Fri Jan 29 07:53:39 2021 UTC ()
opendoas: Apply patch for CVE-2019-25016.
Patch from __skn on IRC. Thanks! Bump PKGREVISION.
(jperkin)
diff -r1.1 -r1.2 pkgsrc/security/opendoas/Makefile
diff -r1.1 -r1.2 pkgsrc/security/opendoas/distinfo
diff -r0 -r1.1 pkgsrc/security/opendoas/patches/patch-doas.c
--- pkgsrc/security/opendoas/Makefile 2021/01/01 14:28:56 1.1
+++ pkgsrc/security/opendoas/Makefile 2021/01/29 07:53:38 1.2
| @@ -1,16 +1,17 @@ | | | @@ -1,16 +1,17 @@ |
| 1 | # $NetBSD: Makefile,v 1.1 2021/01/01 14:28:56 pin Exp $ | | 1 | # $NetBSD: Makefile,v 1.2 2021/01/29 07:53:38 jperkin Exp $ |
| 2 | | | 2 | |
| 3 | DISTNAME= opendoas-6.8 | | 3 | DISTNAME= opendoas-6.8 |
| | | 4 | PKGREVISION= 1 |
| 4 | CATEGORIES= security | | 5 | CATEGORIES= security |
| 5 | MASTER_SITES= ${MASTER_SITE_GITHUB:=duncaen/} | | 6 | MASTER_SITES= ${MASTER_SITE_GITHUB:=duncaen/} |
| 6 | GITHUB_TAG= v${PKGVERSION_NOREV} | | 7 | GITHUB_TAG= v${PKGVERSION_NOREV} |
| 7 | | | 8 | |
| 8 | MAINTAINER= sunil@nimmagadda.net | | 9 | MAINTAINER= sunil@nimmagadda.net |
| 9 | HOMEPAGE= https://github.com/duncaen/opendoas | | 10 | HOMEPAGE= https://github.com/duncaen/opendoas |
| 10 | COMMENT= Execute commands as another user | | 11 | COMMENT= Execute commands as another user |
| 11 | LICENSE= isc | | 12 | LICENSE= isc |
| 12 | | | 13 | |
| 13 | CONFLICTS= doas-[0-9]* | | 14 | CONFLICTS= doas-[0-9]* |
| 14 | | | 15 | |
| 15 | WRKSRC= ${WRKDIR}/OpenDoas-${PKGVERSION_NOREV} | | 16 | WRKSRC= ${WRKDIR}/OpenDoas-${PKGVERSION_NOREV} |
| 16 | | | 17 | |
--- pkgsrc/security/opendoas/distinfo 2021/01/01 14:28:56 1.1
+++ pkgsrc/security/opendoas/distinfo 2021/01/29 07:53:38 1.2
| @@ -1,7 +1,8 @@ | | | @@ -1,7 +1,8 @@ |
| 1 | $NetBSD: distinfo,v 1.1 2021/01/01 14:28:56 pin Exp $ | | 1 | $NetBSD: distinfo,v 1.2 2021/01/29 07:53:38 jperkin Exp $ |
| 2 | | | 2 | |
| 3 | SHA1 (opendoas-6.8.tar.gz) = 11963ee647b7166972512740bc7f648c8aa1272f | | 3 | SHA1 (opendoas-6.8.tar.gz) = 11963ee647b7166972512740bc7f648c8aa1272f |
| 4 | RMD160 (opendoas-6.8.tar.gz) = 56f9c02d81f6ad9925323f1b44d7f7087f1108f0 | | 4 | RMD160 (opendoas-6.8.tar.gz) = 56f9c02d81f6ad9925323f1b44d7f7087f1108f0 |
| 5 | SHA512 (opendoas-6.8.tar.gz) = 4a57079bba353247e645bc07a5d4e78fd01471d193e83751fd87b72cffa4e152c0f7ea172563f767a7193b14489f57bc066b4fee50842d30b5b7f7ce918434bb | | 5 | SHA512 (opendoas-6.8.tar.gz) = 4a57079bba353247e645bc07a5d4e78fd01471d193e83751fd87b72cffa4e152c0f7ea172563f767a7193b14489f57bc066b4fee50842d30b5b7f7ce918434bb |
| 6 | Size (opendoas-6.8.tar.gz) = 32307 bytes | | 6 | Size (opendoas-6.8.tar.gz) = 32307 bytes |
| 7 | SHA1 (patch-GNUmakefile) = d301c0334ce6ac7992d61681e1852a301557d300 | | 7 | SHA1 (patch-GNUmakefile) = d301c0334ce6ac7992d61681e1852a301557d300 |
| | | 8 | SHA1 (patch-doas.c) = 3c4e734e3c8f7bf38e2a58ddb1ba4e1eefe99087 |
$NetBSD: patch-doas.c,v 1.1 2021/01/29 07:53:38 jperkin Exp $
Fix for CVE-2019-25016 (Unsafe, incomplete PATH reset).
--- doas.c.orig 2020-11-14 15:44:04.000000000 +0000
+++ doas.c
@@ -386,6 +386,7 @@ main(int argc, char **argv)
#ifdef HAVE_LOGIN_CAP_H
if (setusercontext(NULL, targpw, target, LOGIN_SETGROUP |
+ LOGIN_SETPATH |
LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
LOGIN_SETUSER) != 0)
errx(1, "failed to set user context for target");
@@ -396,6 +397,8 @@ main(int argc, char **argv)
err(1, "initgroups");
if (setresuid(target, target, target) != 0)
err(1, "setresuid");
+ if (setenv("PATH", safepath, 1) == -1)
+ err(1, "failed to set PATH '%s'", safepath);
#endif
if (getcwd(cwdpath, sizeof(cwdpath)) == NULL)