author | gdt <gdt@pkgsrc.org> | 2008-10-24 13:25:50 +0000 |
---|---|---|
committer | gdt <gdt@pkgsrc.org> | 2008-10-24 13:25:50 +0000 |
commit | f406a93c38e61a3e62961b17494be906e5ae81bb (patch) | |
tree | 3f91e33a0bc756d1eae63e962fc53b3ad8ee550b /geography/gpsd | |
parent | 2a488d8b37b01ec8e833db11a1f2dd11512277ed (diff) | |
download | pkgsrc-f406a93c38e61a3e62961b17494be906e5ae81bb.tar.gz |
Security fix: by default, only listen on INADDR_LOOPBACK, so that
position is only provided to on-machine clients. Previously, gpsd
listened on INADDR_ANY, providing position of the computer to any host
that asked. (The fix is in upstream bugzilla, with link in
patches/patch-ac.)
Diffstat (limited to 'geography/gpsd')
-rw-r--r-- | geography/gpsd/Makefile | 3 | ||||
-rw-r--r-- | geography/gpsd/distinfo | 4 | ||||
-rw-r--r-- | geography/gpsd/patches/patch-ac | 45 | ||||
-rw-r--r-- | geography/gpsd/patches/patch-ad | 41 |
4 files changed, 91 insertions, 2 deletions
diff --git a/geography/gpsd/Makefile b/geography/gpsd/Makefile
index 5196ce54fbd..eea6fa06576 100644
--- a/geography/gpsd/Makefile
+++ b/geography/gpsd/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.12 2008/10/24 13:08:13 gdt Exp $
+# $NetBSD: Makefile,v 1.13 2008/10/24 13:25:50 gdt Exp $
 DISTNAME= gpsd-2.37
+PKGREVISION= 1
 CATEGORIES= geography
 MASTER_SITES= http://download.berlios.de/gpsd/
diff --git a/geography/gpsd/distinfo b/geography/gpsd/distinfo
index d2c80ff8f18..63d4928ec5f 100644
--- a/geography/gpsd/distinfo
+++ b/geography/gpsd/distinfo
@@ -1,7 +1,9 @@
-$NetBSD: distinfo,v 1.10 2008/10/24 13:08:13 gdt Exp $
+$NetBSD: distinfo,v 1.11 2008/10/24 13:25:50 gdt Exp $
 SHA1 (gpsd-2.37.tar.gz) = 5bf4e1db9e570cc14b70bd0cf902926f96131ace
 RMD160 (gpsd-2.37.tar.gz) = 72387ef3c8da39ed1a1dffa9aecfff1622023fcc
 Size (gpsd-2.37.tar.gz) = 712943 bytes
 SHA1 (patch-aa) = 0f581183a114d63733c57ed9f0ceead43e2e5607
 SHA1 (patch-ab) = 869942effbfc22ece1716dce0ffb5c907dd66906
+SHA1 (patch-ac) = 2cfd090f2c7bf1d526b5d6125c451b5f45617dd0
+SHA1 (patch-ad) = 551701d43016f9fefd0bd488415bfecb62c55d1a
diff --git a/geography/gpsd/patches/patch-ac b/geography/gpsd/patches/patch-ac
new file mode 100644
index 00000000000..2bb560e7bc6
--- /dev/null
+++ b/geography/gpsd/patches/patch-ac
@@ -0,0 +1,45 @@
+$NetBSD: patch-ac,v 1.3 2008/10/24 13:25:50 gdt Exp $
+
+Don't expose position via INADDR_ANY by default. Security fix for
+http://developer.berlios.de/bugs/?func=detailbug&bug_id=14707&group_id=2116
+
+--- gpsd.c.orig 2008-01-28 15:04:33.000000000 -0500
++++ gpsd.c
+@@ -86,6 +86,7 @@
+ static fd_set all_fds;
+ static int maxfd;
+ static int debuglevel;
++static bool listen_global = false;
+ static bool in_background = false;
+ static bool nowait = false;
+ static jmp_buf restartbuf;
+@@ -230,7 +231,10 @@ static int passivesock(char *service, ch
+ /*@ -mustfreefresh @*/
+ memset((char *) &sin, 0, sizeof(sin));
+ /*@i1@*/sin.sin_family = AF_INET;
+- sin.sin_addr.s_addr = INADDR_ANY;
++ if (listen_global)
++ sin.sin_addr.s_addr = htonl(INADDR_ANY);
++ else
++ sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+ if ((pse = getservbyname(service, protocol)))
+ sin.sin_port = htons(ntohs((in_port_t)pse->s_port));
+@@ -1271,7 +1275,7 @@ int main(int argc, char *argv[])
+ (void)setlocale(LC_NUMERIC, "C");
+ #endif
+ debuglevel = 0;
+- while ((option = getopt(argc, argv, "F:D:S:bhNnP:V"
++ while ((option = getopt(argc, argv, "F:D:S:bhNnP:VG"
+ #ifdef RTCM104_SERVICE
+ "R:"
+ #endif /* RTCM104_SERVICE */
+@@ -1280,6 +1284,8 @@ int main(int argc, char *argv[])
+ case 'D':
+ debuglevel = (int) strtol(optarg, 0, 0);
+ break;
++ case 'G':
++ listen_global = true;
+ case 'F':
+ control_socket = optarg;
+ break;
diff --git a/geography/gpsd/patches/patch-ad b/geography/gpsd/patches/patch-ad
new file mode 100644
index 00000000000..ab01a2b9c67
--- /dev/null
+++ b/geography/gpsd/patches/patch-ad
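Review bot: In the last gpsd.c hunk of patch-ac, the new `case 'G':` has no `break;`, so after `listen_global = true;` control falls through into `case 'F':` and runs `control_socket = optarg;`. Because `G` is added to the getopt string without a colon it takes no argument, so `optarg` is presumably NULL or left over from an earlier option at that point, and a `-G` on the command line can overwrite a control socket path set by a preceding `-F`. Add `break;` directly after `listen_global = true;`. The switch and the rest of main() continue outside the hunk, so how `control_socket` is consumed afterwards is not visible here.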
@@ -0,0 +1,41 @@
+$NetBSD: patch-ad,v 1.3 2008/10/24 13:25:50 gdt Exp $
+
+Don't expose position via INADDR_ANY by default. Security fix for
+http://developer.berlios.de/bugs/?func=detailbug&bug_id=14707&group_id=2116
+
+--- gpsd.xml.orig 2008-01-21 13:35:31.000000000 -0500
++++ gpsd.xml
+@@ -20,6 +20,7 @@
+ <command>gpsd</command>
+ <arg choice='opt'>-f <replaceable>GPS-devicename</replaceable></arg>
+ <arg choice='opt'>-F <replaceable>control-socket</replaceable></arg>
++ <arg choice='opt'>-G </arg>
+ <!-- arg choice='opt'>-R
+ <replaceable>rtcm-listener-port</replaceable></arg -->
+ <arg choice='opt'>-S <replaceable>listener-port</replaceable></arg>
+@@ -107,6 +108,12 @@ commands that edit the daemon's internal
+ clients.</para></listitem>
+ </varlistentry -->
+ <varlistentry>
++<term>-G</term>
++<listitem><para>If present, listen for connections from other
++systems. Otherwise, listen only for connections from this system.
++</para></listitem>
++</varlistentry>
++<varlistentry>
+ <term>-S</term>
+ <listitem><para>Set TCP/IP port on which to listen for GPSD clients
+ (default is 2947).</para></listitem>
+@@ -871,6 +878,12 @@ will not attempt to document this interf
+ </refsect1>
+ <refsect1 id='security'><title>SECURITY AND PERMISSIONS ISSUES</title>
+
++<para><application>gpsd</application>, if given the -G flag, will
++listen for connections from any reachable host, and then disclose the
++current position. Before using the -G flag, consider whether you
++consider your computer's location to be sensitive data to be kept
++private or something that you wish to publish.</para>
++
+ <para><application>gpsd</application> must start up as root in order
+ to open the NTPD shared-memory segment, open its logfile, and create
+ its local control socket. Before doing any processing of GPS data, it |