diff options
| author |   Anthony G. Basile <blueness@gentoo.org> | 2013-06-16 16:04:11 +0000 |
|---|---|---|
| committer | Anthony G. Basile <blueness@gentoo.org> | 2013-06-16 16:04:11 +0000 |
| commit | 3a4f387101600f7522a58ded98b5e6b78fae677d (patch) | |
| tree | 8af769c84cc60feb480b563a510ea5eb36fb4585 /net-misc | |
| parent | new ebuild prepared by me with additions from kensington wrt Bug #209746 (diff) | |
| download | gentoo-2-3a4f387101600f7522a58ded98b5e6b78fae677d.tar.gz gentoo-2-3a4f387101600f7522a58ded98b5e6b78fae677d.tar.bz2 gentoo-2-3a4f387101600f7522a58ded98b5e6b78fae677d.zip | |
Version bump, security bug #460278
(Portage version: 2.1.12.2/cvs/Linux x86_64, signed Manifest commit with key 0xF52D4BBA)
Diffstat (limited to 'net-misc')
| -rw-r--r-- | net-misc/stunnel/ChangeLog | 10 | ||||
| -rw-r--r-- | net-misc/stunnel/files/stunnel-4.56-listen-queue.patch | 51 | ||||
| -rw-r--r-- | net-misc/stunnel/files/stunnel-4.56-xforwarded-for.patch | 226 | ||||
| -rw-r--r-- | net-misc/stunnel/files/stunnel.initd-start-stop-daemon | 5 | ||||
| -rw-r--r-- | net-misc/stunnel/stunnel-4.56.ebuild | 73 |
5 files changed, 362 insertions, 3 deletions
diff --git a/net-misc/stunnel/ChangeLog b/net-misc/stunnel/ChangeLog index b9d3473436e1..9bc47f4c7d49 100644 --- a/net-misc/stunnel/ChangeLog +++ b/net-misc/stunnel/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for net-misc/stunnel # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/stunnel/ChangeLog,v 1.135 2013/06/16 14:42:03 blueness Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-misc/stunnel/ChangeLog,v 1.136 2013/06/16 16:04:11 blueness Exp $ + +*stunnel-4.56 (16 Jun 2013) + + 16 Jun 2013; Anthony G. Basile <blueness@gentoo.org> + +files/stunnel-4.56-listen-queue.patch, + +files/stunnel-4.56-xforwarded-for.patch, +stunnel-4.56.ebuild, + files/stunnel.initd-start-stop-daemon: + Version bump, security bug #460278 16 Jun 2013; Anthony G. Basile <blueness@gentoo.org> metadata.xml: Add myself as maintainer diff --git a/net-misc/stunnel/files/stunnel-4.56-listen-queue.patch b/net-misc/stunnel/files/stunnel-4.56-listen-queue.patch new file mode 100644 index 000000000000..be0ceb9a47f7 --- /dev/null +++ b/net-misc/stunnel/files/stunnel-4.56-listen-queue.patch @@ -0,0 +1,51 @@ +diff -Naur stunnel-4.56.orig/src/options.c stunnel-4.56/src/options.c +--- stunnel-4.56.orig/src/options.c 2013-03-13 09:41:12.000000000 -0400 ++++ stunnel-4.56/src/options.c 2013-06-16 11:17:49.000000000 -0400 +@@ -1913,6 +1913,24 @@ + break; + } + ++ /* listenqueue */ ++ switch(cmd) { ++ case CMD_BEGIN: ++ section->listenqueue=SOMAXCONN; ++ break; ++ case CMD_EXEC: ++ if(strcasecmp(opt, "listenqueue")) ++ break; ++ section->listenqueue=atoi(arg); ++ return (section->listenqueue?NULL:"Bad verify level"); ++ case CMD_DEFAULT: ++ s_log(LOG_NOTICE, "%-15s = %d", "listenqueue", SOMAXCONN); ++ break; ++ case CMD_HELP: ++ s_log(LOG_NOTICE, "%-15s = defines the maximum length the queue of pending connections may grow to", "listenqueue"); ++ break; ++ } ++ + if(cmd==CMD_EXEC) + return option_not_found; + +diff -Naur stunnel-4.56.orig/src/prototypes.h stunnel-4.56/src/prototypes.h +--- stunnel-4.56.orig/src/prototypes.h 2013-03-19 13:30:55.000000000 -0400 ++++ stunnel-4.56/src/prototypes.h 2013-06-16 11:17:49.000000000 -0400 +@@ -183,6 +183,7 @@ + int timeout_close; /* maximum close_notify time */ + int timeout_connect; /* maximum connect() time */ + int timeout_idle; /* maximum idle connection time */ ++ int listenqueue; /* Listen baklog */ + enum {FAILOVER_RR, FAILOVER_PRIO} failover; /* failover strategy */ + + /* service-specific data for protocol.c */ +diff -Naur stunnel-4.56.orig/src/stunnel.c stunnel-4.56/src/stunnel.c +--- stunnel-4.56.orig/src/stunnel.c 2013-03-19 13:30:34.000000000 -0400 ++++ stunnel-4.56/src/stunnel.c 2013-06-16 11:17:49.000000000 -0400 +@@ -388,7 +388,7 @@ + str_free(local_address); + return 1; + } +- if(listen(opt->fd, SOMAXCONN)) { ++ if(listen(opt->fd, opt->listenqueue)) { + sockerror("listen"); + closesocket(opt->fd); + str_free(local_address); diff --git a/net-misc/stunnel/files/stunnel-4.56-xforwarded-for.patch b/net-misc/stunnel/files/stunnel-4.56-xforwarded-for.patch new file mode 100644 index 000000000000..135260bdb9f6 --- /dev/null +++ b/net-misc/stunnel/files/stunnel-4.56-xforwarded-for.patch @@ -0,0 +1,226 @@ +diff -Naur stunnel-4.56.orig/src/client.c stunnel-4.56/src/client.c +--- stunnel-4.56.orig/src/client.c 2013-03-14 18:54:24.000000000 -0400 ++++ stunnel-4.56/src/client.c 2013-06-16 11:24:39.000000000 -0400 +@@ -75,6 +75,12 @@ + c=str_alloc(sizeof(CLI)); + str_detach(c); + c->opt=opt; ++ /* some options need space to add some information */ ++ if (c->opt->option.xforwardedfor) ++ c->buffsize = BUFFSIZE - BUFF_RESERVED; ++ else ++ c->buffsize = BUFFSIZE; ++ c->crlf_seen=0; + c->local_rfd.fd=rfd; + c->local_wfd.fd=wfd; + return c; +@@ -501,6 +507,28 @@ + } + #endif + ++/* Moves all data from the buffer <buffer> between positions <start> and <stop> ++ * to insert <string> of length <len>. <start> and <stop> are updated to their ++ * new respective values, and the number of characters inserted is returned. ++ * If <len> is too long, nothing is done and -1 is returned. ++ * Note that neither <string> nor <buffer> can be NULL. ++ */ ++static int buffer_insert_with_len(char *buffer, int *start, int *stop, int limit, char *string, int len) { ++ if (len > limit - *stop) ++ return -1; ++ if (*start > *stop) ++ return -1; ++ memmove(buffer + *start + len, buffer + *start, *stop - *start); ++ memcpy(buffer + *start, string, len); ++ *start += len; ++ *stop += len; ++ return len; ++} ++ ++static int buffer_insert(char *buffer, int *start, int *stop, int limit, char *string) { ++ return buffer_insert_with_len(buffer, start, stop, limit, string, strlen(string)); ++} ++ + /****************************** transfer data */ + static void transfer(CLI *c) { + int watchdog=0; /* a counter to detect an infinite loop */ +@@ -519,7 +547,7 @@ + do { /* main loop of client data transfer */ + /****************************** initialize *_wants_* */ + read_wants_read=!(SSL_get_shutdown(c->ssl)&SSL_RECEIVED_SHUTDOWN) +- && c->ssl_ptr<BUFFSIZE && !read_wants_write; ++ && c->ssl_ptr<c->buffsize && !read_wants_write; + write_wants_write=!