commit libcap for openSUSE:11.4
Hello community, here is the log from the commit of package libcap for openSUSE:11.4 checked in at Fri Nov 4 15:10:15 CET 2011. --- old-versions/11.4/all/libcap/libcap.changes 2010-12-02 15:48:24.0 +0100 +++ 11.4/libcap/libcap.changes 2011-11-02 11:41:47.0 +0100 @@ -1,0 +2,6 @@ +Wed Nov 2 11:41:28 CET 2011 - ti...@suse.de + +- Fix VUL-0: libcap2: capsh does not chdir after chroot + (CVE-2011-4099, bnc#727715) + +--- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/libcap Destination is old-versions/11.4/UPDATES/all/libcap calling whatdependson for 11.4-i586 New: libcap-CVE-2011-4099.diff Other differences: -- ++ libcap.spec ++ --- /var/tmp/diff_new_pack.WI2pTp/_old 2011-11-04 15:08:38.0 +0100 +++ /var/tmp/diff_new_pack.WI2pTp/_new 2011-11-04 15:08:38.0 +0100 @@ -1,5 +1,5 @@ # -# spec file for package libcap (Version 2.19) +# spec file for package libcap # # Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -24,9 +24,10 @@ AutoReqProv:on Summary:Library for Capabilities (linux-privs) Support Version:2.19 -Release:1 +Release:9. Source: ftp://ftp.de.kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-%{version}.tar.bz2 Source2:baselibs.conf +Patch: libcap-CVE-2011-4099.diff #URL: http://www.kernel.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: libattr-devel @@ -91,6 +92,7 @@ %prep %setup -q +%patch -p1 %build # lib=%{_lib} make %{?_smp_mflags} COPTFLAG="$RPM_OPT_FLAGS" ++ libcap-CVE-2011-4099.diff ++ >From af725c50c2930485947bd958dbdf984faf8fc1ba Mon Sep 17 00:00:00 2001 From: "Andrew G. Morgan" Date: Sun, 24 Jul 2011 19:17:25 -0700 Subject: [PATCH] Change directory to "/" after --chroot operation. Thanks to Steve Grubb for suggesting this. He wrote: = I was reviewing something recently and discovered a problem in capsh. The capsh program has a --chroot command line option. Inspecting the code shows that it does not do a chdir("/") after calling chroot. This means that '.' is outside the chroot. Additional info: http://cwe.mitre.org/data/definitions/243.html = Signed-off-by: Andrew G. Morgan --- progs/capsh.c |8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/progs/capsh.c +++ b/progs/capsh.c @@ -243,10 +243,16 @@ perror("unable to lower CAP_SYS_CHROOT"); exit(1); } + /* +* Given we are now in a new directory tree, its good practice +* to start off in a sane location +*/ + status = chdir("/"); + cap_free(orig); if (status != 0) { - fprintf(stderr, "Unable to chroot to [%s]", argv[i]+9); + fprintf(stderr, "Unable to chroot/chdir to [%s]", argv[i]+9); exit(1); } } else if (!memcmp("--secbits=", argv[i], 10)) { continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit empathy for openSUSE:11.4
Hello community, here is the log from the commit of package empathy for openSUSE:11.4 checked in at Fri Nov 4 15:08:27 CET 2011. --- old-versions/11.4/UPDATES/all/empathy/empathy.changes 2011-10-28 10:42:24.0 +0200 +++ 11.4/empathy/empathy.changes2011-11-01 05:27:41.0 +0100 @@ -1,0 +2,6 @@ +Tue Nov 1 04:23:29 UTC 2011 - sree...