Hello community, here is the log from the commit of package openwsman for openSUSE:Factory checked in at 2014-06-01 19:40:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openwsman (Old)
 and /work/SRC/openSUSE:Factory/.openwsman.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openwsman"
Changes:
--------
--- /work/SRC/openSUSE:Factory/openwsman/openwsman.changes 2014-05-15 19:13:00.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.openwsman.new/openwsman.changes 2014-06-01 19:40:39.000000000 +0200
@@ -1,0 +2,21 @@
+Wed May 21 08:18:22 UTC 2014 - kkaempf@suse.com
+
+- Update to 2.4.7
+ - Bugfixes
+ - file authenticator: allow password hash of up to 128 characters
+ - libu: don't exit() on malloc errors
+
+-------------------------------------------------------------------
+Tue May 20 07:55:35 UTC 2014 - kkaempf@suse.com
+
+- Update to 2.4.6
+ - Features
+ - Support large hashes (like SHA512) in file authentication
+ - use constant-time password compare to prevent brute-force attacks
+ - Create server-plugin-ruby as separate RPM
+ - Add Unisys namespace and CIM class prefix 'SPAR'
+ - Bugfixes
+ - Fix crash on invalide resource URI
+ - Fix resource namespace for DCIM_ classes
+
+-------------------------------------------------------------------
Old:
----
openwsman-2.4.5.tar.bz2
New:
----
openwsman-2.4.7.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openwsman.spec ++++++
--- /var/tmp/diff_new_pack.Mk50ms/_old 2014-06-01 19:40:40.000000000 +0200
+++ /var/tmp/diff_new_pack.Mk50ms/_new 2014-06-01 19:40:40.000000000 +0200
@@ -114,7 +114,7 @@
 %endif
 Requires(pre): sed coreutils grep /bin/hostname
-Version: 2.4.5
+Version: 2.4.7
 Release: 0
 # Mandriva:
 # Release %mkrel 1
++++++ openwsman-2.4.5.tar.bz2 -> openwsman-2.4.7.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.4.5/ChangeLog new/openwsman-2.4.7/ChangeLog
--- old/openwsman-2.4.5/ChangeLog 2014-03-14 11:03:31.000000000 +0100
+++ new/openwsman-2.4.7/ChangeLog 2014-05-21 09:46:52.000000000 +0200
@@ -1,3 +1,21 @@
+2.4.7
+- Bugfixes
+ - file authenticator: allow password hash of up to 128 characters
+ - libu: don't exit() on malloc errors
+
+2.4.6
+- Features
+ - Support large hashes (like SHA512) in file authentication
+ - use constant-time password compare to prevent brute-force attacks
+ - Create server-plugin-ruby as separate RPM
+ - Add Unisys namespace and CIM class prefix 'SPAR'
+ - Alias openwsman and openwsmand systemd services
+ - Also create respective rc-commands: rcopenwsman, rcopenwsmand
+ (SUSE only)
+- Bugfixes
+ - Fix crash on invalide resource URI
+ - Fix resource namespace for DCIM_ classes
+
 2.4.5
 - Features
 - enforce SSL operation in systemd service
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.4.5/VERSION.cmake new/openwsman-2.4.7/VERSION.cmake
--- old/openwsman-2.4.5/VERSION.cmake 2014-03-14 11:03:31.000000000 +0100
+++ new/openwsman-2.4.7/VERSION.cmake 2014-05-21 09:44:53.000000000 +0200
@@ -44,10 +44,10 @@
 # set COMPATMINOR to MINOR. (binary incompatible change)
 #
-# Package version 2.4.4
+# Package version 2.4.7
 SET(OPENWSMAN_MAJOR "2")
 SET(OPENWSMAN_MINOR "4")
-SET(OPENWSMAN_PATCH "5")
+SET(OPENWSMAN_PATCH "7")
 # Plugin API 2.2
 SET(OPENWSMAN_PLUGIN_API_MAJOR "2")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.4.5/bindings/openwsman.i new/openwsman-2.4.7/bindings/openwsman.i
--- old/openwsman-2.4.5/bindings/openwsman.i 2013-08-30 12:02:30.000000000 +0200
+++ new/openwsman-2.4.7/bindings/openwsman.i 2014-04-29 10:38:51.000000000 +0200
@@ -271,7 +271,9 @@
 /* Microsoft HyperV */
 { 4, "Msvm", "http://schemas.microsoft.com/wbem/wsman/1/wmi" },
 /* Dell DRAC */
-{ 4, "DCIM", "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2" },
+{ 4, "DCIM", "http://schemas.dell.com/wbem/wscim/1/cim-schema/2" },
+/* Unisys */
+{ 4, "SPAR", "http://schema.unisys.com/wbem/wscim/1/cim-schema/2" },
 { 0, NULL, NULL }
 };
 const char *schema_end;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.4.5/etc/openwsman.conf new/openwsman-2.4.7/etc/openwsman.conf
--- old/openwsman-2.4.5/etc/openwsman.conf 2013-09-24 08:50:34.000000000 +0200
+++ new/openwsman-2.4.7/etc/openwsman.conf 2014-04-29 10:38:51.000000000 +0200
@@ -91,7 +91,7 @@
 #indication_profile_implementation_ns = root/interop
 # The following are in part fake namespaces for some publicly available CIM implementations.
-vendor_namespaces = OpenWBEM=http://schema.openwbem.org/wbem/wscim/1/cim-schema/2,Linux=http://sblim.sf.n...
+vendor_namespaces = OpenWBEM=http://schema.openwbem.org/wbem/wscim/1/cim-schema/2,Linux=http://sblim.sf.n...
 # CIMOM host, default is localhost
 # host = localhost
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.4.5/package/openwsman.spec.in new/openwsman-2.4.7/package/openwsman.spec.in
--- old/openwsman-2.4.5/package/openwsman.spec.in 2014-03-11 08:14:31.000000000 +0100
+++ new/openwsman-2.4.7/package/openwsman.spec.in 2014-05-07 09:04:35.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package openwsman
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -197,6 +197,16 @@
 Openwsman Server and service libraries
+%package server-plugin-ruby
+Requires: openwsman-server
+Summary: Openwsman Server Plugin for Ruby extensions
+Group: System/Management
+
+%description server-plugin-ruby
+This package provides a Openwsman server plugin to write a
+WS-Management resource handler in Ruby
+
+
 %package python
 Summary: Python bindings for openwsman client API
 Group: Development/Libraries/Python
@@ -339,14 +349,17 @@
 rm -f $RPM_BUILD_ROOT%{_libdir}/openwsman/authenticators/*.la
 [ -d $RPM_BUILD_ROOT%{ruby_sitelib} ] && rm -f $RPM_BUILD_ROOT%{ruby_sitelib}/openwsmanplugin.rb
 [ -d $RPM_BUILD_ROOT%{ruby_vendorlib} ] && rm -f $RPM_BUILD_ROOT%{ruby_vendorlib}/openwsmanplugin.rb
-%if 0%{?suse_version} <= 1220
+%if 0%{?has_systemd}
+install -D -m 644 %{S:4} $RPM_BUILD_ROOT%{_unitdir}/%{name}.service
+# alias openwsman and openwsmand
+ln -s %{_unitdir}/%{name}.service $RPM_BUILD_ROOT%{_unitdir}/%{name}d.service
+# rcopenwsman, rcopenwsmand
+ln -sf %{_sbindir}/service $RPM_BUILD_ROOT%{_sbindir}/rc%{name}
+ln -sf %{_sbindir}/rcopenwsman $RPM_BUILD_ROOT%{_sbindir}/rc%{name}d
+%else
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/init.d
 install -m 755 build/etc/init/openwsmand.sh $RPM_BUILD_ROOT%{_sysconfdir}/init.d/openwsmand
 ln -sf %{_sysconfdir}/init.d/openwsmand $RPM_BUILD_ROOT%{_sbindir}/rcopenwsmand
-%else
-# rcopenwsmand for systemd
-ln -sf %{_sbindir}/service $RPM_BUILD_ROOT%{_sbindir}/rcopenwsman
-ln -sf %{_sbindir}/rcopenwsman $RPM_BUILD_ROOT%{_sbindir}/rcopenwsmand
 %endif
 install -m 644 etc/openwsman.conf $RPM_BUILD_ROOT%{_sysconfdir}/openwsman
 install -m 644 etc/openwsman_client.conf $RPM_BUILD_ROOT%{_sysconfdir}/openwsman
@@ -355,9 +368,6 @@
 %if 0%{?suse_version} > 1010
 install -D -m 644 %{S:3} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/openwsman
 %endif
-%if 0%{?has_systemd}
-install -D -m 644 %{S:4} $RPM_BUILD_ROOT%{_unitdir}/%{name}.service
-%endif
 %post -n libwsman1 -p /sbin/ldconfig
@@ -476,10 +486,13 @@
 %if 0%{?suse_version} > 1010
 %config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/openwsman
 %endif
-%if 0%{?suse_version} <= 1210
-%attr(0755,root,root) %{_sysconfdir}/init.d/openwsmand
+%if 0%{?has_systemd}
+%{_unitdir}/%{name}.service
+%{_unitdir}/%{name}d.service
+%{_sbindir}/rc%{name}
+%{_sbindir}/rc%{name}d
 %else
-%{_sbindir}/rcopenwsman
+%attr(0755,root,root) %{_sysconfdir}/init.d/openwsmand
 %endif
 # backwards compatibility
 %{_sbindir}/rcopenwsmand
@@ -490,11 +503,13 @@
 %dir %{_libdir}/openwsman/plugins
 %{_libdir}/openwsman/plugins/*.so
 %{_libdir}/openwsman/plugins/*.so.*
+%exclude %{_libdir}/openwsman/plugins/*ruby*.so*
 %{_sbindir}/openwsmand
 %{_libdir}/libwsman_server.so.*
-%if 0%{?has_systemd}
-%{_unitdir}/%{name}.service
-%endif
+
+%files server-plugin-ruby
+%defattr(-,root,root)
+%{_libdir}/openwsman/plugins/*ruby*.so
 %files -n libwsman_clientpp1
 %defattr(-,root,root)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.4.5/src/authenticators/file/file_auth.c new/openwsman-2.4.7/src/authenticators/file/file_auth.c
--- old/openwsman-2.4.5/src/authenticators/file/file_auth.c 2010-09-29 15:17:53.000000000 +0200
+++ new/openwsman-2.4.7/src/authenticators/file/file_auth.c 2014-05-21 09:43:25.000000000 +0200
@@ -70,14 +70,31 @@
 return 0;
 }
+/*
+ * constant-time comparison to prevent brute-force attacks on authorize()
+ *
+ * returns zero only if s1 and s2 are bit-wise identical for the first len characters.
+ */
+static int
+safe_cmp(unsigned const char *s1, unsigned const char *s2, size_t len)
+{
+ size_t i = 0;
+ unsigned char result = 0;
+ while (i++ < len) {
+ result |= *s1++ ^ *s2++;
+ }
+ return result;
+}
 int
 authorize(char *username, const char *password)
 {
 int authorized = 0;
- char l[256], u[65], passwd[65];
+ char l[256], u[65], passwd[129];
 char *newpw = NULL ;
+ size_t username_l;
+ size_t min_len;
 debug( "Checking basic for user: %s; password XXXXX", username);
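Review bot: `%{_sbindir}/rc%{name}d` in the new `%if 0%{?has_systemd}` branch and the unconditional `%{_sbindir}/rcopenwsmand` under `# backwards compatibility` name the same file when `%{name}` is openwsman (the spec header says it is), so the server file list now claims rcopenwsmand twice on systemd builds and rpmbuild warns about a file listed twice. The old layout avoided this because only rcopenwsman sat inside the conditional. Since %install creates rcopenwsmand in both branches and the backwards-compatibility line already covers it, the `%{_sbindir}/rc%{name}d` line in the systemd branch can simply be dropped.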
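Review bot: `%exclude %{_libdir}/openwsman/plugins/*ruby*.so*` drops any versioned `*ruby*.so.*` file from the server package as well, but the new `%files server-plugin-ruby` only claims `%{_libdir}/openwsman/plugins/*ruby*.so`. If the ruby plugin installs a versioned variant (the server section's own `plugins/*.so.*` glob suggests plugins do), the build fails with installed-but-unpackaged files. Make both lists agree by using `%{_libdir}/openwsman/plugins/*ruby*.so*` in the subpackage as well.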
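Review bot: `safe_cmp` declares its parameters `unsigned const char *` while every caller in the following hunk passes plain `char` data (`username`, `u`, `newpw`, `passwd`), so each call draws a pointer-sign warning; declare them `const unsigned char *` (the conventional qualifier order) and cast at the call sites, or take `const void *` and convert inside. The header comment also overstates what the loop achieves: a fixed-time scan removes strcmp's early-exit timing difference, it does not prevent brute force, so `/* timing-safe comparison: runs in time proportional to len regardless of where s1 and s2 first differ */` describes it accurately. It should also state that only `len` bytes are compared and that the caller is responsible for checking the two lengths are equal, since the function itself cannot tell a match from a prefix.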
@@ -88,6 +105,7 @@
 username);
 return 0;
 }
+ username_l = strlen(username);
 FILE *fp = fopen(filename, "r");
 if (!fp) {
 debug( "Couldn't open basic passwd file %s",
@@ -96,13 +114,23 @@
 }
 while (fgets(l, sizeof(l), fp) != NULL) {
- if (sscanf(l, "%64[^:]:%64s", u, passwd) != 2)
+ if (sscanf(l, "%64[^:]:%128s", u, passwd) != 2)
 continue; /* Ignore malformed lines */
 debug( "user: %s, passwd: XXXX", u);
- if (!strcmp(username, u)) {
+ min_len = strlen(u);
+ if (username_l < min_len) {
+ min_len = username_l;
+ }
+ if (!safe_cmp(username, u, min_len)) {
+ size_t newpw_l;
+ min_len = strlen(passwd);
 newpw = crypt(password, passwd);
+ newpw_l = strlen(newpw);
+ if (newpw_l < min_len) {
+ min_len = newpw_l;
+ }
 debug( "user: %s, passwd: XXXXX", u );
- authorized = ( strcmp (newpw, passwd) == 0 );
+ authorized = ( safe_cmp (newpw, passwd, min_len) == 0 );
 break;
 }
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.4.5/src/lib/u/iniparser.c new/openwsman-2.4.7/src/lib/u/iniparser.c
--- old/openwsman-2.4.5/src/lib/u/iniparser.c 2014-02-27 15:21:20.000000000 +0100
+++ new/openwsman-2.4.7/src/lib/u/iniparser.c 2014-05-20 11:53:13.000000000 +0200
@@ -31,6 +31,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <errno.h>
 #ifndef WIN32
 #include <unistd.h>
 #endif
@@ -320,10 +321,12 @@
 content to NULL is equivalent to deleting the variable from the
 dictionary. It is not possible (in this implementation) to have a
 key in the dictionary without value.
+
+ return 0 on success, non-zero on failure.
 */
 /*--------------------------------------------------------------------------*/
-static void dictionary_set(dictionary * d, char * key, char * val)
+static int dictionary_set(dictionary * d, char * key, char * val)
 {
 int i ;
 unsigned hash ;
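Review bot: Both new comparisons truncate to the shorter of the two lengths, so `safe_cmp` now accepts a prefix where the old `strcmp` rejected it: a user named `adm` matches the line for `admin`, and a stored hash field that is a prefix of what `crypt()` returns (for example a line whose hash was cut short) accepts any password. The length equality has to be checked alongside the byte compare, as below; the hash length is fixed by the salt format in the stored field, so comparing lengths is not a secret-dependent branch. `crypt()` returns NULL for an unsupported salt on some libcs and the new `strlen(newpw)` dereferences it; the old `strcmp` had the same gap, so test for NULL before using the result. With this change `min_len` is no longer needed; authorize() continues past the end of the hunk.
```c
		size_t u_l = strlen(u);
		if (u_l == username_l &&
		    !safe_cmp((const unsigned char *)username, (const unsigned char *)u, u_l)) {
			newpw = crypt(password, passwd);
			debug( "user: %s, passwd: XXXXX", u );
			/* equal length and equal bytes; a NULL from crypt() is a failed check, not a crash */
			authorized = (newpw != NULL &&
			              strlen(newpw) == strlen(passwd) &&
			              safe_cmp((const unsigned char *)newpw, (const unsigned char *)passwd, strlen(passwd)) == 0);
			break;
		}
```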
@@ -355,14 +358,20 @@
 /* Reached maximum size: reallocate blackboard */
 d->val = (char **)mem_double(d->val, d->size * sizeof(char*)) ;
- if (d->val == NULL)
- exit(1);
+ if (d->val == NULL) {
+ errno = -ENOMEM;
+ return 1;
+ }
 d->key = (char **)mem_double(d->key, d->size * sizeof(char*)) ;
- if (d->key == NULL)
- exit(1);
+ if (d->key == NULL) {
+ errno = -ENOMEM;
+ return 1;
+ }
 d->hash = (unsigned int *)mem_double(d->hash, d->size * sizeof(unsigned)) ;
- if (d->hash == NULL)
- exit(1);
+ if (d->hash == NULL) {
+ errno = -ENOMEM;
+ return 1;
+ }
 /* Double size */
 d->size *= 2 ;
@@ -377,10 +386,21 @@
 }
 /* Copy key */
 d->key[i] = strdup(key);
- d->val[i] = val ? strdup(val) : NULL ;
+ if (d->key[i] == NULL) {
+ return 1;
+ }
+ if (val) {
+ d->val[i] = strdup(val);
+ if (d->val[i] == NULL) {
+ return 1;
+ }
+ }
+ else {
+ d->val[i] = NULL;
+ }
 d->hash[i] = hash;
 d->n ++ ;
- return ;
+ return 0;
 }
 /*-------------------------------------------------------------------------*/
@@ -466,8 +486,10 @@
 #define ASCIILINESZ 1024
 #define INI_INVALID_KEY ((char*)-1)
-/* Private: add an entry to the dictionary */
-static void iniparser_add_entry(
+/* Private: add an entry to the dictionary
+ return 0 on success, non-zero on error
+ */
+static int iniparser_add_entry(
 dictionary * d,
 char * sec,
 char * key,
@@ -483,8 +505,7 @@
 }
 /* Add (key,val) to dictionary */
- dictionary_set(d, longkey, val);
- return ;
+ return dictionary_set(d, longkey, val);
 }
@@ -833,8 +854,7 @@
 int iniparser_setstr(dictionary * ini, char * entry, char * val)
 {
- dictionary_set(ini, strlwc(entry), val);
- return 0 ;
+ return dictionary_set(ini, strlwc(entry), val);
 }
 /*-------------------------------------------------------------------------*/
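Review bot: `errno = -ENOMEM;` stores a negative value; userspace errno codes are positive, so a caller that reports the failure through `strerror(errno)` or `perror` prints an unknown-error text instead of the allocation failure. Either write `errno = ENOMEM;` or leave errno alone, since the failing allocation inside `mem_double` will normally have set it already. The same assignment appears in all three blocks of this hunk. dictionary_set begins in the previous hunk and its body continues beyond this one.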
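Review bot: When `strdup(val)` fails, `d->key[i]` already holds a fresh allocation but the function returns before `d->n` is incremented, so the slot still reads as free and the next insert overwrites `d->key[i]` without freeing it, leaking the key and leaving a stray key in a slot that any scan over `d->size` rather than `d->n` would see. Release it on that path: `free(d->key[i]); d->key[i] = NULL; return 1;`. The earlier part of dictionary_set lies outside this hunk.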
@@ -901,7 +921,9 @@
 if (sscanf(where, "[%[^]]", sec)==1) {
 /* Valid section name */
 strcpy(sec, strlwc(sec));
- iniparser_add_entry(d, sec, NULL, NULL);
+ if (iniparser_add_entry(d, sec, NULL, NULL) != 0) {
+ return NULL;
+ }
 } else if (sscanf (where, "%[^=] = "%[^"]"", key, val) == 2
 || sscanf (where, "%[^=] = '%[^']'", key, val) == 2
 || sscanf (where, "%[^=] = %[^;#]", key, val) == 2) {
@@ -915,7 +937,9 @@
 } else {
 strcpy(val, strcrop(val));
 }
- iniparser_add_entry(d, sec, key, val);
+ if (iniparser_add_entry(d, sec, key, val) != 0) {
+ return NULL;
+ }
 }
 }
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.4.5/src/lib/u/uoption.c new/openwsman-2.4.7/src/lib/u/uoption.c
--- old/openwsman-2.4.5/src/lib/u/uoption.c 2010-09-29 15:17:53.000000000 +0200
+++ new/openwsman-2.4.7/src/lib/u/uoption.c 2014-05-21 10:11:12.000000000 +0200
@@ -199,8 +199,6 @@
 print_help_buf(&help_buf);
 free_help_buf(&help_buf);
-
- exit (0);
 }
 static void print_long_help(u_option_context_t *ctx, char *hoption)
@@ -260,8 +258,6 @@
 print_help_buf(&help_buf);
 free_help_buf(&help_buf);
-
- exit (0);
 }
 static unsigned int context_get_number_entries(u_option_context_t *ctx)
@@ -418,6 +414,7 @@
 if (!strncmp(option, "help", strlen("help")) ) {
 if (ctx->mode & U_OPTION_CONTEXT_HELP_ENABLED) {
 print_long_help(ctx, option);
+ return NULL;
 }
 }
@@ -455,6 +452,7 @@
 if (option == '?') {
 if (ctx->mode & U_OPTION_CONTEXT_HELP_ENABLED) {
 print_short_help(ctx);
+ return NULL;
 }
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.4.5/src/plugins/cim/sfcc-interface.c new/openwsman-2.4.7/src/plugins/cim/sfcc-interface.c
--- old/openwsman-2.4.5/src/plugins/cim/sfcc-interface.c 2013-08-08 09:46:43.000000000 +0200
+++ new/openwsman-2.4.7/src/plugins/cim/sfcc-interface.c 2014-03-20 13:50:56.000000000 +0100
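Review bot: The new `return NULL;` leaves whatever this function acquired before the hunk in place: if, as the parsing loop suggests, it opened the ini file and created the dictionary `d` earlier (both outside the hunk), they leak on every allocation failure and the caller receives NULL with no handle to release them. Break out to the function's normal teardown (close the input and free `d` with the dictionary destructor) instead of returning from inside the loop; the `return NULL;` after `iniparser_add_entry(d, sec, key, val)` in the next hunk has the same problem. The enclosing function starts before and ends after these hunks.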
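Review bot: `return NULL;` after `print_long_help(ctx, option)` replaces the `exit (0)` that used to live inside the helper, but if NULL is also this function's error return (its signature is outside the hunk), a caller can no longer tell "help was printed" from "option parsing failed" and will likely report an error or exit non-zero after showing help. Either record the help outcome in the context so callers can distinguish it, or state in the function's header comment that NULL covers both cases and what callers should do; the hunk at `print_short_help(ctx)` needs the same treatment. When help is not enabled the code still falls through as before.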
@@ -1141,7 +1141,14 @@
 epr_t *epr;
 if (filter) {
 epr = (epr_t *)filter->epr;
- class = strrchr(epr->refparams.uri, '/') + 1;
+ class = strrchr(epr->refparams.uri, '/');
+ if (class == NULL) {
+ /* oops, resource uri has no slash ?! */
+ status->fault_code = WSA_ENDPOINT_UNAVAILABLE;
+ status->fault_detail_code = WSMAN_DETAIL_INVALID_RESOURCEURI;
+ goto cleanup;
+ }
+ class++; /* inc behind slash */
 objectpath = newCMPIObjectPath(client->cim_namespace, class, NULL);
 wsman_epr_selector_cb(filter->epr,
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
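Review bot: The new guard covers a URI with no '/', but one that ends in '/' still passes: `class++` then points at the terminating NUL and `newCMPIObjectPath` is handed an empty class name. Extend the check to `if (class == NULL || class[1] == '\0') {` so both malformed shapes take the same fault path. The comment `/* oops, resource uri has no slash ?! */` would serve a reader better as `/* resource URI carries no class name; fail instead of indexing past it */`. The `cleanup` label and `status` are defined outside this hunk.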