(SSL_get_shutdown(c->ssl)&SSL_SENT_SHUTDOWN) + && c->sock_ptr && !write_wants_read; + +@@ -528,7 +556,7 @@ + /* for plain socket open data strem = open file descriptor */ + /* make sure to add each open socket to receive exceptions! */ + if(sock_open_rd) /* only poll if the read file descriptor is open */ +- s_poll_add(c->fds, c->sock_rfd->fd, c->sock_ptr<BUFFSIZE, 0); ++ s_poll_add(c->fds, c->sock_rfd->fd, c->sock_ptr<c->buffsize, 0); + if(sock_open_wr) /* only poll if the write file descriptor is open */ + s_poll_add(c->fds, c->sock_wfd->fd, 0, c->ssl_ptr); + /* poll SSL file descriptors unless SSL shutdown was completed */ +@@ -683,7 +711,7 @@ + /****************************** read from socket */ + if(sock_open_rd && sock_can_rd) { + num=readsocket(c->sock_rfd->fd, +- c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr); ++ c->sock_buff+c->sock_ptr, c->buffsize-c->sock_ptr); + switch(num) { + case -1: + if(parse_socket_error(c, "readsocket")) +@@ -720,7 +748,7 @@ + /****************************** update *_wants_* based on new *_ptr */ + /* this update is also required for SSL_pending() to be used */ + read_wants_read=!(SSL_get_shutdown(c->ssl)&SSL_RECEIVED_SHUTDOWN) +- && c->ssl_ptr<BUFFSIZE && !read_wants_write; ++ && c->ssl_ptr<c->buffsize && !read_wants_write; + write_wants_write=!(SSL_get_shutdown(c->ssl)&SSL_SENT_SHUTDOWN) + && c->sock_ptr && !write_wants_read; + +@@ -730,12 +758,73 @@ + * writesocket() above made some room in c->ssl_buff */ + (read_wants_write && ssl_can_wr)) { + read_wants_write=0; +- num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr); ++ num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, c->buffsize-c->ssl_ptr); + switch(err=SSL_get_error(c->ssl, num)) { + case SSL_ERROR_NONE: + if(num==0) + s_log(LOG_DEBUG, "SSL_read returned 0"); +- c->ssl_ptr+=num; ++ if (c->buffsize != BUFFSIZE && c->opt->option.xforwardedfor) { /* some work left to do */ ++ int last = c->ssl_ptr; ++ c->ssl_ptr += num; ++ ++ /* Look for end of HTTP headers between last and ssl_ptr. ++ * To achieve this reliably, we have to count the number of ++ * successive [CR]LF and to memorize it in case it's spread ++ * over multiple segments. --WT. ++ */ ++ while (last < c->ssl_ptr) { ++ if (c->ssl_buff[last] == '\n') { ++ if (++c->crlf_seen == 2) ++ break; ++ } else if (last < c->ssl_ptr - 1 && ++ c->ssl_buff[last] == '\r' && ++ c->ssl_buff[last+1] == '\n') { ++ if (++c->crlf_seen == 2) ++ break; ++ last++; ++ } else if (c->ssl_buff[last] != '\r') ++ /* don't refuse '\r' because we may get a '\n' on next read */ ++ c->crlf_seen = 0; ++ last++; ++ } ++ if (c->crlf_seen >= 2) { ++ /* We have all the HTTP headers now. We don't need to ++ * reserve any space anymore. <ssl_ptr> points to the ++ * first byte of unread data, and <last> points to the ++ * exact location where we want to insert our headers, ++ * which is right before the empty line. ++ */ ++ c->buffsize = BUFFSIZE; ++ ++ if (c->opt->option.xforwardedfor) { ++ /* X-Forwarded-For: xxxx \r\n\0 */ ++ char xforw[17 + IPLEN + 3]; ++ ++ /* We will insert our X-Forwarded-For: header here. ++ * We need to write the IP address, but if we use ++ * sprintf, it will pad with the terminating 