From 8383efa4d839d239997e6bf88199d6eab9a003e7 Mon Sep 17 00:00:00 2001 From: Robert Scheck Date: Apr 07 2019 01:32:48 +0000 Subject: - Upgrade to 1.6.6 (CVE-2018-12066) - Modernization and cleanup of spec file - Ensure /etc/bird.conf can be only read by BIRD user --- diff --git a/.gitignore b/.gitignore index 7d50738..3376c4b 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -/bird-1.4.5.tar.gz +/bird-*.tar.gz diff --git a/0001-Fixes-a-bug-in-locking-code.patch b/0001-Fixes-a-bug-in-locking-code.patch deleted file mode 100644 index b3c211c..0000000 --- a/0001-Fixes-a-bug-in-locking-code.patch +++ /dev/null @@ -1,29 +0,0 @@ -From ab006391305165c805f75e3a2ce20946748233c9 Mon Sep 17 00:00:00 2001 -From: Ondrej Zajicek -Date: Sat, 21 Feb 2015 12:27:05 +0100 -Subject: [PATCH] Fixes a bug in locking code. - -When multiple protocols have a lock for the same IP address, it crashes -under some circumstances. - -Thanks to Matthias Schiffer for the bugreport. ---- - nest/locks.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/nest/locks.c b/nest/locks.c -index c74f2f4..ad2af49 100644 ---- a/nest/locks.c -+++ b/nest/locks.c -@@ -70,7 +70,7 @@ olock_free(resource *r) - DBG("olock: -> %p becomes locked\n", n); - q = SKIP_BACK(struct object_lock, n, n); - rem_node(n); -- add_tail_list(&l->waiters, &q->waiters); -+ add_tail_list(&q->waiters, &l->waiters); - q->state = OLOCK_STATE_EVENT; - add_head(&olock_list, n); - ev_schedule(olock_event); --- -2.4.3 - diff --git a/bird-1.6.6-runstatedir.patch b/bird-1.6.6-runstatedir.patch new file mode 100644 index 0000000..e30e7fc --- /dev/null +++ b/bird-1.6.6-runstatedir.patch 
@@ -0,0 +1,62 @@ +As per http://trubka.network.cz/pipermail/bird-users/2019-March/013240.html +a workaround suggested by upstream until bird >= 1.6.7 is released. + +--- bird-1.6.6/configure 2019-03-01 00:13:27.000000000 +0100 ++++ bird-1.6.6/configure.runstatedir 2019-03-01 00:13:27.000000000 +0100 +@@ -652,7 +652,6 @@ + CONTROL_SOCKET + CONFIG_FILE + SUFFIX +-runstatedir + srcdir_rel_mf + exedir + objdir +@@ -678,6 +677,7 @@ + docdir + oldincludedir + includedir ++runstatedir + localstatedir + sharedstatedir + sysconfdir +@@ -761,6 +761,7 @@ + sysconfdir='${prefix}/etc' + sharedstatedir='${prefix}/com' + localstatedir='${prefix}/var' ++runstatedir='${localstatedir}/run' + includedir='${prefix}/include' + oldincludedir='/usr/include' + docdir='${datarootdir}/doc/${PACKAGE}' +@@ -1013,6 +1014,15 @@ + | -silent | --silent | --silen | --sile | --sil) + silent=yes ;; + ++ -runstatedir | --runstatedir | --runstatedi | --runstated \ ++ | --runstate | --runstat | --runsta | --runst | --runs \ ++ | --run | --ru | --r) ++ ac_prev=runstatedir ;; ++ -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ ++ | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ ++ | --run=* | --ru=* | --r=*) ++ runstatedir=$ac_optarg ;; ++ + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) + ac_prev=sbindir ;; + -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ +@@ -1150,7 +1160,7 @@ + for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ + datadir sysconfdir sharedstatedir localstatedir includedir \ + oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ +- libdir localedir mandir ++ libdir localedir mandir runstatedir + do + eval ac_val=\$$ac_var + # Remove trailing slashes. 
+@@ -1303,6 +1313,7 @@ + --sysconfdir=DIR read-only single-machine data [PREFIX/etc] + --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] + --localstatedir=DIR modifiable single-machine data [PREFIX/var] ++ --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] + --libdir=DIR object code libraries [EPREFIX/lib] + --includedir=DIR C header files [PREFIX/include] + --oldincludedir=DIR C header files for non-gcc [/usr/include] diff --git a/bird.init b/bird.init index 0f46567..14300d9 100644 --- a/bird.init +++ b/bird.init 
@@ -1,27 +1,48 @@ -#!/bin/sh +#!/bin/bash # -# BIRD Internet Routing Daemon +# BIRD_PROGNAME - BIRD Internet Routing Daemon # -# chkconfig: - 20 80 -# description: BIRD is dynamic routing daemon supporting \ -# routing protocols BGP, RIP and OSPF. +# chkconfig: - 80 20 +# description: BIRD is a dynamic IP routing daemon supporting both, IPv4 and IPv6, Border \ +# Gateway Protocol (BGPv4), Routing Information Protocol (RIPv2, RIPng), Open \ +# Shortest Path First protocol (OSPFv2, OSPFv3), Babel Routing Protocol (Babel), \ +# Bidirectional Forwarding Detection (BFD), IPv6 router advertisements, static \ +# routes, inter-table protocol, command-line interface allowing on-line control \ +# and inspection of the status of the daemon, soft reconfiguration as well as a \ +# powerful language for route filtering. +# config: /etc/BIRD_PROGNAME.conf + +### BEGIN INIT INFO +# Provides: BIRD_PROGNAME +# Required-Start: $local_fs $network $remote_fs +# Required-Stop: $local_fs $network $remote_fs +# Default-Start: +# Default-Stop: 0 1 6 +# Short-Description: BIRD Internet Routing Daemon +# Description: BIRD is a dynamic IP routing daemon supporting both, IPv4 and IPv6, Border +# Gateway Protocol (BGPv4), Routing Information Protocol (RIPv2, RIPng), Open +# Shortest Path First protocol (OSPFv2, OSPFv3), Babel Routing Protocol (Babel), +# Bidirectional Forwarding Detection (BFD), IPv6 router advertisements, static +# routes, inter-table protocol, command-line interface allowing on-line control +# and inspection of the status of the daemon, soft reconfiguration as well as a +# powerful language for route filtering. +### END INIT INFO # Source function library. . /etc/rc.d/init.d/functions prog="BIRD_PROGNAME" exec="/usr/sbin/$prog" -config="/etc/$prog.conf" +user="BIRD_PROGNAME" +lockfile="/var/lock/subsys/$prog" [ -e /etc/sysconfig/$prog ] && . 
/etc/sysconfig/$prog -lockfile=/var/lock/subsys/$prog - start() { [ -x $exec ] || exit 5 [ -f $config ] || exit 6 echo -n $"Starting $prog: " - daemon $exec + daemon $exec -u $user -g $user $OPTIONS retval=$? echo [ $retval -eq 0 ] && touch $lockfile @@ -30,40 +51,29 @@ start() { stop() { echo -n $"Stopping $prog: " - killproc $prog + killproc $exec retval=$? echo - [ $retval -eq 0 ] && rm -f $lockfile + [ $retval -eq 0 ] && rm -f $lockfile return $retval } -restart() { - stop - start -} - reload() { echo -n $"Reloading $prog: " - killproc $prog -HUP + killproc $exec -HUP retval=$? echo return $retval } -force_reload() { - restart -} - rh_status() { - # run checks to determine if the service is running or use generic status - status $prog + status $exec } rh_status_q() { - rh_status >/dev/null 2>&1 + rh_status > /dev/null 2>&1 } - case "$1" in start) rh_status_q && exit 0 @@ -74,24 +84,27 @@ case "$1" in $1 ;; restart) - $1 + stop + start ;; reload) rh_status_q || exit 7 $1 ;; force-reload) - force_reload + restart ;; status) rh_status ;; condrestart|try-restart) rh_status_q || exit 0 - restart + stop + start ;; *) echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}" exit 2 esac + exit $? diff --git a/bird.spec b/bird.spec index 3775c62..abfed4a 100644 --- a/bird.spec +++ b/bird.spec 
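Review bot: start() still guards with `[ -f $config ] || exit 6`, but the hunk deletes the `config="/etc/$prog.conf"` assignment without replacing it, so unless /etc/sysconfig/$prog happens to set `config` the test expands to `[ -f ]`, which is true for the non-empty string "-f", and the missing-config check silently becomes a no-op. Restore the assignment next to the new `user=` line, `config="/etc/$prog.conf"`, and quote it in the test, `[ -f "$config" ] || exit 6`, so an empty value fails instead of passing. The new `daemon $exec -u $user -g $user $OPTIONS` line is what drops the daemon to the bird user and is the reason bird.conf is packaged 0640 root:bird; if the target's /var/run is volatile, start() should also recreate the 0750 runtime directory (`install -d -o "$user" -g "$user" -m 0750 /var/run/$prog`) before that call, since a packaged `%dir` does not survive a reboot there — I cannot tell from this hunk which platform is targeted. start()'s closing lines fall outside the hunk.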
@@ -1,25 +1,31 @@ %global _hardened_build 1 Name: bird -Version: 1.4.5 -Release: 2%{?dist} +Version: 1.6.6 +Release: 1%{?dist} Summary: BIRD Internet Routing Daemon Group: System Environment/Daemons License: GPLv2+ -URL: http://bird.network.cz +URL: https://bird.network.cz Source0: ftp://bird.network.cz/pub/bird/bird-%{version}.tar.gz Source1: bird.init +Patch0: bird-1.6.6-runstatedir.patch -BuildRequires: flex bison ncurses-devel readline-devel sed -Requires(post): chkconfig -Requires(preun): chkconfig initscripts - -Patch0: 0001-Fixes-a-bug-in-locking-code.patch +BuildRequires: flex bison ncurses-devel readline-devel sed gcc +Requires(post): /sbin/chkconfig +Requires(preun): /sbin/service, /sbin/chkconfig +Requires(postun): /sbin/service +Requires(pre): shadow-utils %description -BIRD is dynamic routing daemon supporting IPv4 and IPv6 versions of routing -protocols BGP, RIP and OSPF. +BIRD is a dynamic IP routing daemon supporting both, IPv4 and IPv6, Border +Gateway Protocol (BGPv4), Routing Information Protocol (RIPv2, RIPng), Open +Shortest Path First protocol (OSPFv2, OSPFv3), Babel Routing Protocol (Babel), +Bidirectional Forwarding Detection (BFD), IPv6 router advertisements, static +routes, inter-table protocol, command-line interface allowing on-line control +and inspection of the status of the daemon, soft reconfiguration as well as a +powerful language for route filtering. This package contains IPv4 version. 
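Review bot: `URL:` is switched to https, but the unchanged `Source0: ftp://bird.network.cz/pub/bird/bird-%{version}.tar.gz` still fetches the tarball over cleartext FTP, so whoever imports the next release gets an unauthenticated download; the SHA512 in `sources` only protects later rebuilds from the lookaside cache, not the initial import. If upstream serves the same path over HTTPS, change it to `Source0: https://bird.network.cz/pub/bird/bird-%{version}.tar.gz`, and if upstream publishes a detached signature, add it as a second Source and verify it in %prep where the build target supports that. A one-line comment above `Patch0: bird-1.6.6-runstatedir.patch` saying it is a stopgap to drop at 1.6.7 would mirror the note inside the patch so the next updater does not carry it forward.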
@@ -27,34 +33,44 @@ This package contains IPv4 version. %package -n bird6 Summary: BIRD Internet Routing Daemon Group: System Environment/Daemons -Requires(post): chkconfig -Requires(preun): chkconfig initscripts +Requires(post): /sbin/chkconfig +Requires(preun): /sbin/service, /sbin/chkconfig +Requires(postun): /sbin/service +Requires(pre): shadow-utils %description -n bird6 -BIRD is dynamic routing daemon supporting IPv4 and IPv6 versions of routing -protocols BGP, RIP and OSPF. +BIRD is a dynamic IP routing daemon supporting both, IPv4 and IPv6, Border +Gateway Protocol (BGPv4), Routing Information Protocol (RIPv2, RIPng), Open +Shortest Path First protocol (OSPFv2, OSPFv3), Babel Routing Protocol (Babel), +Bidirectional Forwarding Detection (BFD), IPv6 router advertisements, static +routes, inter-table protocol, command-line interface allowing on-line control +and inspection of the status of the daemon, soft reconfiguration as well as a +powerful language for route filtering. This package contains IPv6 version. %package doc -Summary: BIRD Internet Routing Daemon -Group: System Environment/Daemons +Summary: Documentation for BIRD Internet Routing Daemon +Group: Documentation +BuildRequires: linuxdoc-tools sgml-common +BuildArch: noarch %description doc -BIRD is dynamic routing daemon supporting IPv4 and IPv6 versions of routing -protocols BGP, RIP and OSPF. +Documentation for users and programmers of the BIRD Internet Routing Daemon. -This package contains documentation. 
+BIRD is a dynamic IP routing daemon supporting both, IPv4 and IPv6, Border +Gateway Protocol (BGPv4), Routing Information Protocol (RIPv2, RIPng), Open +Shortest Path First protocol (OSPFv2, OSPFv3), Babel Routing Protocol (Babel), +Bidirectional Forwarding Detection (BFD), IPv6 router advertisements, static +routes, inter-table protocol, command-line interface allowing on-line control +and inspection of the status of the daemon, soft reconfiguration as well as a +powerful language for route filtering. %prep %setup -q - -%patch0 -p1 - -#Don't strip executables -sed -i 's/\$(INSTALL_PROGRAM) -s/\$(INSTALL_PROGRAM)/' tools/Makefile.in +%patch0 -p1 -b .runstatedir %build 
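Review bot: The hunk drops the `sed -i 's/\$(INSTALL_PROGRAM) -s/\$(INSTALL_PROGRAM)/' tools/Makefile.in` line and its "Don't strip executables" comment without saying why; if 1.6.6's tools/Makefile.in still installs with `-s`, the binaries are stripped before find-debuginfo runs and the -debuginfo package comes out empty. Worth confirming against the 1.6.6 tarball and, if the sed is no longer needed, a comment such as `# upstream no longer strips at install time since 1.6.x` next to `%patch0 -p1 -b .runstatedir` so the removal is understood as deliberate.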
@@ -62,88 +78,104 @@ mkdir ipv6 tar c --exclude ipv6 . | tar x -C ipv6 cd ipv6 -%configure --prefix=%{_prefix} \ - --sysconfdir=%{_sysconfdir} \ - --localstatedir=%{_localstatedir} \ - --enable-ipv6 -make %{?_smp_mflags} +%configure --runstatedir=%{_localstatedir}/run/bird6 --enable-ipv6 +%make_build all cd .. -%configure --prefix=%{_prefix} \ - --sysconfdir=%{_sysconfdir} \ - --localstatedir=%{_localstatedir} -make %{?_smp_mflags} +%configure --runstatedir=%{_localstatedir}/run/bird +%make_build all docs %install -rm -rf %{buildroot} - -make install DESTDIR=%{buildroot} +%make_install cd ipv6 -make install DESTDIR=%{buildroot} +%make_install cd .. -install -d $RPM_BUILD_ROOT%{_initddir} -sed 's/BIRD_PROGNAME/bird/' %SOURCE1 > $RPM_BUILD_ROOT%{_initddir}/bird -sed 's/BIRD_PROGNAME/bird6/' %SOURCE1 > $RPM_BUILD_ROOT%{_initddir}/bird6 +install -d %{buildroot}{%{_initddir},%{_localstatedir}/{lib,run}/bird{,6}} +sed 's/BIRD_PROGNAME/bird/' %{SOURCE1} > $RPM_BUILD_ROOT%{_initddir}/bird +sed 's/BIRD_PROGNAME/bird6/' %{SOURCE1} > $RPM_BUILD_ROOT%{_initddir}/bird6 + -%clean -rm -rf %{buildroot} +%pre +getent group bird >/dev/null || groupadd -r bird +getent passwd bird >/dev/null || \ + useradd -r -g bird -d %{_localstatedir}/lib/bird -s /sbin/nologin \ + -c "BIRD daemon user" bird +exit 0 %post -/sbin/chkconfig --add %{name} +/sbin/chkconfig --add bird %preun if [ $1 -eq 0 ]; then - /sbin/service %{name} stop >/dev/null 2>&1 - /sbin/chkconfig --del %{name} + /sbin/service bird stop > /dev/null 2>&1 || : + /sbin/chkconfig --del bird fi %postun -if [ $1 -eq 1 ]; then - /sbin/service %{name} condrestart >/dev/null 2>&1 || : +if [ $1 -ne 0 ]; then + /sbin/service bird condrestart > /dev/null 2>&1 || : fi +%pre -n bird6 +getent group bird6 >/dev/null || groupadd -r bird6 +getent passwd bird6 >/dev/null || \ + useradd -r -g bird6 -d %{_localstatedir}/lib/bird6 -s /sbin/nologin \ + -c "BIRD6 daemon user" bird6 +exit 0 + %post -n bird6 /sbin/chkconfig --add bird6 %preun -n bird6 
if [ $1 -eq 0 ]; then - /sbin/service bird6 stop >/dev/null 2>&1 - /sbin/chkconfig --del bird6 + /sbin/service bird6 stop > /dev/null 2>&1 || : + /sbin/chkconfig --del bird6 fi %postun -n bird6 -if [ $1 -eq 1 ]; then - /sbin/service bird6 condrestart >/dev/null 2>&1 || : +if [ $1 -ne 0 ]; then + /sbin/service bird6 condrestart > /dev/null 2>&1 || : fi + %files -%defattr(-,root,root,-) -%doc NEWS README TODO -%config(noreplace) %{_sysconfdir}/bird.conf -%attr(755,root,root) %{_initddir}/bird +%doc NEWS README +%attr(0640,root,bird) %config(noreplace) %{_sysconfdir}/bird.conf +%attr(0755,root,root) %{_initddir}/bird %{_sbindir}/bird %{_sbindir}/birdc %{_sbindir}/birdcl +%dir %attr(0750,bird,bird) %{_localstatedir}/lib/bird +%dir %attr(0750,bird,bird) %{_localstatedir}/run/bird %files -n bird6 -%defattr(-,root,root,-) -%doc NEWS README TODO -%config(noreplace) %{_sysconfdir}/bird6.conf -%attr(755,root,root) %{_initddir}/bird6 +%doc NEWS README +%attr(0640,root,bird6) %config(noreplace) %{_sysconfdir}/bird6.conf +%attr(0755,root,root) %{_initddir}/bird6 %{_sbindir}/bird6 %{_sbindir}/birdc6 %{_sbindir}/birdcl6 +%dir %attr(0750,bird6,bird6) %{_localstatedir}/lib/bird6 +%dir %attr(0750,bird6,bird6) %{_localstatedir}/run/bird6 %files doc -%defattr(-,root,root,-) -%doc NEWS README TODO +%doc NEWS README +%doc doc/bird.conf.* %doc doc/bird*.html +%doc doc/bird.pdf +%doc doc/prog*.html +%doc doc/prog.pdf %changelog +* Sat Apr 06 2019 Robert Scheck - 1.6.6-1 +- Upgrade to 1.6.6 (CVE-2018-12066) +- Modernization and cleanup of spec file +- Ensure /etc/bird.conf can be only read by BIRD user + * Mon Jun 29 2015 Michal Sekletar - 1.4.5-2 - fix bug in the locking code (#1235219) diff --git a/sources b/sources index 6ac9bc4..bb92095 100644 --- a/sources +++ b/sources 
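Review bot: `%attr(0640,root,bird) %config(noreplace) %{_sysconfdir}/bird.conf` only applies to files rpm actually writes; on an upgrade from 1.4.5-2 a locally edited bird.conf is retained and the new copy lands as bird.conf.rpmnew, so whether the existing 0644 root:root file ends up 0640 root:bird depends on how rpm treats retained noreplace files and should be checked with a real upgrade — otherwise the changelog's "can be only read by BIRD user" is not true on exactly the hosts that have a real config. If that test shows the old mode surviving, a guarded fixup in %post is the usual answer, e.g. `[ -f %{_sysconfdir}/bird.conf ] && chown root:bird %{_sysconfdir}/bird.conf && chmod 0640 %{_sysconfdir}/bird.conf || :`, mirrored for bird6. Separately, `%dir %attr(0750,bird,bird) %{_localstatedir}/run/bird` is packaged content: on a host where /var/run is a tmpfs it is gone after reboot and the daemon, now running as bird, cannot create its control socket there; the chkconfig/service dependencies suggest a sysvinit target where this may not apply, but it deserves a comment or an `install -d` in the init script.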
@@ -1 +1 @@
-a8e5e0a9129ce30fe6102c593bafb763 bird-1.4.5.tar.gz
+SHA512 (bird-1.6.6.tar.gz) = 2419e487af2c8e75f613892ee1b1ada00085945bcafe17de972d3196f50a32321a6d18c9a3b58c0c58a5273f348a6d6de8b861505ad559269510a0ba69041fd9