59ae241f71
* gnu/packages/web.scm (xinetd): New variable. * gnu/packages/patches/xinetd-CVE-2013-4342.patch, gnu/packages/patches/xinetd-fix-fd-leak.patch: New files. * gnu/local.mk (dist_patch_DATA): Add patches. Signed-off-by: Leo Famulari <leo@famulari.name>
36 lines
1.3 KiB
Diff
36 lines
1.3 KiB
Diff
Fix CVE-2013-4342:
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4342
|
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678
|
|
|
|
Patch copied from upstream source repository:
|
|
|
|
https://github.com/xinetd-org/xinetd/commit/91e2401a219121eae15244a6b25d2e79c1af5864
|
|
|
|
From 91e2401a219121eae15244a6b25d2e79c1af5864 Mon Sep 17 00:00:00 2001
|
|
From: Thomas Swan <thomas.swan@gmail.com>
|
|
Date: Wed, 2 Oct 2013 23:17:17 -0500
|
|
Subject: [PATCH] CVE-2013-4342: xinetd: ignores user and group directives for
|
|
TCPMUX services
|
|
|
|
Originally reported to Debian in 2005 <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678> and rediscovered <https://bugzilla.redhat.com/show_bug.cgi?id=1006100>, xinetd would execute TCPMUX services without dropping privilege to match the service configuration allowing the service to run with same privilege as the xinetd process (root).
|
|
---
|
|
xinetd/builtins.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/xinetd/builtins.c b/xinetd/builtins.c
|
|
index 3b85579..34a5bac 100644
|
|
--- a/xinetd/builtins.c
|
|
+++ b/xinetd/builtins.c
|
|
@@ -617,7 +617,7 @@ static void tcpmux_handler( const struct server *serp )
|
|
if( SC_IS_INTERNAL( scp ) ) {
|
|
SC_INTERNAL(scp, nserp);
|
|
} else {
|
|
- exec_server(nserp);
|
|
+ child_process(nserp);
|
|
}
|
|
}
|
|
|
|
--
|
|
2.7.4
|
|
|