aboutsummaryrefslogtreecommitdiff
path: root/package/xinetd
diff options
context:
space:
mode:
Diffstat (limited to 'package/xinetd')
-rw-r--r--package/xinetd/0005-CVE-2013-4342-xinetd-ignores-user-and-group-directiv.patch29
-rw-r--r--package/xinetd/xinetd.hash2
-rw-r--r--package/xinetd/xinetd.mk9
3 files changed, 37 insertions, 3 deletions
diff --git a/package/xinetd/0005-CVE-2013-4342-xinetd-ignores-user-and-group-directiv.patch b/package/xinetd/0005-CVE-2013-4342-xinetd-ignores-user-and-group-directiv.patch
new file mode 100644
index 0000000000..bb2ee1fc9a
--- /dev/null
+++ b/package/xinetd/0005-CVE-2013-4342-xinetd-ignores-user-and-group-directiv.patch
@@ -0,0 +1,29 @@
+From 91e2401a219121eae15244a6b25d2e79c1af5864 Mon Sep 17 00:00:00 2001
+From: Thomas Swan <thomas.swan@gmail.com>
+Date: Wed, 2 Oct 2013 23:17:17 -0500
+Subject: [PATCH] CVE-2013-4342: xinetd: ignores user and group directives for
+ TCPMUX services
+
+Originally reported to Debian in 2005 <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678> and rediscovered <https://bugzilla.redhat.com/show_bug.cgi?id=1006100>, xinetd would execute TCPMUX services without dropping privilege to match the service configuration allowing the service to run with same privilege as the xinetd process (root).
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ xinetd/builtins.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xinetd/builtins.c b/xinetd/builtins.c
+index 3b85579..34a5bac 100644
+--- a/xinetd/builtins.c
++++ b/xinetd/builtins.c
+@@ -617,7 +617,7 @@ static void tcpmux_handler( const struct server *serp )
+ if( SC_IS_INTERNAL( scp ) ) {
+ SC_INTERNAL(scp, nserp);
+ } else {
+- exec_server(nserp);
++ child_process(nserp);
+ }
+ }
+
+--
+2.20.1
+
diff --git a/package/xinetd/xinetd.hash b/package/xinetd/xinetd.hash
index 1b7ee09b09..ce5a93f571 100644
--- a/package/xinetd/xinetd.hash
+++ b/package/xinetd/xinetd.hash
@@ -1,3 +1,3 @@
# locally computed
-sha256 620b25f4ab4d72fdf32b13797156ea40df2049f1c07e640177e5fec544e9a94c xinetd-2-3-15.tar.gz
+sha256 620b25f4ab4d72fdf32b13797156ea40df2049f1c07e640177e5fec544e9a94c xinetd-2.3.15.tar.gz
sha256 2f3dd19831b1837f7360f80a7700a130c04a59e387d4359299d6df712308bbed COPYRIGHT
diff --git a/package/xinetd/xinetd.mk b/package/xinetd/xinetd.mk
index a2ba10df74..f58c26f02a 100644
--- a/package/xinetd/xinetd.mk
+++ b/package/xinetd/xinetd.mk
@@ -4,10 +4,15 @@
#
################################################################################
-XINETD_VERSION = 2-3-15
-XINETD_SITE = $(call github,xinetd-org,xinetd,xinetd-$(XINETD_VERSION))
+XINETD_VERSION = 2.3.15
+XINETD_SITE = \
+ $(call github,xinetd-org,xinetd,xinetd-$(subst .,-,$(XINETD_VERSION)))
XINETD_LICENSE = xinetd license
XINETD_LICENSE_FILES = COPYRIGHT
+XINETD_CPE_ID_VENDOR = xinetd
+
+# 0005-CVE-2013-4342-xinetd-ignores-user-and-group-directiv.patch
+XINETD_IGNORE_CVES += CVE-2013-4342
XINETD_CFLAGS = $(TARGET_CFLAGS)