Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

2026-04-12 12:15:52 +02:00 · 2018-11-02 15:16:22 +00:00
parent 5edc6b10e0 898b355abd
commit 1e2e78e6ff
27 changed files with 853 additions and 284 deletions
--- a/src/initscripts/packages/frr
+++ b/src/initscripts/packages/frr
@@ -0,0 +1,63 @@
+#!/bin/sh
+########################################################################
+# Begin $rc_base/init.d/frr
+#
+# Description : FRRouting Suite
+#
+########################################################################
+
+. /etc/sysconfig/rc
+. ${rc_functions}
+
+DAEMONS="zebra bgpd ospfd staticd"
+
+case "${1}" in
+	start)
+		# Fix permissions of configuration directory
+		if [ -d "/etc/frr" ]; then
+			chown root.frr /etc/frr
+			chmod 775 /etc/frr
+		fi
+
+		for daemon in ${DAEMONS}; do
+			if [ -f "/etc/frr/${daemon}.conf" ]; then
+				# Set permissions
+				chown frr.frr "/etc/frr/${daemon}.conf"
+
+				boot_mesg "Starting FRRouting ${daemon}..."
+				loadproc "/usr/sbin/${daemon}" --daemon
+			fi
+		done
+		;;
+
+	stop)
+		for daemon in ${DAEMONS}; do
+			boot_mesg "Stopping FRRouting ${daemon}..."
+			killproc "/usr/sbin/${daemon}"
+		done
+		;;
+
+	reload)
+		boot_mesg "Reloading FRRouting..."
+		reloadproc /usr/sbin/frr-reload
+		;;
+
+	restart)
+		${0} stop
+		sleep 1
+		${0} start
+		;;
+
+	status)
+		for daemon in ${DAEMONS}; do
+			statusproc "/usr/sbin/${daemon}"
+		done
+		;;
+
+	*)
+		echo "Usage: ${0} {start|stop|reload|restart|status}"
+		exit 1
+		;;
+esac
+
+# End $rc_base/init.d/frr
--- a/src/paks/frr/install.sh
+++ b/src/paks/frr/install.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+############################################################################
+#                                                                          #
+# This file is part of the IPFire Firewall.                                #
+#                                                                          #
+# IPFire is free software; you can redistribute it and/or modify           #
+# it under the terms of the GNU General Public License as published by     #
+# the Free Software Foundation; either version 2 of the License, or        #
+# (at your option) any later version.                                      #
+#                                                                          #
+# IPFire is distributed in the hope that it will be useful,                #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+# GNU General Public License for more details.                             #
+#                                                                          #
+# You should have received a copy of the GNU General Public License        #
+# along with IPFire; if not, write to the Free Software                    #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
+#                                                                          #
+# Copyright (C) 2007 IPFire-Team <info@ipfire.org>.                        #
+#                                                                          #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+
+if ! getent group frr &>/dev/null; then
+	groupadd -r frr
+fi
+
+if ! getent group frrvty &>/dev/null; then
+	groupadd -r frrvty
+fi
+
+if ! getent passwd frr &>/dev/null; then
+	useradd -r frr -g frr -s /bin/false -b /var/empty -G frrvty
+fi
+
+# Extract files
+extract_files
+
+# Restore any backups
+restore_backup "${NAME}"
+
+# Start services
+start_service "${NAME}"
+
+# Enable autostart
+ln -svf ../init.d/frr /etc/rc.d/rc0.d/K40frr
+ln -svf ../init.d/frr /etc/rc.d/rc3.d/S50frr
+ln -svf ../init.d/frr /etc/rc.d/rc6.d/K40frr
+
+exit 0
--- a/src/paks/frr/uninstall.sh
+++ b/src/paks/frr/uninstall.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+############################################################################
+#                                                                          #
+# This file is part of the IPFire Firewall.                                #
+#                                                                          #
+# IPFire is free software; you can redistribute it and/or modify           #
+# it under the terms of the GNU General Public License as published by     #
+# the Free Software Foundation; either version 2 of the License, or        #
+# (at your option) any later version.                                      #
+#                                                                          #
+# IPFire is distributed in the hope that it will be useful,                #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+# GNU General Public License for more details.                             #
+#                                                                          #
+# You should have received a copy of the GNU General Public License        #
+# along with IPFire; if not, write to the Free Software                    #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
+#                                                                          #
+# Copyright (C) 2007 IPFire-Team <info@ipfire.org>.                        #
+#                                                                          #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+
+# Stop services
+stop_service "${NAME}"
+
+# Create backup
+extract_backup_includes
+make_backup "${NAME}"
+
+# Remove all files
+rm -rfv /etc/rc.d/rc*.d/*frr
+remove_files
--- a/src/paks/frr/update.sh
