From 0308b52a859acb55a84d3cb19bf1bd173b66273d Mon Sep 17 00:00:00 2001 From: salo Date: Fri, 27 May 2005 14:02:23 +0000 Subject: Pullup ticket 513 - requested by Matthias Scheler security fix for net-snmp Revisions pulled up: - pkgsrc/net/net-snmp/Makefile patched by hand - pkgsrc/net/net-snmp/buildlink3.mk patched by hand - pkgsrc/net/net-snmp/distinfo patched by hand - pkgsrc/net/net-snmp/patches/patch-ab 1.5 Module Name: pkgsrc Committed By: tron Date: Wed May 25 13:49:10 UTC 2005 Modified Files: pkgsrc/net/net-snmp: Makefile distinfo Added Files: pkgsrc/net/net-snmp/patches: patch-ab Log Message: Replace "fixproc" script with version from "net-snmp" CVS respository. This fixes the security problem documented in SA15471. Bump package revision because of this change.
---
 net/net-snmp/Makefile | 4 +-
 net/net-snmp/buildlink3.mk | 4 +-
 net/net-snmp/distinfo | 3 +-
 net/net-snmp/patches/patch-ab | 180 ++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 186 insertions(+), 5 deletions(-)
 create mode 100644 net/net-snmp/patches/patch-ab
diff --git a/net/net-snmp/Makefile b/net/net-snmp/Makefile
index 3106819b4c4..f063034ec0e 100644
--- a/net/net-snmp/Makefile
+++ b/net/net-snmp/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.27 2004/12/28 02:47:47 reed Exp $
+# $NetBSD: Makefile,v 1.27.2.1 2005/05/27 14:02:23 salo Exp $
 DISTNAME= net-snmp-5.1.2
-PKGREVISION= 3
+PKGREVISION= 4
 CATEGORIES= net
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=net-snmp/} \
 ftp://ftp.net-smnp.org/pub/sourceforge/net-snmp/
diff --git a/net/net-snmp/buildlink3.mk b/net/net-snmp/buildlink3.mk
index c018ff3945e..1c94cf810ff 100644
--- a/net/net-snmp/buildlink3.mk
+++ b/net/net-snmp/buildlink3.mk
@@ -1,4 +1,4 @@
-# $NetBSD: buildlink3.mk,v 1.3 2004/11/05 10:33:07 seb Exp $
+# $NetBSD: buildlink3.mk,v 1.3.4.1 2005/05/27 14:02:23 salo Exp $
 BUILDLINK_DEPTH:= ${BUILDLINK_DEPTH}+
 NET_SNMP_BUILDLINK3_MK:= ${NET_SNMP_BUILDLINK3_MK}+
@@ -12,7 +12,7 @@ BUILDLINK_PACKAGES+= net-snmp
 .if !empty(NET_SNMP_BUILDLINK3_MK:M+)
 BUILDLINK_DEPENDS.net-snmp+= net-snmp>=5.0.9nb3
-BUILDLINK_RECOMMENDED.net-snmp+= net-snmp>=5.1.2nb2
+BUILDLINK_RECOMMENDED.net-snmp+= net-snmp>=5.1.2nb4
 BUILDLINK_PKGSRCDIR.net-snmp?= ../../net/net-snmp
 .endif # NET_SNMP_BUILDLINK3_MK
diff --git a/net/net-snmp/distinfo b/net/net-snmp/distinfo
index 1351ce26c3e..d6424caf439 100644
--- a/net/net-snmp/distinfo
+++ b/net/net-snmp/distinfo
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.13 2005/02/24 12:13:54 agc Exp $
+$NetBSD: distinfo,v 1.13.2.1 2005/05/27 14:02:23 salo Exp $
 SHA1 (net-snmp-5.1.2.tar.gz) = cf82a86d1b44408890cabe471181b62049cb11d0
 RMD160 (net-snmp-5.1.2.tar.gz) = e5d50e22dbf59ee75e236abb7359e95d4fc4b6f2
 Size (net-snmp-5.1.2.tar.gz) = 3253579 bytes
 SHA1 (patch-aa) = df9bcea942743e9bcd843724612b7d82ea364eca
+SHA1 (patch-ab) = 7e0fc7f52e3947d589bed850e847bd89e8daec1d
 SHA1 (patch-ac) = 43dbf5519feac2a13b893f659090fa24de773ee8
 SHA1 (patch-ad) = 522872c90ac1e442dafb1d210af6e978ac741ce9
 SHA1 (patch-ae) = 122cd63fcdfa01e94083a9f635c3c46d364a0237
diff --git a/net/net-snmp/patches/patch-ab b/net/net-snmp/patches/patch-ab
new file mode 100644
index 00000000000..9c22ae140b8
--- /dev/null
+++ b/net/net-snmp/patches/patch-ab
@@ -0,0 +1,180 @@
+$NetBSD: patch-ab,v 1.4.6.1 2005/05/27 14:02:23 salo Exp $
+
+--- local/fixproc.orig 2002-04-20 08:30:13.000000000 +0100
++++ local/fixproc 2005-05-25 14:36:18.000000000 +0100
+@@ -129,6 +129,8 @@
+ #
+ # Timothy Kong 3/1995
+
++use File::Temp qw(tempfile);
++
+ $database_file = '/local/etc/fixproc.conf';
+
+ $debug = 0; # specify debug level using -dN
+@@ -191,20 +193,19 @@
+ sub create_sh_script
+ {
+ local ($file) = pop (@_);
++ local ($fh) = pop (@_);
+ local ($i) = pop (@_);
+
+- printf (stderr "create_sh_script\n") if ($debug > 0);
++ printf (STDERR "create_sh_script\n") if ($debug > 0);
+
+ $! = $fixproc_error;
+- open (file, ">"."$file") || die "$0: cannot open $file\n";
+ while ( $shell_lines[$i] ne $shell_end_marker )
+ {
+- printf (file "%s", $shell_lines[$i]);
++ printf ($fh "%s", $shell_lines[$i]);
+ $i++;
+ }
+- close (file);
+- system "chmod +x $file";
+- return file;
++ close ($fh);
++ chmod 0755, $file;
+ }
+
+
+@@ -212,7 +213,7 @@
+ {
+ local ($proc) = pop(@_);
+
+- printf (stderr "do_fix\n") if ($debug > 0);
++ printf (STDERR "do_fix\n") if ($debug > 0);
+
+ if ($fix{$proc} eq '')
+ {
+@@ -230,14 +231,13 @@
+ else
+ {
+ # it must be "shell", so execute the shell script defined in database
++ local ($tmpfh, $tmpfile) = tempfile("fix_XXXXXXXX", DIR => "/tmp");
+
+- local ($tmpfile) = "/tmp/fix_$$";
+-
+- &create_sh_script ($fix{$proc}, $tmpfile);
++ &create_sh_script ($fix{$proc}, $tmpfh, $tmpfile);
+
+ # return code is number divided by 256
+ $error_code = (system "$tmpfile") / 256;
+- system "rm $tmpfile";
++ unlink($tmpfile);
+ return ($fix_failed_error) if ($error_code != 0);
+ # sleep needed here?
+ return &do_exist ($proc);
+@@ -249,7 +249,7 @@
+ {
+ local ($proc) = pop(@_);
+
+- printf (stderr "do_check\n") if ($debug > 0);
++ printf (STDERR "do_check\n") if ($debug > 0);
+
+ if ($check{$proc} eq '')
+ {
+@@ -262,13 +262,13 @@
+ # if not "exist", then it must be "shell", so execute the shell script
+ # defined in database
+
+- local ($tmpfile) = "/tmp/check_$$";
++ local ($tmpfh, $tmpfile) = tempfile("check_XXXXXXXX", DIR => "/tmp");
+
+- &create_sh_script ($check{$proc}, $tmpfile);
++ &create_sh_script ($fix{$proc}, $tmpfh, $tmpfile);
+
+ # return code is number divided by 256
+ $error_code = (system "$tmpfile") / 256;
+- system "rm $tmpfile";
++ unlink($tmpfile);
+ return ($check_failed_error) if ($error_code != 0);
+
+ # check passed, continue
+@@ -281,13 +281,13 @@
+ {
+ local ($proc) = pop(@_);
+
+- printf (stderr "do_exist\n") if ($debug > 0);
++ printf (STDERR "do_exist\n") if ($debug > 0);
+
+ # do ps, check to see if min <= no. of processes <= max
+ $! = $fixproc_error;
+- open (command, "/bin/ps -e | /bin/grep $proc | /bin/wc -l |")
++ open (COMMAND, "/bin/ps -e | /bin/grep $proc | /bin/wc -l |")
+ || die "$0: can't run ps-grep-wc command\n";
+- $proc_count = ;
++ $proc_count = ;
+ if (($proc_count < $min{$proc}) || ($proc_count > $max{$proc}))
+ {
+ return $check_failed_error;
+@@ -301,13 +301,13 @@
+ local ($proc) = pop(@_);
+ local ($second_kill_needed);
+
+- printf (stderr "do_kill\n") if ($debug > 0);
++ printf (STDERR "do_kill\n") if ($debug > 0);
+
+ # first try kill
+ $! = $fixproc_error;
+- open (command, "/bin/ps -e | /bin/grep $proc |")
++ open (COMMAND, "/bin/ps -e | /bin/grep $proc |")
+ || die "$0: can't run ps-grep-awk command\n";
+- while ()
++ while ()
+ {
+ # match the first field of ps -e
+ $! = $fixproc_error;
+@@ -318,10 +318,10 @@
+ # if process still exist, try kill -9
+ sleep 2;
+ $! = $fixproc_error;
+- open (command, "/bin/ps -e | /bin/grep $proc |")
++ open (COMMAND, "/bin/ps -e | /bin/grep $proc |")
+ || die "$0: can't run ps-grep-awk command\n";
+ $second_kill_needed = 0;
+- while ()
++ while ()
+ {
+ # match the first field of ps -e
+ $! = $fixproc_error;
+@@ -334,9 +334,9 @@
+ # see if kill -9 worked
+ sleep 2;
+ $! = $fixproc_error;
+- open (command, "/bin/ps -e | /bin/grep $proc |")
++ open (COMMAND, "/bin/ps -e | /bin/grep $proc |")
+ || die "$0: can't run ps-grep-awk command\n";
+- while ()
++ while ()
+ { # a process still exist, return error
+ return $cannot_kill_error;
+ }
+@@ -349,7 +349,7 @@
+ local ($proc) = pop(@_);
+ local ($error_code);
+
+- printf (stderr "do_restart\n") if ($debug > 0);
++ printf (STDERR "do_restart\n") if ($debug > 0);
+
+ $error_code = &do_kill ($proc);
+ return $error_code if ($error_code != $no_error);
+@@ -369,7 +369,7 @@
+ local ($proc) = pop(@_);
+ local ($error_code);
+
+- printf (stderr "work_on_proc\n") if ($debug > 0);
++ printf (STDERR "work_on_proc\n") if ($debug > 0);
+
+ if ($cmd_line_action eq '')
+ {
+@@ -475,8 +475,8 @@
+ local ($str2);
+
+ $! = $fixproc_error;
+- open (db, $database_file) || die 'cannot open database file $database_file\n';
+- while ()
++ open (DB, $database_file) || die 'cannot open database file $database_file\n';
++ while ()
+ {
+ if ((! /\S/) || (/^[ \t]*#.*$/))
+ {
-- cgit v1.2.3
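Review bot: In the embedded fixproc patch's `@@ -262,13 +262,13 @@` hunk (the check path, judging by the `check_XXXXXXXX` template and `$check_failed_error`), the new call passes `$fix{$proc}` where the removed line passed `$check{$proc}`, so a shell-type check would appear to write out and run the fix script's lines instead of the check script's; it should read `&create_sh_script ($check{$proc}, $tmpfh, $tmpfile);`. Separately, `create_sh_script` now sets the temporary script to `0755` although only the invoking process runs it, so `chmod 0700, $file;` would keep the configured script text from being readable by other local users, and the return values of `close` and `chmod` are not checked before the file is executed. The `open (COMMAND, "/bin/ps -e | /bin/grep $proc |")` calls still interpolate `$proc` into a shell pipeline; where `$proc` originates is not visible in these hunks, so it is worth confirming it is validated upstream of these subs. The enclosing subs begin and end outside the hunks shown.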