[arch-commits] Commit in fish/trunk (4 files)
Bartłomiej Piotrowski
bpiotrowski at archlinux.org
Sat Sep 6 19:31:43 UTC 2014
Date: Saturday, September 6, 2014 @ 21:31:43
Author: bpiotrowski
Revision: 118487
upgpkg: fish 2.1.1-1
new upstream release
Modified:
fish/trunk/PKGBUILD
fish/trunk/fish.install
Deleted:
fish/trunk/CVE-2014-2905.patch
fish/trunk/CVE-2014-2906.patch
---------------------+
CVE-2014-2905.patch | 263 --------------------------------------------------
CVE-2014-2906.patch | 67 ------------
PKGBUILD | 24 +---
fish.install | 4
4 files changed, 14 insertions(+), 344 deletions(-)
Deleted: CVE-2014-2905.patch
===================================================================
--- CVE-2014-2905.patch 2014-09-06 18:51:33 UTC (rev 118486)
+++ CVE-2014-2905.patch 2014-09-06 19:31:43 UTC (rev 118487)
@@ -1,263 +0,0 @@
-From 8412c867a501e3a68e55fef6215e86d3ac9f617b Mon Sep 17 00:00:00 2001
-From: David Adam <zanchey at ucc.gu.uwa.edu.au>
-Date: Sun, 20 Apr 2014 17:51:27 +0800
-Subject: [PATCH] Check effective credentials of socket peers
-
-Fix for CVE-2014-2905.
-
-Code for getpeereid() on non-BSD systems imported from the PostgreSQL
-project under a BSD-style license.
----
- configure.ac | 4 +--
- doc_src/license.hdr | 30 +++++++++++++++++++-
- env_universal.cpp | 9 ++++++
- fallback.cpp | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
- fallback.h | 4 +++
- fishd.cpp | 9 +++++-
- osx/config.h | 6 ++++
- 7 files changed, 137 insertions(+), 5 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index ea7c592..bdfa5f0 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -557,7 +557,7 @@ LIBS=$LIBS_COMMON
- # Check presense of various header files
- #
-
--AC_CHECK_HEADERS([getopt.h termios.h sys/resource.h term.h ncurses/term.h ncurses.h curses.h stropts.h siginfo.h sys/select.h sys/ioctl.h execinfo.h spawn.h sys/sysctl.h])
-+AC_CHECK_HEADERS([getopt.h termios.h sys/resource.h term.h ncurses/term.h ncurses.h curses.h stropts.h siginfo.h sys/select.h sys/ioctl.h execinfo.h spawn.h sys/sysctl.h sys/un.h sys/ucred.h ucred.h ])
-
- if test x$local_gettext != xno; then
- AC_CHECK_HEADERS([libintl.h])
-@@ -698,7 +698,7 @@ fi
- AC_CHECK_FUNCS( wcsdup wcsndup wcslen wcscasecmp wcsncasecmp fwprintf )
- AC_CHECK_FUNCS( futimes wcwidth wcswidth wcstok fputwc fgetwc )
- AC_CHECK_FUNCS( wcstol wcslcat wcslcpy lrand48_r killpg )
--AC_CHECK_FUNCS( backtrace backtrace_symbols sysconf getifaddrs )
-+AC_CHECK_FUNCS( backtrace backtrace_symbols sysconf getifaddrs getpeerucred getpeereid )
-
- if test x$local_gettext != xno; then
- AC_CHECK_FUNCS( gettext dcgettext )
-diff --git a/doc_src/license.hdr b/doc_src/license.hdr
-index 64bab10..f292722 100644
---- a/doc_src/license.hdr
-+++ b/doc_src/license.hdr
-@@ -1400,6 +1400,34 @@ POSSIBILITY OF SUCH DAMAGES.
-
- <P>
-
--*/
-+<hr>
-+
-+<h2>License for getpeereid</h2>
-+
-+\c fish contains code imported from the PostgreSQL project under
-+license, namely the getpeereid fallback function. This code is copyrighted
-+by:
-+
-+Portions Copyright (c) 1996-2014, PostgreSQL Global Development Group
-+
-+Portions Copyright (c) 1994, The Regents of the University of California
-+
-+Permission to use, copy, modify, and distribute this software and its
-+documentation for any purpose, without fee, and without a written agreement
-+is hereby granted, provided that the above copyright notice and this
-+paragraph and the following two paragraphs appear in all copies.
