From 7fa270d574cee7601c0965e6ab90648a517252ca Mon Sep 17 00:00:00 2001
From: gdt <gdt>
Date: Fri, 24 Oct 2008 13:25:50 +0000
Subject: Security fix: by default, only listen on INADDR_LOOPBACK, so that
 position is only provided on on-machine clients.  Previously, gpsd listened
 on INADDR_ANY, providing position of the computer to any host that asked. 
 (The fix is in upstream bugzilla, with link in patches/patch-ac.)

---
 geography/gpsd/Makefile         |  3 ++-
 geography/gpsd/distinfo         |  4 +++-
 geography/gpsd/patches/patch-ac | 45 +++++++++++++++++++++++++++++++++++++++++
 geography/gpsd/patches/patch-ad | 41 +++++++++++++++++++++++++++++++++++++
 4 files changed, 91 insertions(+), 2 deletions(-)
 create mode 100644 geography/gpsd/patches/patch-ac
 create mode 100644 geography/gpsd/patches/patch-ad

(limited to 'geography')

diff --git a/geography/gpsd/Makefile b/geography/gpsd/Makefile
index 5196ce54fbd..eea6fa06576 100644
--- a/geography/gpsd/Makefile
+++ b/geography/gpsd/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.12 2008/10/24 13:08:13 gdt Exp $
+# $NetBSD: Makefile,v 1.13 2008/10/24 13:25:50 gdt Exp $
 
 DISTNAME=	gpsd-2.37
+PKGREVISION=	1
 CATEGORIES=	geography
 MASTER_SITES=	http://download.berlios.de/gpsd/
 
diff --git a/geography/gpsd/distinfo b/geography/gpsd/distinfo
index d2c80ff8f18..63d4928ec5f 100644
--- a/geography/gpsd/distinfo
+++ b/geography/gpsd/distinfo
@@ -1,7 +1,9 @@
-$NetBSD: distinfo,v 1.10 2008/10/24 13:08:13 gdt Exp $
+$NetBSD: distinfo,v 1.11 2008/10/24 13:25:50 gdt Exp $
 
 SHA1 (gpsd-2.37.tar.gz) = 5bf4e1db9e570cc14b70bd0cf902926f96131ace
 RMD160 (gpsd-2.37.tar.gz) = 72387ef3c8da39ed1a1dffa9aecfff1622023fcc
 Size (gpsd-2.37.tar.gz) = 712943 bytes
 SHA1 (patch-aa) = 0f581183a114d63733c57ed9f0ceead43e2e5607
 SHA1 (patch-ab) = 869942effbfc22ece1716dce0ffb5c907dd66906
+SHA1 (patch-ac) = 2cfd090f2c7bf1d526b5d6125c451b5f45617dd0
+SHA1 (patch-ad) = 551701d43016f9fefd0bd488415bfecb62c55d1a
diff --git a/geography/gpsd/patches/patch-ac b/geography/gpsd/patches/patch-ac
new file mode 100644
index 00000000000..2bb560e7bc6
--- /dev/null
+++ b/geography/gpsd/patches/patch-ac
@@ -0,0 +1,45 @@
+$NetBSD: patch-ac,v 1.3 2008/10/24 13:25:50 gdt Exp $
+
+Don't expose position via INADDR_ANY by default.  Security fix for
+http://developer.berlios.de/bugs/?func=detailbug&bug_id=14707&group_id=2116
+
+--- gpsd.c.orig	2008-01-28 15:04:33.000000000 -0500
++++ gpsd.c
+@@ -86,6 +86,7 @@
+ static fd_set all_fds;
+ static int maxfd;
+ static int debuglevel;
++static bool listen_global = false;
+ static bool in_background = false;
+ static bool nowait = false;
+ static jmp_buf restartbuf;
+@@ -230,7 +231,10 @@ static int passivesock(char *service, ch
+     /*@ -mustfreefresh @*/
+     memset((char *) &sin, 0, sizeof(sin));
+     /*@i1@*/sin.sin_family = AF_INET;
+-    sin.sin_addr.s_addr = INADDR_ANY;
++    if (listen_global)
++      sin.sin_addr.s_addr = htonl(INADDR_ANY);
++    else
++      sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ 
+     if ((pse = getservbyname(service, protocol)))
+ 	sin.sin_port = htons(ntohs((in_port_t)pse->s_port));
+@@ -1271,7 +1275,7 @@ int main(int argc, char *argv[])
+     (void)setlocale(LC_NUMERIC, "C");
+ #endif
+     debuglevel = 0;
+-    while ((option = getopt(argc, argv, "F:D:S:bhNnP:V"
++    while ((option = getopt(argc, argv, "F:D:S:bhNnP:VG"
+ #ifdef RTCM104_SERVICE
+ 			    "R:"
+ #endif /* RTCM104_SERVICE */
+@@ -1280,6 +1284,8 @@ int main(int argc, char *argv[])
+ 	case 'D':
+ 	    debuglevel = (int) strtol(optarg, 0, 0);
+ 	    break;
++	case 'G':
++	    listen_global = true;
+ 	case 'F':
+ 	    control_socket = optarg;
+ 	    break;
diff --git a/geography/gpsd/patches/patch-ad b/geography/gpsd/patches/patch-ad
new file mode 100644
index 00000000000..ab01a2b9c67
--- /dev/null
+++ b/geography/gpsd/patches/patch-ad
@@ -0,0 +1,41 @@
+$NetBSD: patch-ad,v 1.3 2008/10/24 13:25:50 gdt Exp $
+
+Don't expose position via INADDR_ANY by default.  Security fix for
+http://developer.berlios.de/bugs/?func=detailbug&bug_id=14707&group_id=2116
+
+--- gpsd.xml.orig	2008-01-21 13:35:31.000000000 -0500
++++ gpsd.xml
+@@ -20,6 +20,7 @@
+   <command>gpsd</command>  
+       <arg choice='opt'>-f <replaceable>GPS-devicename</replaceable></arg>
+       <arg choice='opt'>-F <replaceable>control-socket</replaceable></arg>
++      <arg choice='opt'>-G </arg>
+       <!-- arg choice='opt'>-R
+       <replaceable>rtcm-listener-port</replaceable></arg -->
+       <arg choice='opt'>-S <replaceable>listener-port</replaceable></arg>
+@@ -107,6 +108,12 @@ commands that edit the daemon's internal
+ clients.</para></listitem>
+ </varlistentry -->
+ <varlistentry>
++<term>-G</term>
++<listitem><para>If present, listen for connections from other
++systems.  Otherwise, listen only for connections from this system.
++</para></listitem>
++</varlistentry>
++<varlistentry>
+ <term>-S</term>
+ <listitem><para>Set TCP/IP port on which to listen for GPSD clients 
+ (default is 2947).</para></listitem>
+@@ -871,6 +878,12 @@ will not attempt to document this interf
+ </refsect1>
+ <refsect1 id='security'><title>SECURITY AND PERMISSIONS ISSUES</title> 
+ 
++<para><application>gpsd</application>, if given the -G flag, will
++listen for connections from any reachable host, and then disclose the
++current position.  Before using the -G flag, consider whether you
++consider your computer's location to be sensitive data to be kept
++private or something that you wish to publish.</para>
++
+ <para><application>gpsd</application> must start up as root in order
+ to open the NTPD shared-memory segment, open its logfile, and create
+ its local control socket.  Before doing any processing of GPS data, it
-- 
cgit v1.2.3