Hello community,
here is the log from the commit of package rpcbind for openSUSE:Factory checked in at 2016-02-25 21:43:07
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rpcbind (Old)
and /work/SRC/openSUSE:Factory/.rpcbind.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rpcbind"
Changes:
--------
--- /work/SRC/openSUSE:Factory/rpcbind/rpcbind.changes 2015-12-03 13:29:22.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.rpcbind.new/rpcbind.changes 2016-02-25 21:43:13.000000000 +0100
@@ -1,0 +2,26 @@
+Fri Feb 19 16:00:46 CET 2016 - kukuk@suse.de
+
+- Add 0006-don-t-use-svc_fdset.patch: don't use the svc_fdset
+ interface for libtirpc, which is limited to 1024 connections.
+
+-------------------------------------------------------------------
+Fri Feb 12 16:18:30 CET 2016 - kukuk@suse.de
+
+- Sync with current git:
+ - Replace 0002-revert-auth.patch with
+ 0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch
+ - Add 0003-Delete-the-unix-socket-only-if-we-have-created-it.patch
+ to fix problems with activation via sockets by systemd
+ - Replace 0032-CVE-2015-7236.patch with
+ 0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch
+ - Add 0005-security.c-removed-warning.patch to fix compiler warnings
+- Temporary remove 099-poll.patch
+
+-------------------------------------------------------------------
+Wed Jan 27 15:08:00 CET 2016 - kukuk@suse.de
+
+- Disable 0030-systemd-fix-rmtcall.patch, needs the other disabled
+ patches.
+- Submit for SLE12SP2 [FATE#320393]
+
+-------------------------------------------------------------------
@@ -8,0 +35,13 @@
+Mon Sep 21 13:51:41 UTC 2015 - okir@suse.com
+
+- Add patch 0032-CVE-2015-7236.patch to fix a segfault on certain
+ remote scans [CVE-2015-7236, bsc#940191, bsc#946204]
+
+-------------------------------------------------------------------
+Mon Jul 27 08:27:14 UTC 2015 - okir@suse.com
+
+- Document how to restrict addresses that rpcbind will listen on
+ [bsc#935102]
+ Added 0031-rpcbind-manpage.patch
+
+-------------------------------------------------------------------
@@ -11,0 +51,6 @@
+
+-------------------------------------------------------------------
+Wed May 27 08:38:26 UTC 2015 - okir@suse.com
+
+- Add patch 0030-systemd-fix-rmtcall.patch to fix rmtcall
+ forwarding (bnc#932423)
Old:
----
0002-revert-auth.patch
099-poll.patch
New:
----
0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch
0003-Delete-the-unix-socket-only-if-we-have-created-it.patch
0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch
0005-security.c-removed-warning.patch
0006-don-t-use-svc_fdset.patch
0030-systemd-fix-rmtcall.patch
0031-rpcbind-manpage.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rpcbind.spec ++++++
--- /var/tmp/diff_new_pack.O8I3Ib/_old 2016-02-25 21:43:14.000000000 +0100
+++ /var/tmp/diff_new_pack.O8I3Ib/_new 2016-02-25 21:43:14.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package rpcbind
#
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -36,13 +36,18 @@
PreReq: %fillup_prereq
Requires(pre): /usr/sbin/useradd
Patch1: 0001-systemd-unit-files.patch
-Patch2: 0002-revert-auth.patch
+Patch2: 0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch
+Patch3: 0003-Delete-the-unix-socket-only-if-we-have-created-it.patch
+Patch4: 0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch
+Patch5: 0005-security.c-removed-warning.patch
+Patch6: 0006-don-t-use-svc_fdset.patch
Patch8: 0008-First-part-of-init_transport-refactoring.patch
Patch9: 0009-init_transport-move-the-registration-code-into-a-sep.patch
Patch10: 0010-Fix-the-behavior-when-specifying-the-h-option.patch
Patch11: 0011-Clean-up-the-way-we-handle-the-h-option-in-init_tran.patch
Patch14: 0014-When-using-systemd-redirect-syslog-calls-to-the-syst.patch
-Patch99: 099-poll.patch
+Patch30: 0030-systemd-fix-rmtcall.patch
+Patch31: 0031-rpcbind-manpage.patch
%define statefile /var/lib/portmap.state
%{?systemd_requires}
@@ -59,13 +64,18 @@
%setup -q
cp %{SOURCE4} .
