public inbox for gentoo-commits@lists.gentoo.org
From: "Joonas Niilola" <juippis@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/hylafaxplus/, net-misc/hylafaxplus/files/
Date: Tue,  7 Jul 2020 13:56:44 +0000 (UTC)
Message-ID: <1594130191.40bc6b7f79069264f3cbc918ffae4af4feab2bb5.juippis@gentoo>

commit:     40bc6b7f79069264f3cbc918ffae4af4feab2bb5
Author:     John Helmert III <jchelmert3 <AT> posteo <DOT> net>
AuthorDate: Wed Jul  1 04:33:35 2020 +0000
Commit:     Joonas Niilola <juippis <AT> gentoo <DOT> org>
CommitDate: Tue Jul  7 13:56:31 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40bc6b7f

net-misc/hylafaxplus: Add 7.0.2 (security bump)

Bug: https://bugs.gentoo.org/730290
Package-Manager: Portage-2.3.103, Repoman-2.3.23
Signed-off-by: John Helmert III <jchelmert3 <AT> posteo.net>
Closes: https://github.com/gentoo/gentoo/pull/16541
Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org>

 net-misc/hylafaxplus/Manifest                      |   1 +
 .../files/hylafaxplus-CVE-2020-1539x.patch         | 110 ++++++++++++++
 net-misc/hylafaxplus/hylafaxplus-7.0.2.ebuild      | 160 +++++++++++++++++++++
 3 files changed, 271 insertions(+)

diff --git a/net-misc/hylafaxplus/Manifest b/net-misc/hylafaxplus/Manifest
index 3e0b1d426ce..51882b7cd3d 100644
--- a/net-misc/hylafaxplus/Manifest
+++ b/net-misc/hylafaxplus/Manifest
@@ -1,2 +1,3 @@
 DIST hylafax-5.5.5.tar.gz 1353495 BLAKE2B e1b41a5cf5502ad28467625495171c085f43f4352b73bfd633da851a1366502aca04a157790ad4a7f3d634a6adbb5dab4c1eeb294283352e9eedaf03c565cb42 SHA512 ee6225ae044c567093103f35c30d848db757636c1d8db78e8f7cb43eb01ea34ab229a81ca4175e2bf30d3c87b598d5b5797b7d92b0dc852bf4b69c697baca8cf
 DIST hylafax-5.6.1.tar.gz 1370677 BLAKE2B bd93d54f2c3e2c5c4c33617a0d95569c82bcbd32f669fb2ea513b86e112a5743ae6b4ddc8d43f3bd4af6006517e8787392c84bf60e715c104ddb0d819b22985a SHA512 c86c33dc9e8feec4e265156fa3bbda18cf187feeef5c812ff3d3c7857de048a688bb979fcd3494ee8fe58a004a384a2a161d05245c86d0c304311d63f62a9eb1
+DIST hylafax-7.0.2.tar.gz 1393586 BLAKE2B cbf99f91a0aa07783dd30e76ce8416b2933240d4bf829220909000519f9c9e14a324163707c14504848ba71e7c1ee7d98455f06bb040c2c50c1493d0138122aa SHA512 ea68404ad79e798b29450683eaa927e73033e0fa8160b803a3e2c9000df487c81193cc8fc0c1187477f5e1b2e26eec1c065ebc17e0be82e9a3e3758b1b5b5e4e

diff --git a/net-misc/hylafaxplus/files/hylafaxplus-CVE-2020-1539x.patch b/net-misc/hylafaxplus/files/hylafaxplus-CVE-2020-1539x.patch
new file mode 100644
index 00000000000..6c484590c46
--- /dev/null
+++ b/net-misc/hylafaxplus/files/hylafaxplus-CVE-2020-1539x.patch
@@ -0,0 +1,110 @@
+commit e8f8196230ae15f6f7d7104ded3e2633002506e4
+Author: faxguy <faxguy@5505949e-d877-4686-9e03-c53b7a51b376>
+Date:   Sat Jun 13 23:46:33 2020 +0000
+
+    Johannes Segitz reported two issues:
+    
+    1) faxaddmodem, faxsetup, and probemodem create temporary directories in a way that is not secure due to a race condition.
+    
+    2) The HylaFAX spool directory bin and etc subdirectories are not secure against uucp deleting and recreating scripts that root runs.
+    
+    These changes address these two issues.
+    
+    
+    
+    git-svn-id: https://svn.code.sf.net/p/hylafax/HylaFAX+@2534 5505949e-d877-4686-9e03-c53b7a51b376
+
+diff --git a/CONTRIBUTORS b/CONTRIBUTORS
+index 057739f..a9d4f21 100644
+--- a/CONTRIBUTORS
++++ b/CONTRIBUTORS
+@@ -203,6 +203,7 @@ following for their contributions:
+   Travis Schafer			LogSend and LogRecv modem config options, documentation fixes
+   Sven Schmidt
+   Steven Schoch				faxrcvd faxinfo text parsing
++  Johannes Segitz			code security audit
+   John Sellens
+   Chris Severance			documentation fixes, scripting improvements
+   Simon <iahnl@iah.nl>
+diff --git a/Makefile.in b/Makefile.in
+index 1ee4d76..ec0cda7 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -208,7 +208,10 @@ makeServerDirs::
+ 	    -idb hylafax.sw.server -root ${INSTALLROOT} -dir ${SPOOL}
+ 	-${INSTALL} -u ${FAXUSER} -g ${FAXGROUP} -m ${DIRMODE} \
+ 	    -idb hylafax.sw.server -dir \
+-	    -root ${INSTALLROOT} -F ${SPOOL} bin client config dev etc info log recvq status
++	    -root ${INSTALLROOT} -F ${SPOOL} client config dev info log recvq status
++	-${INSTALL} -u root -g root -m ${DIRMODE} \
++	    -idb hylafax.sw.server -dir \
++	    -root ${INSTALLROOT} -F ${SPOOL} bin etc
+ 	-${INSTALL} -u ${FAXUSER} -g ${FAXGROUP} -m 700 \
+ 	    -idb hylafax.sw.server -dir \
+ 	    -root ${INSTALLROOT} -F ${SPOOL} sendq doneq docq tmp pollq archive
+diff --git a/etc/faxaddmodem.sh.in b/etc/faxaddmodem.sh.in
+index dc39917..c4d3ff1 100644
+--- a/etc/faxaddmodem.sh.in
++++ b/etc/faxaddmodem.sh.in
+@@ -113,12 +113,14 @@ if [ "$euid" != "root" ]; then
+ fi
+ 
+ # security
++o="`umask`"
++umask 077
+ TMPDIR=`(mktemp -d /tmp/.faxaddmodem.XXXXXX) 2>/dev/null`
++umask "$o"
+ if test X$TMPDIR = X; then
+-    TMPDIR=/tmp/.faxaddmodem$$
++    echo "Failed to create temporary directory.  Cannot continue."
++    exit 1
+ fi
+-@RM@ -rf $TMPDIR
+-(umask 077 ; mkdir $TMPDIR) || exit 1
+ 
+ SH=$SCRIPT_SH			# shell for use below
+ CPATH=$SPOOL/etc/config		# prefix of configuration file
+diff --git a/etc/faxsetup.sh.in b/etc/faxsetup.sh.in
+index 556eef5..b4aae40 100644
+--- a/etc/faxsetup.sh.in
++++ b/etc/faxsetup.sh.in
+@@ -922,12 +922,14 @@ if onServer; then
+     #
+ 
+     # Setup TMPDIR before anything can trap and rm it
++    o="`umask`"
++    umask 077
+     TMPDIR=`(mktemp -d /tmp/.faxsetup.XXXXXX) 2>/dev/null`
++    umask "$o"
+     if test x$TMPDIR = x; then
+-	TMPDIR=/tmp/.faxsetup$$
++	echo "Failed to create temporary directory.  Cannot continue."
++	exit 1
+     fi
+-    $RM -rf $TMPDIR
+-    (umask 077 ; mkdir $TMPDIR) || exit 1
+ 
+     JUNK="etc/setup.tmp"
+     trap "$RM \$JUNK; $RM -r \$TMPDIR; exit 1" 1 2 15
+diff --git a/etc/probemodem.sh.in b/etc/probemodem.sh.in
+index 55b5d9b..c0abf15 100644
+--- a/etc/probemodem.sh.in
++++ b/etc/probemodem.sh.in
+@@ -85,12 +85,14 @@ test -f $SPOOL/etc/setup.cache || {
+ . $SPOOL/etc/setup.cache	# common configuration stuff
+ . $SPOOL/etc/setup.modem	# modem-specific stuff
+ 
++o="`umask`"
++umask 077
+ TMPDIR=`(mktemp -d /tmp/.probemodem.XXXXXX) 2>/dev/null`
++umask "$o"
+ if test X$TMPDIR = X; then
+-    TMPDIR=/tmp/.probemodem$$
++    echo "Failed to create temporary directory.  Cannot continue."
++    exit 1
+ fi
+-@RM@ -fr $TMPDIR
+-(umask 077 ; mkdir $TMPDIR) || exit 1
+ 
+ SH=$SCRIPT_SH			# shell for use below
+ OUT=$TMPDIR/probemodem$$	# temp file in which modem output is recorded
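Review bot: the umask save/restore wrapped around mktemp in faxaddmodem.sh.in, faxsetup.sh.in and probemodem.sh.in (the `o="`umask`"`, `umask 077` and `umask "$o"` lines) is redundant, since GNU and BSD `mktemp -d` already create the directory with mode 0700 regardless of the umask; it is harmless, and the substantive fix is dropping the predictable `TMPDIR=/tmp/.faxaddmodem$$` fallback with its `rm -rf` followed by `mkdir`, so the scripts now fail closed when mktemp is missing or fails instead of racing on a guessable path. Two smaller points: the new `echo "Failed to create temporary directory.  Cannot continue."` lines write to stdout and belong on stderr (`echo ... >&2`) since they precede an `exit 1`; and the Makefile.in hunk hardcodes `-u root -g root` for the bin and etc spool directories, which will not resolve on systems where the superuser's group is `wheel`, so `-g 0` or a configure-detected value would be more portable. Finally, the patch file name encodes the advisories only as `CVE-2020-1539x`; the exact identifiers it covers (not given on this page) should be listed in the ebuild or at the top of the patch so the security bump can be audited against them.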

diff --git a/net-misc/hylafaxplus/hylafaxplus-7.0.2.ebuild b/net-misc/hylafaxplus/hylafaxplus-7.0.2.ebuild
new file mode 100644
index 00000000000..2e43871ac72
--- /dev/null
+++ b/net-misc/hylafaxplus/hylafaxplus-7.0.2.ebuild
@@ -0,0 +1,160 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit pam toolchain-funcs
+
+MY_PN="${PN/plus/}"
+MY_P="${MY_PN}-${PV}"
+
+DESCRIPTION="Enterprise client-server fax package for class 1 and 2 fax modems"
+HOMEPAGE="https://hylafax.sourceforge.net"
+SRC_URI="mirror://sourceforge/hylafax/${MY_P}.tar.gz"
+
+SLOT="0"
+LICENSE="hylafaxplus"
+KEYWORDS="~amd64 ~x86"
+IUSE="html jbig lcms ldap mgetty pam"
+
+DEPEND="
+	app-text/ghostscript-gpl
+	media-libs/tiff:0[jbig?]
+	!net-dialup/mgetty[fax]
+	>=sys-libs/zlib-1.1.4
+	virtual/awk
+	virtual/jpeg:0
+	virtual/mta
+	jbig? ( media-libs/jbigkit )
+	lcms? ( media-libs/lcms )
+	ldap? (  net-nds/openldap )
+	mgetty? ( net-dialup/mgetty[-fax] )
+	pam? ( sys-libs/pam )
+"
+RDEPEND="${DEPEND}
+	!net-dialup/sendpage
+	net-mail/metamail
+"
+
+S="${WORKDIR}/${MY_P}"
+
+CONFIG_PROTECT="${CONFIG_PROTECT} /var/spool/fax/etc /usr/lib/fax"
+CONFIG_PROTECT_MASK="${CONFIG_PROTECT_MASK} /var/spool/fax/etc/xferfaxlog"
+
+PATCHES=(
+	"${FILESDIR}/ldconfig-patch"
+	"${FILESDIR}/${PN}-CVE-2020-1539x.patch"
+)
+
+src_prepare() {
+	default
+
+	# force it not to strip binaries
+	for dir in etc util faxalter faxcover faxd faxmail faxrm faxstat \
+		hfaxd sendfax sendpage ; do
+			sed -i -e "s:-idb:-idb \"nostrip\" -idb:g" \
+				"${dir}"/Makefile.in || die "sed on ${dir}/Makefile.in failed"
+	done
+
+	sed -i -e "s:hostname:hostname -f:g" util/{faxrcvd,pollrcvd}.sh.in || die "sed on hostname failed"
+
+	# Respect LDFLAGS(at least partially)
+	sed -i -e "/^LDFLAGS/s/LDOPTS}/LDOPTS} ${LDFLAGS}/" defs.in || die "sed on defs.in failed"
+
+	sed -i -e "s|-fpic|-fPIC|g" \
+		configure || die
+}
+
+src_configure() {
+	do_configure() {
+		echo ./configure --nointeractive ${1}
+		# eval required for quoting in ${my_conf} to work properly, better way?
+		eval ./configure --nointeractive ${1} || die "./configure failed"
+	}
+	local my_conf="
+		--with-DIR_BIN=/usr/bin
+		--with-DIR_SBIN=/usr/sbin
+		--with-DIR_LIB=/usr/$(get_libdir)
+		--with-DIR_LIBEXEC=/usr/sbin
+		--with-DIR_LIBDATA=/usr/$(get_libdir)/fax
+		--with-DIR_LOCALE=/usr/share/locale
+		--with-DIR_LOCKS=/var/lock
+		--with-DIR_MAN=/usr/share/man
+		--with-DIR_SPOOL=/var/spool/fax
+		--with-DIR_HTML=/usr/share/doc/${P}/html
+		--with-DIR_CGI="${WORKDIR}"
+		--with-PATH_DPSRIP=/var/spool/fax/bin/ps2fax
+		--with-PATH_IMPRIP=\"\"
+		--with-SYSVINIT=no
+		--with-REGEX=yes
+		--with-LIBTIFF=\"-ltiff -ljpeg -lz\"
+		--with-OPTIMIZER=\"${CFLAGS}\"
+		--with-DSO=auto
+		--with-HTML=$(usex html)"
+
+	if use mgetty; then
+		my_conf="${my_conf} \
+			--with-PATH_GETTY=/sbin/mgetty \
+			--with-PATH_EGETTY=/sbin/mgetty \
+			--with-PATH_VGETTY=/usr/sbin/vgetty"
+	else
+		# GETTY defaults to /sbin/agetty
+		my_conf="${my_conf} \
+			--with-PATH_EGETTY=/bin/false \
+			--with-PATH_VGETTY=/bin/false"
+	fi
+
+	#--enable-pam isn't valid
+	use pam || my_conf="${my_conf} $(use_enable pam)"
+	use lcms || my_conf="${my_conf} $(use_enable lcms)"
+	use ldap || my_conf="${my_conf} $(use_enable ldap)"
+	use jbig || my_conf="${my_conf} $(use_enable jbig)"
+
+	tc-export CC CXX AR RANLIB
+
+	do_configure "${my_conf}"
+}
+
+src_compile() {
+	# Parallel building is borked, bug #????
+	emake -j1
+}
+
+src_install() {
+	dodir /usr/{bin,sbin} /usr/$(get_libdir)/fax /usr/share/man
+	dodir /var/spool /var/spool/fax
+	fowners uucp:uucp /var/spool/fax
+	fperms 0600 /var/spool/fax
+	dodir "/usr/share/doc/${P}/samples"
+
+	emake DESTDIR="${D}" \
+		BIN="${D}/usr/bin" \
+		SBIN="${D}/usr/sbin" \
+		LIBDIR="${D}/usr/$(get_libdir)" \
+		LIB="${D}/usr/$(get_libdir)" \
+		LIBEXEC="${D}/usr/sbin" \
+		LIBDATA="${D}/usr/$(get_libdir)/fax" \
+		DIR_LOCALE="${D}/usr/share/locale" \
+		MAN="${D}/usr/share/man" \
+		SPOOL="${D}/var/spool/fax" \
+		HTMLDIR="${D}/usr/share/doc/${PF}/html" \
+		install
+
+	keepdir /var/spool/fax/{archive,client,etc,pollq,recvq,tmp}
+	keepdir /var/spool/fax/{status,sendq,log,info,doneq,docq,dev}
+
+	einfo "Adding env.d entry for ${PN}"
+	newenvd - 99hylafaxplus <<-EOF
+	PATH="/var/spool/fax/bin"
+	CONFIG_PROTECT="/var/spool/fax/etc /usr/$(get_libdir)/fax"
+	CONFIG_PROTECT_MASK="/var/spool/fax/etc/xferfaxlog"
+	EOF
+
+	newconfd "${FILESDIR}/${PN}-conf" ${PN}
+	newinitd "${FILESDIR}/${PN}-init" ${PN}
+
+	use pam && pamd_mimic_system ${MY_PN} auth account session
+
+	einstalldocs
+	docinto samples
+}
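Review bot: `fperms 0600 /var/spool/fax` leaves the spool root without the execute bit, which makes a directory untraversable even for its owner; the following `emake ... install` presumably resets it through the `-m ${DIRMODE}` install of `${SPOOL}` seen in the Makefile.in hunk above, but if that is what is relied on, the fperms line is misleading and should be `0700`, dropped, or commented. Related to the CVE fix this ebuild carries: the spool root stays `fowners uucp:uucp`, so the now root-owned `bin` and `etc` are still entries inside a uucp-owned directory; it is worth confirming whether the spool root should itself be root-owned with only the queue subdirectories (sendq, doneq, docq, tmp, pollq, archive, recvq and so on) left uucp-writable, otherwise the hardening of bin/etc is weaker than it looks. Smaller items: the comment `# Parallel building is borked, bug #????` carries a placeholder bug number that should be filled in or the comment reworded; `sed -i -e "s|-fpic|-fPIC|g" configure || die` lacks the descriptive die message the other sed calls have; and `ldap? (  net-nds/openldap )` has a stray double space.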

