Wed Apr 24 09:40:38 2013 UTC ()
Update to 3.01a14:

All:

-	Fixed a typo in include/schily/stat.h related to nanosecond
	handling for NetBSD and OpenBSD

-	New autoconf tests for sys/capability.h and cap_*() functions
	from Linux -lcap

	WARNING: If you do not see this:

		checking for cap_get_proc in -lcap... yes
		checking for cap_get_proc... yes
		checking for cap_set_proc... yes
		checking for cap_set_flag... yes
		checking for cap_clear_flag... yes

	your Linux installation is insecure in case you ever use the
	command "setcap" to set up file capabilities for executable commands.

	Note that cdrtools (as any other command) need to be capabylity aware
	in order to avoid security leaks with enhanced privileges. In most
	cases, privileges are only needed for a very limited set of operations.
	If cdrtools (cdrecord, cdda2wav, readcd) are installed suid-root, the
	functions to control privileges are in the basic set of supported
	functions and thus there is no problem for any program to control it's
	privileges - if they have been obtained via suid root, you are on a
	secure system.

	If you are however on an incomplete installation, that supports to
	raise privileges via fcaps but that does not include developer support
	for caps, the programs get the privileges without being able to know
	about the additional privileges and thus keep them because they cannot
	control them.

	WARNING: If you are on a Linux system that includes support for
	fcaps (this is seems to be true for all newer systems with
	Linux >= 2.6.24) and there is no development support for capabilities
	in the base system, you are on an inherently insecure system that allows
	to compile and set up programs with enhanced privileges that cannot
	control them.

	In such a case, try to educate the security manager for the related
	Linux distribution. Note that you may turn your private installation
	into a secure installation by installing development support for libcap.

-	The autofconf tests for broken Linux kernel headers now avoid to
	warn for /usr/src/linux/include if this directory is missing.

-	include/schily/priv.h now includes sys/capabilitiy.h if available.

Libscg:

-	Trying to support suid-root-less installation of librscg users on Linux.
	librscg now understands that a non-root program may be able to
	create sockets for a privileged port.

Cdrecord:

-	Trying to support suid-root-less installation of cdrecord on Linux.
	NOTE: You need "file caps" support built into your Linux installation.

	Call:

		setcap cap_sys_resource,cap_dac_override,cap_sys_admin,cap_sys_nice,cap_net_bind_service,cap_ipc_lock,cap_sys_rawio+ep /opt/schily/bin/cdrecord
	To set up the capabilities on Linux.

Cdda2wav (Maintained/enhanced by J�rg Schilling, originated by Heiko Ei゚feldt heiko@hexco.de):

-	Trying to support suid-root-less installation of cdda2wav on Linux.
	NOTE: You need "file caps" support built into your Linux installation.

	Call:

		setcap cap_dac_override,cap_sys_admin,cap_sys_nice,cap_net_bind_service,cap_sys_rawio+ep /opt/schily/bin/cdda2wav
	To set up the capabilities on Linux.

Readcd:

-	Trying to support suid-root-less installation of readcd on Linux.
	NOTE: You need "file caps" support built into your Linux installation.

	Call:

		setcap cap_dac_override,cap_sys_admin,cap_net_bind_service,cap_sys_rawio+ep /opt/schily/bin/readcd
	To set up the capabilities on Linux.

Scgcheck:

-	Link now against $(LIB_CAP) also as librscg needs it on Linux

Scgskeleton:

-	Link now against $(LIB_CAP) also as librscg needs it on Linux

Btcflash:

-	Link now against $(LIB_CAP) also as librscg needs it on Linux

Mkisofs (Maintained/enhanced by J�rg Schilling since 1997, originated by Eric Youngdale):

-	-new-dir-mode now just superseeds the effect of -dir-mode on
	directories that have been "invented" by mkisofs.
	This is a more intuitive behavior.

-	Link now against $(LIB_CAP) also as librscg needs it on Linux


(wiz)
diff -r1.94 -r1.95 pkgsrc/sysutils/cdrtools/Makefile
diff -r1.72 -r1.73 pkgsrc/sysutils/cdrtools/distinfo
diff -r1.1 -r0 pkgsrc/sysutils/cdrtools/patches/patch-include_schily_stat.h
cvs diff -r1.94 -r1.95 pkgsrc/sysutils/cdrtools/Makefile (expand / switch to context diff)
--- pkgsrc/sysutils/cdrtools/Makefile 2013/02/27 08:40:37 1.94
+++ pkgsrc/sysutils/cdrtools/Makefile 2013/04/24 09:40:38 1.95
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.94 2013/02/27 08:40:37 wiz Exp $
+# $NetBSD: Makefile,v 1.95 2013/04/24 09:40:38 wiz Exp $
 
-DISTNAME=	cdrtools-3.01a13
+DISTNAME=	cdrtools-3.01a14
 PKGNAME=	${DISTNAME:S/a/alpha/:S/-pre/pre/}
 CATEGORIES=	sysutils
 #MASTER_SITES=	ftp://ftp.berlios.de/pub/cdrecord/ \
cvs diff -r1.72 -r1.73 pkgsrc/sysutils/cdrtools/distinfo (expand / switch to context diff)
--- pkgsrc/sysutils/cdrtools/distinfo 2013/02/27 08:40:37 1.72
+++ pkgsrc/sysutils/cdrtools/distinfo 2013/04/24 09:40:38 1.73
@@ -1,7 +1,6 @@
-$NetBSD: distinfo,v 1.72 2013/02/27 08:40:37 wiz Exp $
+$NetBSD: distinfo,v 1.73 2013/04/24 09:40:38 wiz Exp $
 
-SHA1 (cdrtools-3.01a13.tar.bz2) = 0b65c16e0e18f6b16ab2d8daa0b0c39e0c8a2b1d
-RMD160 (cdrtools-3.01a13.tar.bz2) = d5a5dfa57a5aa48d1ebc204f6dedba1d0745eab4
-Size (cdrtools-3.01a13.tar.bz2) = 2053012 bytes
+SHA1 (cdrtools-3.01a14.tar.bz2) = 6ca420d07e34e2d1546671d1d8e62cec309d01f1
+RMD160 (cdrtools-3.01a14.tar.bz2) = b310cc346ff80244c24f974f15446135a20c3e3d
+Size (cdrtools-3.01a14.tar.bz2) = 2055811 bytes
 SHA1 (patch-include_schily_sha2.h) = dab2dd40b20a37f1f2ff8cbd64f8361e800e1753
-SHA1 (patch-include_schily_stat.h) = cb5a1af437a62413da020e7f5962edc845310907
File Deleted: pkgsrc/sysutils/cdrtools/patches/Attic/patch-include_schily_stat.h