fix security hole in non-chroot rsync daemon.

<http://www.freebsd.org/ports/portaudit/2689f4cb-ec4c-11d8-9440-000347a4fa7d.html>
author: Oliver Eikemeier <eik@FreeBSD.org> 2004-08-12 10:45:27 +0000
committer: Oliver Eikemeier <eik@FreeBSD.org> 2004-08-12 10:45:27 +0000
commit: a49bbe0700e2bde4d8333342d3d65cd8822a4c38 (patch)
tree: eb797d51324c1c72261012ec0ea598ba93ed2296
parent: 6c018d7960eb49b857c33b16b41b391034747a31 (diff)
download: ports-a49bbe0700e2bde4d8333342d3d65cd8822a4c38.tar.gz
ports-a49bbe0700e2bde4d8333342d3d65cd8822a4c38.zip
8 files changed, 117 insertions, 28 deletions
diff --git a/net/rsync/Makefile b/net/rsync/Makefile
index ff57f5f368a2..113afe9b80d4 100644
--- a/net/rsync/Makefile
+++ b/net/rsync/Makefile
@@ -1,4 +1,3 @@
-# ex:ts=8
 # Ports collection makefile for:  rsync
 # Date created:			  Sat Aug 3, 1996
 # Whom:				  David O'Brien (obrien@cs.ucdavis.edu)
@@ -8,14 +7,14 @@
 
 PORTNAME=	rsync
 PORTVERSION=	2.6.2
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	net ipv6
 MASTER_SITES=	http://rsync.samba.org/ftp/%SUBDIR%/ \
-		ftp://rsync.samba.org/pub/%SUBDIR%/ \
-		ftp://samba.anu.edu.au/pub/%SUBDIR%/  \
 		ftp://sunsite.auc.dk/pub/unix/%SUBDIR%/  \
 		ftp://ftp.sunet.se/pub/unix/admin/%SUBDIR%/  \
-		ftp://ftp.fu-berlin.de/pub/unix/network/%SUBDIR%/
+		ftp://ftp.fu-berlin.de/pub/unix/network/%SUBDIR%/ \
+		http://www.mirror.ac.uk/sites/rsync.samba.org/ \
+		http://public.planetmirror.com/pub/%SUBDIR%/
 MASTER_SITE_SUBDIR=	rsync
 
 MAINTAINER=	eik@FreeBSD.org
@@ -28,6 +27,7 @@ LIB_DEPENDS=	popt.0:${PORTSDIR}/devel/popt
 USE_RC_SUBR=	yes
 USE_REINPLACE=	yes
 GNU_CONFIGURE=	yes
+
 CONFIGURE_ARGS=	--disable-debug \
 		--with-rsyncd-conf=${PREFIX}/etc/rsyncd.conf
 CONFIGURE_TARGET=	--build=${MACHINE_ARCH}-portbld-freebsd${OSREL}
@@ -49,7 +49,8 @@ EXTRA_PATCHES+=	${WRKSRC}/patches/time-limit.diff
 
 .include <bsd.port.pre.mk>
 
-SED_SCRIPT+=	-e 's,%%PREFIX%%,${PREFIX},g' \
+SED_SCRIPT+=	-e 's,%%NAME%%,rsyncd,g' \
+		-e 's,%%PREFIX%%,${PREFIX},g' \
 		-e 's,%%RC_SUBR%%,${RC_SUBR},g'
 
 .if ${OSVERSION} < 400016
@@ -86,13 +87,15 @@ post-build:
 	@${SED} ${SED_SCRIPT} <${FILESDIR}/rsyncd.sh >${WRKDIR}/rsyncd.sh
 
