[Pkg-electronics-commits] [openocd] 01/02: Bind to localhost by default

Jonathan McDowell noodles at moszumanska.debian.org
Thu Jan 18 09:50:58 UTC 2018


This is an automated email from the git hooks/post-receive script.

noodles pushed a commit to branch master
in repository openocd.

commit 5586146c620aff5c3d52edd599cc2ce0977ec04b
Author: Jonathan McDowell <noodles at earth.li>
Date:   Thu Jan 18 09:28:06 2018 +0000

    Bind to localhost by default
    
    OpenOCD was defaulting to listening on an IP for a command connection,
    which requires no username or password. This is not a sane default even
    on a development machine, so default to only binding to localhost. This
    can be changed using the existing "bindto" command.
---
 debian/changelog                         |  6 +++++
 debian/patches/bind-localhost-only.patch | 45 ++++++++++++++++++++++++++++++++
 debian/patches/series                    |  1 +
 3 files changed, 52 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 6c5958f..2d45901 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+openocd (0.10.0-4) UNRELEASED; urgency=medium
+
+  * Bind to localhost by default
+
+ -- Jonathan McDowell <noodles at earth.li>  Thu, 18 Jan 2018 09:27:37 +0000
+
 openocd (0.10.0-3) unstable; urgency=medium
 
   * Fix udev rule installation (Closes: #880092)
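Review bot: the changelog entry at line 35 records a behaviour change that can break existing setups (anyone connecting to OpenOCD's TCP ports from another host), but it does not say how to restore the old behaviour; suggest expanding the entry to something like "Bind to localhost by default (use "bindto 0.0.0.0" to restore listening on all interfaces)" and noting that it pulls in upstream Gerrit change 4331, so users reading the changelog can see both the security motivation and the workaround without opening the patch.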
diff --git a/debian/patches/bind-localhost-only.patch b/debian/patches/bind-localhost-only.patch
new file mode 100644
index 0000000..d78f7c8
--- /dev/null
+++ b/debian/patches/bind-localhost-only.patch
@@ -0,0 +1,45 @@
+Subject: Bind to IPv4 localhost by default
+Origin: other, http://openocd.zylin.com/#/c/4331/2
+Last-Update: 2018-01-18
+
+From f8630b0b15e30dc6c51270006a4e075c79cf466a Mon Sep 17 00:00:00 2001
+From: Paul Fertser <fercerpav at gmail.com>
+Date: Sat, 13 Jan 2018 16:22:10 +0300
+Subject: [PATCH] server: bind to IPv4 localhost by default
+
+Since OpenOCD basically allows to perform arbitrary actions on behalf of
+the running user, it makes sense to restrict the exposure by default.
+
+If you need network connectivity and your environment is safe enough,
+use "bindto 0.0.0.0" to switch to the old behaviour.
+
+Change-Id: I4a4044b90d0ecb30118cea96fc92a7bcff0924e0
+Signed-off-by: Paul Fertser <fercerpav at gmail.com>
+---
+
+diff --git a/doc/openocd.texi b/doc/openocd.texi
+index 7f5b72e..5c7f465 100644
+--- a/doc/openocd.texi
++++ b/doc/openocd.texi
+@@ -7017,7 +7017,7 @@
+ 
+ @deffn Command bindto [name]
+ Specify address by name on which to listen for incoming TCP/IP connections.
+-By default, OpenOCD will listen on all available interfaces.
++By default, OpenOCD will listen on the loopback interface only.
+ @end deffn
+ 
+ @anchor{targetstatehandling}
+diff --git a/src/server/server.c b/src/server/server.c
+index 1e52e97..ea1e898 100644
+--- a/src/server/server.c
++++ b/src/server/server.c
+@@ -259,7 +259,7 @@
+ 		c->sin.sin_family = AF_INET;
+ 
+ 		if (bindto_name == NULL)
+-			c->sin.sin_addr.s_addr = INADDR_ANY;
++			c->sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ 		else {
+ 			hp = gethostbyname(bindto_name);
+ 			if (hp == NULL) {
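Review bot: the openocd.texi change says OpenOCD "will listen on the loopback interface only", but the server.c change only sets `c->sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK)` on a socket whose family is fixed to `AF_INET`, so what is bound is the IPv4 loopback address 127.0.0.1, not ::1 (the DEP-3 Subject line and the upstream subject both say "IPv4 localhost"); suggest wording the manual as "the IPv4 loopback address (127.0.0.1) only" so the doc matches the code. The replacement of `INADDR_ANY` with `htonl(INADDR_LOOPBACK)` is itself correct: `INADDR_ANY` is 0 in either byte order, while `INADDR_LOOPBACK` is a host-order constant and needs the `htonl()` before being stored in `sin_addr`.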
diff --git a/debian/patches/series b/debian/patches/series
index f50d9ce..16a13e8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ buspirate-swd.patch
 no-duplicate-udev.patch
 fix-sheeva.patch
 fix-openrd.patch
+bind-localhost-only.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-electronics/openocd.git