%patch1 -p1
-%patch2 -p1 -R
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
#%patch8 -p1
#%patch9 -p1
#%patch10 -p1
#%patch11 -p1
#%patch14 -p1
-%patch99 -p1
+#%patch30 -p1
+%patch31 -p1
%build
autoreconf -fiv
++++++ 0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch ++++++
From 9194122389f2a56b1cd1f935e64307e2e963c2da Mon Sep 17 00:00:00 2001
From: Steve Dickson
Date: Mon, 2 Nov 2015 17:05:18 -0500
Subject: [PATCH 3/4] handle_reply: Don't use the xp_auth pointer directly
In the latest libtirpc version to access the xp_auth
one must use the SVC_XP_AUTH macro. To be backwards
compatible a couple ifdefs were added to use the
macro when it exists.
Signed-off-by: Steve Dickson
---
src/rpcb_svc_com.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
index 4ae93f1..22d6c84 100644
--- a/src/rpcb_svc_com.c
+++ b/src/rpcb_svc_com.c
@@ -1295,10 +1295,17 @@ handle_reply(int fd, SVCXPRT *xprt)
a.rmt_localvers = fi->versnum;
xprt_set_caller(xprt, fi);
+#if defined(SVC_XP_AUTH)
+ SVC_XP_AUTH(xprt) = svc_auth_none;
+#else
xprt->xp_auth = &svc_auth_none;
+#endif
svc_sendreply(xprt, (xdrproc_t) xdr_rmtcall_result, (char *) &a);
+#if !defined(SVC_XP_AUTH)
SVCAUTH_DESTROY(xprt->xp_auth);
xprt->xp_auth = NULL;
+#endif
+
done:
if (buffer)
free(buffer);
--
1.8.5.6
++++++ 0003-Delete-the-unix-socket-only-if-we-have-created-it.patch ++++++
From 3a664b1b5a310df39bd0f325b0edb1deb31c2249 Mon Sep 17 00:00:00 2001
From: Laurent Bigonville
Date: Wed, 18 Nov 2015 14:34:26 -0500
Subject: [PATCH] Delete the unix socket only if we have created it
From: Laurent Bigonville
If systemd has created the unix socket on our behalf, we shouldn't try
to delete it.
https://bugzilla.redhat.com/show_bug.cgi?id=1279076
Signed-off-by: Laurent Bigonville
---
src/rpcbind.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/rpcbind.c b/src/rpcbind.c
index 045daa1..c4265cd 100644
--- a/src/rpcbind.c
+++ b/src/rpcbind.c
@@ -87,6 +87,7 @@ static inline void __nss_configure_lookup(const char *db, const char *s) {}
int debugging = 0; /* Tell me what's going on */
int doabort = 0; /* When debugging, do an abort on errors */
int dofork = 1; /* fork? */
+int createdsocket = 0; /* Did I create the socket or systemd did it for me? */
rpcblist_ptr list_rbl; /* A list of version 3/4 rpcbind services */
@@ -445,6 +446,7 @@ init_transport(struct netconfig *nconf)
memset(&sun, 0, sizeof sun);
sun.sun_family = AF_LOCAL;
unlink(_PATH_RPCBINDSOCK);
+ createdsocket = 1; /* We are now in the process of creating the unix socket */
strcpy(sun.sun_path, _PATH_RPCBINDSOCK);
addrlen = SUN_LEN(&sun);
sa = (struct sockaddr *)&sun;
@@ -846,7 +848,8 @@ static void
terminate(int dummy /*__unused*/)
{
close(rpcbindlockfd);
- unlink(_PATH_RPCBINDSOCK);
+ if(createdsocket)
+ unlink(_PATH_RPCBINDSOCK);
unlink(RPCBINDDLOCK);
#ifdef WARMSTART
write_warmstart(); /* Dump yourself */
--
1.8.5.6
++++++ 0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch ++++++
From d5dace219953c45d26ae42db238052b68540649a Mon Sep 17 00:00:00 2001
From: Olaf Kirch
Date: Fri, 30 Oct 2015 10:18:20 -0400
Subject: [PATCH 2/4] Fix memory corruption in PMAP_CALLIT code
- A PMAP_CALLIT call comes in on IPv4 UDP
- rpcbind duplicates the caller's address to a netbuf and stores it in
FINFO[0].caller_addr. caller_addr->buf now points to a memory region A
with a size of 16 bytes
- rpcbind forwards the call to the local service, receives a reply
- when processing the reply, it does this in xprt_set_caller:
xprt->xp_rtaddr = *FINFO[0].caller_addr
It sends out the reply, and then frees the netbuf caller_addr and
caller_addr.buf.
However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
to memory region A, which is free.
- When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will
be called, which will set xp_rtaddr to the client's address.
