author | Amadeusz Żołnowski <aidecoe@gentoo.org> | 2016-12-15 21:26:54 +0000 |
---|---|---|
committer | Amadeusz Żołnowski <aidecoe@gentoo.org> | 2016-12-15 21:27:10 +0000 |
commit | af870a94a84b4073fb0db94d2bd2ef852a64cb1d (patch) | |
tree | 9644290160ef92317e1b577a7c56c5e4065de97e | |
parent | dev-lang/php: new version 5.6.29 (replaces the unstable 5.6.28-r2). (diff) | |
sys-apps/firejail: Backport security fix to 0.9.38.4
Gentoo-Bug: 601994
Package-Manager: portage-2.3.3
-rw-r--r-- | sys-apps/firejail/files/firejail-0.9.38.4-0001-etc-resolv.conf-overwrite.patch | 59 | ||||
-rw-r--r-- | sys-apps/firejail/firejail-0.9.38.4-r1.ebuild (renamed from sys-apps/firejail/firejail-0.9.38.4.ebuild) | 1 |
2 files changed, 60 insertions, 0 deletions
diff --git a/sys-apps/firejail/files/firejail-0.9.38.4-0001-etc-resolv.conf-overwrite.patch b/sys-apps/firejail/files/firejail-0.9.38.4-0001-etc-resolv.conf-overwrite.patch
new file mode 100644
index 000000000000..5905b83bfb3d
--- /dev/null
+++ b/sys-apps/firejail/files/firejail-0.9.38.4-0001-etc-resolv.conf-overwrite.patch
@@ -0,0 +1,59 @@
+From 4f4e59c7529888339fe2337dc893984eb7833d01 Mon Sep 17 00:00:00 2001
+From: netblue30 <netblue30@yahoo.com>
+Date: Wed, 2 Nov 2016 09:17:19 -0400
+Subject: [PATCH] /etc/resolv.conf overwrite
+
+---
+ RELNOTES | 7 ++++++-
+ configure.ac | 2 +-
+ src/firejail/main.c | 8 ++++++++
+ 3 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/RELNOTES b/RELNOTES
+index 4b5b662..0957292 100644
+--- a/RELNOTES
++++ b/RELNOTES
+@@ -1,4 +1,9 @@
+-firejail (0.9.38.3) baseline; urgency=low
++firejail (0.9.38.5) baseline; urgency=low
++ * this is a development release
++ * security: overwrite /etc/resolv.conf found by Martin Carpenter
++ -- netblue30 <netblue30@yahoo.com> Mon, 2 Nov 2016 10:00:00 -0500
++
++firejail (0.9.38.4) baseline; urgency=low
+ * CVE-2016-7545 submitted by Aleksey Manevich
+ * bugfixes
+ -- netblue30 <netblue30@yahoo.com> Mon, 10 Oct 2016 10:00:00 -0500
+diff --git a/configure.ac b/configure.ac
+index 718cfd3..edd528d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1,5 +1,5 @@
+ AC_PREREQ([2.68])
+-AC_INIT(firejail, 0.9.38.4, netblue30@yahoo.com, , http://firejail.wordpress.com)
++AC_INIT(firejail, 0.9.38.5, netblue30@yahoo.com, , http://firejail.wordpress.com)
+ AC_CONFIG_SRCDIR([src/firejail/main.c])
+ #AC_CONFIG_HEADERS([config.h])
+
+diff --git a/src/firejail/main.c b/src/firejail/main.c
+index 9e2aec4..9c1b73e 100644
+--- a/src/firejail/main.c
++++ b/src/firejail/main.c
+@@ -903,6 +903,14 @@ int main(int argc, char **argv) {
+ return 1;
+ }
+
++ // don't allow "--chroot=/"
++ char *rpath = realpath(cfg.chrootdir, NULL);
++ if (rpath == NULL || strcmp(rpath, "/") == 0) {
++ fprintf(stderr, "Error: invalid chroot directory\n");
++ exit(1);
++ }
++ free(rpath);
++
+ // check chroot directory structure
+ if (fs_check_chroot_dir(cfg.chrootdir)) {
+ fprintf(stderr, "Error: invalid chroot\n");
+--
+2.11.0
+
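Review bot: The canonical path returned by `realpath()` in the added main.c block is used only for the `"/"` comparison and then freed, while `fs_check_chroot_dir(cfg.chrootdir)` on the lines that follow still receives the original, unresolved string. Because the check and the later uses resolve the path separately, a symlink component in `cfg.chrootdir` may point elsewhere by the time it is used, so the rejection of `/` is weaker than it looks. Consider keeping the resolved path instead of discarding it, i.e. replace `free(rpath);` with `cfg.chrootdir = rpath;`, so the structure check and everything after it operate on the path that was actually validated; this narrows the check/use gap but does not close it if a path component is writable by the caller. The rest of main() and the chroot call itself are outside the hunk, so how `cfg.chrootdir` is owned and consumed later should be confirmed before changing the assignment.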
diff --git a/sys-apps/firejail/firejail-0.9.38.4.ebuild b/sys-apps/firejail/firejail-0.9.38.4-r1.ebuild index d35fd1c90f5f..1b95976cfc79 100644 --- a/sys-apps/firejail/firejail-0.9.38.4.ebuild +++ b/sys-apps/firejail/firejail-0.9.38.4-r1.ebuild @@ -17,6 +17,7 @@ IUSE="+seccomp" src_prepare() { epatch "${FILESDIR}"/${P}-sysmacros.patch + epatch "${FILESDIR}"/${P}-0001-etc-resolv.conf-overwrite.patch find -name Makefile.in -exec sed -i -r \ -e '/CFLAGS/s: (-O2|-ggdb) : :g' \ -e '1iCC=@CC@' {} + || die |