0. ++ * So we will pass via a temporary buffer allocated ++ * on the stack. ++ */ ++ memcpy(xforw, "X-Forwarded-For: ", 17); ++ if (getnameinfo(&c->peer_addr.sa, ++ c->peer_addr_len, ++ xforw + 17, IPLEN, NULL, 0, ++ NI_NUMERICHOST) == 0) { ++ strcat(xforw + 17, "\r\n"); ++ buffer_insert(c->ssl_buff, &last, &c->ssl_ptr, ++ c->buffsize, xforw); ++ } ++ /* last still points to the \r\n and ssl_ptr to the ++ * end of the buffer, so we may add as many headers ++ * as wee need to. ++ */ ++ } ++ } ++ } ++ else ++ c->ssl_ptr+=num; ++ + watchdog=0; /* reset watchdog */ + break; + case SSL_ERROR_WANT_WRITE: +diff -Naur stunnel-4.56.orig/src/common.h stunnel-4.56/src/common.h +--- stunnel-4.56.orig/src/common.h 2013-03-13 09:41:57.000000000 -0400 ++++ stunnel-4.56/src/common.h 2013-06-16 11:23:12.000000000 -0400 +@@ -52,6 +52,12 @@ + /* I/O buffer size - 18432 is the maximum size of SSL record payload */ + #define BUFFSIZE 18432 + ++/* maximum space reserved for header insertion in BUFFSIZE */ ++#define BUFF_RESERVED 1024 ++ ++/* IP address and TCP port textual representation length */ ++#define IPLEN 128 ++ + /* how many bytes of random input to read from files for PRNG */ + /* OpenSSL likes at least 128 bits, so 64 bytes seems plenty. */ + #define RANDOM_BYTES 64 +diff -Naur stunnel-4.56.orig/src/options.c stunnel-4.56/src/options.c +--- stunnel-4.56.orig/src/options.c 2013-06-16 11:17:49.000000000 -0400 ++++ stunnel-4.56/src/options.c 2013-06-16 11:23:12.000000000 -0400 +@@ -1032,6 +1032,29 @@ + } + #endif + ++ /* xforwardedfor */ ++ switch(cmd) { ++ case CMD_BEGIN: ++ section->option.xforwardedfor=0; ++ break; ++ case CMD_EXEC: ++ if(strcasecmp(opt, "xforwardedfor")) ++ break; ++ if(!strcasecmp(arg, "yes")) ++ section->option.xforwardedfor=1; ++ else if(!strcasecmp(arg, "no")) ++ section->option.xforwardedfor=0; ++ else ++ return "argument should be either 'yes' or 'no'"; ++ return NULL; /* OK */ ++ case CMD_DEFAULT: ++ break; ++ case CMD_HELP: ++ s_log(LOG_NOTICE, "%-15s = yes|no append an HTTP X-Forwarded-For header", ++ "xforwardedfor"); ++ break; ++ } ++ + /* exec */ + switch(cmd) { + case CMD_BEGIN: +diff -Naur stunnel-4.56.orig/src/prototypes.h stunnel-4.56/src/prototypes.h +--- stunnel-4.56.orig/src/prototypes.h 2013-06-16 11:17:49.000000000 -0400 ++++ stunnel-4.56/src/prototypes.h 2013-06-16 11:23:12.000000000 -0400 +@@ -205,6 +205,7 @@ + unsigned int accept:1; /* endpoint: accept */ + unsigned int client:1; + unsigned int delayed_lookup:1; ++ unsigned int xforwardedfor:1; + #ifdef USE_LIBWRAP + unsigned int libwrap:1; + #endif +@@ -434,6 +435,8 @@ + FD *ssl_rfd, *ssl_wfd; /* read and write SSL descriptors */ + int sock_bytes, ssl_bytes; /* bytes written to socket and SSL */ + s_poll_set *fds; /* file descriptors */ ++ int buffsize; /* current buffer size, may be lower than BUFFSIZE */ ++ int crlf_seen; /* the number of successive CRLF seen */ + } CLI; + + CLI *alloc_client_session(SERVICE_OPTIONS *, int, int); diff --git a/net-misc/stunnel/files/stunnel.initd-start-stop-daemon b/net-misc/stunnel/files/stunnel.initd-start-stop-daemon index 550ef9d54b8a..4d3202b17f28 100644 --- a/net-misc/stunnel/files/stunnel.initd-start-stop-daemon +++ b/net-misc/stunnel/files/stunnel.initd-start-stop-daemon @@ -1,7 +1,7 @@ #!