Hello community, here is the log from the commit of package xinetd for openSUSE:Factory checked in at 2014-04-05 16:50:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xinetd (Old) and /work/SRC/openSUSE:Factory/.xinetd.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "xinetd" Changes: -------- --- /work/SRC/openSUSE:Factory/xinetd/xinetd.changes 2014-03-18 16:21:52.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.xinetd.new/xinetd.changes 2014-04-05 16:50:14.000000000 +0200 @@ -2 +2,13 @@ -Mon Mar 17 17:44:18 UTC 2014 - mt@suee.de +Mon Mar 31 10:28:32 UTC 2014 - vcizek@suse.com + +- Add support for setting maximum number of open files (bnc#855685) + * added xinetd-2.3.14-file-limit.patch + * added xinetd-2.3.14-restore-nofile-limits.patch + +- fixes for security vulnerabilities + * CVE-2013-4342 (bnc#844230) + - xinetd ignores user and group directives for tcpmux services + - added xinetd-CVE-2013-4342.patch + +------------------------------------------------------------------- +Mon Mar 17 17:44:18 UTC 2014 - mt@suse.de New: ---- xinetd-2.3.14-file-limit.patch xinetd-2.3.14-restore-nofile-limits.patch xinetd-CVE-2013-4342.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xinetd.spec ++++++ --- /var/tmp/diff_new_pack.BQfk47/_old 2014-04-05 16:50:15.000000000 +0200 +++ /var/tmp/diff_new_pack.BQfk47/_new 2014-04-05 16:50:15.000000000 +0200 @@ -40,6 +40,9 @@ Patch12: %{name}-2.3.14-nodeadlock-revisited.patch #PATCH-FIX-SUSE: merge the SUSE's default xinetd.conf with upstream one Patch13: xinetd-config.patch +Patch15: xinetd-CVE-2013-4342.patch +Patch16: xinetd-2.3.14-file-limit.patch +Patch17: xinetd-2.3.14-restore-nofile-limits.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: autoconf 
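Review bot: The three new Patch lines carry no `#PATCH-FIX-*` tag comment, unlike `Patch13`, which is annotated `#PATCH-FIX-SUSE:` in the context just above. openSUSE packaging convention expects each patch to say where it comes from and what it fixes, and for a security fix that provenance matters for later audits. I would add `#PATCH-FIX-UPSTREAM: CVE-2013-4342 (bnc#844230) tcpmux services ignored user/group directives` before `Patch15` (PATCH-FIX-SUSE if it has not been accepted upstream) and `#PATCH-FIX-SUSE: rlimit_files support and NOFILE hard-limit restore (bnc#855685)` before `Patch16`. The jump from Patch13 to Patch15 also leaves an unexplained gap; if Patch14 is deliberately reserved, a short comment saying so would avoid the question on the next review.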
@@ -70,6 +73,9 @@ %patch11 -p1 %patch12 -p1 %patch13 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 # FAQ, README.SUSE and logrotate cp %{SOURCE2} %{SOURCE3} %{SOURCE5} . ++++++ xinetd-2.3.14-file-limit.patch ++++++ Index: xinetd-2.3.14/xinetd/attr.h =================================================================== --- xinetd-2.3.14.orig/xinetd/attr.h +++ xinetd-2.3.14/xinetd/attr.h @@ -61,12 +61,13 @@ #define A_DISABLED 43 #define A_MDNS 44 #define A_LIBWRAP 45 +#define A_RLIMIT_FILES 46 /* * SERVICE_ATTRIBUTES is the number of service attributes and also * the number from which defaults-only attributes start. */ -#define SERVICE_ATTRIBUTES ( A_MDNS + 1 ) +#define SERVICE_ATTRIBUTES ( A_MDNS + 2 ) /* * Mask of attributes that must be specified. Index: xinetd-2.3.14/xinetd/child.c =================================================================== --- xinetd-2.3.14.orig/xinetd/child.c +++ xinetd-2.3.14/xinetd/child.c @@ -98,6 +98,10 @@ void exec_server( const struct server *s #ifdef RLIMIT_NOFILE + if ( SC_RLIM_FILES( scp )) + { + ps.ros.max_descriptors = SC_RLIM_FILES( scp ); + } rl.rlim_max = ps.ros.orig_max_descriptors ; rl.rlim_cur = ps.ros.max_descriptors ; (void) setrlimit( RLIMIT_NOFILE, &rl ) ; Index: xinetd-2.3.14/xinetd/parse.c =================================================================== --- xinetd-2.3.14.orig/xinetd/parse.c +++ xinetd-2.3.14/xinetd/parse.c @@ -92,6 +92,9 @@ static const struct attribute service_at #ifdef RLIMIT_DATA { "rlimit_data", A_RLIMIT_DATA, 1, rlim_data_parser }, #endif +#ifdef RLIMIT_NOFILE + { "rlimit_files", A_RLIMIT_FILES, 1, rlim_files_parser }, +#endif #ifdef RLIMIT_RSS { "rlimit_rss", A_RLIMIT_RSS, 1, rlim_rss_parser }, #endif Index: xinetd-2.3.14/xinetd/parsers.c =================================================================== --- xinetd-2.3.14.orig/xinetd/parsers.c +++ xinetd-2.3.14/xinetd/parsers.c 
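Review bot: `#define SERVICE_ATTRIBUTES ( A_MDNS + 2 )` now expresses the attribute count through a constant that has nothing to do with the new attribute, which is fragile and hard to read. Taking the comment literally, the value becomes 46, the same as the new `A_RLIMIT_FILES`, so the new attribute sits exactly at the "defaults-only attributes start" boundary even though the parse.c hunk in this patch registers it in the service attribute table; the same coincidence already held for `A_LIBWRAP` under the old value, so this may be intended, but it deserves a comment. If the intent is simply "one past the last service attribute", writing it as `#define SERVICE_ATTRIBUTES ( A_RLIMIT_FILES + 1 )` ties it to the right constant. I cannot see from this hunk whether any array sized with SERVICE_ATTRIBUTES must also hold index 46; worth confirming.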
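Review bot: The new assignment to `ps.ros.max_descriptors` feeds `rl.rlim_cur` while `rl.rlim_max` stays at `ps.ros.orig_max_descriptors`, and the `(void) setrlimit( RLIMIT_NOFILE, &rl )` below still discards the result; a configured rlimit_files above xinetd's own original hard limit, and the `UNLIMITED` keyword that the parsers.c hunk of this patch maps to RLIM_INFINITY, therefore fail with EINVAL (rlim_cur > rlim_max) and the service silently keeps the previous limit. Suggest checking the call, e.g. `if ( setrlimit( RLIMIT_NOFILE, &rl ) == -1 ) msg( LOG_ERR, func, "setrlimit(RLIMIT_NOFILE, %lu) failed: %m", (unsigned long) rl.rlim_cur ) ;` (assuming `func` is defined in exec_server as in the rest of child.c). The guard `if ( SC_RLIM_FILES( scp ))` tests the stored value rather than `SC_SPECIFIED( scp, A_RLIMIT_FILES )`, which is how other directives are checked in this file, so a configured value of 0 is indistinguishable from "not set". The xinetd.conf.man hunk in this patch should then also say that the value cannot exceed the hard limit xinetd was started with, instead of the "around 1024000" figure. exec_server starts before the hunk.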
@@ -1415,9 +1415,32 @@ status_e rlim_data_parser( pset_h values } #endif +#ifdef RLIMIT_NOFILE +status_e rlim_files_parser( pset_h values, + struct service_config *scp, + enum assign_op op ) +{ + char *mem = (char *) pset_pointer( values, 0 ) ; + const char *func = "rlim_files_parser" ; + + if ( EQ( mem, "UNLIMITED" ) ) + SC_RLIM_FILES(scp) = (rlim_t)RLIM_INFINITY ; + else + { + if ( get_limit ( mem, &SC_RLIM_FILES(scp)) ) + { + parsemsg( LOG_ERR, func, + "Max files limit is invalid: %s", mem ) ; + return( FAILED ) ; + } + } + return( OK ) ; +} +#endif + #ifdef RLIMIT_RSS status_e rlim_rss_parser( pset_h values, - struct service_config *scp, + struct service_config *scp, enum assign_op op ) { char *mem = (char *) pset_pointer( values, 0 ) ; Index: xinetd-2.3.14/xinetd/parsers.h =================================================================== --- xinetd-2.3.14.orig/xinetd/parsers.h +++ xinetd-2.3.14/xinetd/parsers.h @@ -57,6 +57,9 @@ status_e rlim_cpu_parser(pset_h, struct #ifdef RLIMIT_DATA status_e rlim_data_parser(pset_h, struct service_config *, enum assign_op) ; #endif +#ifdef RLIMIT_NOFILE +status_e rlim_files_parser(pset_h, struct service_config *, enum assign_op) ; +#endif #ifdef RLIMIT_RSS status_e rlim_rss_parser(pset_h, struct service_config *, enum assign_op) ; #endif Index: xinetd-2.3.14/xinetd/sconf.h =================================================================== --- xinetd-2.3.14.orig/xinetd/sconf.h +++ xinetd-2.3.14/xinetd/sconf.h @@ -142,6 +142,7 @@ struct service_config rlim_t sc_rlim_as; rlim_t sc_rlim_cpu; rlim_t sc_rlim_data; + rlim_t sc_rlim_files; rlim_t sc_rlim_rss; rlim_t sc_rlim_stack; mode_t sc_umask; 
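Review bot: The `-`/`+` pair on rlim_rss_parser's `struct service_config *scp,` line changes only whitespace and is unrelated to the new parser; it should be dropped so the patch stays minimal and rebases cleanly. In rlim_files_parser, a value that get_limit accepts as 0 is stored as-is, and the consumer in child.c (see the child.c hunk of this patch) treats 0 as "not configured", so a misconfigured `rlimit_files = 0` is silently ignored rather than reported; if get_limit does not already reject it, a check such as `if ( SC_RLIM_FILES(scp) == 0 ) { parsemsg( LOG_ERR, func, "Max files limit must be positive: %s", mem ) ; return( FAILED ) ; }` after the get_limit call would surface it at parse time. The unused `op` parameter matches the sibling parsers and is fine as the table contract.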
@@ -190,6 +191,7 @@ struct service_config #define SC_RLIM_AS( scp ) (scp)->sc_rlim_as #define SC_RLIM_CPU( scp ) (scp)->sc_rlim_cpu #define SC_RLIM_DATA( scp ) (scp)->sc_rlim_data +#define SC_RLIM_FILES( scp ) (scp)->sc_rlim_files #define SC_RLIM_RSS( scp ) (scp)->sc_rlim_rss #define SC_RLIM_STACK( scp ) (scp)->sc_rlim_stack #define SC_TYPE( scp ) (scp)->sc_type Index: xinetd-2.3.14/xinetd/xinetd.conf.man =================================================================== --- xinetd-2.3.14.orig/xinetd/xinetd.conf.man +++ xinetd-2.3.14/xinetd/xinetd.conf.man @@ -568,6 +568,12 @@ is implemented, it is more useful to set rlimit_rss and rlimit_stack. This resource limit is only implemented on Linux systems. .TP +.B rlimit_files +Sets the maximum number of open files that the service may use. +One parameter is required, which is a positive integer representing +the number of open file descriptors. Practical limit of this number +is around 1024000. +.TP .B rlimit_cpu Sets the maximum number of CPU seconds that the service may use. One parameter is required, which is either a positive integer representing ++++++ xinetd-2.3.14-restore-nofile-limits.patch ++++++ Index: xinetd-2.3.14/xinetd/child.c =================================================================== --- xinetd-2.3.14.orig/xinetd/child.c +++ xinetd-2.3.14/xinetd/child.c 
@@ -205,6 +205,24 @@ static void set_credentials( const struc
    const char *func = "set_credentials" ;
    if ( SC_SPECIFIED( scp, A_GROUP ) || SC_SPECIFIED( scp, A_USER ) )
    {
+#ifdef RLIMIT_NOFILE
+   /*
+    * init.c/set_fd_limit changes hard limit for nofile to FD_SETSIZE to
+    * prevent fd_set overflow. This must be restored before setgid/setuid,
+    * because non-root process will be limited to FD_SETSIZE and not
+    * properly inherited
+    *
+    * value of rlim_cur is not important as subsequent code in exec_server
+    * will use proper values
+    *
+    * https://bugzilla.novell.com/show_bug.cgi?id=855685
+    */
+   struct rlimit rl ;
+   rl.rlim_max = ps.ros.orig_max_descriptors ;
+   rl.rlim_cur = ps.ros.max_descriptors ;
+   (void) setrlimit( RLIMIT_NOFILE, &rl ) ;
+#endif
+
    if ( ps.ros.is_superuser )
    {
       gid_t gid = SC_GETGID( scp ) ;
++++++ xinetd-CVE-2013-4342.patch ++++++
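Review bot: The added `(void) setrlimit( RLIMIT_NOFILE, &rl ) ;` is the call that restores the hard limit before the setgid/setuid below, yet its result is discarded; if it fails, the child drops privilege with the FD_SETSIZE hard cap still in place, the later setrlimit in exec_server can no longer raise rlim_cur above it, and nothing is logged. Since `func` is already defined in the context line above, `if ( setrlimit( RLIMIT_NOFILE, &rl ) == -1 ) msg( LOG_WARNING, func, "setrlimit(RLIMIT_NOFILE) failed: %m" ) ;` would make the failure visible without changing the best-effort behaviour. The twelve-line comment could be cut to one or two lines stating the ordering requirement and citing bnc#855685; the description of what init.c does belongs next to set_fd_limit. set_credentials starts before and continues past the hunk.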
From 91e2401a219121eae15244a6b25d2e79c1af5864 Mon Sep 17 00:00:00 2001 From: Thomas Swan
Date: Wed, 2 Oct 2013 23:17:17 -0500 Subject: [PATCH] CVE-2013-4342: xinetd: ignores user and group directives for TCPMUX services
Originally reported to Debian in 2005 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678 and rediscovered https://bugzilla.redhat.com/show_bug.cgi?id=1006100, xinetd would execute TCPMUX services without dropping privilege to match the service configuration allowing the service to run with same privilege as the xinetd process (root). --- xinetd/builtins.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: xinetd-2.3.14/xinetd/builtins.c =================================================================== --- xinetd-2.3.14.orig/xinetd/builtins.c 2014-02-25 14:38:03.754473556 +0100 +++ xinetd-2.3.14/xinetd/builtins.c 2014-02-25 14:38:03.760473625 +0100 @@ -615,7 +615,7 @@ static void tcpmux_handler( const struct if( SC_IS_INTERNAL( scp ) ) { SC_INTERNAL(scp, nserp); } else { - exec_server(nserp); + child_process(nserp); } } -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
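Review bot: Only the exec branch is rerouted through `child_process(nserp)`; the `SC_IS_INTERNAL( scp )` branch on the preceding context line still calls `SC_INTERNAL(scp, nserp)` directly, so a builtin multiplexed through tcpmux keeps the identity of the tcpmux child rather than the user/group of its own configuration. If that is the accepted behaviour for builtins, a comment at the `else` such as `/* child_process() drops credentials and applies limits before exec; calling exec_server() directly here was CVE-2013-4342 */` would record why the direct call must not return. I am inferring from the description that child_process performs the credential drop; the call chain is not visible in the hunk. tcpmux_handler starts before the hunk.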