 post-install:
-	@${STRIP_CMD} ${PREFIX}/bin/rsync
-	@${INSTALL_DATA} ${FILESDIR}/rsyncd.conf.sample ${PREFIX}/etc/
-	@[ -f ${PREFIX}/etc/rsyncd.conf ] || ${CP} ${PREFIX}/etc/rsyncd.conf.sample ${PREFIX}/etc/rsyncd.conf
-	@${INSTALL_SCRIPT} ${WRKDIR}/rsyncd.sh ${PREFIX}/etc/rc.d/
+	@${STRIP_CMD} ${DESTDIR}${PREFIX}/bin/rsync
+	@${INSTALL_DATA} ${FILESDIR}/rsyncd.conf.sample ${DESTDIR}${PREFIX}/etc/
+	@[ -f ${DESTDIR}${PREFIX}/etc/rsyncd.conf ] || \
+		${CP} ${DESTDIR}${PREFIX}/etc/rsyncd.conf.sample \
+		${DESTDIR}${PREFIX}/etc/rsyncd.conf
+	@${INSTALL_SCRIPT} ${WRKDIR}/rsyncd.sh ${DESTDIR}${PREFIX}/etc/rc.d/
 .if !defined(NOPORTDOCS)
-	@${MKDIR} ${DOCSDIR}
-	@${INSTALL_DATA} ${PORTDOCS:S,^,${WRKSRC}/,} ${DOCSDIR}
+	@${MKDIR} ${DESTDIR}${DOCSDIR}
+	@${INSTALL_DATA} ${PORTDOCS:S,^,${WRKSRC}/,} ${DESTDIR}${DOCSDIR}
 .endif
 .if !defined(WITHOUT_SSH)
 	@${CAT} ${PKGMESSAGE}
diff --git a/net/rsync/files/patch-backup.c b/net/rsync/files/patch-backup.c
new file mode 100644
index 000000000000..db279de66bd9
--- /dev/null
+++ b/net/rsync/files/patch-backup.c
@@ -0,0 +1,48 @@
+#
+# fix --backup-dir
+#  <http://lists.samba.org/archive/rsync/2004-May/009395.html>
+#
+--- backup.c	13 Mar 2004 20:18:03 -0000	1.28
++++ backup.c	4 May 2004 03:06:52 -0000
+@@ -169,8 +169,9 @@ static int keep_backup(char *fname)
+ 	/* Check to see if this is a device file, or link */
+ 	if (IS_DEVICE(file->mode)) {
+ 		if (am_root && preserve_devices) {
+-			make_bak_dir(backup_dir_buf);
+-			if (do_mknod(backup_dir_buf, file->mode, file->u.rdev) != 0) {
++			if (do_mknod(backup_dir_buf, file->mode, file->u.rdev) < 0
++			    && (errno != ENOENT || make_bak_dir(backup_dir_buf) < 0
++			     || do_mknod(backup_dir_buf, file->mode, file->u.rdev) < 0)) {
+ 				rprintf(FERROR, "mknod %s failed: %s\n",
+ 					full_fname(backup_dir_buf), strerror(errno));
+ 			} else if (verbose > 2) {
+@@ -186,10 +187,14 @@ static int keep_backup(char *fname)
+ 
+ 	if (!kept && S_ISDIR(file->mode)) {
+ 		/* make an empty directory */
+-		make_bak_dir(backup_dir_buf);
+-		do_mkdir(backup_dir_buf, file->mode);
+-		ret_code = do_rmdir(fname);
++		if (do_mkdir(backup_dir_buf, file->mode) < 0
++		    && (errno != ENOENT || make_bak_dir(backup_dir_buf) < 0
++		     || do_mkdir(backup_dir_buf, file->mode) < 0)) {
++			rprintf(FINFO, "mkdir %s failed: %s\n",
++				full_fname(backup_dir_buf), strerror(errno));
++		}
+ 
++		ret_code = do_rmdir(fname);
+ 		if (verbose > 2) {
+ 			rprintf(FINFO, "make_backup: RMDIR %s returns %i\n",
+ 				full_fname(fname), ret_code);
+@@ -207,8 +212,9 @@ static int keep_backup(char *fname)
+ 			}
+ 			kept = 1;
+ 		}
+-		make_bak_dir(backup_dir_buf);
+-		if (do_symlink(file->u.link, backup_dir_buf) != 0) {
++		if (do_symlink(file->u.link, backup_dir_buf) < 0
++		    && (errno != ENOENT || make_bak_dir(backup_dir_buf) < 0
++		     || do_symlink(file->u.link, backup_dir_buf) < 0)) {
+ 			rprintf(FERROR, "link %s -> %s : %s\n",
+ 				full_fname(backup_dir_buf), file->u.link, strerror(errno));
+ 		}
diff --git a/net/rsync/files/patch-flist.c b/net/rsync/files/patch-flist.c
index a3c92a756169..78fc767b30d1 100644
--- a/net/rsync/files/patch-flist.c
+++ b/net/rsync/files/patch-flist.c
@@ -21,4 +21,3 @@
  		lastdir_len = -1;
  