+++ b/src/paks/frr/update.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+############################################################################
+#                                                                          #
+# This file is part of the IPFire Firewall.                                #
+#                                                                          #
+# IPFire is free software; you can redistribute it and/or modify           #
+# it under the terms of the GNU General Public License as published by     #
+# the Free Software Foundation; either version 2 of the License, or        #
+# (at your option) any later version.                                      #
+#                                                                          #
+# IPFire is distributed in the hope that it will be useful,                #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+# GNU General Public License for more details.                             #
+#                                                                          #
+# You should have received a copy of the GNU General Public License        #
+# along with IPFire; if not, write to the Free Software                    #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
+#                                                                          #
+# Copyright (C) 2007 IPFire-Team <info@ipfire.org>.                        #
+#                                                                          #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+./uninstall.sh
+./install.sh
--- a/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch
+++ b/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch
@@ -0,0 +1,72 @@
+commit f1657a9decc820f748fa3aff68168d3145258031
+Author: Christos Tsantilas <christos@chtsanti.net>
+Date:   2018-10-17 15:14:07 +0000
+
+    Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306)
+    
+    %ssl_subject, %ssl_ca_name, and %ssl_cn values were not properly escaped when %D code was expanded in HTML context of the ERR_SECURE_CONNECT_FAIL template. This bug affects all
+    ERR_SECURE_CONNECT_FAIL page templates containing %D, including the default template.
+    
+    Other error pages are not vulnerable because Squid does not populate %D with certificate details in other contexts (yet).
+    
+    Thanks to Nikolas Lohmann [eBlocker] for identifying the problem.
+    
+    TODO: If those certificate details become needed for ACL checks or other non-HTML purposes, make their HTML-escaping conditional.
+    
+    This is a Measurement Factory project.
+
+diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc
+index b5030e3..314e998 100644
+--- a/src/ssl/ErrorDetail.cc
+++ b/src/ssl/ErrorDetail.cc
+@@ -8,6 +8,8 @@
+ 
+ #include "squid.h"
+ #include "errorpage.h"
+#include "fatal.h"
+#include "html_quote.h"
+ #include "ssl/ErrorDetail.h"
+ 
+ #include <climits>
+@@ -432,8 +434,11 @@ const char  *Ssl::ErrorDetail::subject() const
+ {
+     if (broken_cert.get()) {
+         static char tmpBuffer[256]; // A temporary buffer
+-        if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer)))
+-            return tmpBuffer;
+        if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) {
+            // quote to avoid possible html code injection through
+            // certificate subject
+            return html_quote(tmpBuffer);
+        }
+     }
+     return "[Not available]";
+ }
+@@ -461,8 +466,11 @@ const char *Ssl::ErrorDetail::cn() const
+         static String tmpStr;  ///< A temporary string buffer
+         tmpStr.clean();
+         Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn);
+-        if (tmpStr.size())
+-            return tmpStr.termedBuf();
+        if (tmpStr.size()) {
+            // quote to avoid possible html code injection through
+            // certificate subject
+            return html_quote(tmpStr.termedBuf());
+        }
+     }
+     return "[Not available]";
+ }
+@@ -474,8 +482,11 @@ const char *Ssl::ErrorDetail::ca_name() const
+ {
+     if (broken_cert.get()) {
+         static char tmpBuffer[256]; // A temporary buffer
+-        if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer)))
+-            return tmpBuffer;
+        if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) {
+            // quote to avoid possible html code injection through
+            // certificate issuer subject
+            return html_quote(tmpBuffer);
+        }
+     }
+     return "[Not available]";
+ }
--- a/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
+++ b/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
@@ -0,0 +1,22 @@
+commit bc9786119f058a76ddf0625424bc33d36460b9a2 (refs/remotes/origin/v3.5)
+Author: flozilla <fishyflow@gmail.com>
+Date:   2018-10-24 14:12:01 +0200
+
+    Fix memory leak when parsing SNMP packet (#313)
+    
+    SNMP queries denied by snmp_access rules and queries with certain
+    unsupported SNMPv2 commands were leaking a few hundred bytes each. Such
+    queries trigger "SNMP agent query DENIED from..." WARNINGs in cache.log.
+
+diff --git a/src/snmp_core.cc b/src/snmp_core.cc
+index c4d21c1..16c2993 100644
+--- a/src/snmp_core.cc
+++ b/src/snmp_core.cc
+@@ -409,6 +409,7 @@ snmpDecodePacket(SnmpRequest * rq)
+             snmpConstructReponse(rq);
+         } else {
+             debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED from : " << rq->from);
+            snmp_free_pdu(PDU);
+         }
+         xfree(Community);
+