authorJuergen Daubert <jue@jue.li>2015-11-04 12:34:21 +0100
committerJuergen Daubert <jue@jue.li>2015-11-04 12:34:21 +0100
commit3a4a6d5cb33860995a4b3b64491c25bd816191df (patch)
treef46d4f8e4e03341312a4a0c82d653be7b1c2927a /rpcbind
parent02f3f88fce063dae6838c8581da99a7ea7cfce83 (diff)
parent5e71c79a865f776f55871e385455733e91b1b0b1 (diff)
Merge branch '3.1' into 3.2
Conflicts: firefox/.footprint firefox/Pkgfile
Diffstat (limited to 'rpcbind')
-rw-r--r--rpcbind/.md5sum1
-rw-r--r--rpcbind/Pkgfile7
-rw-r--r--rpcbind/rpcbind-0.2.3.patch138
3 files changed, 145 insertions, 1 deletions
diff --git a/rpcbind/.md5sum b/rpcbind/.md5sum
index f67bc246d..21a9db70e 100644
--- a/rpcbind/.md5sum
+++ b/rpcbind/.md5sum
@@ -1,2 +1,3 @@
06ea92b0f86f29b4c468694918da09c6 rpcbind
+850a62791c4b55a78e2dba8756c7a450 rpcbind-0.2.3.patch
c8875246b2688a1adfbd6ad43480278d rpcbind-0.2.3.tar.bz2
diff --git a/rpcbind/Pkgfile b/rpcbind/Pkgfile
index bff1a5b1c..1a0d2563b 100644
--- a/rpcbind/Pkgfile
+++ b/rpcbind/Pkgfile
@@ -7,17 +7,22 @@ name=rpcbind
version=0.2.3
release=2
source=(http://downloads.sourceforge.net/project/$name/$name/$version/$name-$version.tar.bz2 \
- rpcbind)
+ $name-$version.patch rpcbind)
build() {
cd $name-$version
+
+ patch -p1 -i $SRC/$name-$version.patch
+
./configure --prefix=/usr \
--bindir=/sbin \
--mandir=/usr/man \
--disable-libwrap \
--with-rpcuser=root \
--without-systemdsystemunitdir
+
make
make DESTDIR=$PKG install
+
install -D -m 755 $SRC/rpcbind $PKG/etc/rc.d/rpcbind
}
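Review bot: `release=2` is an unchanged context line in this hunk, so as far as this diff shows the port picks up a memory-corruption fix without a release bump. If 0.2.3-2 was already published on the 3.2 branch without the patch, installed systems will not be offered the rebuilt package, so the release number should be raised in the same change. As a smaller style point, the added `patch -p1 -i $SRC/$name-$version.patch` leaves its path unquoted; `patch -p1 -i "$SRC/$name-$version.patch"` avoids word splitting if the work directory contains spaces.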
diff --git a/rpcbind/rpcbind-0.2.3.patch b/rpcbind/rpcbind-0.2.3.patch
new file mode 100644
index 000000000..e820a2656
--- /dev/null
+++ b/rpcbind/rpcbind-0.2.3.patch
@@ -0,0 +1,138 @@
+commit de47f6323d8fb20feefee21d0195cf0529151e04
+Author: Steve Dickson <steved@redhat.com>
+Date: Thu Sep 17 15:57:35 2015 -0400
+
+ security.c: removed warning
+
+ src/security.c:100:8: warning: implicit declaration of function 'xlog'
+ [-Wimplicit-function-declaration]
+
+ Signed-off-by: Steve Dickson <steved@redhat.com>
+
+diff --git a/src/security.c b/src/security.c
+index 0c9453f..c54ce26 100644
+--- a/src/security.c
++++ b/src/security.c
+@@ -17,6 +17,8 @@
+ #include <syslog.h>
+ #include <netdb.h>
+
++#include "xlog.h"
++
+ /*
+ * XXX for special case checks in check_callit.
+ */
+
+commit d5dace219953c45d26ae42db238052b68540649a
+Author: Olaf Kirch <okir@suse.de>
+Date: Fri Oct 30 10:18:20 2015 -0400
+
+ Fix memory corruption in PMAP_CALLIT code
+
+ - A PMAP_CALLIT call comes in on IPv4 UDP
+ - rpcbind duplicates the caller's address to a netbuf and stores it in
+ FINFO[0].caller_addr. caller_addr->buf now points to a memory region A
+ with a size of 16 bytes
+ - rpcbind forwards the call to the local service, receives a reply
+ - when processing the reply, it does this in xprt_set_caller:
+ xprt->xp_rtaddr = *FINFO[0].caller_addr
+ It sends out the reply, and then frees the netbuf caller_addr and
+ caller_addr.buf.
+ However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
+ to memory region A, which is free.
+ - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will
+ be called, which will set xp_rtaddr to the client's address.
+ It will reuse the buffer inside xp_rtaddr, ie it will write a
+ sockaddr_in to region A
+
+ Some time down the road, an incoming TCP connection is accepted,
+ allocating a fresh SVCXPRT. The memory region A is inside the
+ new SVCXPRT
+
+ - While processing the TCP call, another UDP call comes in, again
+ overwriting region A with the client's address
+ - TCP client closes connection. In svc_destroy, we now trip over
+ the garbage left in region A
+
+ We ran into the case where a commercial scanner was triggering
+ occasional rpcbind segfaults. The core file that was captured showed
+ a corrupted xprt->xp_netid pointer that was really a sockaddr_in.
+
+ Signed-off-by: Olaf Kirch <okir@suse.de>
+ Signed-off-by: Steve Dickson <steved@redhat.com>
+
+diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
+index ff9ce6b..4ae93f1 100644
+--- a/src/rpcb_svc_com.c
++++ b/src/rpcb_svc_com.c
+@@ -1183,12 +1183,33 @@ check_rmtcalls(struct pollfd *pfds, int nfds)
+ return (ncallbacks_found);
+ }
+
++/*
++ * This is really a helper function defined in libtirpc,
++ * but unfortunately, it hasn't been exported yet.
++ */
++static struct netbuf *
++__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
++{
++ if (nb->len != len) {
++ if (nb->len)
++ mem_free(nb->buf, nb->len);
++ nb->buf = mem_alloc(len);
++ if (nb->buf == NULL)
++ return NULL;
++
++ nb->maxlen = nb->len = len;
++ }
++ memcpy(nb->buf, ptr, len);
++ return nb;
++}
++
+ static void
+ xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
+ {
++ const struct netbuf *caller = fi->caller_addr;
+ u_int32_t *xidp;
+
+- *(svc_getrpccaller(xprt)) = *(fi->caller_addr);
++ __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
+ xidp = __rpcb_get_dg_xidp(xprt);
+ *xidp = fi->caller_xid;
+ }
+
+commit 9194122389f2a56b1cd1f935e64307e2e963c2da
+Author: Steve Dickson <steved@redhat.com>
+Date: Mon Nov 2 17:05:18 2015 -0500
+
+ handle_reply: Don't use the xp_auth pointer directly
+
+ In the latest libtirpc version to access the xp_auth
+ one must use the SVC_XP_AUTH macro. To be backwards
+ compatible a couple ifdefs were added to use the
+ macro when it exists.
+
+ Signed-off-by: Steve Dickson <steved@redhat.com>
+
+diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
+index 4ae93f1..22d6c84 100644
+--- a/src/rpcb_svc_com.c
++++ b/src/rpcb_svc_com.c
+@@ -1295,10 +1295,17 @@ handle_reply(int fd, SVCXPRT *xprt)
+ a.rmt_localvers = fi->versnum;
+
+ xprt_set_caller(xprt, fi);
++#if defined(SVC_XP_AUTH)
++ SVC_XP_AUTH(xprt) = svc_auth_none;
++#else
+ xprt->xp_auth = &svc_auth_none;
++#endif
+ svc_sendreply(xprt, (xdrproc_t) xdr_rmtcall_result, (char *) &a);
++#if !defined(SVC_XP_AUTH)
+ SVCAUTH_DESTROY(xprt->xp_auth);
+ xprt->xp_auth = NULL;
++#endif
++
+ done:
+ if (buffer)
+ free(buffer);
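Review bot: In the embedded `__rpc_set_netbuf` helper, the allocation-failure path returns NULL after the old buffer has already been freed but leaves `nb->len` and `nb->maxlen` at their old values, so the netbuf then advertises a nonzero length behind a NULL `buf`. Adding `nb->maxlen = nb->len = 0;` before that `return NULL;` would keep it consistent. Without it, a later call whose `len` equals the stale `nb->len` skips the reallocation and runs `memcpy` into NULL. `xprt_set_caller` also ignores the helper's return value, and `handle_reply` goes straight on to `svc_sendreply`, so a failed allocation still attempts a reply with no caller address; the result should be checked and the reply skipped on failure. `handle_reply` is only partly visible in the embedded hunk, so the right unwind path (presumably the `done:` label) needs confirming against the full function.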