It will reuse the buffer inside xp_rtaddr, ie it will write a
sockaddr_in to region A
Some time down the road, an incoming TCP connection is accepted,
allocating a fresh SVCXPRT. The memory region A is inside the
new SVCXPRT
- While processing the TCP call, another UDP call comes in, again
overwriting region A with the client's address
- TCP client closes connection. In svc_destroy, we now trip over
the garbage left in region A
We ran into the case where a commercial scanner was triggering
occasional rpcbind segfaults. The core file that was captured showed
a corrupted xprt->xp_netid pointer that was really a sockaddr_in.
Signed-off-by: Olaf Kirch
Signed-off-by: Steve Dickson
---
src/rpcb_svc_com.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
index ff9ce6b..4ae93f1 100644
--- a/src/rpcb_svc_com.c
+++ b/src/rpcb_svc_com.c
@@ -1183,12 +1183,33 @@ check_rmtcalls(struct pollfd *pfds, int nfds)
return (ncallbacks_found);
}
+/*
+ * This is really a helper function defined in libtirpc,
+ * but unfortunately, it hasn't been exported yet.
+ */
+static struct netbuf *
+__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
+{
+ if (nb->len != len) {
+ if (nb->len)
+ mem_free(nb->buf, nb->len);
+ nb->buf = mem_alloc(len);
+ if (nb->buf == NULL)
+ return NULL;
+
+ nb->maxlen = nb->len = len;
+ }
+ memcpy(nb->buf, ptr, len);
+ return nb;
+}
+
static void
xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
{
+ const struct netbuf *caller = fi->caller_addr;
u_int32_t *xidp;
- *(svc_getrpccaller(xprt)) = *(fi->caller_addr);
+ __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
xidp = __rpcb_get_dg_xidp(xprt);
*xidp = fi->caller_xid;
}
--
1.8.5.6
++++++ 0005-security.c-removed-warning.patch ++++++
From de47f6323d8fb20feefee21d0195cf0529151e04 Mon Sep 17 00:00:00 2001
From: Steve Dickson
Date: Thu, 17 Sep 2015 15:57:35 -0400
Subject: [PATCH 1/4] security.c: removed warning
From e97a3d42704ac83453cc85d09ed48eb9755696a5 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk
Date: Fri, 19 Feb 2016 15:55:38 +0100
Subject: [PATCH 1/1] rpcbind and libtirpc are both using poll in svc_run(),
but rpcbind used the old svc_fdset interface for this. This limits the
src/security.c:100:8: warning: implicit declaration of function 'xlog'
[-Wimplicit-function-declaration]
Signed-off-by: Steve Dickson
---
src/security.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/security.c b/src/security.c
index 0c9453f..c54ce26 100644
--- a/src/security.c
+++ b/src/security.c
@@ -17,6 +17,8 @@
#include
#include
+#include "xlog.h"
+
/*
* XXX for special case checks in check_callit.
*/
--
1.8.5.6
++++++ 0006-don-t-use-svc_fdset.patch ++++++
possible connections to 1024, while both could handle much more. rpcbind is
now accessing directly the svc_pollfd data of libtirpc.
Signed-off-by: Thorsten Kukuk
---
src/rpcb_svc_com.c | 48 ++++++++++++++++--------------------------------
1 file changed, 16 insertions(+), 32 deletions(-)
diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
index 22d6c84..148fe42 100644
--- a/src/rpcb_svc_com.c
+++ b/src/rpcb_svc_com.c
@@ -536,10 +536,6 @@ create_rmtcall_fd(struct netconfig *nconf)
rmttail->next = rmt;
rmttail = rmt;
}
- /* XXX not threadsafe */
- if (fd > svc_maxfd)
- svc_maxfd = fd;
- FD_SET(fd, &svc_fdset);
return (fd);
}
@@ -1056,9 +1052,6 @@ free_slot_by_index(int index)
fi = &FINFO[index];
if (fi->flag & FINFO_ACTIVE) {
netbuffree(fi->caller_addr);
- /* XXX may be too big, but can't access xprt array here */
- if (fi->forward_fd >= svc_maxfd)
- svc_maxfd--;
free(fi->uaddr);
fi->flag &= ~FINFO_ACTIVE;
rpcb_rmtcalls--;
@@ -1097,35 +1090,28 @@ netbuffree(struct netbuf *ap)
}
-#define MASKVAL (POLLIN | POLLPRI | POLLRDNORM | POLLRDBAND)
-extern bool_t __svc_clean_idle(fd_set *, int, bool_t);
-
void
my_svc_run()
{
- size_t nfds;
- struct pollfd pollfds[FD_SETSIZE];
int poll_ret, check_ret;
int n;
-#ifdef SVC_RUN_DEBUG
- int i;
-#endif
- register struct pollfd *p;
- fd_set cleanfds;
for (;;) {
- p = pollfds;
- for (n = 0; n <= svc_maxfd; n++) {
- if (FD_ISSET(n, &svc_fdset)) {
- p->fd = n;
- p->events = MASKVAL;
- p++;
- }
- }
- nfds = p - pollfds;
- poll_ret = 0;
+ struct pollfd my_pollfd[svc_max_pollfd];
+ int i;
+
+ if (svc_max_pollfd == 0 && svc_pollfd == NULL)
+ return;
+
+
+ for (i = 0; i < svc_max_pollfd; ++i)
+ {
+ my_pollfd[i].fd = svc_pollfd[i].fd;
+ my_pollfd[i].events = svc_pollfd[i].events;
+ my_pollfd[i].revents = 0;
+ }
- switch (poll_ret = poll(pollfds, nfds, 30 * 1000)) {
+ switch (poll_ret = poll(my_pollfd, svc_max_pollfd, 30 * 1000)) {
case -1:
/*
* We ignore all errors, continuing with the assumption
@@ -1133,8 +1119,6 @@ my_svc_run()
* other outside event) and not caused by poll().
