authorAmadeusz Żołnowski <aidecoe@gentoo.org>2016-12-15 21:26:54 +0000
committerAmadeusz Żołnowski <aidecoe@gentoo.org>2016-12-15 21:27:10 +0000
commitaf870a94a84b4073fb0db94d2bd2ef852a64cb1d (patch)
tree9644290160ef92317e1b577a7c56c5e4065de97e
parentdev-lang/php: new version 5.6.29 (replaces the unstable 5.6.28-r2). (diff)
downloadgentoo-af870a94a84b4073fb0db94d2bd2ef852a64cb1d.tar.gz
gentoo-af870a94a84b4073fb0db94d2bd2ef852a64cb1d.tar.bz2
gentoo-af870a94a84b4073fb0db94d2bd2ef852a64cb1d.zip
sys-apps/firejail: Backport security fix to 0.9.38.4
Gentoo-Bug: 601994 Package-Manager: portage-2.3.3
-rw-r--r--sys-apps/firejail/files/firejail-0.9.38.4-0001-etc-resolv.conf-overwrite.patch59
-rw-r--r--sys-apps/firejail/firejail-0.9.38.4-r1.ebuild (renamed from sys-apps/firejail/firejail-0.9.38.4.ebuild)1
2 files changed, 60 insertions, 0 deletions
diff --git a/sys-apps/firejail/files/firejail-0.9.38.4-0001-etc-resolv.conf-overwrite.patch b/sys-apps/firejail/files/firejail-0.9.38.4-0001-etc-resolv.conf-overwrite.patch
new file mode 100644
index 000000000000..5905b83bfb3d
--- /dev/null
+++ b/sys-apps/firejail/files/firejail-0.9.38.4-0001-etc-resolv.conf-overwrite.patch
@@ -0,0 +1,59 @@
+From 4f4e59c7529888339fe2337dc893984eb7833d01 Mon Sep 17 00:00:00 2001
+From: netblue30 <netblue30@yahoo.com>
+Date: Wed, 2 Nov 2016 09:17:19 -0400
+Subject: [PATCH] /etc/resolv.conf overwrite
+
+---
+ RELNOTES | 7 ++++++-
+ configure.ac | 2 +-
+ src/firejail/main.c | 8 ++++++++
+ 3 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/RELNOTES b/RELNOTES
+index 4b5b662..0957292 100644
+--- a/RELNOTES
++++ b/RELNOTES
+@@ -1,4 +1,9 @@
+-firejail (0.9.38.3) baseline; urgency=low
++firejail (0.9.38.5) baseline; urgency=low
++ * this is a development release
++ * security: overwrite /etc/resolv.conf found by Martin Carpenter
++ -- netblue30 <netblue30@yahoo.com> Mon, 2 Nov 2016 10:00:00 -0500
++
++firejail (0.9.38.4) baseline; urgency=low
+ * CVE-2016-7545 submitted by Aleksey Manevich
+ * bugfixes
+ -- netblue30 <netblue30@yahoo.com> Mon, 10 Oct 2016 10:00:00 -0500
+diff --git a/configure.ac b/configure.ac
+index 718cfd3..edd528d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1,5 +1,5 @@
+ AC_PREREQ([2.68])
+-AC_INIT(firejail, 0.9.38.4, netblue30@yahoo.com, , http://firejail.wordpress.com)
++AC_INIT(firejail, 0.9.38.5, netblue30@yahoo.com, , http://firejail.wordpress.com)
+ AC_CONFIG_SRCDIR([src/firejail/main.c])
+ #AC_CONFIG_HEADERS([config.h])
+
+diff --git a/src/firejail/main.c b/src/firejail/main.c
+index 9e2aec4..9c1b73e 100644
+--- a/src/firejail/main.c
++++ b/src/firejail/main.c
+@@ -903,6 +903,14 @@ int main(int argc, char **argv) {
+ return 1;
+ }
+
++ // don't allow "--chroot=/"
++ char *rpath = realpath(cfg.chrootdir, NULL);
++ if (rpath == NULL || strcmp(rpath, "/") == 0) {
++ fprintf(stderr, "Error: invalid chroot directory\n");
++ exit(1);
++ }
++ free(rpath);
++
+ // check chroot directory structure
+ if (fs_check_chroot_dir(cfg.chrootdir)) {
+ fprintf(stderr, "Error: invalid chroot\n");
+--
+2.11.0
+
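Review bot: The added block in the embedded src/firejail/main.c hunk (starting at `// don't allow "--chroot=/"`) folds two distinct failures into one message: `realpath()` returning NULL (path does not exist, not accessible, too long) and a resolved path of `/` both print `Error: invalid chroot directory`, so a misconfigured `--chroot` is hard to diagnose. Splitting the first case as `if (rpath == NULL) { perror("Error: invalid chroot directory"); exit(1); }` before the existing `strcmp` check keeps the rejection and reports errno without new includes. The check also resolves `cfg.chrootdir` here while the later `fs_check_chroot_dir(cfg.chrootdir)` still receives the unresolved string, so the two calls may see different targets if the path changes in between; whether that matters downstream is not visible from the hunk. The patch subject and RELNOTES entry name /etc/resolv.conf while the code comment only says what is rejected, not why; a comment such as `// a chroot of "/" is the host root: rejected, see the 0.9.38.5 RELNOTES entry` would tie the two together. The enclosing `main()` starts and ends outside the hunk.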
diff --git a/sys-apps/firejail/firejail-0.9.38.4.ebuild b/sys-apps/firejail/firejail-0.9.38.4-r1.ebuild
index d35fd1c90f5f..1b95976cfc79 100644
--- a/sys-apps/firejail/firejail-0.9.38.4.ebuild
+++ b/sys-apps/firejail/firejail-0.9.38.4-r1.ebuild
@@ -17,6 +17,7 @@ IUSE="+seccomp"
src_prepare() {
epatch "${FILESDIR}"/${P}-sysmacros.patch
+ epatch "${FILESDIR}"/${P}-0001-etc-resolv.conf-overwrite.patch
find -name Makefile.in -exec sed -i -r \
-e '/CFLAGS/s: (-O2|-ggdb) : :g' \
-e '1iCC=@CC@' {} + || die