@suse.com + +- Update empathy-cve-2011-3635.patch to use escaped name + everywhere in theme_adium_append_message + +--- calling whatdependson for 11.4-i586 Other differences: -- ++ empathy.spec ++ --- /var/tmp/diff_new_pack.OTjHOE/_old 2011-11-04 15:05:49.0 +0100 +++ /var/tmp/diff_new_pack.OTjHOE/_new 2011-11-04 15:05:49.0 +0100 @@ -19,7 +19,7 @@ Name: empathy Version:2.32.2 -Release:7. +Release:7. License:GPLv2+ Summary:Instant Messenger Client for GNOME, based on Telepathy Url:http://live.gnome.org/Empathy ++ empathy-cve-2011-3635.patch ++ --- /var/tmp/diff_new_pack.OTjHOE/_old 2011-11-04 15:05:49.0 +0100 +++ /var/tmp/diff_new_pack.OTjHOE/_new 2011-11-04 15:05:49.0 +0100 @@ -11,19 +11,31 @@ const gchar *body; const gchar *name; const gchar *contact_id; -@@ -599,8 +599,10 @@ theme_adium_append_message (EmpathyChatV - } +@@ -469,12 +469,13 @@ theme_adium_append_message (EmpathyChatV + body_escaped = theme_adium_parse_body (body); + name = empathy_contact_get_alias (sender); + contact_id = empathy_contact_get_id (sender); ++ name_escaped = g_markup_escape_text (name, -1); + + /* If this is a /me, append an event */ + if (empathy_message_get_tptype (msg) == TP_CHANNEL_TEXT_MESSAGE_TYPE_ACTION) { + gchar *str; + +- str = g_strdup_printf ("%s %s", name, body_escaped); ++ str = g_strdup_printf ("%s %s", name_escaped, body_escaped); + theme_adium_append_event_escaped (view, str); + + g_free (str); +@@ -600,7 +601,7 @@ theme_adium_append_message (EmpathyChatV if (html != NULL) { -+ name_escaped = g_markup_escape_text (name, -1); -+ theme_adium_append_html (theme, func, html, len, body_escaped, - avatar_filename, name, contact_id, + avatar_filename, name_escaped, contact_id, service_name, message_classes->str, timestamp, is_backlog); } else { -@@ -616,6 +618,7 @@ theme_adium_append_message (EmpathyChatV +@@ -616,6 +617,7 @@ theme_adium_append_message (EmpathyChatV priv->last_is_backlog = is_backlog; g_free (body_escaped); continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit libcap for openSUSE:11.3
Hello community, here is the log from the commit of package libcap for openSUSE:11.3 checked in at Fri Nov 4 15:05:40 CET 2011. --- old-versions/11.3/all/libcap/libcap.changes 2010-06-09 11:22:55.0 +0200 +++ 11.3/libcap/libcap.changes 2011-11-02 11:40:54.0 +0100 @@ -1,0 +2,6 @@ +Wed Nov 2 11:40:32 CET 2011 - ti...@suse.de + +- Fix VUL-0: libcap2: capsh does not chdir after chroot + (CVE-2011-4099, bnc#727715) + +--- Package does not exist at destination yet. Using Fallback old-versions/11.3/all/libcap Destination is old-versions/11.3/UPDATES/all/libcap calling whatdependson for 11.3-i586 New: libcap-CVE-2011-4099.diff Other differences: -- ++ libcap.spec ++ --- /var/tmp/diff_new_pack.DZLrLN/_old 2011-11-04 15:02:46.0 +0100 +++ /var/tmp/diff_new_pack.DZLrLN/_new 2011-11-04 15:02:46.0 +0100 @@ -1,7 +1,7 @@ # -# spec file for package libcap (Version 2.16) +# spec file for package libcap # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,10 +24,11 @@ AutoReqProv:on Summary:Library for Capabilities (linux-privs) Support Version:2.16 -Release:5 +Release:10. Source: ftp://ftp.de.kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-%{version}.tar.bz2 Source2:baselibs.conf Patch: libcap-u64-typedef-fix.diff +Patch1: libcap-CVE-2011-4099.diff #URL: http://www.kernel.