Hello community,
here is the log from the commit of package openvas-scanner for openSUSE:Factory checked in at 2011-11-07 14:28:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openvas-scanner (Old)
and /work/SRC/openSUSE:Factory/.openvas-scanner.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openvas-scanner", Maintainer is "nadvornik@suse.com"
Changes:
--------
--- /work/SRC/openSUSE:Factory/openvas-scanner/openvas-scanner.changes 2011-09-23 12:21:01.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.openvas-scanner.new/openvas-scanner.changes 2011-11-07 14:28:08.000000000 +0100
@@ -1,0 +2,6 @@
+Fri Nov 4 20:41:28 UTC 2011 - bitshuffler@opensuse.org
+
+- Updated to 3.2.5
+ * The optional use of the external tool "ovaldi" has been made more secure.
+
+-------------------------------------------------------------------
Old:
----
openvas-scanner-3.2.4.tar.gz
ovas-scanner-add-needed.patch
New:
----
debian.series
openvas-scanner-3.2.4-linking.patch
openvas-scanner-3.2.5.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openvas-scanner.spec ++++++
--- /var/tmp/diff_new_pack.xGvijC/_old 2011-11-07 14:28:12.000000000 +0100
+++ /var/tmp/diff_new_pack.xGvijC/_new 2011-11-07 14:28:12.000000000 +0100
@@ -15,21 +15,20 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
-# norootforbuild
-
Name: openvas-scanner
-Version: 3.2.4
-Release: 3
+Version: 3.2.5
+Release: 1.0
License: GPLv2
Group: Productivity/Networking/Security
-Url: http://www.openvas.org
+URL: http://www.openvas.org
Source0: %{name}-%{version}.tar.gz
Source1: openvassd.logrotate
Source2: debian.openvas-scanner.default
Source3: openvassd.init.suse
Source4: openvassd.init.fedora
Source5: openvassd.init.mandriva
+Patch0: openvas-scanner-3.2.4-linking.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if 0%{?mandriva_version}
@@ -53,7 +52,6 @@
Requires: openssl
Requires: rsync
Summary: The Scanner Module for OpenVAS
-Patch: ovas-scanner-add-needed.patch
%description
This is the scanner module for the Open Vulnerability Assessment System (OpenVAS).
@@ -61,7 +59,7 @@
%prep
%setup -q
-%patch
+%patch0
%build
%if 0%{?mandriva_version}
@@ -190,4 +188,3 @@
%else
%config(noreplace) %{_sysconfdir}/sysconfig/openvas-scanner
%endif
-%changelog
++++++ debian.changelog ++++++
--- /var/tmp/diff_new_pack.xGvijC/_old 2011-11-07 14:28:12.000000000 +0100
+++ /var/tmp/diff_new_pack.xGvijC/_new 2011-11-07 14:28:12.000000000 +0100
@@ -1,3 +1,10 @@
+openvas-scanner (3.2.5-1) UNRELEASED; urgency=low
+
+ * New upstream release
+ - The optional use of the external tool "ovaldi" has been made more secure.