  	if (strlcpy(thisname, fname, sizeof thisname)
-
diff --git a/net/rsync/files/patch-generator.c b/net/rsync/files/patch-generator.c
new file mode 100644
index 000000000000..aad06f9a9a7d
--- /dev/null
+++ b/net/rsync/files/patch-generator.c
@@ -0,0 +1,23 @@
+#
+# fix --read-batch
+#  <http://lists.samba.org/archive/rsync/2004-May/009404.html>
+#
+--- generator.c.orig	Thu Apr 15 18:55:23 2004
++++ generator.c	Wed May 12 13:55:13 2004
+@@ -46,6 +46,7 @@
+ extern int whole_file;
+ extern int local_server;
+ extern int write_batch;
++extern int read_batch;
+ extern int list_only;
+ extern int only_existing;
+ extern int orig_umask;
+@@ -213,7 +214,7 @@
+ {
+ 	if (whole_file > 0)
+ 		return True;
+-	if (whole_file == 0 || write_batch)
++	if (whole_file == 0 || write_batch || read_batch)
+ 		return False;
+ 	return local_server;
+ }
diff --git a/net/rsync/files/patch-util.c b/net/rsync/files/patch-util.c
new file mode 100644
index 000000000000..485e1092c690
--- /dev/null
+++ b/net/rsync/files/patch-util.c
@@ -0,0 +1,15 @@
+#
+# fix security hole in non-chroot rsync daemon
+#  <http://lists.samba.org/archive/rsync-announce/2004/000017.html>
+#
+--- orig/util.c	2004-04-27 12:59:37 -0700
++++ util.c	2004-08-11 23:37:27 -0700
+@@ -743,7 +743,7 @@
+ 				allowdotdot = 1;
+ 			} else {
+ 				p += 2;
+-				if (*p == '/')
++				while (*p == '/')
+ 					p++;
+ 				if (sanp != start) {
+ 					/* back up sanp one level */
diff --git a/net/rsync/files/rsyncd.sh b/net/rsync/files/rsyncd.sh
index 28a85e8bef02..b86b09e12543 100644
--- a/net/rsync/files/rsyncd.sh
+++ b/net/rsync/files/rsyncd.sh
@@ -3,32 +3,31 @@
 # $FreeBSD$
 #
 
-# PROVIDE: rsyncd
+# PROVIDE: %%NAME%%
 # REQUIRE: LOGIN
+# BEFORE:  securelevel
 # KEYWORD: FreeBSD shutdown
 
+# Add the following line to /etc/rc.conf to enable `%%NAME%%':
 #
-# Add the following lines to /etc/rc.conf to enable rsyncd:
+#%%NAME%%_enable="YES"
 #
-#rsyncd_enable="YES"
-#
-# See rsync(1) for flags
+# See rsync(1) for %%NAME%%_flags
 #
 
-. %%RC_SUBR%%
+. "%%RC_SUBR%%"
 
-name=rsyncd
+name="%%NAME%%"
 rcvar=`set_rcvar`
 
-command=%%PREFIX%%/bin/rsync
+command="%%PREFIX%%/bin/rsync"
 command_args="--daemon"
-pidfile=/var/run/${name}.pid
-required_files=%%PREFIX%%/etc/${name}.conf
-
-# set defaults
+pidfile="/var/run/$name.pid"
+required_files="%%PREFIX%%/etc/$name.conf"
 
-rsyncd_enable=${rsyncd_enable:-"NO"}
-rsyncd_flags=${rsyncd_flags:-""}
+# read configuration and set defaults
+load_rc_config "$name"
+: ${%%NAME%%_enable="NO"}
+: ${%%NAME%%_flags=""}
 