-+
-+IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR
-+DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING
-+LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS
-+DOCUMENTATION, EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE
-+POSSIBILITY OF SUCH DAMAGE.
-+
-+THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES,
-+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-+AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS
-+ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS TO
-+PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
-
- \htmlonly </div> \endhtmlonly
-+*/
-diff --git a/env_universal.cpp b/env_universal.cpp
-index c7d060a..987f88b 100644
---- a/env_universal.cpp
-+++ b/env_universal.cpp
-@@ -88,6 +88,8 @@ static int try_get_socket_once(void)
-
- wdir = path;
- wuname = user;
-+ uid_t seuid;
-+ gid_t segid;
-
- if ((s = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
- {
-@@ -135,6 +137,13 @@ static int try_get_socket_once(void)
- return -1;
- }
-
-+ if ((getpeereid(s, &seuid, &segid) != 0) || seuid != geteuid())
-+ {
-+ debug(1, L"Wrong credentials for socket %s at fd %d", name.c_str(), s);
-+ close(s);
-+ return -1;
-+ }
-+
- if ((make_fd_nonblocking(s) != 0) || (fcntl(s, F_SETFD, FD_CLOEXEC) != 0))
- {
- wperror(L"fcntl");
-diff --git a/fallback.cpp b/fallback.cpp
-index 5e4b3e1..34db397 100644
---- a/fallback.cpp
-+++ b/fallback.cpp
-@@ -15,8 +15,9 @@
- #include <stdio.h>
- #include <unistd.h>
- #include <sys/types.h>
-+#include <sys/socket.h>
- #include <sys/stat.h>
--#include <unistd.h>
-+#include <sys/param.h>
- #include <errno.h>
- #include <fcntl.h>
- #include <wchar.h>
-@@ -1521,3 +1522,80 @@ static int mk_wcswidth(const wchar_t *pwcs, size_t n)
- }
-
- #endif // HAVE_BROKEN_WCWIDTH
-+
-+#ifndef HAVE_GETPEEREID
-+
-+/*-------------------------------------------------------------------------
-+ *
-+ * getpeereid.c
-+ * get peer userid for UNIX-domain socket connection
-+ *
-+ * Portions Copyright (c) 1996-2014, PostgreSQL Global Development Group
-+ *
-+ *
-+ * IDENTIFICATION
-+ * src/port/getpeereid.c
-+ *
-+ *-------------------------------------------------------------------------
-+ */
-+
-+#ifdef HAVE_SYS_UN_H
-+#include <sys/un.h>
-+#endif
-+#ifdef HAVE_UCRED_H
-+#include <ucred.h>
-+#endif
-+#ifdef HAVE_SYS_UCRED_H
-+#include <sys/ucred.h>
-+#endif
-+
-+/*
-+ * BSD-style getpeereid() for platforms that lack it.
