commit vsftpd for openSUSE:12.3
Hello community, here is the log from the commit of package vsftpd for openSUSE:12.3 checked in at 2013-03-01 09:06:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.3/vsftpd (Old) and /work/SRC/openSUSE:12.3/.vsftpd.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "vsftpd", Maintainer is "MVyskocil@suse.com" Changes: -------- --- /work/SRC/openSUSE:12.3/vsftpd/vsftpd.changes 2013-01-31 01:44:26.000000000 +0100 +++ /work/SRC/openSUSE:12.3/.vsftpd.new/vsftpd.changes 2013-03-01 09:06:06.000000000 +0100 @@ -1,0 +2,6 @@ +Thu Feb 28 13:30:07 UTC 2013 - mvyskocil@suse.com + +- add vsftpd-allow-dev-log-socket.patch (bnc#786024) + * whitelist /dev/log related socket syscall + +------------------------------------------------------------------- New: ---- vsftpd-allow-dev-log-socket.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ vsftpd.spec ++++++ --- /var/tmp/diff_new_pack.Q2jYhf/_old 2013-03-01 09:06:06.000000000 +0100 +++ /var/tmp/diff_new_pack.Q2jYhf/_new 2013-03-01 09:06:06.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package vsftpd # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -54,6 +54,7 @@ Patch9: vsftpd-2.3.5-conf.patch Patch10: vsftpd-3.0.0_gnu_source_defines.patch Patch11: vsftpd-3.0.0-optional-seccomp.patch +Patch12: vsftpd-allow-dev-log-socket.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build Provides: ftp-server PreReq: %insserv_prereq /usr/sbin/useradd @@ -84,6 +85,7 @@ %patch9 %patch10 -p1 %patch11 -p1 +%patch12 -p1 %build %define seccomp_opts %{nil} ++++++ vsftpd-allow-dev-log-socket.patch ++++++ 
From: mvyskocil@suse.com Subject: enable /dev/log related socket call Linux-PAM tries to open /dev/log, but as socket is not enabled in seccomp sandbox, daemon is killed by SIGSYS. Because the attempt is made by process with RLIMIT_NOFILE, the correct fix would be to test if we can open a new fd in pam. Anyway I would say the risk is small, and other socket syscalls are disabled. Fixes: https://bugzilla.novell.com/show_bug.cgi?id=786024 Index: vsftpd-3.0.2/seccompsandbox.c =================================================================== --- vsftpd-3.0.2.orig/seccompsandbox.c +++ vsftpd-3.0.2/seccompsandbox.c @@ -353,6 +353,15 @@ seccomp_sandbox_setup_prelogin(const str { allow_nr_1_arg_match(__NR_recvmsg, 3, 0); } + + //this is very probably an attempt to open /dev/log + //it fails because process cannot open any file, so it might be safe + //socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = -1 EMFILE (Too many open files) + allow_nr_3_arg_match(__NR_socket, + 1, PF_FILE, + 2, SOCK_DGRAM | SOCK_CLOEXEC, + 3, 0); + } void
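Review bot: in the seccompsandbox.c hunk, the new allow_nr_3_arg_match(__NR_socket, ...) rule in seccomp_sandbox_setup_prelogin is safe only under the condition its own comment describes, that the call fails with EMFILE because the process cannot open any file, and nothing in the filter enforces that condition. If a descriptor is ever available at this point, the socket is created and the protection falls back to the other socket syscalls staying disabled, as the description says. Suggest stating both dependencies in the comment (the RLIMIT_NOFILE limit and the other socket syscalls remaining blocked), or having the filter fail this call with an errno instead of allowing it, which gives PAM the same result without relying on the fd limit. Two smaller points: the exact match on argument 2 means any other flag combination from the logging code is still killed by SIGSYS, which deserves a line in the comment, and PF_FILE is a legacy alias for PF_UNIX, so the more common name would read better. The blank added line before the closing brace can go.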
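Review bot: the vsftpd.changes entry ("whitelist /dev/log related socket syscall") does not say how narrow the rule is. Suggest naming the prelogin seccomp filter and the allowed call, socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0), so that someone reading the changelog can judge the sandbox change without opening the patch.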