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: libattr-devel @@ -93,6 +94,7 @@ %prep %setup -q %patch -p1 +%patch1 -p1 %build # lib=%{_lib} make %{?jobs:-j %jobs} COPTFLAG="$RPM_OPT_FLAGS" ++ libcap-CVE-2011-4099.diff ++ >From af725c50c2930485947bd958dbdf984faf8fc1ba Mon Sep 17 00:00:00 2001 From: "Andrew G. Morgan" Date: Sun, 24 Jul 2011 19:17:25 -0700 Subject: [PATCH] Change directory to "/" after --chroot operation. Thanks to Steve Grubb for suggesting this. He wrote: = I was reviewing something recently and discovered a problem in capsh. The capsh program has a --chroot command line option. Inspecting the code shows that it does not do a chdir("/") after calling chroot. This means that '.' is outside the chroot. Additional info: http://cwe.mitre.org/data/definitions/243.html = Signed-off-by: Andrew G. Morgan --- progs/capsh.c |8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/progs/capsh.c +++ b/progs/capsh.c @@ -243,10 +243,16 @@ perror("unable to lower CAP_SYS_CHROOT"); exit(1); } + /* +* Given we are now in a new directory tree, its good practice +* to start off in a sane location +*/ + status = chdir("/"); + cap_free(orig); if (status != 0) { - fprintf(stderr, "Unable to chroot to [%s]", argv[i]+9); + fprintf(stderr, "Unable to chroot/chdir to [%s]", argv[i]+9); exit(1); } } else if (!memcmp("--secbits=", argv[i], 10)) { continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit empathy for openSUSE:11.3
Hello community, here is the log from the commit of package empathy for openSUSE:11.3 checked in at Fri Nov 4 15:02:32 CET 2011. --- old-versions/11.3/UPDATES/all/empathy/empathy.changes 2011-10-28 10:38:20.0 +0200 +++ 11.3/empathy/empathy.changes2011-11-01 05:23:09.0 +0100 @@ -1,0 +2,6 @@ +Tue Nov 1 04:09:49 UTC 2011 - sree...@suse.com + +- Update empathy-cve-2011-3635.patch to use escaped name + everywhere in theme_adium_append_message + +--- calling whatdependson for 11.3-i586 Other differences: -- ++ empathy.spec ++ --- /var/tmp/diff_new_pack.djzMbx/_old 2011-11-04 15:01:24.0 +0100 +++ /var/tmp/diff_new_pack.djzMbx/_new 2011-11-04 15:01:24.0 +0100 @@ -21,7 +21,7 @@ Name: empathy Url:http://live.gnome.org/Empathy Version:2.30.1 -Release:3. +Release:3. # FIXME: 2.29.3 fails a parallel build, but a newer tarball should work since the bug got fixed in gnome-doc-utils License:GPLv2+ Summary:Instant Messenger Client for GNOME, based on Telepathy ++ empathy-cve-2011-3635.patch ++ --- /var/tmp/diff_new_pack.djzMbx/_old 2011-11-04 15:01:24.0 +0100 +++ /var/tmp/diff_new_pack.djzMbx/_new 2011-11-04 15:01:24.0 +0100 @@ -11,19 +11,31 @@ const gchar *body; const gchar *name; const gchar *contact_id; -@@ -594,8 +594,10 @@ theme_adium_append_message (EmpathyChatV - } +@@ -464,12 +464,13 @@ theme_adium_append_message (EmpathyChatV + body_escaped = theme_adium_parse_body (body); + name = empathy_contact_get_name (sender); + contact_id = empathy_contact_get_id (sender); ++ name_escaped = g_markup_escape_text (name, -1); + + /* If this is a /me, append an event */ + if (empathy_message_get_tptype (msg) == TP_CHANNEL_TEXT_MESSAGE_TYPE_ACTION) { + gchar *str; + +- str = g_strdup_printf ("%s %s", name, body_escaped); ++ str = g_strdup_printf ("%s %s", name_escaped, body_escaped); + theme_adium_append_event_escaped (view, str); + + g_free (str); +@@ -595,7 +596,7 @@ theme_adium_append_message (EmpathyChatV if (html != NULL) { -+ name_escaped = g_markup_escape_text (name, -1); -+ theme_adium_append_html (theme, func, html, len, body_escaped, - avatar_filename, name, contact_id, + avatar_filename, name_escaped, contact_id, service_name, message_classes->str, timestamp); } else { -@@ -611,6 +613,7 @@ theme_adium_append_message (EmpathyChatV +@@ -611,6 +612,7 @@ theme_adium_append_message (EmpathyChatV priv->last_is_backlog = is_backlog; g_free (body_escaped); continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit NetworkManager for openSUSE:11.4