-+ */
-+int getpeereid(int sock, uid_t *uid, gid_t *gid)
-+{
-+#if defined(SO_PEERCRED)
-+ /* Linux: use getsockopt(SO_PEERCRED) */
-+ struct ucred peercred;
-+ socklen_t so_len = sizeof(peercred);
-+
-+ if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &peercred, &so_len) != 0 ||
-+ so_len != sizeof(peercred))
-+ return -1;
-+ *uid = peercred.uid;
-+ *gid = peercred.gid;
-+ return 0;
-+#elif defined(LOCAL_PEERCRED)
-+ /* Debian with FreeBSD kernel: use getsockopt(LOCAL_PEERCRED) */
-+ struct xucred peercred;
-+ socklen_t * so_len = sizeof(peercred);
-+
-+ if (getsockopt(sock, 0, LOCAL_PEERCRED, &peercred, &so_len) != 0 ||
-+ so_len != sizeof(peercred) ||
-+ peercred.cr_version != XUCRED_VERSION)
-+ return -1;
-+ *uid = peercred.cr_uid;
-+ *gid = peercred.cr_gid;
-+ return 0;
-+#elif defined(HAVE_GETPEERUCRED)
-+ /* Solaris: use getpeerucred() */
-+ ucred_t *ucred;
-+
-+ ucred = NULL; /* must be initialized to NULL */
-+ if (getpeerucred(sock, &ucred) == -1)
-+ return -1;
-+
-+ *uid = ucred_geteuid(ucred);
-+ *gid = ucred_getegid(ucred);
-+ ucred_free(ucred);
-+
-+ if (*uid == (uid_t) (-1) || *gid == (gid_t) (-1))
-+ return -1;
-+ return 0;
-+#else
-+ /* No implementation available on this platform */
-+ errno = ENOSYS;
-+ return -1;
-+#endif
-+}
-+#endif // HAVE_GETPEEREID
-diff --git a/fallback.h b/fallback.h
-index eba91be..6898ea5 100644
---- a/fallback.h
-+++ b/fallback.h
-@@ -482,3 +482,7 @@ double nan(char *tagp);
-
-
- #endif
-+
-+#ifndef HAVE_GETPEEREID
-+int getpeereid(int sock, uid_t *uid, gid_t *gid);
-+#endif
-diff --git a/fishd.cpp b/fishd.cpp
-index edb79c2..1e09524 100644
---- a/fishd.cpp
-+++ b/fishd.cpp
-@@ -880,6 +880,8 @@ int main(int argc, char ** argv)
- int child_socket;
- struct sockaddr_un remote;
- socklen_t t;
-+ uid_t sock_euid;
-+ gid_t sock_egid;
- int max_fd;
- int update_count=0;
-
-@@ -1000,7 +1002,12 @@ int main(int argc, char ** argv)
- {
- debug(4, L"Connected with new child on fd %d", child_socket);
-
-- if (make_fd_nonblocking(child_socket) != 0)
-+ if (((getpeereid(child_socket, &sock_euid, &sock_egid) != 0) || sock_euid != geteuid()))
-+ {
-+ debug(1, L"Wrong credentials for child on fd %d", child_socket);
-+ close(child_socket);
-+ }
-+ else if (make_fd_nonblocking(child_socket) != 0)
- {
- wperror(L"fcntl");
- close(child_socket);
-diff --git a/osx/config.h b/osx/config.h
-index 4968a78..bc058ae 100644
---- a/osx/config.h
-+++ b/osx/config.h
-@@ -40,6 +40,12 @@
- /* Define to 1 if you have the <getopt.h> header file. */
- #define HAVE_GETOPT_H 1
-
-+/* Define to 1 if you have the `getpeereid' function. */
-+#define HAVE_GETPEEREID 1
-+
-+/* Define to 1 if you have the `getpeerucred' function. */
-+/* #undef HAVE_GETPEERUCRED */
-+
- /* Define to 1 if you have the `gettext' function. */
- /* #undef HAVE_GETTEXT */
-
---
-1.9.1
-
Deleted: CVE-2014-2906.patch
===================================================================
--- CVE-2014-2906.patch 2014-09-06 18:51:33 UTC (rev 118486)
+++ CVE-2014-2906.patch 2014-09-06 19:31:43 UTC (rev 118487)
@@ -1,67 +0,0 @@
-From c0989dce2d882c94eb3183e7b94402ba53534abb Mon Sep 17 00:00:00 2001
-From: David Adam <zanchey at ucc.gu.uwa.edu.au>
-Date: Sun, 20 Apr 2014 23:51:20 +0800
-Subject: [PATCH] use mktemp(1) to generate temporary file names
-
-Fix for CVE-2014-2906.
-
-Closes a race condition in funced which would allow execution of
-arbitrary code; closes a race condition in psub which would allow
-alternation of the data stream.
-
-Note that `psub -f` does not work (#1040); a fix should be committed
-separately for ease of maintenance.