-load_rc_config ${name}
 run_rc_command "$1"
diff --git a/ports-mgmt/portaudit-db/database/portaudit.txt b/ports-mgmt/portaudit-db/database/portaudit.txt
index a91e1dfdcac9..fefc3fd6d47a 100644
--- a/ports-mgmt/portaudit-db/database/portaudit.txt
+++ b/ports-mgmt/portaudit-db/database/portaudit.txt
@@ -67,3 +67,4 @@ cfengine2<2.1.8|http://www.coresecurity.com/common/showdoc.php?idx=387&idxseccio
 libxine<=1.0.r5_1|http://www.open-security.org/advisories/6 http://secunia.com/advisories/12194 http://sourceforge.net/mailarchive/forum.php?thread_id=5143955&forum_id=11923|libxine vcd MRL input identifier management overflow|bef4515b-eaa9-11d8-9440-000347a4fa7d
 kdelibs<=3.2.3_1|http://www.kde.org/info/security/advisory-20040811-1.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0689 http://www.kde.org/info/security/advisory-20040811-2.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0690 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=261386 http://www.kde.org/info/security/advisory-20040811-3.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0721 http://secunia.com/advisories/11978/ http://www.heise.de/newsticker/meldung/48793 http://bugs.kde.org/show_bug.cgi?id=84352|Temporary Directory Vulnerability, DCOPServer Temporary Filename Vulnerability, Konqueror Frame Injection Vulnerability|a4bd1cd3-eb25-11d8-978e-00e018f69096
 kdebase<=3.2.3|http://www.kde.org/info/security/advisory-20040811-3.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0721 http://www.heise.de/newsticker/meldung/48793 http://bugs.kde.org/show_bug.cgi?id=84352|Konqueror Frame Injection Vulnerability|2e395baa-eb26-11d8-978e-00e018f69096
+rsync<2.6.2_2|http://lists.samba.org/archive/rsync-announce/2004/000017.html|security hole in non-chroot rsync daemon|2689f4cb-ec4c-11d8-9440-000347a4fa7d
diff --git a/security/portaudit-db/database/portaudit.txt b/security/portaudit-db/database/portaudit.txt
index a91e1dfdcac9..fefc3fd6d47a 100644
--- a/security/portaudit-db/database/portaudit.txt
+++ b/security/portaudit-db/database/portaudit.txt
@@ -67,3 +67,4 @@ cfengine2<2.1.8|http://www.coresecurity.com/common/showdoc.php?idx=387&idxseccio
 libxine<=1.0.r5_1|http://www.open-security.org/advisories/6 http://secunia.com/advisories/12194 http://sourceforge.net/mailarchive/forum.php?thread_id=5143955&forum_id=11923|libxine vcd MRL input identifier management overflow|bef4515b-eaa9-11d8-9440-000347a4fa7d
 kdelibs<=3.2.3_1|http://www.kde.org/info/security/advisory-20040811-1.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0689 http://www.kde.org/info/security/advisory-20040811-2.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0690 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=261386 http://www.kde.org/info/security/advisory-20040811-3.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0721 http://secunia.com/advisories/11978/ http://www.heise.de/newsticker/meldung/48793 http://bugs.kde.org/show_bug.cgi?id=84352|Temporary Directory Vulnerability, DCOPServer Temporary Filename Vulnerability, Konqueror Frame Injection Vulnerability|a4bd1cd3-eb25-11d8-978e-00e018f69096
 kdebase<=3.2.3|http://www.kde.org/info/security/advisory-20040811-3.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0721 http://www.heise.de/newsticker/meldung/48793 http://bugs.kde.org/show_bug.cgi?id=84352|Konqueror Frame Injection Vulnerability|2e395baa-eb26-11d8-978e-00e018f69096
+rsync<2.6.2_2|http://lists.samba.org/archive/rsync-announce/2004/000017.html|security hole in non-chroot rsync daemon|2689f4cb-ec4c-11d8-9440-000347a4fa7d
author	Oliver Eikemeier <eik@FreeBSD.org>	2004-08-12 10:45:27 +0000
committer	Oliver Eikemeier <eik@FreeBSD.org>	2004-08-12 10:45:27 +0000
commit	a49bbe0700e2bde4d8333342d3d65cd8822a4c38 (patch)
tree	eb797d51324c1c72261012ec0ea598ba93ed2296
parent	6c018d7960eb49b857c33b16b41b391034747a31 (diff)
download	ports-a49bbe0700e2bde4d8333342d3d65cd8822a4c38.tar.gz ports-a49bbe0700e2bde4d8333342d3d65cd8822a4c38.zip