+
+ -- Stephan Kleine Fri, 04 Nov 2011 21:42:26 +0100
+
openvas-scanner (3.2.4-1) UNRELEASED; urgency=low
* New upstream release
++++++ debian.series ++++++
openvas-scanner-3.2.4-linking.patch -p0
++++++ openvas-scanner-3.2.4-linking.patch ++++++
Index: src/CMakeLists.txt
===================================================================
--- src/CMakeLists.txt.orig 2011-06-08 14:22:08.000000000 +0200
+++ src/CMakeLists.txt 2011-10-16 17:10:29.093020840 +0200
@@ -133,7 +133,7 @@ endif (NVT_TIMEOUT)
set_target_properties (openvassd PROPERTIES LINK_FLAGS
"${LIB_TEMP} ${GLIB_LDFLAGS} ${OPENVAS_LDFLAGS}")
-target_link_libraries (openvassd gnutls dl gcrypt)
+target_link_libraries (openvassd dl gcrypt glib-2.0 gnutls openvas_base openvas_hg openvas_misc)
set_target_properties (openvassd PROPERTIES COMPILE_FLAGS
"${HEADER_TEMP} ${OPENVAS_CFLAGS} ${GLIB_CFLAGS}")
++++++ openvas-scanner-3.2.4.tar.gz -> openvas-scanner-3.2.5.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvas-scanner-3.2.4/CHANGES new/openvas-scanner-3.2.5/CHANGES
--- old/openvas-scanner-3.2.4/CHANGES 2011-06-08 14:22:08.000000000 +0200
+++ new/openvas-scanner-3.2.5/CHANGES 2011-11-03 09:50:51.000000000 +0100
@@ -1,3 +1,19 @@
+openvas-scanner 3.2.5 (2011-11-03)
+
+This is the fifth maintenance release of the openvas-scanner 3.2 module for the
+Open Vulnerability Assessment System release 4 (OpenVAS-4).
+
+This release addresses a security issue related to the optional use of the
+external tool "ovaldi" by making file ownership and location more secure. This
+fixes the issue described in OSVDB-75177.
+
+Many thanks to everyone who has contributed to this release:
+Michael Wiegand.
+
+Main changes compared to 3.2.4:
+* The optional use of the external tool "ovaldi" has been made more secure.
+
+
openvas-scanner 3.2.4 (2011-06-08)
This is the fourth maintenance release of the openvas-scanner 3.2 module for the
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvas-scanner-3.2.4/CMakeLists.txt new/openvas-scanner-3.2.5/CMakeLists.txt
--- old/openvas-scanner-3.2.4/CMakeLists.txt 2011-06-08 14:22:08.000000000 +0200
+++ new/openvas-scanner-3.2.5/CMakeLists.txt 2011-11-03 09:50:51.000000000 +0100
@@ -79,7 +79,7 @@
set (CPACK_TOPLEVEL_TAG "")
set (CPACK_PACKAGE_VERSION_MAJOR "3")
set (CPACK_PACKAGE_VERSION_MINOR "2")
-set (CPACK_PACKAGE_VERSION_PATCH "4${SVN_REVISION}")
+set (CPACK_PACKAGE_VERSION_PATCH "5${SVN_REVISION}")
set (CPACK_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION_MAJOR}.${CPACK_PACKAGE_VERSION_MINOR}.${CPACK_PACKAGE_VERSION_PATCH}")
set (CPACK_PACKAGE_FILE_NAME "${PROJECT_NAME}-${CPACK_PACKAGE_VERSION}")
set (CPACK_SOURCE_PACKAGE_FILE_NAME "${PROJECT_NAME}-${CPACK_PACKAGE_VERSION}")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvas-scanner-3.2.4/ChangeLog new/openvas-scanner-3.2.5/ChangeLog
--- old/openvas-scanner-3.2.4/ChangeLog 2011-06-08 14:22:08.000000000 +0200
+++ new/openvas-scanner-3.2.5/ChangeLog 2011-11-03 09:50:51.000000000 +0100
@@ -1,3 +1,23 @@
+2011-11-03 Michael Wiegand
+
+ Preparing the openvas-scanner 3.2.5 release.
+
+ * CHANGES: Updated.
+
+2011-09-23 Michael Wiegand
+
+ * src/oval_plugins.c (ovaldi_launch): Tighten security for ovaldi
+ launch: Ensure file names are not easily guessable, drop privileges
+ early and place files in a randomly named temporary directory after
+ privileges have been dropped. Improve cleanup after ovaldi launch.
+ Backport from trunk, originally committed in SVN r11599.
+
+2011-06-08 Michael Wiegand
+
+ Post release version bump.
+
+ * CMakeLists.txt: Set to version to 3.2.5.
