[xinetd/f15] Fix tcpmux security
jsynacek
jsynacek at fedoraproject.org
Thu May 17 07:12:03 UTC 2012
commit 45e8dedc63bc1dd9654a07a14b70c559d7846fe7
Author: Jan Synacek <jsynacek at redhat.com>
Date: Thu May 17 09:11:31 2012 +0200
Fix tcpmux security
Resolves: #820318 (CVE-2012-0862)
xinetd-2.3.14-tcpmux-nonmux-security.patch | 49 ++++++++++++++++++++++++++++
xinetd.spec | 9 ++++-
2 files changed, 57 insertions(+), 1 deletions(-)
---
diff --git a/xinetd-2.3.14-tcpmux-nonmux-security.patch b/xinetd-2.3.14-tcpmux-nonmux-security.patch
new file mode 100644
index 0000000..115ae81
--- /dev/null
+++ b/xinetd-2.3.14-tcpmux-nonmux-security.patch
@@ -0,0 +1,49 @@
+--- xinetd-2.3.14/xinetd/builtins.c.old 2012-02-15 16:29:48.263844700 -0600
++++ xinetd-2.3.14/xinetd/builtins.c 2012-02-15 16:37:52.209594438 -0600
+@@ -560,17 +560,16 @@
+ /* Found the pointer. Validate its type.
+ */
+ scp = SVC_CONF( sp );
+-/*
+- if ( ! SVC_IS_MUXCLIENT( sp ) )
++
++ if ( ! SVC_IS_MUXCLIENT( sp ) && ! SVC_IS_MUXPLUSCLIENT( sp ) )
+ {
+ if ( debug.on )
+ {
+ msg(LOG_DEBUG, "tcpmux_handler", "Non-tcpmux service name: %s.",
+ svc_name);
+ }
+- exit(0);
++ continue;
+ }
+-*/
+
+ /* Send the accept string if we're a PLUS (+) client.
+ */
+@@ -597,6 +596,19 @@
+ msg(LOG_DEBUG, "tcpmux_handler", "Service name %s not found.",
+ svc_name);
+ }
++
++ /* If a service was not found, we should say so. */
++ if ( Swrite( descriptor, TCPMUX_NOT_FOUND, sizeof( TCPMUX_NOT_FOUND ) ) !=
++ sizeof ( TCPMUX_NOT_FOUND ) )
++ {
++ msg(LOG_ERR, "tcpmux_handler", "Not found write failed for %s.",
++ svc_name);
++ exit(0);
++ }
++
++ /* Flush and exit, nothing to do */
++ Sflush( descriptor );
++ Sclose( descriptor );
+ exit(0);
+ }
+
+--- xinetd-2.3.14/xinetd/service.h.old 2012-02-15 16:29:34.186942629 -0600
++++ xinetd-2.3.14/xinetd/service.h 2012-02-15 16:30:19.009446694 -0600
+@@ -114,2 +114,3 @@
+ #define TCPMUX_ACK "+Go\r\n"
++#define TCPMUX_NOT_FOUND "-Service name not found\r\n"
+ /*
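Review bot: The not-found reply added in the second builtins.c hunk is sized with `sizeof( TCPMUX_NOT_FOUND )`, which counts the string literal's terminating NUL, so a stray `\0` byte follows the `\r\n` on the wire. Using `sizeof( TCPMUX_NOT_FOUND ) - 1` on both sides of the comparison would send exactly the reply line. Separately, the re-enabled type check in the first hunk reports a rejected non-tcpmux service name only under `debug.on`, so in normal operation nothing records a client asking tcpmux for a service that is not flagged for it. Consider a rate-conscious `msg(LOG_NOTICE, "tcpmux_handler", ...)` outside the debug guard before the `continue`. tcpmux_handler begins and ends outside both hunks, and the existing `TCPMUX_ACK` write is not visible here, so it may share the same `sizeof` pattern and should be checked.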
diff --git a/xinetd.spec b/xinetd.spec
index 8a94d6c..c53f0e2 100644
--- a/xinetd.spec
+++ b/xinetd.spec
@@ -1,7 +1,7 @@
Summary: A secure replacement for inetd
Name: xinetd
Version: 2.3.14
-Release: 36%{?dist}
+Release: 37%{?dist}
License: xinetd
Group: System Environment/Daemons
Epoch: 2
@@ -43,6 +43,8 @@ Patch17: xinetd-2.3.13-log-crash.patch
Patch18: xinetd-2.3.14-rpc-specific-port.patch
Patch19: xinetd-2.3.14-signal-log-hang.patch
Patch20: xinetd-2.3.14-fix-type-punned-ptr.patch
+# CVE-2012-0862
+Patch21: xinetd-2.3.14-tcpmux-nonmux-security.patch
BuildRequires: autoconf, automake
BuildRequires: libselinux-devel >= 1.30
@@ -91,6 +93,7 @@ located in the /etc/xinetd.d directory.
%patch18 -p1 -b .rpc-specific-port
%patch19 -p1 -b .signal-log-hang
%patch20 -p1 -b .fix-type-punned-ptr
+%patch21 -p1 -b .tcpmux-security
aclocal
autoconf
@@ -152,6 +155,10 @@ fi
%{_mandir}/*/*
%changelog
+* Thu May 17 2012 Jan Synáček <jsynacek at redhat.com> - 2:2.3.14-37
+- Fix tcpmux security
+- Resolves: #820318 (CVE-2012-0862)
+
* Thu Apr 21 2011 Vojtech Vitek (V-Teq) <vvitek at redhat.com> - 2:2.3.14-36
- Fix build warning about "dereferencing type-punned pointer"
Related: #695674