*/
case 0:
- cleanfds = svc_fdset;
- __svc_clean_idle(&cleanfds, 30, FALSE);
continue;
default:
/*
@@ -1144,10 +1128,10 @@ my_svc_run()
* don't call svc_getreq_poll. Otherwise, there
* must be another so we must call svc_getreq_poll.
*/
- if ((check_ret = check_rmtcalls(pollfds, nfds)) ==
+ if ((check_ret = check_rmtcalls(my_pollfd, svc_max_pollfd)) ==
poll_ret)
continue;
- svc_getreq_poll(pollfds, poll_ret-check_ret);
+ svc_getreq_poll(my_pollfd, poll_ret-check_ret);
}
}
}
--
1.8.5.6
++++++ 0030-systemd-fix-rmtcall.patch ++++++
The init_transport changes broke rmtcall forwarding. Fix it.
---
src/rpcbind.c | 4 ++++
1 file changed, 4 insertions(+)
Index: rpcbind-0.2.1_rc4/src/rpcbind.c
===================================================================
--- rpcbind-0.2.1_rc4.orig/src/rpcbind.c
+++ rpcbind-0.2.1_rc4/src/rpcbind.c
@@ -837,6 +837,10 @@ init_transports_systemd()
rpcbind_log_error("unable to create transport for socket fd %d", fd);
exit(1);
}
+
+ if (nconf->nc_semantics == NC_TPI_CLTS && create_rmtcall_fd(nconf) < 0) {
+ rpcbind_log_error("unable to create rmtcall fd for %s", nconf->nc_netid);
+ }
}
if (nc_handle)
++++++ 0031-rpcbind-manpage.patch ++++++
De-emphasize the -h option and refer people to systemd instead
---
man/rpcbind.8 | 34 ++++++++++++++--------------------
1 file changed, 14 insertions(+), 20 deletions(-)
Index: rpcbind-0.2.1_rc4/man/rpcbind.8
===================================================================
--- rpcbind-0.2.1_rc4.orig/man/rpcbind.8
+++ rpcbind-0.2.1_rc4/man/rpcbind.8
@@ -86,27 +86,21 @@ checks are shown in detail.
Do not fork and become a background process.
.It Fl h
Specify specific IP addresses to bind to for UDP requests.
-This option
-may be specified multiple times and is typically necessary when running
-on a multi-homed host.
-If no
-.Fl h
-option is specified,
-.Nm
-will bind to
-.Dv INADDR_ANY ,
-which could lead to problems on a multi-homed host due to
+This option may be specified multiple times and can be used to
+restrict the interfaces rpcbind will respond to.
+Note that when
.Nm
-returning a UDP packet from a different IP address than it was
-sent to.
-Note that when specifying IP addresses with
-.Fl h ,
-.Nm
-will automatically add
-.Li 127.0.0.1
-and if IPv6 is enabled,
-.Li ::1
-to the list.
+is controlled via systemd's socket activation,
+the
+.Fl h
+option is ignored. In this case, you need to edit
+the
+.Nm ListenStream
+and
+.Nm ListenDgram
+definitions in
+.Nm /usr/lib/systemd/system/rpcbind.socket
+instead.
.It Fl i
.Dq Insecure
mode.