Your message dated Wed, 02 Jun 2010 11:17:37 +0000
with message-id <[email protected]>
and subject line Bug#582334: fixed in tacacs+ 4.0.4.19-8
has caused the Debian Bug report #582334,
regarding tacacs+ uses obsolete gethostbyname()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
582334: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=582334
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tacacs+
Version: 4.0.4.19-7
Severity: wishlist
Tags: ipv6 patch

Hello,
  While looking at the source code of tacacs+ I noticed that it uses
gethostbyname().  This has two problems:
  * It's an obsolete call, see gethostbyname()
  * Depending on the libc6, you may get IPv6 addresses returned which
    will mean you will try to wedge an IPv6 address into an IPv4 sockaddr
    and you end up with a horrible mess.

See http://lists.debian.org/debian-ipv6/2010/05/msg00000.html for some
discussion about this.

The attached patch uses getaddrinfo() and fixes it to IPv4 addresses
only.  It could probably work with IPv6 too with some more checking.

 - Craig


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages tacacs+ depends on:
ii  adduser                       3.112      add and remove users and groups
ii  libc6                         2.10.2-8   Embedded GNU C Library: Shared lib
ii  libpam0g                      1.1.1-3    Pluggable Authentication Modules l
ii  libtacacs+1                   4.0.4.19-7 TACACS+ authentication daemon
ii  libwrap0                      7.6.q-18   Wietse Venema's TCP wrappers libra
ii  python                        2.5.4-9    An interactive high-level object-o

tacacs+ recommends no packages.

tacacs+ suggests no packages.

-- Configuration Files:
/etc/tacacs+/tac_plus.conf [Errno 13] Permission denied: u'/etc/tacacs+/tac_plus.conf'

-- no debconf information
#! /bin/sh /usr/share/dpatch/dpatch-run
## gethostbyname.dpatch by  <[email protected]>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: uses getaddrinfo instead of gethostbyname

@DPATCH@
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' tacacs+-4.0.4.19~/maxsess.c tacacs+-4.0.4.19/maxsess.c
--- tacacs+-4.0.4.19~/maxsess.c	2010-05-20 11:18:17.000000000 +1000
+++ tacacs+-4.0.4.19/maxsess.c	2010-05-20 11:18:50.000000000 +1000
@@ -351,39 +351,22 @@
 static int
 ckfinger(char *user, char *nas, struct identity *idp)
 {
-    struct sockaddr_in sin;
-    struct servent *serv;
-    int count, s, bufsize;
+    struct addrinfo hints, *res;
+    int count, s, bufsize, errcode;
     char *buf, *p, *pn;
     int incr = 4096, slop = 32;
-    u_long inaddr;
     char *curport = portname(idp->NAS_port);
     char *name;
 
-    /* The finger service, aka port 79 */
-    serv = getservbyname("finger", "tcp");
-    if (serv) {
-	sin.sin_port = serv->s_port;
-    } else {
-	sin.sin_port = 79;
-    }
 
-    /* Get IP addr for the NAS */
-    inaddr = inet_addr(nas);
-    if (inaddr != -1) {
-	/* A dotted decimal address */
-	memcpy(&sin.sin_addr, &inaddr, sizeof(inaddr));
-	sin.sin_family = AF_INET;
-    } else {
-	struct hostent *host = gethostbyname(nas);
+    memset(&hints, 0, sizeof(struct addrinfo));
+    hints.ai_family = AF_INET; /* IPv4 only until all code is checked */
+    hints.ai_socktype = SOCK_STREAM;
 
-	if (host == NULL) {
-	    report(LOG_ERR, "ckfinger: gethostbyname %s failure: %s",
-		   nas, strerror(errno));
+    if ( (errcode = getaddrinfo(nas, "finger", &hints, &res)) != 0) {
+	    report(LOG_ERR, "ckfinger: getaddrinfo %s failure: %s",
+		   nas, gai_strerror(errcode));
 	    return(0);
-	}
-	memcpy(&sin.sin_addr, host->h_addr, host->h_length);
-	sin.sin_family = host->h_addrtype;
     }
 
     s = socket(AF_INET, SOCK_STREAM, 0);
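Review bot: the getaddrinfo(nas, "finger", &hints, &res) call loses the fallback that the removed code had for a host with no "finger" entry in its services database (the old else branch set sin.sin_port = 79). With this hunk such a host gets EAI_SERVICE, the error is logged as a failure for the NAS name, and ckfinger returns 0 for every NAS. Suggest retrying with the numeric string "79" when errcode is EAI_SERVICE. The retained report(...) and return(0) lines also keep the indentation of the removed inner block, so they read as nested one level deeper than the new if; reindent them. The unchanged socket(AF_INET, SOCK_STREAM, 0) call matches the AF_INET hint today, but it will need to use res->ai_family before the hint can be relaxed.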
@@ -391,11 +374,19 @@
 	report(LOG_ERR, "ckfinger: socket: %s", strerror(errno));
 	return(0);
     }
-    if (connect(s, (struct sockaddr *) & sin, sizeof(sin)) < 0) {
+    errcode=-1;
+    while (res) {
+        if ( (errcode = connect(s,res->ai_addr,res->ai_addrlen)) == 0)
+          break;
+        res = res->ai_next;
+    }
+    freeaddrinfo(res);
+    if (errcode != 0) {
 	report(LOG_ERR, "ckfinger: connect failure %s", strerror(errno));
 	close(s);
 	return(0);
     }
+
     /* Read in the finger output into a single flat buffer */
     buf = NULL;
     bufsize = 0;
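Review bot: freeaddrinfo(res) after the while loop receives the loop cursor, not the list that getaddrinfo() returned. If connect() succeeds on a later entry, the entries before it are leaked; if every connect() fails, res is NULL by then, so nothing is freed and the call relies on freeaddrinfo(NULL), which POSIX does not define. Keep the returned pointer in its own variable, walk the list with a separate cursor, and free the original. The early return(0) after the socket() failure at the top of this hunk also returns without freeing res. Separately, the loop retries connect() on the same socket s after a failure; POSIX leaves the socket state unspecified in that case, so close s and create a new socket for each entry.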

--- End Message ---
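The report above notes that the lookup "could probably work with IPv6 too with some more checking". The following is an added example, not part of the original message or of tacacs+, that goes one step beyond the attached patch: a family-agnostic getaddrinfo() connect loop that creates each socket in the family of the address being tried, falls back to a numeric port when the service name is unknown, and frees the result list from its head. The helper name `connect_tcp` and its `fallback_port` and `gai_err` parameters are hypothetical.

```c
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper, not tacacs+ code. Returns a connected fd, or -1 with
 * *gai_err holding the getaddrinfo() error (0 if only connect() failed). */
int connect_tcp(const char *host, const char *service,
                const char *fallback_port, int *gai_err)
{
    struct addrinfo hints, *head = NULL, *ai;
    int fd = -1;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;        /* take IPv4 and IPv6 results */
    hints.ai_socktype = SOCK_STREAM;
    *gai_err = getaddrinfo(host, service, &hints, &head);
    if (*gai_err == EAI_SERVICE && fallback_port != NULL) {
        /* Name missing from the services database: use the number. */
        hints.ai_flags = AI_NUMERICSERV;
        *gai_err = getaddrinfo(host, fallback_port, &hints, &head);
    }
    if (*gai_err != 0)
        return -1;
    for (ai = head; ai != NULL; ai = ai->ai_next) {
        /* One socket per candidate, in that candidate's own family. */
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0)
            continue;
        if (connect(fd, ai->ai_addr, ai->ai_addrlen) == 0)
            break;                      /* connected */
        close(fd);                      /* fresh socket for the next try */
        fd = -1;
    }
    freeaddrinfo(head);                 /* head of the list, not the cursor */
    return fd;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "127.0.0.1";
    int err, fd = connect_tcp(host, "finger", "79", &err);
    if (fd < 0)
        printf("no connection: %s\n", err ? gai_strerror(err) : "connect failed");
    else
        close(fd);
    return 0;
}
```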
--- Begin Message ---
Source: tacacs+
Source-Version: 4.0.4.19-8

We believe that the bug you reported is fixed in the latest version of
tacacs+, which is due to be installed in the Debian FTP archive:

libtacacs+1-dev_4.0.4.19-8_all.deb
  to main/t/tacacs+/libtacacs+1-dev_4.0.4.19-8_all.deb
libtacacs+1_4.0.4.19-8_amd64.deb
  to main/t/tacacs+/libtacacs+1_4.0.4.19-8_amd64.deb
tacacs+_4.0.4.19-8.diff.gz
  to main/t/tacacs+/tacacs+_4.0.4.19-8.diff.gz
tacacs+_4.0.4.19-8.dsc
  to main/t/tacacs+/tacacs+_4.0.4.19-8.dsc
tacacs+_4.0.4.19-8_amd64.deb
  to main/t/tacacs+/tacacs+_4.0.4.19-8_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Henry-Nicolas Tourneur <[email protected]> (supplier of updated tacacs+ 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 23 May 2010 11:46:24 +0100
Source: tacacs+
Binary: tacacs+ libtacacs+1 libtacacs+1-dev
Architecture: source amd64 all
Version: 4.0.4.19-8
Distribution: unstable
Urgency: low
Maintainer: Henry-Nicolas Tourneur <[email protected]>
Changed-By: Henry-Nicolas Tourneur <[email protected]>
Description: 
 libtacacs+1 - TACACS+ authentication daemon
 libtacacs+1-dev - TACACS+ authentication daemon
 tacacs+    - TACACS+ authentication daemon
Closes: 582334
Changes: 
 tacacs+ (4.0.4.19-8) unstable; urgency=low
 .
   * Closes: #582334 (replace gethostbyname() with getaddrinfo())

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFMBitjx2zlrBLK36URAhBNAKCRzz1ziNHv5UZtz0U5kQU/cJmteQCdFP23
iDLfrhuvm74LqgkjD/+CefE=
=ITLi
-----END PGP SIGNATURE-----



--- End Message ---
