reset).
-
---- doas.c.orig        2020-11-14 15:44:04.000000000 +0000
-+++ doas.c
-@@ -386,6 +386,7 @@ main(int argc, char **argv)
- 
- #ifdef HAVE_LOGIN_CAP_H
-       if (setusercontext(NULL, targpw, target, LOGIN_SETGROUP |
-+          LOGIN_SETPATH |
-           LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
-           LOGIN_SETUSER) != 0)
-               errx(1, "failed to set user context for target");
-@@ -396,6 +397,8 @@ main(int argc, char **argv)
-               err(1, "initgroups");
-       if (setresuid(target, target, target) != 0)
-               err(1, "setresuid");
-+      if (setenv("PATH", safepath, 1) == -1)
-+              err(1, "failed to set PATH '%s'", safepath);
- #endif
- 
-       if (getcwd(cwdpath, sizeof(cwdpath)) == NULL)
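
Review bot: the log message does not say why patches/patch-doas.c is deleted; it only cites upstream d5acd52 for the PATH reset. The removed patch made two separate changes: it added LOGIN_SETPATH to the setusercontext() flags under HAVE_LOGIN_CAP_H, and it added setenv("PATH", safepath, 1) after setresuid(), just before the #endif. Please check that 6.8.1 carries both, and state in the log that the local CVE-2019-25016 fix is dropped because it is now upstream, so the removal does not read as a regression to anyone auditing the history.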


