authorStefan Cornelius <dercorny@gentoo.org>2006-06-01 13:15:11 +0000
committerStefan Cornelius <dercorny@gentoo.org>2006-06-01 13:15:11 +0000
commitcb36367828fffc95b02e8fef21b4920a559092b0 (patch)
tree0b5c67bf6684e10a1a1860381039f6bf1ba21b94 /sys-process
parentAdd patch to build on HPPA Linux, thanks to Guy Martin (gmsoft). (diff)
Bumping for security bug #134194, special thanks to Eugene Ilkov
(Portage version: 2.1_rc3-r2)
Diffstat (limited to 'sys-process')
-rw-r--r--sys-process/vixie-cron/ChangeLog8
-rw-r--r--sys-process/vixie-cron/files/digest-vixie-cron-4.1-r96
-rw-r--r--sys-process/vixie-cron/files/vixie-cron-4.1-setuid_check.patch29
-rw-r--r--sys-process/vixie-cron/vixie-cron-4.1-r9.ebuild103
4 files changed, 145 insertions, 1 deletions
diff --git a/sys-process/vixie-cron/ChangeLog b/sys-process/vixie-cron/ChangeLog
index 91b4173bc8e9..4dc86595a521 100644
--- a/sys-process/vixie-cron/ChangeLog
+++ b/sys-process/vixie-cron/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for sys-process/vixie-cron
# Copyright 2002-2006 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-process/vixie-cron/ChangeLog,v 1.27 2006/04/27 23:26:56 antarus Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-process/vixie-cron/ChangeLog,v 1.28 2006/06/01 13:15:11 dercorny Exp $
+
+*vixie-cron-4.1-r9 (01 Jun 2006)
+
+ 01 Jun 2006; Stefan Cornelius <dercorny@gentoo.org>
+ +files/vixie-cron-4.1-setuid_check.patch, +vixie-cron-4.1-r9.ebuild:
+ Bumping for security bug #134194, special thanks to Eugene Ilkov
27 Apr 2006; Alec Warner <antarus@gentoo.org>
files/digest-vixie-cron-3.0.1-r4, files/digest-vixie-cron-3.0.1-r5,
diff --git a/sys-process/vixie-cron/files/digest-vixie-cron-4.1-r9 b/sys-process/vixie-cron/files/digest-vixie-cron-4.1-r9
new file mode 100644
index 000000000000..4b0d91076cd4
--- /dev/null
+++ b/sys-process/vixie-cron/files/digest-vixie-cron-4.1-r9
@@ -0,0 +1,6 @@
+MD5 c674b03c6e76798b1c74f6070df167cc vixie-cron-4.1-gentoo-r4.patch.bz2 4204
+RMD160 1d439c0bb473e8307a5c33e2449efdd9ca6fc4f5 vixie-cron-4.1-gentoo-r4.patch.bz2 4204
+SHA256 8de14b11da567f7859df3dcf71802f32ac1b3650ae07c6cb6dbc259e1f6da7fc vixie-cron-4.1-gentoo-r4.patch.bz2 4204
+MD5 09dc04f9879684d27c64c910174a9536 vixie-cron-4.1.tar.bz2 54246
+RMD160 a7f6aaa6deb9924d56da8dca3e2e323e0786f97e vixie-cron-4.1.tar.bz2 54246
+SHA256 fd25119b301e0e8306ec27ee912298740c5c8ae879bac02381429cf355d1122d vixie-cron-4.1.tar.bz2 54246
diff --git a/sys-process/vixie-cron/files/vixie-cron-4.1-setuid_check.patch b/sys-process/vixie-cron/files/vixie-cron-4.1-setuid_check.patch
new file mode 100644
index 000000000000..42fd8e13edd9
--- /dev/null
+++ b/sys-process/vixie-cron/files/vixie-cron-4.1-setuid_check.patch
@@ -0,0 +1,29 @@
+--- vixie-cron-4.1/do_command.c 2006-05-25 16:44:26.000000000 +0400
++++ vixie-cron-4.1.lk/do_command.c 2006-05-25 16:42:25.000000000 +0400
+@@ -240,12 +240,23 @@
+ }
+ }
+ #else
+- setgid(e->pwd->pw_gid);
++
+ initgroups(usernm, e->pwd->pw_gid);
+ #if (defined(BSD)) && (BSD >= 199103)
+ setlogin(usernm);
+ #endif /* BSD */
+- setuid(e->pwd->pw_uid); /* we aren't root after this... */
++ // setuid(e->pwd->pw_uid); /* we aren't root after this... */
++
++ if ( setgid(e->pwd->pw_gid) == -1 ) {
++ fprintf(stderr,"can't set gid for %s\n", e->pwd->pw_name);
++ _exit(1);
++ }
++
++ if ( setuid(e->pwd->pw_uid) == -1 ) {
++ fprintf(stderr,"can't set uid for %s\n", e->pwd->pw_name);
++ _exit(1);
++ }
++
+
+ #endif /* LOGIN_CAP */
+ chdir(env_get("HOME", e->envp));
+
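Review bot: The `initgroups(usernm, e->pwd->pw_gid)` call kept between the two new checks is still unchecked, so one step of the privilege drop can fail silently. If it fails, the job would presumably continue with whatever supplementary groups the cron process already had, even though setgid() and setuid() now either succeed or exit. It should get the same treatment as the two added checks, e.g. `if ( initgroups(usernm, e->pwd->pw_gid) == -1 ) { fprintf(stderr,"can't set groups for %s\n", e->pwd->pw_name); _exit(1); }`. The commented-out `// setuid(...)` line can simply be dropped rather than left beside the live call. The enclosing function starts and ends outside this hunk.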
diff --git a/sys-process/vixie-cron/vixie-cron-4.1-r9.ebuild b/sys-process/vixie-cron/vixie-cron-4.1-r9.ebuild
new file mode 100644
index 000000000000..cfe80cb41cf0
--- /dev/null
+++ b/sys-process/vixie-cron/vixie-cron-4.1-r9.ebuild
@@ -0,0 +1,103 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-process/vixie-cron/vixie-cron-4.1-r9.ebuild,v 1.1 2006/06/01 13:15:11 dercorny Exp $
+
+inherit cron toolchain-funcs debug pam
+
+# no useful homepage, bug #65898
+HOMEPAGE="ftp://ftp.isc.org/isc/cron/"
+DESCRIPTION="Paul Vixie's cron daemon, a fully featured crond implementation"
+
+SELINUX_PATCH="${P}-selinux.diff"
+GENTOO_PATCH_REV="r4"
+
+SRC_URI="mirror://gentoo/${P}.tar.bz2
+ mirror://gentoo/${P}-gentoo-${GENTOO_PATCH_REV}.patch.bz2"
+
+LICENSE="as-is"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
+IUSE="selinux pam debug"
+
+DEPEND=">=sys-apps/portage-2.0.47-r10
+ selinux? ( sys-libs/libselinux )
+ pam? ( virtual/pam )"
+
+RDEPEND="selinux? ( sys-libs/libselinux )
+ pam? ( virtual/pam )"
+
+pkg_setup() {
+ enewgroup cron 16
+}
+
+src_unpack() {
+ unpack ${A}
+ cd ${S}
+
+ epatch ${WORKDIR}/${P}-gentoo-${GENTOO_PATCH_REV}.patch
+ epatch ${FILESDIR}/crontab.5.diff
+ epatch ${FILESDIR}/${P}-commandline.patch
+ epatch ${FILESDIR}/${P}-basename.diff
+ epatch ${FILESDIR}/${P}-setuid_check.patch
+
+ use pam && epatch ${FILESDIR}/${P}-pam.patch
+ use selinux && epatch ${FILESDIR}/${SELINUX_PATCH}
+}
+
+src_compile() {
+ # we need to tinker with ldflags since we're installing as setuid. see
+ # "[gentoo-core] Heads up changes in suid handing with portage >=51_pre21"
+ # for details. Note that we do the sed fixes here rather than in unpack so
+ # that our changes to LDFLAGS are picked up.
+
+ append-ldflags $(bindnow-flags)
+ use debug && append-flags -DDEBUGGING
+
+ sed -i -e "s:gcc \(-Wall.*\):$(tc-getCC) \1 ${CFLAGS}:" \
+ -e "s:^\(LDFLAGS[ \t]\+=\).*:\1 ${LDFLAGS}:" Makefile \
+ || die "sed Makefile failed"
+
+ emake || die "emake failed"
+}
+
+src_install() {
+ docrondir
+ docron
+ docrontab
+
+ # /etc stuff
+ insinto /etc
+ newins ${FILESDIR}/crontab-3.0.1-r4 crontab
+ newins ${FILESDIR}/${P}-cron.deny cron.deny
+
+ keepdir /etc/cron.d
+ newpamd ${FILESDIR}/pamd.compatible cron
+ newinitd ${FILESDIR}/vixie-cron.rc6 vixie-cron
+
+ # doc stuff
+ doman crontab.1 crontab.5 cron.8
+ dodoc ${FILESDIR}/crontab
+ dodoc CHANGES CONVERSION FEATURES MAIL README THANKS
+}
+
+pkg_postinst() {
+ if [[ -f ${ROOT}/etc/init.d/vcron ]]
+ then
+ ewarn "Please run:"
+ ewarn "rc-update del vcron"
+ ewarn "rc-update add vixie-cron default"
+ fi
+
+ # bug 71326
+ if [[ -u ${ROOT}/etc/pam.d/cron ]] ; then
+ echo
+ ewarn "Warning: previous ebuilds didn't reset permissions prior"
+ ewarn "to installing crontab, resulting in /etc/pam.d/cron being"
+ ewarn "installed with the SUID and executable bits set."
+ ewarn
+ ewarn "Run the following as root to set the proper permissions:"
+ ewarn " chmod 0644 /etc/pam.d/cron"
+ echo
+ fi
+
+ cron_pkg_postinst
+}
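Review bot: In pkg_postinst the SUID test inspects `${ROOT}/etc/pam.d/cron`, but the advice printed to the admin is `chmod 0644 /etc/pam.d/cron`, so with a non-default ROOT the suggested command targets a different file from the one found with the bit set. Printing the path that was tested keeps the two in step: `ewarn "  chmod 0644 ${ROOT}/etc/pam.d/cron"`. Separately, `cd ${S}` in src_unpack is unquoted and unchecked; `cd "${S}" || die "cd failed"` would stop the build before any epatch call runs from the wrong directory.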