From ca94db0c704878bf5e027ad849af4995fb849003 Mon Sep 17 00:00:00 2001
From: Jan Safranek <jsafrane@redhat.com>
Date: Nov 26 2010 13:23:19 +0000
Subject: rework the Wireshark security:

- remove the console helper
- add new group 'wireshark'
- allow only members of this group to capture the packets
- remove unused/obsolete patches
Resolves: 657490

---

diff --git a/wireshark-0.99.7-path.patch b/wireshark-0.99.7-path.patch
deleted file mode 100644
index 3aa77c7..0000000
--- a/wireshark-0.99.7-path.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Nasty patch for consolehelper. Wireshark run from consolehelper in unprivileged
-mode wrongly detects path as /usr/bin instead of /usr/sbin. Causes few strange 
-crashes in GUI. 
-
-diff -up wireshark-0.99.7/capture_sync.c.old wireshark-0.99.7/capture_sync.c
---- wireshark-0.99.7/capture_sync.c.old	2007-12-18 02:16:14.000000000 +0100
-+++ wireshark-0.99.7/capture_sync.c	2007-12-19 13:50:17.000000000 +0100
-@@ -230,7 +230,7 @@ init_pipe_args(int *argc) {
-     *argv = NULL;
- 
-     /* take Wireshark's absolute program path and replace "Wireshark" with "dumpcap" */
--    exename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "dumpcap", progfile_dir);
-+    exename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "dumpcap", "/usr/sbin");
- 
-     /* Make that the first argument in the argument list (argv[0]). */
-     argv = sync_pipe_add_arg(argv, argc, exename);
diff --git a/wireshark-1.4.0-python.patch b/wireshark-1.4.0-python.patch
deleted file mode 100644
index 38625b1..0000000
--- a/wireshark-1.4.0-python.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Fix simple syntax error in python scripts
-
-diff -up wireshark-1.4.0/epan/wspython/wspy_libws.py.orig wireshark-1.4.0/epan/wspython/wspy_libws.py
---- wireshark-1.4.0/epan/wspython/wspy_libws.py.orig	2010-08-30 00:17:30.000000000 +0200
-+++ wireshark-1.4.0/epan/wspython/wspy_libws.py	2010-08-31 17:37:54.905966497 +0200
-@@ -27,7 +27,6 @@ import platform
- 
- __libwireshark = None
- 
--/* XXX - We should probably return a full path here, at least on Windows. */
- def get_libws_libname():
-   system = platform.system()
-   if system == "Darwin":
diff --git a/wireshark.spec b/wireshark.spec
index 5d082bf..30e8bd7 100644
--- a/wireshark.spec
+++ b/wireshark.spec
@@ -37,11 +37,10 @@ Source8:	wiresharkdoc-48x48.png
 Source9:	wiresharkdoc-256x256.png
 
 Patch1:		wireshark-nfsv4-opts.patch
-Patch2:		wireshark-0.99.7-path.patch
-Patch3:		wireshark-1.2.4-enable_lua.patch
-Patch4:		wireshark-1.2.8-disable_warning_dialog.patch
-Patch5:		wireshark-libtool-pie.patch
-Patch6:		wireshark-1.4.0-doc-path.patch
+Patch2:		wireshark-1.2.4-enable_lua.patch
+Patch3:		wireshark-libtool-pie.patch
+Patch4:		wireshark-1.4.0-doc-path.patch
+Patch5:		wireshark-1.4.2-group-msg.patch
 
 Url:		http://www.wireshark.org/
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -112,15 +111,14 @@ and plugins.
 %setup -q -n %{name}-%{version}
 %endif
 %patch1 -p1 
-%patch2 -p1
 
 %if %{with_lua}
-%patch3 -p1 -b .enable_lua
+%patch2 -p1 -b .enable_lua
 %endif
 
-%patch4 -p1 -b .dialog
-%patch5 -p1
-%patch6 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1 -b .group-msg
 
 %build
 %ifarch s390 s390x sparcv9 sparc64
@@ -176,10 +174,6 @@ make DESTDIR=$RPM_BUILD_ROOT install
 # install support files for usermode, gnome and kde
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d
 install -m 644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/wireshark
-mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/security/console.apps
-install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/security/console.apps/wireshark
-mkdir -p $RPM_BUILD_ROOT/%{_bindir}
-ln -s consolehelper $RPM_BUILD_ROOT/%{_bindir}/wireshark
 
 # Install python stuff.
 mkdir -p $RPM_BUILD_ROOT%{python_sitearch}
@@ -245,6 +239,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/*.la
 %clean
 rm -rf $RPM_BUILD_ROOT
 
+%pre
+getent group wireshark >/dev/null || groupadd wireshark
+
 %post -p /sbin/ldconfig
 
 %postun -p /sbin/ldconfig
@@ -274,7 +271,7 @@ fi
 %{_sbindir}/dftest
 %{_sbindir}/capinfos
 %{_sbindir}/randpkt
-%{_sbindir}/dumpcap
+%attr(0750, root, wireshark) %caps(cap_net_raw,cap_net_admin=eip) %{_sbindir}/dumpcap
 %{_sbindir}/rawshark
 %{python_sitearch}/*.py*
 %{_libdir}/lib*.so.*
@@ -290,7 +287,6 @@ fi
 %{_mandir}/man1/dftest.*
 %{_mandir}/man1/randpkt.*
 %config(noreplace) %{_sysconfdir}/pam.d/wireshark
-%config(noreplace) %{_sysconfdir}/security/console.apps/wireshark
 %{_datadir}/wireshark
 %if %{with_lua}
 %exclude %{_datadir}/wireshark/init.lua
@@ -306,7 +302,6 @@ fi
 %{_datadir}/icons/gnome/48x48/mimetypes/application-x-pcap.png
 %{_datadir}/icons/gnome/256x256/mimetypes/application-x-pcap.png
 %{_datadir}/mime/packages/wireshark.xml
-%{_bindir}/wireshark
 %{_sbindir}/wireshark
 %{_mandir}/man1/wireshark.*
 
@@ -322,6 +317,10 @@ fi
 %{_sbindir}/idl2wrs
 
 %changelog
+* Fri Nov 26 2010 Jan Safranek <jsafrane@redhat.com> - 1.4.3-1
+- rework the Wireshark security (#657490). Remove the console helper and
+  allow only members of new 'wireshark' group to capture the packets.
+
 * Mon Nov 22 2010 Jan Safranek <jsafrane@redhat.com> - 1.4.2-1
 - upgrade to 1.4.2
 - see http://www.wireshark.org/docs/relnotes/wireshark-1.4.2.html