3
5
Fork 0
mirror of git://git.savannah.gnu.org/guix.git synced 2023-12-14 03:33:07 +01:00

gnu: Add xinetd.

* gnu/packages/web.scm (xinetd): New variable.
* gnu/packages/patches/xinetd-CVE-2013-4342.patch,
gnu/packages/patches/xinetd-fix-fd-leak.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add patches.

Signed-off-by: Leo Famulari <leo@famulari.name>
This commit is contained in:
Thomas Danckaert 2017-01-26 11:35:50 +01:00 committed by Leo Famulari
parent 9b11eee955
commit 59ae241f71
No known key found for this signature in database
GPG key ID: 2646FA30BACA7F08
4 changed files with 89 additions and 0 deletions

View file

@ -956,6 +956,8 @@ dist_patch_DATA = \
%D%/packages/patches/xfce4-panel-plugins.patch \
%D%/packages/patches/xfce4-session-fix-xflock4.patch \
%D%/packages/patches/xfce4-settings-defaults.patch \
%D%/packages/patches/xinetd-fix-fd-leak.patch \
%D%/packages/patches/xinetd-CVE-2013-4342.patch \
%D%/packages/patches/xmodmap-asprintf.patch \
%D%/packages/patches/libyaml-CVE-2014-9130.patch \
%D%/packages/patches/zathura-plugindir-environment-variable.patch

View file

@ -0,0 +1,36 @@
Fix CVE-2013-4342:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4342
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678
Patch copied from upstream source repository:
https://github.com/xinetd-org/xinetd/commit/91e2401a219121eae15244a6b25d2e79c1af5864
From 91e2401a219121eae15244a6b25d2e79c1af5864 Mon Sep 17 00:00:00 2001
From: Thomas Swan <thomas.swan@gmail.com>
Date: Wed, 2 Oct 2013 23:17:17 -0500
Subject: [PATCH] CVE-2013-4342: xinetd: ignores user and group directives for
TCPMUX services
Originally reported to Debian in 2005 <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678> and rediscovered <https://bugzilla.redhat.com/show_bug.cgi?id=1006100>, xinetd would execute TCPMUX services without dropping privilege to match the service configuration allowing the service to run with same privilege as the xinetd process (root).
---
xinetd/builtins.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xinetd/builtins.c b/xinetd/builtins.c
index 3b85579..34a5bac 100644
--- a/xinetd/builtins.c
+++ b/xinetd/builtins.c
@@ -617,7 +617,7 @@ static void tcpmux_handler( const struct server *serp )
if( SC_IS_INTERNAL( scp ) ) {
SC_INTERNAL(scp, nserp);
} else {
- exec_server(nserp);
+ child_process(nserp);
}
}
--
2.7.4

View file

@ -0,0 +1,26 @@
Fix a file descriptor leak:
https://github.com/xinetd-org/xinetd/issues/23
Patch copied from Debian:
https://anonscm.debian.org/cgit/collab-maint/xinetd.git/tree/debian/patches/000012-fix_fd_leak
Patch sent upstream at https://github.com/xinetd-org/xinetd/pull/26.
diff --git a/xinetd/xgetloadavg.c b/xinetd/xgetloadavg.c
index 5a26214..fe0f872 100644
--- a/xinetd/xgetloadavg.c
+++ b/xinetd/xgetloadavg.c
@@ -34,7 +34,7 @@ double xgetloadavg(void)
if( fscanf(fd, "%lf", &ret) != 1 ) {
perror("fscanf");
- return -1;
+ ret = -1;
}
fclose(fd);
--
2.7.4

View file

@ -3995,3 +3995,28 @@ programs' code. Its architecture is optimized for security, portability, and
scalability (including load-balancing), making it suitable for large
deployments.")
(license l:gpl2+)))
(define-public xinetd
(package
(name "xinetd")
(version "2.3.15")
(source
(origin
(method url-fetch)
(uri "https://github.com/xinetd-org/xinetd/archive/xinetd-2-3-15.tar.gz")
(patches (search-patches "xinetd-CVE-2013-4342.patch" "xinetd-fix-fd-leak.patch"))
(sha256
(base32
"0k59x52cbzp5fw0n8zn0y54j1ps0x9b72y8k5grzswjdmgs2a2v2"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags '("--with-loadavg")
#:tests? #f )) ; no tests
(home-page "https://github.com/xinetd-org/xinetd")
(synopsis "Internet services daemon")
(description "@code{xinetd}, a more secure replacement for @code{inetd},
listens for incoming requests over a network and launches the appropriate
service for that request. Requests are made using port numbers as identifiers
and xinetd usually launches another daemon to handle the request. It can be
used to start services with both privileged and non-privileged port numbers.")
(license (l:fsf-free "file://COPYRIGHT"))))