Hello community, here is the log from the commit of package NetworkManager for openSUSE:11.4 checked in at Fri Nov 4 10:44:27 CET 2011. --- old-versions/11.4/UPDATES/all/NetworkManager/NetworkManager.changes 2011-10-21 09:56:45.0 +0200 +++ 11.4/NetworkManager/NetworkManager.changes 2011-11-03 09:33:40.0 +0100 @@ -1,0 +2,6 @@ +Thu Nov 3 08:32:20 UTC 2011 - g...@suse.com + +- Add nm-check-for-shared-wifi-authorization.patch to check whether + the shared wifi connection is authorized or not. (bnc#702016) + +--- calling whatdependson for 11.4-i586 New: nm-check-for-shared-wifi-authorization.patch Other differences: -- ++ NetworkManager.spec ++ --- /var/tmp/diff_new_pack.cXQCGd/_old 2011-11-04 10:44:11.0 +0100 +++ /var/tmp/diff_new_pack.cXQCGd/_new 2011-11-04 10:44:11.0 +0100 @@ -20,7 +20,7 @@ Name: NetworkManager Url:http://www.gnome.org/projects/NetworkManager/ Version:0.8.2 -Release:15. +Release:15. License:GPLv2+ BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: dbus-1-devel dbus-1-glib-devel gtk-doc intltool iptables libgcrypt-devel libgudev-1_0-devel libiw-devel libnl-devel libtool libuuid-devel mozilla-nss-devel polkit-devel ppp-devel translation-update-upstream wireless-tools @@ -55,6 +55,8 @@ Patch9: nm-settings-subject-match.patch # PATCH-FIX-UPSTREAM nm-probe-ca-cert.patch bnc#574266 g...@suse.com -- Probe the RADIUS server certificate Patch10:nm-probe-ca-cert.patch +# PATCH-FIX-UPSTREAM nm-check-for-shared-wifi-authorization.patch bnc#702016 g...@suse.com -- Check whether the shared wifi is authorized or not +Patch11:nm-check-for-shared-wifi-authorization.patch Requires: %{name}-glib = %{version} Requires: dhcp-client Requires: iproute2 @@ -134,6 +136,7 @@ %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 translation-update-upstream %build ++ nm-check-for-shared-wifi-authorization.patch ++ >From f5dac84c35dc690cfcf025884c10945ac1006e9f Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Wed, 26 Oct 2011 16:08:52 +0800 Subject: [PATCH] check for authorization when activating shared wifi connections Based on core: check for authorization when activating shared wifi connections http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h=NM_0_8&id=e7273c1609ac267e1d77ff03c97c8929f15e3737 policy: don't auto-activate unauthorized shared wifi connections http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h=NM_0_8&id=287fe10c40ae9b90ce703b79f3479b755f0956c0 core: adjust shared wifi connections permission handling for a few cases http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h=NM_0_8&id=e5085f950730b1e2e68645231e2042127c29a82e --- src/nm-manager-auth.c |6 + src/nm-manager-auth.h |4 + src/nm-manager.c | 272 +++- src/nm-manager.h |4 +- src/nm-policy.c |8 +- 5 files changed, 193 insertions(+), 101 deletions(-) diff --git a/src/nm-manager-auth.c b/src/nm-manager-auth.c index 44c82c2..246fa95 100644 --- a/src/nm-manager-auth.c +++ b/src/nm-manager-auth.c @@ -142,6 +142,12 @@ nm_auth_chain_get_data (NMAuthChain *self, const