/sbin/runscript -# Copyright 1999-2012 Gentoo Foundation +# Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/stunnel/files/stunnel.initd-start-stop-daemon,v 1.2 2012/12/25 04:25:06 ramereth Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-misc/stunnel/files/stunnel.initd-start-stop-daemon,v 1.3 2013/06/16 16:04:11 blueness Exp $ SERVICENAME=${SVCNAME#*.} SERVICENAME=${SERVICENAME:-stunnel} @@ -25,6 +25,7 @@ get_config() { start() { get_config || return 1 + checkpath -d -m 0775 -o root:stunnel /var/run/stunnel if [ "$(dirname ${PIDFILE})" != "/var/run" ]; then checkpath -d -m 0755 -o stunnel:stunnel -q $(dirname ${PIDFILE}) fi diff --git a/net-misc/stunnel/stunnel-4.56.ebuild b/net-misc/stunnel/stunnel-4.56.ebuild new file mode 100644 index 000000000000..8c08e513c225 --- /dev/null +++ b/net-misc/stunnel/stunnel-4.56.ebuild @@ -0,0 +1,73 @@ +# Copyright 1999-2013 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/stunnel/stunnel-4.56.ebuild,v 1.1 2013/06/16 16:04:11 blueness Exp $ + +EAPI="5" + +inherit ssl-cert eutils user + +DESCRIPTION="TLS/SSL - Port Wrapper" +HOMEPAGE="http://stunnel.mirt.net/" +SRC_URI="ftp://ftp.stunnel.org/stunnel/${P}.tar.gz" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sparc ~x86 ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x86-macos" +IUSE="ipv6 selinux tcpd xforward listen-queue" + +DEPEND="tcpd? ( sys-apps/tcp-wrappers ) + >=dev-libs/openssl-0.9.8k" +RDEPEND="${DEPEND} + selinux? ( sec-policy/selinux-stunnel )" + +pkg_setup() { + enewgroup stunnel + enewuser stunnel -1 -1 -1 stunnel +} + +src_prepare() { + use xforward && epatch "${FILESDIR}/${P}-xforwarded-for.patch" + use listen-queue && epatch "${FILESDIR}/${P}-listen-queue.patch" + + # Hack away generation of certificate + sed -i -e "s/^install-data-local:/do-not-run-this:/" \ + tools/Makefile.in || die "sed failed" +} + +src_configure() { + econf \ + $(use_enable ipv6) \ + $(use_enable tcpd libwrap) \ + --with-ssl="${EPREFIX}"/usr +} + +src_install() { + emake DESTDIR="${D}" install + rm -rf "${ED}"/usr/share/doc/${PN} + rm -f "${ED}"/etc/stunnel/stunnel.conf-sample "${ED}"/usr/bin/stunnel3 \ + "${ED}"/usr/share/man/man8/stunnel.{fr,pl}.8 + + # The binary was moved to /usr/bin with 4.21, + # symlink for backwards compatibility + dosym ../bin/stunnel /usr/sbin/stunnel + + dodoc AUTHORS BUGS CREDITS PORTS README TODO ChangeLog + dohtml doc/stunnel.html doc/en/VNC_StunnelHOWTO.html tools/ca.html \ + tools/importCA.html + + insinto /etc/stunnel + doins "${FILESDIR}"/stunnel.conf + newinitd "${FILESDIR}"/stunnel.initd-start-stop-daemon stunnel +} + +pkg_postinst() { + if [ ! -f "${EROOT}"/etc/stunnel/stunnel.key ]; then + install_cert /etc/stunnel/stunnel + chown stunnel:stunnel "${EROOT}"/etc/stunnel/stunnel.{crt,csr,key,pem} + chmod 0640 "${EROOT}"/etc/stunnel/stunnel.{crt,csr,key,pem} + fi + + einfo "If you want to run multiple instances of stunnel, create a new config" + einfo "file ending with .conf in /etc/stunnel/. **Make sure** you change " + einfo "\'pid= \' with a unique filename." +} |