diff --git a/dhcp-4.1.0p1-capability.patch b/dhcp-4.1.0p1-capability.patch
new file mode 100644
index 0000000..afc885f
--- /dev/null
+++ b/dhcp-4.1.0p1-capability.patch
@@ -0,0 +1,54 @@
+diff -urp dhcp-4.1.0p1.orig/client/dhclient.c dhcp-4.1.0p1/client/dhclient.c
+--- dhcp-4.1.0p1.orig/client/dhclient.c 2009-08-15 11:44:33.000000000 -0400
++++ dhcp-4.1.0p1/client/dhclient.c 2009-08-15 12:32:52.000000000 -0400
+@@ -37,6 +37,9 @@
+ #include
+ #include
+ #include
++#ifdef HAVE_LIBCAP_NG
++#include
++#endif
+ 
+ /*
+ * Defined in stdio.h when _GNU_SOURCE is set, but we don't want to define
+@@ -422,6 +425,15 @@ main(int argc, char **argv) {
+ path_dhclient_script = s;
+ }
+ 
++#ifdef HAVE_LIBCAP_NG
++ /* Drop capabilities */
++ capng_clear(CAPNG_SELECT_BOTH);
++ capng_updatev(CAPNG_ADD,
++ CAPNG_EFFECTIVE|CAPNG_PERMITTED|CAPNG_BOUNDING_SET,
++ CAP_NET_ADMIN, CAP_NET_RAW, CAP_NET_BIND_SERVICE, -1);
++ capng_apply(CAPNG_SELECT_BOTH);
++#endif
++ 
+ /* Set up the initial dhcp option universe. */
+ initialize_common_option_spaces();
+ 
+diff -urp dhcp-4.1.0p1.orig/client/Makefile.am dhcp-4.1.0p1/client/Makefile.am
+--- dhcp-4.1.0p1.orig/client/Makefile.am 2009-08-15 11:44:33.000000000 -0400
++++ dhcp-4.1.0p1/client/Makefile.am 2009-08-15 12:32:34.000000000 -0400
+@@ -5,7 +5,7 @@ dhclient_SOURCES = clparse.c dhclient.c
+ scripts/netbsd scripts/nextstep scripts/openbsd \
+ scripts/solaris scripts/openwrt
+ dhclient_LDADD = ../common/libdhcp.a ../minires/libres.a \
+- ../omapip/libomapi.a ../dst/libdst.a
++ ../omapip/libomapi.a ../dst/libdst.a $(CAPNG_LDADD)
+ man_MANS = dhclient.8 dhclient-script.8 dhclient.conf.5 dhclient.leases.5
+ EXTRA_DIST = $(man_MANS)
+ 
+diff -urp dhcp-4.1.0p1.orig/configure.ac dhcp-4.1.0p1/configure.ac
+--- dhcp-4.1.0p1.orig/configure.ac 2009-08-15 11:44:33.000000000 -0400
++++ dhcp-4.1.0p1/configure.ac 2009-08-15 12:32:34.000000000 -0400
+@@ -388,6 +388,9 @@ AC_TRY_LINK(
+ # Look for optional headers.
+ AC_CHECK_HEADERS(sys/socket.h net/if_dl.h net/if6.h regex.h)
+ 
++# look for capabilities library
++LIBCAP_NG_PATH
++ 
+ # find an MD5 library
+ AC_SEARCH_LIBS(MD5_Init, [crypto])
+ AC_SEARCH_LIBS(MD5Init, [crypto])
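Review bot: The return values of `capng_updatev()` and `capng_apply(CAPNG_SELECT_BOTH)` in the dhclient.c part of the new patch are discarded, so if applying the reduced set fails dhclient keeps running with the full root capability set and nothing in the log says so; the apply call should be checked, e.g. `if (capng_apply(CAPNG_SELECT_BOTH) != 0) log_fatal("Unable to drop capabilities");` (capng_apply returns non-zero on failure). Because the update includes CAPNG_BOUNDING_SET after capng_clear(CAPNG_SELECT_BOTH), the three retained capabilities also bound every child dhclient execs, including the script named by path_dhclient_script assigned just above the insertion point, so the script's own needs should be confirmed against that set before this ships. The inner patch's #include lines have lost their header names in this rendering (the angle brackets were presumably stripped), so which cap-ng header is included cannot be verified here. main() continues outside the hunk.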
diff --git a/dhcp.spec b/dhcp.spec
index 47d4817..78da593 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -13,7 +13,7 @@ Summary: Dynamic host configuration protocol software
 Name: dhcp
 Version: %{basever}p1
-Release: 4%{?dist}
+Release: 5%{?dist}
 # NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to
 # dcantrell maintaining the package) made incorrect use of the epoch and
 # that's why it is at 12 now. It should have never been used, but it was.
@@ -54,6 +54,7 @@ Patch19: %{name}-4.1.0-IFNAMSIZ.patch
 Patch20: %{name}-4.1.0-add_timeout_when_NULL.patch
 Patch21: %{name}-4.1.0-64_bit_lease_parse.patch
 Patch22: %{name}-4.1.0-CVE-2009-1892.patch
+Patch23: %{name}-4.1.0p1-capability.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: autoconf
@@ -212,6 +213,9 @@ libdhcpctl and libomapi static libraries are also included in this package.
 # http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1892
 %patch22 -p1
+# Drop unnecessary capabilities in dhclient (#517649)
+%patch23 -p1
+
 # Copy in documentation and example scripts for LDAP patch to dhcpd
 %{__install} -p -m 0755 ldap-for-dhcp-%{ldappatchver}/dhcpd-conf-to-ldap contrib/
@@ -471,6 +475,9 @@ fi
 %attr(0644,root,root) %{_mandir}/man3/omapi.3.gz
 %changelog
+* Tue Aug 18 2009 David Cantrell - 12:4.1.0p1-5
+- Drop unnecessary capabilities in dhclient (#517649)
+
 * Fri Aug 14 2009 David Cantrell - 12:4.1.0p1-4
 - Upgrade to latest ldap-for-dhcp patch which makes sure that only dhcpd links with OpenLDAP (#517474)
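Review bot: No `BuildRequires: libcap-ng-devel` accompanies the new Patch23 line, and none is visible in the BuildRequires hunk; unless it already exists elsewhere in the spec, the `LIBCAP_NG_PATH` macro the patch adds to configure.ac will be unknown when the build regenerates configure, HAVE_LIBCAP_NG will never be defined, and the capability drop compiles to nothing without any build failure to flag it. Adding `BuildRequires: libcap-ng-devel` next to `BuildRequires: autoconf` closes that gap. The %changelog entry could also state that dhclient now retains only CAP_NET_ADMIN, CAP_NET_RAW and CAP_NET_BIND_SERVICE, so the behavioural change is discoverable by anyone debugging a dhclient-script failure later.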