authorMike Frysinger <vapier@gentoo.org>2005-08-25 22:10:40 +0000
committerMike Frysinger <vapier@gentoo.org>2005-08-25 22:10:40 +0000
commitd248db1bd4b9b4d8e96d1d0ddb5dafe401d1f908 (patch)
tree9f774ff32e3badfa431e6fac83f0d5c8e06fbf15 /net-misc/ntp
parentVersion bump to 2.0.8; sparc support by gustavoz. 2.0.7 stable on x86. (diff)
Fix security issue where ntpd assigns the wrong group #103719.
(Portage version: 2.0.51.22-r2)
Diffstat (limited to 'net-misc/ntp')
-rw-r--r--net-misc/ntp/ChangeLog10
-rw-r--r--net-misc/ntp/files/digest-ntp-4.2.0.20040617-r32
-rw-r--r--net-misc/ntp/files/digest-ntp-4.2.0.20050303-r12
-rw-r--r--net-misc/ntp/files/ntp-4.2.0-ntpd-using-wrong-group.patch14
-rw-r--r--net-misc/ntp/ntp-4.2.0-r2.ebuild25
-rw-r--r--net-misc/ntp/ntp-4.2.0.20040617-r3.ebuild148
-rw-r--r--net-misc/ntp/ntp-4.2.0.20050303-r1.ebuild147
7 files changed, 335 insertions, 13 deletions
diff --git a/net-misc/ntp/ChangeLog b/net-misc/ntp/ChangeLog
index 1c25c6b65b85..30a7533ebf97 100644
--- a/net-misc/ntp/ChangeLog
+++ b/net-misc/ntp/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for net-misc/ntp
# Copyright 1999-2005 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/ntp/ChangeLog,v 1.67 2005/08/20 04:10:15 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/ntp/ChangeLog,v 1.68 2005/08/25 22:10:40 vapier Exp $
+
+*ntp-4.2.0.20050303-r1 (25 Aug 2005)
+*ntp-4.2.0.20040617-r3 (25 Aug 2005)
+
+ 25 Aug 2005; Mike Frysinger <vapier@gentoo.org>
+ +files/ntp-4.2.0-ntpd-using-wrong-group.patch, ntp-4.2.0-r2.ebuild,
+ +ntp-4.2.0.20040617-r3.ebuild, +ntp-4.2.0.20050303-r1.ebuild:
+ Fix security issue where ntpd assigns the wrong group #103719.
20 Aug 2005; Mike Frysinger <vapier@gentoo.org> files/ntpd.rc:
Pass --exec to ssd when stopping so we kill the right process #82859 by
diff --git a/net-misc/ntp/files/digest-ntp-4.2.0.20040617-r3 b/net-misc/ntp/files/digest-ntp-4.2.0.20040617-r3
new file mode 100644
index 000000000000..1fec3109247e
--- /dev/null
+++ b/net-misc/ntp/files/digest-ntp-4.2.0.20040617-r3
@@ -0,0 +1,2 @@
+MD5 d0554ae42164bcda990e6318648a7c58 ntp-stable-4.2.0a-20040617.tar.gz 2435648
+MD5 0f2d809eb4a360dd4479b00cfd95bc4e ntp-stable-4.2.0a-20040617-manpages.tar.bz2 25346
diff --git a/net-misc/ntp/files/digest-ntp-4.2.0.20050303-r1 b/net-misc/ntp/files/digest-ntp-4.2.0.20050303-r1
new file mode 100644
index 000000000000..60bb48950e2c
--- /dev/null
+++ b/net-misc/ntp/files/digest-ntp-4.2.0.20050303-r1
@@ -0,0 +1,2 @@
+MD5 20b8d0616b637b8584147db39a754326 ntp-stable-4.2.0a-20050303.tar.gz 2446073
+MD5 d3a5a6185ef5ed71d2fa8e06598fc28f ntp-stable-4.2.0a-20050303-manpages.tar.bz2 25360
diff --git a/net-misc/ntp/files/ntp-4.2.0-ntpd-using-wrong-group.patch b/net-misc/ntp/files/ntp-4.2.0-ntpd-using-wrong-group.patch
new file mode 100644
index 000000000000..c5865753858f
--- /dev/null
+++ b/net-misc/ntp/files/ntp-4.2.0-ntpd-using-wrong-group.patch
@@ -0,0 +1,14 @@
+http://bugs.gentoo.org/103719
+https://ntp.isc.org/bugs/show_bug.cgi?id=392
+
+--- ntpd/ntpd.c
++++ ntpd/ntpd.c
+@@ -881,7 +881,7 @@
+ } else {
+ getgroup:
+ if ((gr = getgrnam(group)) != NULL) {
+- sw_gid = pw->pw_gid;
++ sw_gid = gr->gr_gid;
+ } else {
+ errno = 0;
+ msyslog(LOG_ERR, "Cannot find group `%s'", group);
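Review bot: The patch header above the hunk carries only two bug URLs, so a one-line description of the defect would help anyone auditing files/ later: inside the `getgrnam(group)` success branch the gid was taken from `pw->pw_gid` rather than `gr->gr_gid`, so the group named on the command line was looked up and then ignored. I would add a line such as `ntpd -u user:group dropped to the user's primary gid instead of the requested group` before the `--- ntpd/ntpd.c` header. With the stock `-u ntp:ntp` and an ntp user whose group is ntp, both values presumably coincide, so the hosts to check are those that pass a different group. The enclosing function starts and ends outside the hunk, so whether `pw` is always set on this path cannot be confirmed from here.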
diff --git a/net-misc/ntp/ntp-4.2.0-r2.ebuild b/net-misc/ntp/ntp-4.2.0-r2.ebuild
index 21e16872b79f..b637edc5fd7b 100644
--- a/net-misc/ntp/ntp-4.2.0-r2.ebuild
+++ b/net-misc/ntp/ntp-4.2.0-r2.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/ntp/ntp-4.2.0-r2.ebuild,v 1.24 2005/07/20 22:38:40 flameeyes Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/ntp/ntp-4.2.0-r2.ebuild,v 1.25 2005/08/25 22:10:40 vapier Exp $
inherit eutils flag-o-matic gnuconfig
@@ -36,13 +36,14 @@ hax_bitkeeper() {
src_unpack() {
unpack ${A}
- cd ${S}
+ cd "${S}"
- use alpha && epatch ${FILESDIR}/ntp-4.1.1b-syscall-libc.patch
+ use alpha && epatch "${FILESDIR}"/ntp-4.1.1b-syscall-libc.patch
- epatch ${FILESDIR}/${PV}-ntpdate-quiet.patch
- epatch ${FILESDIR}/${PV}-linux-config-phone.patch #13001
- epatch ${FILESDIR}/${PV}-droproot.patch
+ epatch "${FILESDIR}"/${PV}-ntpdate-quiet.patch
+ epatch "${FILESDIR}"/${PV}-linux-config-phone.patch #13001
+ epatch "${FILESDIR}"/${PV}-droproot.patch
+ epatch "${FILESDIR}"/ntp-4.2.0-ntpd-using-wrong-group.patch #103719
sed -i "s:-Wpointer-arith::" configure.in
# needed in order to make files with right ver info #30220
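Review bot: The security patch is added to `ntp-4.2.0-r2.ebuild` in place, while the two snapshot ebuilds in this commit get new revisions (-r3 and -r1); a host that already has ntp-4.2.0-r2 installed will presumably not be offered a rebuild and keeps the unpatched ntpd. Copying the ebuild to `ntp-4.2.0-r3.ebuild` with the added `epatch "${FILESDIR}"/ntp-4.2.0-ntpd-using-wrong-group.patch #103719` line would make the fix reach existing installs. src_unpack continues past the end of this hunk.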
@@ -90,7 +91,7 @@ src_install() {
dohtml -r html/*
insinto /usr/share/ntp
- doins ${FILESDIR}/ntp.conf
+ doins "${FILESDIR}"/ntp.conf
rm -rf `find scripts/ \
-name '*.in' -o \
-name 'Makefile*' -o \
@@ -99,13 +100,13 @@ src_install() {
cp -r scripts/* ${D}/usr/share/ntp/
chmod -R go-w ${D}/usr/share/ntp
- [ ! -e ${ROOT}/etc/ntp.conf ] && insinto /etc && doins ${FILESDIR}/ntp.conf
+ [ ! -e ${ROOT}/etc/ntp.conf ] && insinto /etc && doins "${FILESDIR}"/ntp.conf
exeinto /etc/init.d
- newexe ${FILESDIR}/ntpd.rc ntpd
- newexe ${FILESDIR}/ntp-client.rc ntp-client
+ newexe "${FILESDIR}"/ntpd.rc ntpd
+ newexe "${FILESDIR}"/ntp-client.rc ntp-client
insinto /etc/conf.d
- newins ${FILESDIR}/ntpd.confd ntpd
- newins ${FILESDIR}/ntp-client.confd ntp-client
+ newins "${FILESDIR}"/ntpd.confd ntpd
+ newins "${FILESDIR}"/ntp-client.confd ntp-client
use nodroproot && dosed "s|-u ntp:ntp||" /etc/conf.d/ntpd
dodir /var/lib/ntp
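Review bot: Quoting was applied to `${FILESDIR}` only; on the added line `[ ! -e ${ROOT}/etc/ntp.conf ] && ...` the `${ROOT}` expansion is still unquoted inside `[ ]`, and the context lines `cp -r scripts/* ${D}/usr/share/ntp/` and `chmod -R go-w ${D}/usr/share/ntp` leave `${D}` bare. For consistency with the new snapshot ebuilds in this commit I would write `[ ! -e "${ROOT}"/etc/ntp.conf ]` and `"${D}"/usr/share/ntp`. src_install starts before and ends after this hunk.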
diff --git a/net-misc/ntp/ntp-4.2.0.20040617-r3.ebuild b/net-misc/ntp/ntp-4.2.0.20040617-r3.ebuild
new file mode 100644
index 000000000000..74c5f34478ed
--- /dev/null
+++ b/net-misc/ntp/ntp-4.2.0.20040617-r3.ebuild
@@ -0,0 +1,148 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/ntp/ntp-4.2.0.20040617-r3.ebuild,v 1.1 2005/08/25 22:10:40 vapier Exp $
+
+inherit eutils
+
+MY_P=${PN}-stable-${PV:0:5}a-${PV:6}
+DESCRIPTION="Network Time Protocol suite/programs"
+HOMEPAGE="http://www.ntp.org/"
+SRC_URI="http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/snapshots/ntp-stable/${PV:6:4}/${PV:10:2}/${MY_P}.tar.gz
+ mirror://gentoo/${MY_P}-manpages.tar.bz2"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86"
+IUSE="parse-clocks nodroproot selinux ssl ipv6 openntpd debug"
+
+RDEPEND=">=sys-libs/ncurses-5.2
+ >=sys-libs/readline-4.1
+ kernel_linux? ( !nodroproot? ( sys-libs/libcap ) )
+ !openntpd? ( !net-misc/openntpd )
+ ssl? ( dev-libs/openssl )
+ selinux? ( sec-policy/selinux-ntp )"
+DEPEND="${RDEPEND}
+ >=sys-apps/portage-2.0.51"
+PDEPEND="openntpd? ( net-misc/openntpd )"
+
+S=${WORKDIR}/${MY_P}
+
+hax_bitkeeper() {
+ # the makefiles have support for bk ...
+ # basically we have to do this or bk will try to write
+ # to files in /opt/bitkeeper causing sandbox violations ;(
+ mkdir "${T}"/fakebin
+ echo "#!/bin/sh"$'\n'"exit 1" > "${T}"/fakebin/bk
+ chmod a+x "${T}"/fakebin/bk
+ export PATH="${T}/fakebin:${PATH}"
+}
+
+pkg_setup() {
+ enewgroup ntp 123
+ enewuser ntp 123 -1 /dev/null ntp
+}
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ epatch "${FILESDIR}"/ntp-4.1.1b-syscall-libc.patch
+ epatch "${FILESDIR}"/4.2.0-linux-config-phone.patch #13001
+ epatch "${FILESDIR}"/${PV}-hostname.patch
+ epatch "${FILESDIR}"/${PV}-errno-fix.patch
+ epatch "${FILESDIR}"/${PV}-ipv6-fixes.patch
+ epatch "${FILESDIR}"/${PV}-debug-fix.patch
+ epatch "${FILESDIR}"/${PV}-freebsd.patch
+ epatch "${FILESDIR}"/ntp-4.2.0-gcc4.patch
+ epatch "${FILESDIR}"/ntp-4.2.0-ntpd-using-wrong-group.patch #103719
+
+ sed -i \
+ -e 's:md5\.h:touch_not_my_md5:g' \
+ -e 's:-Wpointer-arith::' \
+ -e 's:-lelf:-la_doe_a_deer_a_female_deer:g' \
+ -e 's:-lmd5:-li_dont_want_no_stinkin_md5:g' \
+ configure || die "sed failed"
+}
+
+src_compile() {
+ hax_bitkeeper
+ econf \
+ $(use_enable !nodroproot linuxcaps) \
+ $(use_enable parse-clocks) \
+ $(use_enable ipv6) \
+ $(use_enable debug debugging) \
+ $(use_with ssl crypto) \
+ || die
+ emake || die
+}
+
+src_install() {
+ hax_bitkeeper
+ make install DESTDIR="${D}" || die
+ # move ntpd/ntpdate to sbin #66671
+ dodir /usr/sbin
+ mv "${D}"/usr/bin/{ntpd,ntpdate} "${D}"/usr/sbin/ || die "move to sbin"
+
+ dodoc ChangeLog INSTALL NEWS README TODO WHERE-TO-START
+ doman "${WORKDIR}"/man/*.1
+ dohtml -r html/*
+
+ insinto /usr/share/ntp
+ doins "${FILESDIR}"/ntp.conf
+ cp -r scripts/* "${D}"/usr/share/ntp/
+ chmod -R go-w "${D}"/usr/share/ntp
+ find "${D}"/usr/share/ntp \
+ '(' \
+ -name '*.in' -o \
+ -name 'Makefile*' -o \
+ -name 'rc[12]' -o \
+ -name support \
+ ')' \
+ -exec rm -r {} \;
+
+ insinto /etc
+ doins "${FILESDIR}"/ntp.conf
+ newinitd "${FILESDIR}"/ntpd.rc ntpd
+ newconfd "${FILESDIR}"/ntpd.confd ntpd
+ newinitd "${FILESDIR}"/ntp-client.rc ntp-client
+ newconfd "${FILESDIR}"/ntp-client.confd ntp-client
+ use nodroproot && dosed "s|-u ntp:ntp||" /etc/conf.d/ntpd
+ dosed "s:-Q::" /etc/conf.d/ntp-client # no longer needed
+ dosed "s:/usr/bin:/usr/sbin:" /etc/init.d/ntpd
+
+ dodir /var/lib/ntp
+ fowners ntp:ntp /var/lib/ntp
+ touch "${D}"/var/lib/ntp/ntp.drift
+ fowners ntp:ntp /var/lib/ntp/ntp.drift
+
+ if use openntpd ; then
+ cd "${D}"
+ rm usr/sbin/ntpd
+ rm -r var/lib
+ rm etc/{conf,init}.d/ntpd
+ fi
+}
+
+pkg_preinst() {
+ if [[ -e ${ROOT}/etc/ntp.conf ]] ; then
+ rm -f "${D}"/etc/ntp.conf
+ fi
+}
+
+pkg_postinst() {
+ ewarn "You can find an example /etc/ntp.conf in /usr/share/ntp/"
+ ewarn "Review /etc/ntp.conf to setup server info."
+ ewarn "Review /etc/conf.d/ntpd to setup init.d info."
+ echo
+ einfo "The way ntp sets and maintains your system time has changed."
+ einfo "Now you can use /etc/init.d/ntp-client to set your time at"
+ einfo "boot while you can use /etc/init.d/ntpd to maintain your time"
+ einfo "while your machine runs"
+ if [[ -n $(egrep '^[^#].*notrust' "${ROOT}"/etc/ntp.conf) ]] ; then
+ echo
+ eerror "The notrust option was found in your /etc/ntp.conf!"
+ ewarn "If your ntpd starts sending out weird responses,"
+ ewarn "then make sure you have keys properly setup and see"
+ ewarn "http://bugs.gentoo.org/41827"
+ fi
+}
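Review bot: `hax_bitkeeper` runs `mkdir "${T}"/fakebin` unconditionally but is called from both src_compile and src_install, so the second call fails with "File exists" if `${T}` is kept between phases, and none of its commands is checked. `mkdir -p "${T}"/fakebin || die` would make the helper safe to call twice. The ntp-4.2.0.20050303-r1 ebuild in this commit has the same helper.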
diff --git a/net-misc/ntp/ntp-4.2.0.20050303-r1.ebuild b/net-misc/ntp/ntp-4.2.0.20050303-r1.ebuild
new file mode 100644
index 000000000000..73d285d764f4
--- /dev/null
+++ b/net-misc/ntp/ntp-4.2.0.20050303-r1.ebuild
@@ -0,0 +1,147 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/ntp/ntp-4.2.0.20050303-r1.ebuild,v 1.1 2005/08/25 22:10:40 vapier Exp $
+
+inherit eutils
+
+MY_P=${PN}-stable-${PV:0:5}a-${PV:6}
+DESCRIPTION="Network Time Protocol suite/programs"
+HOMEPAGE="http://www.ntp.org/"
+SRC_URI="http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/snapshots/ntp-stable/${PV:6:4}/${PV:10:2}/${MY_P}.tar.gz
+ mirror://gentoo/${MY_P}-manpages.tar.bz2"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86"
+IUSE="parse-clocks nodroproot selinux ssl ipv6 openntpd debug"
+
+RDEPEND=">=sys-libs/ncurses-5.2
+ >=sys-libs/readline-4.1
+ kernel_linux? ( !nodroproot? ( sys-libs/libcap ) )
+ !openntpd? ( !net-misc/openntpd )
+ ssl? ( dev-libs/openssl )
+ selinux? ( sec-policy/selinux-ntp )"
+DEPEND="${RDEPEND}
+ >=sys-apps/portage-2.0.51"
+PDEPEND="openntpd? ( net-misc/openntpd )"
+
+S=${WORKDIR}/${MY_P}
+
+hax_bitkeeper() {
+ # the makefiles have support for bk ...
+ # basically we have to do this or bk will try to write
+ # to files in /opt/bitkeeper causing sandbox violations ;(
+ mkdir "${T}"/fakebin
+ echo "#!/bin/sh"$'\n'"exit 1" > "${T}"/fakebin/bk
+ chmod a+x "${T}"/fakebin/bk
+ export PATH="${T}/fakebin:${PATH}"
+}
+
+pkg_setup() {
+ enewgroup ntp 123
+ enewuser ntp 123 -1 /dev/null ntp
+}
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ epatch "${FILESDIR}"/4.2.0-linux-config-phone.patch #13001
+ epatch "${FILESDIR}"/4.2.0.20040617-hostname.patch
+ epatch "${FILESDIR}"/4.2.0.20040617-errno-fix.patch
+ epatch "${FILESDIR}"/4.2.0.20040617-debug-fix.patch
+ epatch "${FILESDIR}"/4.2.0.20040617-freebsd.patch
+ epatch "${FILESDIR}"/ntp-4.2.0-gcc4.patch
+ epatch "${FILESDIR}"/ntp-4.2.0.20050303-rlimit-memlock.patch #99713
+ epatch "${FILESDIR}"/ntp-4.2.0-ntpd-using-wrong-group.patch #103719
+
+ sed -i \
+ -e 's:md5\.h:touch_not_my_md5:g' \
+ -e 's:-Wpointer-arith::' \
+ -e 's:-lelf:-la_doe_a_deer_a_female_deer:g' \
+ -e 's:-lmd5:-li_dont_want_no_stinkin_md5:g' \
+ configure || die "sed failed"
+}
+
+src_compile() {
+ hax_bitkeeper
+ econf \
+ $(use_enable !nodroproot linuxcaps) \
+ $(use_enable parse-clocks) \
+ $(use_enable ipv6) \
+ $(use_enable debug debugging) \
+ $(use_with ssl crypto) \
+ || die
+ emake || die
+}
+
+src_install() {
+ hax_bitkeeper
+ make install DESTDIR="${D}" || die "install failed"
+ # move ntpd/ntpdate to sbin #66671
+ dodir /usr/sbin
+ mv "${D}"/usr/bin/{ntpd,ntpdate} "${D}"/usr/sbin/ || die "move to sbin"
+
+ dodoc ChangeLog INSTALL NEWS README TODO WHERE-TO-START
+ doman "${WORKDIR}"/man/*.1
+ dohtml -r html/*
+
+ insinto /usr/share/ntp
+ doins "${FILESDIR}"/ntp.conf
+ cp -r scripts/* "${D}"/usr/share/ntp/
+ chmod -R go-w "${D}"/usr/share/ntp
+ find "${D}"/usr/share/ntp \
+ '(' \
+ -name '*.in' -o \
+ -name 'Makefile*' -o \
+ -name 'rc[12]' -o \
+ -name support \
+ ')' \
+ -exec rm -r {} \;
+
+ insinto /etc
+ doins "${FILESDIR}"/ntp.conf
+ newinitd "${FILESDIR}"/ntpd.rc ntpd
+ newconfd "${FILESDIR}"/ntpd.confd ntpd
+ newinitd "${FILESDIR}"/ntp-client.rc ntp-client
+ newconfd "${FILESDIR}"/ntp-client.confd ntp-client
+ use nodroproot && dosed "s|-u ntp:ntp||" /etc/conf.d/ntpd
+ dosed "s:-Q::" /etc/conf.d/ntp-client # no longer needed
+ dosed "s:/usr/bin:/usr/sbin:" /etc/init.d/ntpd
+
+ dodir /var/lib/ntp
+ fowners ntp:ntp /var/lib/ntp
+ touch "${D}"/var/lib/ntp/ntp.drift
+ fowners ntp:ntp /var/lib/ntp/ntp.drift
+
+ if use openntpd ; then
+ cd "${D}"
+ rm usr/sbin/ntpd
+ rm -r var/lib
+ rm etc/{conf,init}.d/ntpd
+ fi
+}
+
+pkg_preinst() {
+ if [[ -e ${ROOT}/etc/ntp.conf ]] ; then
+ rm -f "${D}"/etc/ntp.conf
+ fi
+}
+
+pkg_postinst() {
+ ewarn "You can find an example /etc/ntp.conf in /usr/share/ntp/"
+ ewarn "Review /etc/ntp.conf to setup server info."
+ ewarn "Review /etc/conf.d/ntpd to setup init.d info."
+ echo
+ einfo "The way ntp sets and maintains your system time has changed."
+ einfo "Now you can use /etc/init.d/ntp-client to set your time at"
+ einfo "boot while you can use /etc/init.d/ntpd to maintain your time"
+ einfo "while your machine runs"
+ if [[ -n $(egrep '^[^#].*notrust' "${ROOT}"/etc/ntp.conf) ]] ; then
+ echo
+ eerror "The notrust option was found in your /etc/ntp.conf!"
+ ewarn "If your ntpd starts sending out weird responses,"
+ ewarn "then make sure you have keys properly setup and see"
+ ewarn "http://bugs.gentoo.org/41827"
+ fi
+}
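Review bot: In the `use openntpd` branch of src_install, `cd "${D}"` is unchecked and the following `rm usr/sbin/ntpd`, `rm -r var/lib` and `rm etc/{conf,init}.d/ntpd` use relative paths, so a failed `cd` would run them against whatever directory the phase happens to be in. I would write `cd "${D}" || die`, or use absolute paths such as `rm -r "${D}"/var/lib || die`. The same lines appear in the ntp-4.2.0.20040617-r3 ebuild above.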