Hello community,
here is the log from the commit of package fonehome for openSUSE:Factory checked in at 2019-10-25 18:43:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/fonehome (Old)
and /work/SRC/openSUSE:Factory/.fonehome.new.2990 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "fonehome"
Fri Oct 25 18:43:13 2019 rev:9 rq:742953 version:1.1.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/fonehome/fonehome.changes 2018-11-15 12:41:45.206160970 +0100
+++ /work/SRC/openSUSE:Factory/.fonehome.new.2990/fonehome.changes 2019-10-25 18:43:14.539960847 +0200
@@ -1,0 +2,7 @@
+Fri Oct 25 14:38:52 UTC 2019 -
+
+- Upgrade to version 1.1.1
+ + Filter zero bytes from /proc/X/cmdline to avoid bash warning
+ + Run %post commands with reduced privileges (bsc#1154200)
+
+-------------------------------------------------------------------
Old:
----
fonehome-1.1.0.tar.gz
New:
----
fonehome-1.1.1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ fonehome.spec ++++++
--- /var/tmp/diff_new_pack.GBoGz7/_old 2019-10-25 18:43:15.011961295 +0200
+++ /var/tmp/diff_new_pack.GBoGz7/_new 2019-10-25 18:43:15.015961299 +0200
@@ -1,7 +1,7 @@
#
# spec file for package fonehome
#
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2012 Archie L. Cobbs
#
# All modifications and additions to the file contributed by third parties
@@ -42,7 +42,7 @@
%define authkeys_options no-X11-forwarding,no-agent-forwarding,no-pty,permitopen="0.0.0.0:9",command="sleep 99999d"
Name: fonehome
-Version: 1.1.0
+Version: 1.1.1
Release: 0
Summary: Remote access to machines behind firewalls
License: Apache-2.0
++++++ fonehome-1.1.0.tar.gz -> fonehome-1.1.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fonehome-1.1.0/CHANGES new/fonehome-1.1.1/CHANGES
--- old/fonehome-1.1.0/CHANGES 2016-01-07 21:18:57.000000000 +0100
+++ new/fonehome-1.1.1/CHANGES 2019-10-25 16:40:03.000000000 +0200
@@ -1,3 +1,8 @@
+Version 1.1.1 Released October 25, 2019
+
+ - Filter zero bytes from /proc/X/cmdline to avoid bash warning
+ - Run %post commands with reduced privileges to avoid security races
+
Version 1.1.0 Released January 7, 2016
- Improvements to fhshow(1); support IPv6 and UDP sockets
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fonehome-1.1.0/INSTALL new/fonehome-1.1.1/INSTALL
--- old/fonehome-1.1.0/INSTALL 2016-01-07 21:18:57.000000000 +0100
+++ new/fonehome-1.1.1/INSTALL 2019-10-25 16:40:03.000000000 +0200
@@ -1,7 +1,7 @@
Pre-build RPMs are available here:
- http://download.opensuse.org/repositories/home:/archie172/
+ https://build.opensuse.org/package/show/network:utilities/fonehome
Otherwise, use "ant" to build them yourself using rpmbuild(1).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fonehome-1.1.0/build.xml new/fonehome-1.1.1/build.xml
--- old/fonehome-1.1.0/build.xml 2016-01-07 21:18:57.000000000 +0100
+++ new/fonehome-1.1.1/build.xml 2019-10-25 16:40:03.000000000 +0200
@@ -1,12 +1,24 @@
<?xml version="1.0" encoding="UTF-8"?>
-<project name="fonehome" default="build" basedir="." xmlns:dellroad="urn:org.dellroad.ant">
+
<!-- Import ant macros -->
<import file="src/build/macros.xml"/>
<!-- Determine version -->
-
+ antcontrib:if
+ <available file="version.properties" type="file"/>
+ antcontrib:then
+ <property file="version.properties"/>
+
+ antcontrib:else
+
+
+
<echo message=""/>
<echo message="Version is ${fonehome.version}"/>
<echo message=""/>
@@ -19,14 +31,16 @@
<target name="tarball">
<delete dir="build/${tarball.name}"/>
<mkdir dir="build/${tarball.name}"/>
+ <echo file="build/${tarball.name}/version.properties" message="fonehome.version=${fonehome.version}"/>
<copy todir="build/${tarball.name}">
<fileset dir=".">
- <include name="*"/>
- <include name="src/build/**/*"/>
- <include name="src/conf/**/*"/>
- <include name="src/init.d/**/*"/>
- <include name="src/scripts/**/*"/>
- <include name="src/man/**/*"/>
+ <include name="CHANGES"/>
+ <include name="INSTALL"/>
+ <include name="COPYING"/>
+ <include name="README"/>
+ <include name="README.md"/>
+ <include name="build.xml"/>
+ <include name="src/**/*"/>
</fileset>
</copy>
<tar compression="gzip" basedir="build" includes="${tarball.name}/**/*" destfile="build/${tarball.file}"/>
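Review bot: The new `<include name="src/**/*"/>` is a wildcard, while the top-level files in the same fileset were tightened to an explicit allowlist. The old list named each subdirectory, so after this change anything that happens to sit under `src/` in the build tree is shipped in the release tarball. If the intent was only to add the spec directory, keeping the per-directory includes and adding `<include name="src/rpm/**/*"/>` would keep the tarball contents reviewable. I cannot see what else lives under `src/`, so this may be harmless today. The `tarball` target continues past the end of this hunk.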
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fonehome-1.1.0/src/rpm/fonehome.spec new/fonehome-1.1.1/src/rpm/fonehome.spec
--- old/fonehome-1.1.0/src/rpm/fonehome.spec 2016-01-07 21:18:57.000000000 +0100
+++ new/fonehome-1.1.1/src/rpm/fonehome.spec 2019-10-25 16:40:03.000000000 +0200
@@ -164,6 +164,8 @@
Group: System/Daemons
Requires(pre): pwdutils
Requires(post): openssh
+Requires(post): sed
+Requires(post): util-linux
%description server
fonehome allows remote access to machines behind firewalls using SSH
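Review bot: The scriptlet dependencies added here cover `sed` and `runuser` (util-linux), but the rewritten %post further down also calls `cat` and `tee`, which come from coreutils. Unless coreutils is already declared outside this hunk, a line `Requires(post): coreutils` next to these two would make the install ordering explicit, so the key-generation pipeline cannot run before its tools are present.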
@@ -185,20 +187,17 @@
# Generate ssh key pair for user fonehome
if ! [ -e %{servprikey} ]; then
+ # Run commands below with reduced privileges to avoid security race conditions
+ RUN_FONEHOME='runuser -u %{username} -g %{usergroup} --'
+
# Generate key
echo "creating SSH public key pair for user '%{username}'"
- rm -f %{servpubkey}
- ssh-keygen -t rsa -N '' -C '%{username}' -f %{servprikey}
- chmod 600 %{servprikey}
- chmod 644 %{servpubkey}
- chown root:root %{servprikey}
- chown %{username}:%{usergroup} %{servpubkey}
+ ${RUN_FONEHOME} ssh-keygen -t rsa -N '' -C %{username} -f %{servprikey}
# Allow incoming ssh connections using key, but with lots of restrictions
- sed -r 's/^((ssh|ecdsa)-[^[:space:]]+[[:space:]].*)$/# %{authkeys_comment}\n%{authkeys_options} \1/g' \
- < %{servpubkey}> %{authkeys}
- chmod 644 %{authkeys}
- chown %{username}:%{usergroup} %{authkeys}
+ ${RUN_FONEHOME} cat %{servpubkey} \
+ | ${RUN_FONEHOME} sed -r 's/^((ssh|ecdsa)-[^[:space:]]+[[:space:]].*)$/# %{authkeys_comment}\n%{authkeys_options} \1/g' \
+ | ${RUN_FONEHOME} tee %{authkeys} >/dev/null
fi
%files server
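Review bot: The modes that the removed `chmod 600`/`chmod 644` lines pinned are now left to whatever ssh-keygen and `tee` create under the inherited umask, so `%{servpubkey}` and `%{authkeys}` may not match the 644 declared in %files. rpm normally runs scriptlets with umask 022, so this is defensive, but sshd with StrictModes rejects a group- or world-writable authorized_keys and a looser umask would silently break logins. Setting the modes as the unprivileged user keeps the race fix intact: `${RUN_FONEHOME} chmod 644 %{servpubkey} %{authkeys}`. The pipeline also has no failure check, so if ssh-keygen fails `tee` still leaves an empty `%{authkeys}`; testing the ssh-keygen exit status before the pipeline would avoid that. The enclosing %post scriptlet starts and ends outside this hunk.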
@@ -213,7 +212,7 @@
%config(noreplace missingok) %{portsfile}
%dir %attr(755,%{username},%{usergroup}) %{serverdir}
%dir %attr(700,%{username},%{usergroup}) %{serverdir}/.ssh
-%ghost %verify(not size md5 mtime) %attr(600,root,root) %{servprikey}
+%ghost %verify(not size md5 mtime) %attr(600,%{username},%{usergroup}) %{servprikey}
%ghost %verify(not size md5 mtime) %attr(644,%{username},%{usergroup}) %{servpubkey}
%ghost %verify(not size md5 mtime) %attr(644,%{username},%{usergroup}) %{authkeys}
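Review bot: Hosts upgraded from 1.1.0 keep a root:root private key, because the %post guard `if ! [ -e %{servprikey} ]` skips generation when the key exists and the old scriptlet ran `chown root:root` on it. As far as I can tell rpm does not apply `%attr` to `%ghost` files on upgrade, so `rpm -V` would report an owner/group mismatch against the new `%attr(600,%{username},%{usergroup})` on those hosts. A comment above the line would document this, e.g. `# owned by %{username} since 1.1.1: %post generates the key via runuser; keys created by 1.1.0 stay root-owned`. Correcting the ownership as root inside the user-owned `.ssh` directory is not a good remedy, since that looks like the pattern this release removes.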
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fonehome-1.1.0/src/scripts/fhshow.sh new/fonehome-1.1.1/src/scripts/fhshow.sh
--- old/fonehome-1.1.0/src/scripts/fhshow.sh 2016-01-07 21:18:57.000000000 +0100
+++ new/fonehome-1.1.1/src/scripts/fhshow.sh 2019-10-25 16:40:03.000000000 +0200
@@ -76,7 +76,7 @@
warn multiple processes listening on port ${PORT} \(${CHILD_ID}\)
continue
fi
- PROCESS="${CHILD_ID} `cat /proc/"${CHILD_ID}"/cmdline`"
+ PROCESS="${CHILD_ID} `cat /proc/"${CHILD_ID}"/cmdline | tr -d '\000'`"
# Find parent process
PARENT_ID=`sed -rn "s|^${WORD}${SPACE}\([^)]*\)${SPACE}${WORD}${SPACE}(${WORD}).*$|\1|gp" /proc/${CHILD_ID}/stat`
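Review bot: Deleting the NUL bytes with `tr -d '\000'` glues the argv elements of `/proc/PID/cmdline` together, so the command and its arguments are displayed as one unbroken string. Translating the separators instead keeps the output readable and still avoids the bash warning; inside the backticks, `tr '\000' ' ' < /proc/"${CHILD_ID}"/cmdline` would replace the `cat … | tr -d '\000'` pipeline and drop the extra `cat`. The surrounding loop starts and ends outside this hunk.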
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fonehome-1.1.0/version.properties new/fonehome-1.1.1/version.properties
--- old/fonehome-1.1.0/version.properties 1970-01-01 01:00:00.000000000 +0100
+++ new/fonehome-1.1.1/version.properties 2019-10-25 16:40:03.000000000 +0200
@@ -0,0 +1 @@
+fonehome.version=1.1.1
\ No newline at end of file