rpms/vixie-cron/FC-3 vixie-cron-4.1-_33-fix_selinux_segfault.patch, NONE, 1.1 vixie-cron-4.1-_34-pam_fail_close_session.patch, NONE, 1.1 vixie-cron-4.1-_35-crontab-job-control.patch, NONE, 1.1 vixie-cron-4.1-_36-pam_close_fork_fail.patch, NONE, 1.1 vixie-cron-4.1-_37-limits.patch, NONE, 1.1 vixie-cron-4.1-_38-CAN-2005-1038.patch, NONE, 1.1 vixie-cron.spec, 1.42, 1.43

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Thu Apr 14 23:38:56 UTC 2005


Update of /cvs/dist/rpms/vixie-cron/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv13779

Modified Files:
	vixie-cron.spec 
Added Files:
	vixie-cron-4.1-_33-fix_selinux_segfault.patch 
	vixie-cron-4.1-_34-pam_fail_close_session.patch 
	vixie-cron-4.1-_35-crontab-job-control.patch 
	vixie-cron-4.1-_36-pam_close_fork_fail.patch 
	vixie-cron-4.1-_37-limits.patch 
	vixie-cron-4.1-_38-CAN-2005-1038.patch 
Log Message:
fix bugs 154575 and 154922 (CAN-2005-1038)

vixie-cron-4.1-_33-fix_selinux_segfault.patch:
 do_command.c |    2 +-
 user.c       |    3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

--- NEW FILE vixie-cron-4.1-_33-fix_selinux_segfault.patch ---
--- vixie-cron-4.1/user.c.fix_selinux_segfault	2005-03-15 08:34:08.143412000 -0500
+++ vixie-cron-4.1/user.c	2005-03-15 08:40:22.616563000 -0500
@@ -40,7 +40,7 @@
 				 int crontab_fd, 
 				 security_context_t *rcontext, 
 				 const char *tabname) {
-	security_context_t scontext;
+	security_context_t scontext=NULL;
 	security_context_t  file_context=NULL;
 	struct av_decision avd;
 	int retval=0;
@@ -51,6 +51,7 @@
 			return -1;
 		} else {
 			log_it(name, getpid(), "No security context but SELinux in permissive mode, continuing",tabname);
+			return 0;
 		}
 	}
 	
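Review bot: The new `return 0;` on the permissive branch leaves the function before `*rcontext` is assigned, so the caller's `u->scontext` keeps whatever value it held, and the NULL guard added in do_command.c only protects it if the caller zero-initialises that field (not visible here). Make the contract explicit before bailing out: `*rcontext = NULL; return 0;`, with a comment such as `/* permissive: job runs in crond's own context; already logged above */`. Initialising `scontext` to NULL is correct, since the later cleanup presumably frees it on every path. The function begins before this hunk and continues after it.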
--- vixie-cron-4.1/do_command.c.fix_selinux_segfault	2005-03-15 08:34:08.720833000 -0500
+++ vixie-cron-4.1/do_command.c	2005-03-15 08:41:23.167952000 -0500
@@ -330,7 +330,7 @@
 # endif /*DEBUGGING*/
 
 #ifdef WITH_SELINUX
-			if (is_selinux_enabled() >0 ) {
+			if ((is_selinux_enabled() >0) && (u->scontext != 0L)) {
 				if (setexeccon(u->scontext) < 0) {
 					if (security_getenforce() > 0) {
 						fprintf(stderr, 
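Review bot: The added `u->scontext != 0L` guard skips setexeccon() entirely when no context was recorded, including when SELinux is enforcing at execution time; the enforcing check in user.c happens when the crontab is loaded, and a `setenforce 1` between load and run would then let the job execute in crond's own domain with no error. Re-check the mode here and refuse the job in enforcing mode, mirroring the `security_getenforce() > 0` branch already visible two lines below; also spell the null check as `u->scontext == NULL` rather than `!= 0L`. The enclosing function and the remainder of the setexeccon() error handling lie outside this hunk.
```c
#ifdef WITH_SELINUX
			if (is_selinux_enabled() > 0) {
				if (u->scontext == NULL) {
					/* no context was obtained at load time; only permissive mode may proceed */
					if (security_getenforce() > 0) {
						fprintf(stderr, "CRON: no security context for job, refusing to run\n");
						exit(ERROR_EXIT); /* match the exit used by the enforcing branch below */
					}
				} else if (setexeccon(u->scontext) < 0) {
					/* … unchanged: existing enforcing/permissive handling of setexeccon() failure … */
```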

vixie-cron-4.1-_34-pam_fail_close_session.patch:
 do_command.c |    1 +
 1 files changed, 1 insertion(+)

--- NEW FILE vixie-cron-4.1-_34-pam_fail_close_session.patch ---
--- vixie-cron-4.1/do_command.c.pam_fail_close_session	2005-04-05 10:40:13.138078000 -0400
+++ vixie-cron-4.1/do_command.c	2005-04-05 10:44:42.008938000 -0400
@@ -33,6 +33,7 @@
 #define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
 	fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \
 	syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \
+	pam_close_session(pamh, PAM_SILENT); \
 	pam_end(pamh, retcode); exit(1); \
    }
 #endif
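Review bot: `pam_close_session()` now runs on every PAM_FAIL_CHECK failure, including (if the macro is also used after pam_authenticate/pam_acct_mgmt, which this hunk does not show) failures that happen before any session was opened, so a session that was never opened gets closed; and unlike the fork-failure teardown added in patch 36 it never deletes credentials with `pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT)`. A single `static void pam_teardown(pam_handle_t *pamh, int status)` helper, guarded by a `session_open` flag set only after a successful pam_open_session(), would make both paths agree. The macro body is also not wrapped in `do { … } while (0)`, so an `else` following a PAM_FAIL_CHECK would bind to the macro's inner `if`.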

vixie-cron-4.1-_35-crontab-job-control.patch:
 crontab.c |    4 +---
 1 files changed, 1 insertion(+), 3 deletions(-)

--- NEW FILE vixie-cron-4.1-_35-crontab-job-control.patch ---
--- vixie-cron-4.1/crontab.c.job_control	2005-04-05 11:45:07.000000000 -0400
+++ vixie-cron-4.1/crontab.c	2005-04-07 13:07:42.851421000 -0400
@@ -463,7 +463,7 @@
 
 	/* parent */
 	for (;;) {
-		xpid = waitpid(pid, &waiter, WUNTRACED);
+		xpid = waitpid(pid, &waiter, 0);
 		if (xpid == -1) {
 			if (errno != EINTR)
 				fprintf(stderr, "%s: waitpid() failed waiting for PID %ld from \"%s\": %s\n",
@@ -472,8 +472,6 @@
 			fprintf(stderr, "%s: wrong PID (%ld != %ld) from \"%s\"\n",
 				ProgramName, (long)xpid, (long)pid, editor);
 			goto fatal;
-		} else if (WIFSTOPPED(waiter)) {
-			kill(getpid(), WSTOPSIG(waiter));
 		} else if (WIFEXITED(waiter) && WEXITSTATUS(waiter)) {
 			fprintf(stderr, "%s: \"%s\" exited with status %d\n",
 				ProgramName, editor, WEXITSTATUS(waiter));
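Review bot: Dropping WUNTRACED means an editor that is stopped on its own (a `kill -STOP` on its pid rather than ^Z on the whole foreground group) now leaves crontab blocked in waitpid() until the child is resumed or exits; that is the intended trade-off, but nothing in the code says so, and the next reader may re-add the stop forwarding. A comment above the call would settle it: `/* no WUNTRACED: a stopped editor simply keeps us waiting; never forward its stop signal to ourselves */`. The enclosing function starts before and ends after this hunk.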

vixie-cron-4.1-_36-pam_close_fork_fail.patch:
 do_command.c |    5 +++++
 1 files changed, 5 insertions(+)

--- NEW FILE vixie-cron-4.1-_36-pam_close_fork_fail.patch ---
--- vixie-cron-4.1/do_command.c.pam_close_fork_fail	2005-04-07 13:19:38.000000000 -0400
+++ vixie-cron-4.1/do_command.c	2005-04-08 12:13:45.354702000 -0400
@@ -196,6 +196,11 @@
 	switch (fork()) {
 	case -1:
 		log_it("CRON", getpid(), "error", "can't fork");
+#ifdef WITH_PAM
+                pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
+                pam_close_session(pamh, PAM_SILENT);
+                pam_end(pamh, PAM_ABORT);
+#endif
 		exit(ERROR_EXIT);
 		/*NOTREACHED*/
 	case 0:
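Review bot: The PAM teardown on fork failure is a second copy of the cleanup that PAM_FAIL_CHECK performs, and the two disagree (this one deletes credentials, the macro does not), so the sequence belongs in one static helper such as `static void pam_teardown(pam_handle_t *pamh, int status)` called from both places. The return values of pam_setcred() and pam_close_session() are discarded; on an error path that is defensible, but a `log_it()` when either fails would preserve the audit trail the changelog cites as the motivation. The added lines are indented with spaces where the surrounding code uses tabs, and the order used by the normal session teardown elsewhere in this function is not visible here, so this path should be checked against it.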

vixie-cron-4.1-_37-limits.patch:
 macros.h |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

--- NEW FILE vixie-cron-4.1-_37-limits.patch ---
--- vixie-cron-4.1/macros.h.limits	2004-07-21 09:31:55.000000000 -0400
+++ vixie-cron-4.1/macros.h	2005-04-14 18:11:35.475147000 -0400
@@ -44,11 +44,11 @@
 #define STDERR		2	/*   stderr's? */
 #define ERROR_EXIT	1	/* exit() with this will scare the shell */
 #define	OK_EXIT		0	/* exit() with this is considered 'normal' */
-#define	MAX_FNAME	100	/* max length of internally generated fn */
-#define	MAX_COMMAND	1000	/* max length of internally generated cmd */
-#define	MAX_ENVSTR	1000	/* max length of envvar=value\0 strings */
-#define	MAX_TEMPSTR	100	/* obvious */
-#define	MAX_UNAME	33	/* max length of username, should be overkill */
+#define	MAX_FNAME	PATH_MAX/* max length of internally generated fn */
+#define	MAX_COMMAND	131072	/* max length of internally generated cmd (max sh cmd line length) */
+#define	MAX_ENVSTR	131072	/* max length of envvar=value\0 strings */
+#define	MAX_TEMPSTR	131072	/* obvious */
+#define	MAX_UNAME	256	/* max length of username  */
 #define	ROOT_UID	0	/* don't change this, it really must be root */
 #define	ROOT_USER	"root"	/* ditto */
 
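Review bot: `MAX_FNAME` now expands to `PATH_MAX`, but nothing in this hunk includes `<limits.h>`, and PATH_MAX may be undefined on platforms without a fixed path limit, so macros.h should gain `#include <limits.h>` followed by `#ifndef PATH_MAX` / `#define PATH_MAX 4096` / `#endif`. Raising MAX_TEMPSTR and MAX_ENVSTR from 100/1000 to 131072 also means any automatic array sized by them (`char buf[MAX_TEMPSTR]`) now costs 128 KiB of stack per instance, which can matter in the forked job child or wherever several such buffers are live at once; every use should be checked before shipping. Minor: `PATH_MAX/* max …` wants a space before the comment opener.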

vixie-cron-4.1-_38-CAN-2005-1038.patch:
 crontab.c |   17 ++++++++++++++++-
 1 files changed, 16 insertions(+), 1 deletion(-)

--- NEW FILE vixie-cron-4.1-_38-CAN-2005-1038.patch ---
--- vixie-cron-4.1/crontab.c.CAN-2005-1038	2005-04-14 18:39:04.356618000 -0400
+++ vixie-cron-4.1/crontab.c	2005-04-14 18:43:50.262425000 -0400
@@ -488,7 +488,7 @@
 	(void)signal(SIGHUP, SIG_DFL);
 	(void)signal(SIGINT, SIG_DFL);
 	(void)signal(SIGQUIT, SIG_DFL);      
-	if (stat(Filename, &statbuf) < 0) {
+	if (lstat(Filename, &statbuf) < 0) {
 		perror("fstat");
 		goto fatal;
 	}
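Review bot: The error label on the line after the change still reads `perror("fstat")` although the call is now lstat(); change it to `perror("lstat")` so the message names the failing call. lstat() is the right choice here because it refuses to follow a symlink the editor may have planted in place of the temp file, but the file is reopened by name later in this function, so the type check has to be repeated on the descriptor that is actually read.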
@@ -497,6 +497,21 @@
 			ProgramName);
 		goto remove;
 	}
+
+	if (  (!S_ISREG(statbuf.st_mode))
+	    ||(S_ISLNK(statbuf.st_mode))
+	    ||(S_ISDIR(statbuf.st_mode))
+            ||(S_ISCHR(statbuf.st_mode))
+	    ||(S_ISBLK(statbuf.st_mode))
+            ||(S_ISFIFO(statbuf.st_mode))
+	    ||(S_ISSOCK(statbuf.st_mode))
+	    )
+	{
+	    fprintf(stderr, "%s: illegal crontab\n",
+			ProgramName);
+		goto remove;	    
+	}
+
 	fprintf(stderr, "%s: installing new crontab\n", ProgramName);
         fclose(NewCrontab);
 	NewCrontab=fopen(Filename,"r+");
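Review bot: The type check is made on the lstat() result, but the file is then reopened by name with `fopen(Filename, "r+")` on the last line of the hunk, so anything running as the user that swaps the temp file for a symlink between those two calls still gets the CAN-2005-1038 behaviour; the check has to be repeated with fstat() on the descriptor that is actually read and compared against the earlier lstat() (same st_dev/st_ino, S_ISREG, st_nlink == 1). That needs a second `struct stat` local declared with the others at the top of the function, outside this hunk. Separately, `!S_ISREG(statbuf.st_mode)` already rejects every other file type, so the S_ISLNK…S_ISSOCK chain is dead code and the condition can be just `if (!S_ISREG(statbuf.st_mode))`. The fopen() NULL check and the rest of the function are outside the hunk.
```c
	fclose(NewCrontab);
	NewCrontab = fopen(Filename, "r+");
	/* … unchanged: NULL check on NewCrontab (outside this hunk) … */
	if (fstat(fileno(NewCrontab), &fstatbuf) < 0) {
		perror("fstat");
		goto fatal;
	}
	/* must still be the regular file lstat() saw, and not hard-linked elsewhere */
	if (!S_ISREG(fstatbuf.st_mode) || fstatbuf.st_nlink != 1
	    || fstatbuf.st_dev != statbuf.st_dev || fstatbuf.st_ino != statbuf.st_ino) {
		fprintf(stderr, "%s: illegal crontab\n", ProgramName);
		goto remove;
	}
```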


Index: vixie-cron.spec
===================================================================
RCS file: /cvs/dist/rpms/vixie-cron/FC-3/vixie-cron.spec,v
retrieving revision 1.42
retrieving revision 1.43
diff -u -r1.42 -r1.43
--- vixie-cron.spec	25 Feb 2005 18:49:14 -0000	1.42
+++ vixie-cron.spec	14 Apr 2005 23:38:54 -0000	1.43
@@ -7,7 +7,7 @@
 Summary: The Vixie cron daemon for executing specified programs at set times.
 Name: vixie-cron
 Version: 4.1
-Release: 24_FC3
+Release: 33_FC3
 Epoch:   1
 License: distributable
 Group:   System Environment/Base
@@ -47,6 +47,12 @@
 Patch30: vixie-cron-4.1-_30-uninitialized.patch
 Patch31: vixie-cron-4.1-_31-allow_pam_access.patch
 Patch32: vixie-cron-4.1-_32-no_mail_rcpt_safe_p.patch
+Patch33: vixie-cron-4.1-_33-fix_selinux_segfault.patch
+Patch34: vixie-cron-4.1-_34-pam_fail_close_session.patch
+Patch35: vixie-cron-4.1-_35-crontab-job-control.patch
+Patch36: vixie-cron-4.1-_36-pam_close_fork_fail.patch
+Patch37: vixie-cron-4.1-_37-limits.patch
+Patch38: vixie-cron-4.1-_38-CAN-2005-1038.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-root
 Requires: sysklogd >= 1.3.33-6, bash >= 2.0
@@ -110,6 +116,12 @@
 %patch30 -p1 -b .uninitialized
 %patch31 -p1 -b .allow_pam_access
 %patch32 -p1 -b .no_mail_rcpt_safe_p.patch
+%patch33 -p1 -b .fix_selinux_segfault
+%patch34 -p1 -b .pam_fail_close_session
+%patch35 -p1 -b .job_control
+%patch36 -p1 -b .pam_close_fork_fail
+%patch37 -p1 -b .limits
+%patch38 -p1 -b .CAN-2005-1038
 
 %build
 make RPM_OPT_FLAGS="$RPM_OPT_FLAGS"
@@ -167,6 +179,32 @@
 %config(noreplace) /etc/sysconfig/crond
 
 %changelog
+* Thu Apr 14 2005 Jason Vas Dias <jvdias at redhat.com> - 4.1-33_FC3
+- fix bug 154922 / CAN-2005-1038: check that new crontab is 
+      regular file after editor session ends.
+- fix bug 154575: use PATH_MAX (4096) as max filename length; also make 
+      limits on command line and env.var. lengths sensible (131072).
+
+* Fri Apr 08 2005 Jason Vas Dias <jvdias at redhat.com> - 4.1-33_FC3
+- do pam_close_session and pam_setcred(pamh, PAM_DELETE_CRED)
+- if fork fails
+
+* Thu Apr 07 2005 Jason Vas Dias <jvdias at redhat.com> - 4.1-33_FC3
+- fix bug 154065: crontab's job control broken: by 
+-     xpid = waitpid(pid,&waiter,WUNTRACED);... 
+-     if( WIFSTOPPED(waiter) )... kill(getpid(),WSTOPSIG(waiter));
+- crontab should not kill itself with SIGSTOP if its child
+- gets SIGSTOP; hence it does not need the waitpid WUNTRACED flag.
+ 
+* Tue Apr 05 2005 Jason Vas Dias <jvdias at redhat.com> - 4.1-33_FC3
+- Required for EAL Audit certification: 
+- If pam_setcred should fail, the pam_session could fail to be
+- closed, leaving autofs user directories still mounted.
+
+* Tue Mar 15 2005 Jason Vas Dias <jvdias at redhat.com> - 4.1-33_FC3
+- fix bug 151145: segfault if cronjob runs without any SELinux user 
+- security context (eg. in a broken chroot environment)
+
 * Fri Feb 25 2005 Jason Vas Dias <jvdias at redhat.com> - 4.1-24_FC3
 - Add an /etc/sysconfig/crond file for containing CRONDARGS and
 - settings like CRON_VALIDATE_MAILRCPTS .