+
2011-06-08 Michael Wiegand
Preparing the openvas-scanner 3.2.4 release.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvas-scanner-3.2.4/doc/openvassd.8 new/openvas-scanner-3.2.5/doc/openvassd.8
--- old/openvas-scanner-3.2.4/doc/openvassd.8 2011-06-08 14:22:08.000000000 +0200
+++ new/openvas-scanner-3.2.5/doc/openvassd.8 2011-11-03 09:50:51.000000000 +0100
@@ -23,7 +23,7 @@
.TP
.BI "-c " <config-file> ", --config-file=" <config-file>
Use the alternate configuration file instead of
-.I /home/michael/vol1/openvas-testing-release/etc/openvas/openvassd.conf
+.I /home/michael/openvas-testing-backports/etc/openvas/openvassd.conf
.TP
.BI "-a " <address> ", --listen=" <address>
@@ -81,12 +81,12 @@
The default
.B openvassd
configuration file,
-.I /home/michael/vol1/openvas-testing-release/etc/openvas/openvassd.conf
+.I /home/michael/openvas-testing-backports/etc/openvas/openvassd.conf
contains these options:
.IP plugins_folder
Contains the location of the plugins folder. This is usually
-/home/michael/vol1/openvas-testing-release/var/lib/openvas/plugins, but you may change this.
+/home/michael/openvas-testing-backports/var/lib/openvas/plugins, but you may change this.
.IP logfile
path to the logfile. You can enter
.I syslog
@@ -159,7 +159,7 @@
.SH USERS MANAGEMENT
The utility openvas-adduser(8) creates new openvassd users. Each openvassd user
-is attributed a "home", in /home/michael/vol1/openvas-testing-release/var/lib/openvas/users/<username>. This home contains the following directories :
+is attributed a "home", in /home/michael/openvas-testing-backports/var/lib/openvas/users/<username>. This home contains the following directories :
.IP auth/
This directory contains the authentication information for this user. It might contain the file 'dname' if the user is authenticating using a certificate, or 'hash' (or 'passwd') if the user is authenticating using a password. The file 'hash' contains a MD5 hash of the user password, as well as a random seed. The file 'password' should contain the password in clear text.
@@ -175,7 +175,7 @@
When a user attempts to log in, openvassd first checks that the directory
-/home/michael/vol1/openvas-testing-release/var/lib/openvas/users/<username> exists, then hashes the password sent by the user with the random salt found in <username>/auth/hash, and compares it with the password hash stored in the same file. If the users authenticates using a certificate, then openvassd checks that the certificate has been signed by a recognized authority, and makes sure that the dname of the certificate shown by the user is the same as the one in <username>/dname.
+/home/michael/openvas-testing-backports/var/lib/openvas/users/<username> exists, then hashes the password sent by the user with the random salt found in <username>/auth/hash, and compares it with the password hash stored in the same file. If the users authenticates using a certificate, then openvassd checks that the certificate has been signed by a recognized authority, and makes sure that the dname of the certificate shown by the user is the same as the one in <username>/dname.