----
- share/functions/funced.fish | 6 +-----
- share/functions/psub.fish | 11 +++--------
- 2 files changed, 4 insertions(+), 13 deletions(-)
-
-diff --git a/share/functions/funced.fish b/share/functions/funced.fish
-index 3c2de06..ca2e277 100644
---- a/share/functions/funced.fish
-+++ b/share/functions/funced.fish
-@@ -81,11 +81,7 @@ function funced --description 'Edit function definition'
- return 0
- end
-
-- set -q TMPDIR; or set -l TMPDIR /tmp
-- set -l tmpname (printf "$TMPDIR/fish_funced_%d_%d.fish" %self (random))
-- while test -f $tmpname
-- set tmpname (printf "$TMPDIR/fish_funced_%d_%d.fish" %self (random))
-- end
-+ set tmpname (mktemp -t fish_funced.XXXXXXXXXX)
-
- if functions -q -- $funcname
- functions -- $funcname > $tmpname
-diff --git a/share/functions/psub.fish b/share/functions/psub.fish
-index 42e34c7..7877aa4 100644
---- a/share/functions/psub.fish
-+++ b/share/functions/psub.fish
-@@ -45,21 +45,16 @@ function psub --description "Read from stdin into a file and output the filename
- return
- end
-
-- # Find unique file name for writing output to
-- while true
-- set filename /tmp/.psub.(echo %self).(random);
-- if not test -e $filename
-- break;
-- end
-- end
--
- if test use_fifo = 1
- # Write output to pipe. This needs to be done in the background so
- # that the command substitution exits without needing to wait for
- # all the commands to exit
-+ set dir (mktemp -d /tmp/.psub.XXXXXXXXXX); or return
-+ set filename $dir/psub.fifo
- mkfifo $filename
- cat >$filename &
- else
-+ set filename (mktemp /tmp/.psub.XXXXXXXXXX)
- cat >$filename
- end
-
---
-1.9.1
-
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2014-09-06 18:51:33 UTC (rev 118486)
+++ PKGBUILD 2014-09-06 19:31:43 UTC (rev 118487)
@@ -6,8 +6,8 @@
# Contributor: Jan Fader <jan.fader at web.de>
pkgname=fish
-pkgver=2.1.0
-pkgrel=4
+pkgver=2.1.1
+pkgrel=1
pkgdesc='Smart and user friendly shell intended mostly for interactive use'
arch=('i686' 'x86_64')
url='http://fishshell.com/'
@@ -14,23 +14,19 @@
license=('GPL2')
depends=('bc' 'gcc-libs' 'inetutils' 'ncurses' 'which')
optdepends=('python: for manual page completion parser and web configuration tool')
+makedepends=('doxygen')
install=fish.install
-source=(http://fishshell.com/files/$pkgver/fish-$pkgver.tar.gz
- CVE-2014-2905.patch
- CVE-2014-2906.patch)
-md5sums=('3a29aebde522b8f52d9975d7423db99e'
- '1e194b61bb7ec49e2e005383724037b7'
- 'cf0c216f528c9d9adac2aa5f8e9b716b')
+source=(https://github.com/fish-shell/fish-shell/archive/$pkgver.tar.gz)
+md5sums=('c4abceed44a2f0c133fdcaf12dd299c2')
prepare() {
- cd $pkgname-$pkgver
- patch -p1 -i ../CVE-2014-2905.patch
- patch -p1 -i ../CVE-2014-2906.patch
- autoconf -f
+ cd fish-shell-$pkgver
+ echo $pkgver > version
+ autoconf -i
}
build() {
- cd $pkgname-$pkgver
+ cd fish-shell-$pkgver
./configure --prefix=/usr \
--sysconfdir=/etc
make
@@ -37,5 +33,5 @@
}
package() {
- make -C $pkgname-$pkgver DESTDIR="$pkgdir" install
+ make -C fish-shell-$pkgver DESTDIR="$pkgdir" install
}
Modified: fish.install
===================================================================
--- fish.install 2014-09-06 18:51:33 UTC (rev 118486)
+++ fish.install 2014-09-06 19:31:43 UTC (rev 118487)
@@ -4,6 +4,10 @@
post_upgrade() {
post_install
+
+ if [[ "$(vercmp $2 2.1.1)" -lt 0 ]]; then
+ killall fishd || true
+ fi
}
pre_remove() {
More information about the arch-commits
mailing list