char *tag) return tmp ? tmp->data : NULL; } +NMAuthCallResult +nm_auth_chain_get_result (NMAuthChain *chain, const char *permission) +{ + return GPOINTER_TO_UINT (nm_auth_chain_get_data (chain, permission)); +} + void nm_auth_chain_set_data (NMAuthChain *self, const char *tag, diff --git a/src/nm-manager-auth.h b/src/nm-manager-auth.h index 6682f91..dde084a 100644 --- a/src/nm-manager-auth.h +++ b/src/nm-manager-auth.h @@ -33,6 +33,8 @@ #define NM_AUTH_PERMISSION_ENABLE_DISABLE_WWAN "org.freedesktop.NetworkManager.enable-disable-wwan" #define NM_AUTH_PERMISSION_USE_USER_CONNECTIONS "org.freedesktop.NetworkManager.use-user-connections" #define NM_AUTH_PERMISSION_NETWORK_CONTROL "org.freedesktop.NetworkManager.network-control" +#define NM_AUTH_PERMISSION_WIFI_SHARE_OPEN "org.freedesktop.network-manager-settings.system.wifi.share.open" +#define NM_AUTH_PERMISSION_WIFI_SHARE_PROTECTED "org.freedesktop.network-manager-settings.system.wifi.share.protected" typedef struct NMAuthChain NMAuthChain; @@ -68,6 +70,8 @@ NMAuthChain *nm_auth_chain_new_raw_message (PolkitAuthority *authority, gpointer nm_auth_chain_get_data (NMAuthChain *chain, const char *tag); +NMAuthCallResult nm_auth_chain_get_result (NMAuthChain *chain, const char *permission); + void nm_auth_chain_set_data (NMAuthChain *chain, const char *tag, gpointer data, diff --git a/src/nm-manager.c b/s
commit NetworkManager for openSUSE:11.3
Hello community, here is the log from the commit of package NetworkManager for openSUSE:11.3 checked in at Fri Nov 4 10:44:05 CET 2011. --- old-versions/11.3/UPDATES/all/NetworkManager/NetworkManager.changes 2011-10-25 05:34:27.0 +0200 +++ 11.3/NetworkManager/NetworkManager.changes 2011-11-01 07:35:34.0 +0100 @@ -1,0 +2,6 @@ +Tue Nov 1 06:31:41 UTC 2011 - g...@suse.com + +- Add nm-check-for-shared-wifi-authorization.patch to check whether + the shared wifi connection is authorized or not. (bnc#702016) + +--- calling whatdependson for 11.3-i586 New: nm-check-for-shared-wifi-authorization.patch Other differences: -- ++ NetworkManager.spec ++ --- /var/tmp/diff_new_pack.3Zi5vN/_old 2011-11-04 10:43:32.0 +0100 +++ /var/tmp/diff_new_pack.3Zi5vN/_new 2011-11-04 10:43:32.0 +0100 @@ -20,7 +20,7 @@ Name: NetworkManager Url:http://www.gnome.org/projects/NetworkManager/ Version:0.8 -Release:8. +Release:8. #Release:8. License:GPLv2+ BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -47,6 +47,8 @@ Patch4: nm-settings-subject-match.patch # PATCH-FIX-UPSTREAM nm-probe-ca-cert.patch bnc#574266 g...@suse.com -- Probe the RADIUS server certificate Patch5: nm-probe-ca-cert.patch +# PATCH-FIX-UPSTREAM nm-check-for-shared-wifi-authorization.patch bnc#702016 g...@suse.com -- Check whether the shared wifi is authorized or not +Patch6: nm-check-for-shared-wifi-authorization.patch Requires: dhcp-client Requires: iproute2 Requires: iputils @@ -118,12 +120,14 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 translation-update-upstream %build pppddir=`ls -1d /usr/%_lib/pppd/2*` test -n "$pppddir" || exit 1 export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" +autoreconf -f -i %configure\ --libexecdir=%{_prefix}/lib/NetworkManager\ --disable-static\ ++ nm-check-for-shared-wifi-authorization.patch ++ 1688 lines (skipped) continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org