To remove a given user, use the command openvas-rmuser(8).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvas-scanner-3.2.4/src/oval_plugins.c new/openvas-scanner-3.2.5/src/oval_plugins.c
--- old/openvas-scanner-3.2.4/src/oval_plugins.c 2011-06-08 14:22:08.000000000 +0200
+++ new/openvas-scanner-3.2.5/src/oval_plugins.c 2011-11-03 09:50:51.000000000 +0100
@@ -34,6 +34,7 @@
#include /* for getpwnam() */
#include /* for getpwnam() */
#include /* for signal() */
+#include /* for mkdtemp */
#include
#include /* for internal_send */
@@ -44,6 +45,8 @@
#include /* for setproctitle */
#include /* for nvti_t */
+#include /* for drop_privileges */
+#include /* for openvas_file_remove_recurse */
#include
#include
@@ -580,21 +583,34 @@
gchar *folder = g_strndup ((char *) arg_get_value (g_args, "name"),
strlen ((char *) arg_get_value (g_args, "name")) -
strlen (basename));
+ GError *error;
+ gchar *tmpdirtemplate;
+ char *tmpdir;
+
+ int drop_priv_res = OPENVAS_DROP_PRIVILEGES_OK;
+ drop_priv_res = drop_privileges (NULL, &error);
+ if (drop_priv_res != OPENVAS_DROP_PRIVILEGES_OK)
+ {
+ if (drop_priv_res != OPENVAS_DROP_PRIVILEGES_FAIL_NOT_ROOT)
+ {
+ log_write ("Failed to drop privileges for ovaldi launch!");
+ g_error_free (error);
+ return;
+ }
+ g_error_free (error);
+ }
- /** @todo What frees this? */
- sc_filename = g_strconcat (folder, "sc-out.xml", NULL);
- log_write ("SC Filename: %s\n", sc_filename);
- /** @todo What if some other process does an ovaldi scan? */
- results_filename = "/tmp/results.xml";
+ tmpdirtemplate = g_strdup_printf ("%s/openvasovalXXXXXX", g_get_tmp_dir ());
+ tmpdir = mkdtemp (tmpdirtemplate);
- if (g_file_test (results_filename, G_FILE_TEST_EXISTS))
+ if (tmpdir == NULL)
{
- log_write
- ("Found existing results file in %s, deleting it to avoid conflicts.",
- results_filename);
- g_unlink (results_filename);
+ log_write ("Failed to create temporary directory!");
+ return;
}
+ sc_filename = g_strconcat (tmpdir, "/sc-out.xml", NULL);
+
sc_file = fopen (sc_filename, "w");
if (sc_file == NULL)
{
@@ -978,6 +994,8 @@
if (sc_file != NULL)
fclose (sc_file);
+ results_filename = g_strconcat (tmpdir, "/results.xml", NULL);
+
gchar **argv = (gchar **) g_malloc (11 * sizeof (gchar *));
argv[0] = g_strdup ("ovaldi");
argv[1] = g_strdup ("-m"); // Do not check OVAL MD5 signature
@@ -993,7 +1011,7 @@
// log_write ("Launching ovaldi with: %s\n", g_strjoinv (" ", argv));
if (g_spawn_sync
- (NULL, argv, NULL, G_SPAWN_SEARCH_PATH, oval_drop_privileges, NULL, NULL, NULL,
+ (NULL, argv, NULL, G_SPAWN_SEARCH_PATH, NULL, NULL, NULL, NULL,
NULL, NULL))
{
GMarkupParser parser;
@@ -1073,6 +1091,10 @@
}
g_strfreev (argv);
g_free (result_string);
+ g_free (results_filename);
+ g_free (sc_filename);
+ openvas_file_remove_recurse (tmpdir);
+ g_free (tmpdir);
}
pl_class_t oval_plugin_class = {
++++++ openvas-scanner.dsc ++++++
--- /var/tmp/diff_new_pack.xGvijC/_old 2011-11-07 14:28:12.000000000 +0100
+++ /var/tmp/diff_new_pack.xGvijC/_new 2011-11-07 14:28:12.000000000 +0100
@@ -2,13 +2,13 @@
Source: openvas-scanner
Binary: openvas-scanner
Architecture: any
-Version: 3.2.4-1
+Version: 3.2.5-1
Maintainer: Stephan Kleine
Homepage: http://www.openvas.org/
Standards-Version: 3.8.0
Build-Depends: debhelper (>= 6), devscripts, dpatch, cmake, hardening-wrapper, libopenvas4-dev, libwrap0-dev, pkg-config, po-debconf
Files:
- 776ce4e1000137c9aec7863372c8c876 373800 openvas-scanner-3.2.4.orig.tar.gz
- 131e6720b0526ade9405eade0d9150ac 56625 openvas-scanner-3.2.4.diff.gz
+ 776ce4e1000137c9aec7863372c8c876 373800 openvas-scanner-3.2.5.orig.tar.gz
+ 131e6720b0526ade9405eade0d9150ac 56625 openvas-scanner-3.2.5.diff.gz
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org