[Pkg-electronics-commits] [openocd] 03/04: Bind to localhost by default
Jonathan McDowell
noodles at moszumanska.debian.org
Thu Jan 18 19:30:05 UTC 2018
This is an automated email from the git hooks/post-receive script.
noodles pushed a commit to branch debian/stretch
in repository openocd.
commit 7196dc8c48a8ebbc286af325e8f69d04625656f3
Author: Jonathan McDowell <noodles at earth.li>
Date: Thu Jan 18 09:28:06 2018 +0000
Bind to localhost by default
OpenOCD was defaulting to listening on an IP for a command connection,
which requires no username or password. This is not a sane default even
on a development machine, so default to only binding to localhost. This
can be changed using the existing "bindto" command.
---
debian/changelog | 1 +
debian/patches/bind-localhost-only.patch | 45 ++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 47 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index e91c032..7c902e4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ openocd (0.9.0-1+deb8u1) stretch-security; urgency=high
* Update debian/gbp.conf to deal with stretch
* Pull "bindto" command from upstream
+ * Bind to localhost by default
-- Jonathan McDowell <noodles at earth.li> Thu, 18 Jan 2018 14:05:10 +0000
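Review bot: the version in the changelog header, 0.9.0-1+deb8u1, carries a deb8 suffix while the distribution is stretch-security and the commit is on branch debian/stretch; stretch is Debian 9, so a stretch security update would normally be versioned 0.9.0-1+deb9u1, and a deb8u1 string makes the target release ambiguous and sorts oddly against any later jessie update. The new bullet also just repeats the commit subject; it would help users reading the changelog to say why (the command connection requires no username or password) and how to restore the old behaviour ("bindto 0.0.0.0"), both of which the commit message already states.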
diff --git a/debian/patches/bind-localhost-only.patch b/debian/patches/bind-localhost-only.patch
new file mode 100644
index 0000000..d78f7c8
--- /dev/null
+++ b/debian/patches/bind-localhost-only.patch
@@ -0,0 +1,45 @@
+Subject: Bind to IPv4 localhost by default
+Origin: other, http://openocd.zylin.com/#/c/4331/2
+Last-Update: 2018-01-18
+
+From f8630b0b15e30dc6c51270006a4e075c79cf466a Mon Sep 17 00:00:00 2001
+From: Paul Fertser <fercerpav at gmail.com>
+Date: Sat, 13 Jan 2018 16:22:10 +0300
+Subject: [PATCH] server: bind to IPv4 localhost by default
+
+Since OpenOCD basically allows to perform arbitrary actions on behalf of
+the running user, it makes sense to restrict the exposure by default.
+
+If you need network connectivity and your environment is safe enough,
+use "bindto 0.0.0.0" to switch to the old behaviour.
+
+Change-Id: I4a4044b90d0ecb30118cea96fc92a7bcff0924e0
+Signed-off-by: Paul Fertser <fercerpav at gmail.com>
+---
+
+diff --git a/doc/openocd.texi b/doc/openocd.texi
+index 7f5b72e..5c7f465 100644
+--- a/doc/openocd.texi
++++ b/doc/openocd.texi
+@@ -7017,7 +7017,7 @@
+
+ @deffn Command bindto [name]
+ Specify address by name on which to listen for incoming TCP/IP connections.
+-By default, OpenOCD will listen on all available interfaces.
++By default, OpenOCD will listen on the loopback interface only.
+ @end deffn
+
+ @anchor{targetstatehandling}
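Review bot: the replacement sentence in openocd.texi, "By default, OpenOCD will listen on the loopback interface only.", overstates what the accompanying server.c change does: the code stores htonl(INADDR_LOOPBACK) in an AF_INET sockaddr, so only 127.0.0.1 is bound and a client connecting to ::1 is refused; the patch subject itself says "IPv4 localhost". Suggest wording it as "By default, OpenOCD listens on 127.0.0.1 (IPv4 loopback) only." and, since this changes behaviour for existing setups, documenting the escape hatch the commit message gives ("bindto 0.0.0.0" to listen on all interfaces as before) together with a note that the connection is unauthenticated, so the reader does not have to find that in the changelog.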
+diff --git a/src/server/server.c b/src/server/server.c
+index 1e52e97..ea1e898 100644
+--- a/src/server/server.c
++++ b/src/server/server.c
+@@ -259,7 +259,7 @@
+ c->sin.sin_family = AF_INET;
+
+ if (bindto_name == NULL)
+- c->sin.sin_addr.s_addr = INADDR_ANY;
++ c->sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ else {
+ hp = gethostbyname(bindto_name);
+ if (hp == NULL) {
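Review bot: the default branch now binds 127.0.0.1 only, but the bindto_name path directly below still resolves through gethostbyname() into the same IPv4-only c->sin (sin_family is AF_INET two lines above the hunk), so there is no way to obtain an IPv6 loopback listener and "bindto ::1" cannot succeed; acceptable for a security backport, but the limitation belongs in the Debian patch header (the DEP-3 block at the top has Subject, Origin and Last-Update but no Description of the behaviour change) so that users who try it are not surprised. Also, because "bindto 0.0.0.0" restores exactly the previous unauthenticated network exposure, a one-line warning at startup when the resolved address is INADDR_ANY would make that opt-in visible; nothing in this hunk emits one.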
diff --git a/debian/patches/series b/debian/patches/series
index 0927f54..2478bf5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
#Patch-file list
add-bindto.patch
+bind-localhost-only.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-electronics/openocd.git
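An added check for verifying the new default on a running host (example code written for this page, not part of the Debian package or of OpenOCD): it parses the output format of `ss -ltnp` (Linux iproute2) and reports OpenOCD listeners that are bound to a wildcard or other non-loopback address, which is exactly the exposure the patch above removes by default. The sample `ss` lines are constructed, not captured from a real machine; the script assumes OpenOCD's stock port numbers 3333 (gdb), 4444 (telnet) and 6666 (tcl) and the process name openocd, and treats both 0.0.0.0 and :: as exposed since either accepts connections from the network.

```python
"""Audit listening TCP sockets for OpenOCD command ports reachable from the network.

Example code for this page; not part of OpenOCD or the Debian package.
Parses `ss -ltnp` output (Linux iproute2). The sample below is constructed.
"""

import ipaddress
import subprocess
from typing import List, NamedTuple, Tuple

# Assumption: OpenOCD's stock command ports, unchanged by the user's config.
OPENOCD_PORTS = {3333: "gdb", 4444: "telnet", 6666: "tcl"}

# Constructed sample of `ss -ltnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN  0      1      0.0.0.0:4444        0.0.0.0:*         users:(("openocd",pid=4242,fd=6))
LISTEN  0      1      127.0.0.1:3333      0.0.0.0:*         users:(("openocd",pid=4242,fd=7))
LISTEN  0      1      [::]:6666           [::]:*            users:(("openocd",pid=4242,fd=8))
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=900,fd=3))
LISTEN  0      1      127.0.0.1:5555      0.0.0.0:*         users:(("openocd",pid=5150,fd=6))
"""


class Listener(NamedTuple):
    address: str   # host part as printed by ss, brackets stripped
    port: int
    process: str   # the users:(...) column, or "" when ss could not show it


def parse_local(field: str) -> Tuple[str, int]:
    """Split an ss 'Local Address:Port' field such as '[::]:6666' into (host, port)."""
    host, _, port = field.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, int(port)


def is_loopback_only(host: str) -> bool:
    """True when a socket bound to `host` can only be reached from the local machine."""
    if host in ("*", ""):          # older ss prints '*' for the IPv6 wildcard
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False               # unknown form: treat as exposed, never as safe
    if addr.is_unspecified:        # 0.0.0.0 or :: -> all interfaces
        return False
    return addr.is_loopback        # 127.0.0.0/8 or ::1


def parse_ss(text: str) -> List[Listener]:
    """Parse `ss -ltnp` lines; the header and anything not in LISTEN state is skipped."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        host, port = parse_local(parts[3])
        process = parts[5] if len(parts) > 5 else ""
        listeners.append(Listener(host, port, process))
    return listeners


def is_openocd(listener: Listener) -> bool:
    """Match by stock port or by process name (the latter only works when -p output is visible)."""
    return listener.port in OPENOCD_PORTS or '"openocd"' in listener.process


def exposed_openocd(listeners: List[Listener]) -> List[Listener]:
    """OpenOCD listeners bound to something other than a loopback address."""
    return [l for l in listeners if is_openocd(l) and not is_loopback_only(l.address)]


def report(listeners: List[Listener]) -> List[str]:
    """Human-readable findings; empty list means every OpenOCD listener is loopback-only."""
    return [
        f"EXPOSED {l.address}:{l.port} ({OPENOCD_PORTS.get(l.port, 'openocd')}) "
        f"{l.process or '(process not shown; run as root for -p)'}"
        for l in exposed_openocd(listeners)
    ]


if __name__ == "__main__":
    try:
        text = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("ss not available; auditing the constructed sample instead")
        text = SAMPLE_SS_OUTPUT
    findings = report(parse_ss(text))
    print("\n".join(findings) if findings else "no OpenOCD listener is reachable from the network")
```

On the sample the script flags the telnet port on 0.0.0.0 and the tcl port on :: and accepts the two 127.0.0.1 listeners; an OpenOCD started with "bindto 0.0.0.0" will show up the same way as the first line. Since the command connection has no authentication, any EXPOSED finding should be treated as arbitrary command execution as the OpenOCD user for everyone who can reach the port.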