diff --git a/gnu/local.mk b/gnu/local.mk index 269af5fe12..ead1f2f93f 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -956,6 +956,8 @@ dist_patch_DATA = \ %D%/packages/patches/xfce4-panel-plugins.patch \ %D%/packages/patches/xfce4-session-fix-xflock4.patch \ %D%/packages/patches/xfce4-settings-defaults.patch \ + %D%/packages/patches/xinetd-fix-fd-leak.patch \ + %D%/packages/patches/xinetd-CVE-2013-4342.patch \ %D%/packages/patches/xmodmap-asprintf.patch \ %D%/packages/patches/libyaml-CVE-2014-9130.patch \ %D%/packages/patches/zathura-plugindir-environment-variable.patch diff --git a/gnu/packages/patches/xinetd-CVE-2013-4342.patch b/gnu/packages/patches/xinetd-CVE-2013-4342.patch new file mode 100644 index 0000000000..ad57bc7b0e --- /dev/null +++ b/gnu/packages/patches/xinetd-CVE-2013-4342.patch @@ -0,0 +1,36 @@ +Fix CVE-2013-4342: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4342 +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678 + +Patch copied from upstream source repository: + +https://github.com/xinetd-org/xinetd/commit/91e2401a219121eae15244a6b25d2e79c1af5864 + +From 91e2401a219121eae15244a6b25d2e79c1af5864 Mon Sep 17 00:00:00 2001 +From: Thomas Swan +Date: Wed, 2 Oct 2013 23:17:17 -0500 +Subject: [PATCH] CVE-2013-4342: xinetd: ignores user and group directives for + TCPMUX services + +Originally reported to Debian in 2005 and rediscovered , xinetd would execute TCPMUX services without dropping privilege to match the service configuration allowing the service to run with same privilege as the xinetd process (root). +--- + xinetd/builtins.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xinetd/builtins.c b/xinetd/builtins.c +index 3b85579..34a5bac 100644 +--- a/xinetd/builtins.c ++++ b/xinetd/builtins.c +@@ -617,7 +617,7 @@ static void tcpmux_handler( const struct server *serp ) + if( SC_IS_INTERNAL( scp ) ) { + SC_INTERNAL(scp, nserp); + } else { +- exec_server(nserp); ++ child_process(nserp); + } + } + +-- +2.7.4 + diff --git a/gnu/packages/patches/xinetd-fix-fd-leak.patch b/gnu/packages/patches/xinetd-fix-fd-leak.patch new file mode 100644 index 0000000000..77e4600185 --- /dev/null +++ b/gnu/packages/patches/xinetd-fix-fd-leak.patch @@ -0,0 +1,26 @@ +Fix a file descriptor leak: + +https://github.com/xinetd-org/xinetd/issues/23 + +Patch copied from Debian: + +https://anonscm.debian.org/cgit/collab-maint/xinetd.git/tree/debian/patches/000012-fix_fd_leak + +Patch sent upstream at https://github.com/xinetd-org/xinetd/pull/26. + +diff --git a/xinetd/xgetloadavg.c b/xinetd/xgetloadavg.c +index 5a26214..fe0f872 100644 +--- a/xinetd/xgetloadavg.c ++++ b/xinetd/xgetloadavg.c +@@ -34,7 +34,7 @@ double xgetloadavg(void) + + if( fscanf(fd, "%lf", &ret) != 1 ) { + perror("fscanf"); +- return -1; ++ ret = -1; + } + + fclose(fd); +-- +2.7.4 + diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index 67b9797bbb..cea5b2d27a 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm @@ -3995,3 +3995,28 @@ (define-public stunnel scalability (including load-balancing), making it suitable for large deployments.") (license l:gpl2+))) + +(define-public xinetd + (package + (name "xinetd") + (version "2.3.15") + (source + (origin + (method url-fetch) + (uri "https://github.com/xinetd-org/xinetd/archive/xinetd-2-3-15.tar.gz") + (patches (search-patches "xinetd-CVE-2013-4342.patch" "xinetd-fix-fd-leak.patch")) + (sha256 + (base32 + "0k59x52cbzp5fw0n8zn0y54j1ps0x9b72y8k5grzswjdmgs2a2v2")))) + (build-system gnu-build-system) + (arguments + `(#:configure-flags '("--with-loadavg") + #:tests? #f )) ; no tests + (home-page "https://github.com/xinetd-org/xinetd") + (synopsis "Internet services daemon") + (description "@code{xinetd}, a more secure replacement for @code{inetd}, +listens for incoming requests over a network and launches the appropriate +service for that request. Requests are made using port numbers as identifiers +and xinetd usually launches another daemon to handle the request. It can be +used to start services with both privileged and non-privileged port numbers.") + (license (l:fsf-free "file://COPYRIGHT"))))