Disable remote DNS lookup on 'lshw -version'

Users are unlikely to expect that a 'lshw -version' does a DNS lookup, and this may cause alarm in environments where you want to view any external DNS lookup as something alarming that you should immediately investigate the cause of. Additionally, in a Linux distro context, this doesn't necessarily help the user, as the updated version may not have been packaged yet. Signed-off-by: Stewart Smith <trawets@amazon.com>
2022-06-19 16:48:08 +00:00 · 2022-06-19 16:48:08 +00:00 · 19c3e43a64
commit 19c3e43a64
parent 7ea0dacd0d
2 changed files with 74 additions and 0 deletions
--- a/1000-disable-remote-dns-lookup.patch
+++ b/1000-disable-remote-dns-lookup.patch
@ -0,0 +1,70 @@
+From 91a0c77522e928150b2d5af0cb46822d62359675 Mon Sep 17 00:00:00 2001
+From: Stewart Smith <trawets@amazon.com>
+Date: Sun, 19 Jun 2022 05:57:08 +0000
+Subject: [PATCH] Disable remote DNS lookup
+
+Rather than using an LSM such as SELinux to limit network access, or
+having to add exceptions into network monitoring, allow lshw to be built
+so that it doesn't do the DNS lookup to check for upstream version
+updates.
+
+[stewart: Edited from upstream patch removing Makefile bits as SPEC converts to CMake]
+
+Signed-off-by: Stewart Smith <trawets@amazon.com>
+---
+ src/Makefile        | 11 +++++++++--
+ src/core/Makefile   |  6 +++++-
+ src/core/version.cc |  9 ++++++++-
+ 3 files changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/src/core/version.cc b/src/core/version.cc
+index 1f64b3a..ea8dd4a 100644
+--- a/src/core/version.cc
+++ b/src/core/version.cc
+@@ -13,6 +13,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <ctype.h>
+#ifdef REMOTE_VERSION_CHECK
+ #include <netinet/in.h>
+ #include <arpa/nameser.h>
+ #include <resolv.h>
+@@ -21,7 +22,7 @@
+ #ifndef PACKETSZ
+ #define PACKETSZ 512
+ #endif
+-
+#endif
+ 
+ const char *getpackageversion()
+ {
+@@ -31,6 +32,7 @@ const char *getpackageversion()
+   return "unknown";
+ }
+ 
+#ifdef REMOTE_VERSION_CHECK
+ static char *txtquery(const char *name, const char *domain, unsigned int *ttl)
+ {
+   unsigned char answer[PACKETSZ], *pt;
+@@ -84,13 +86,18 @@ static char *txtquery(const char *name, const char *domain, unsigned int *ttl)
+ 
+   return txt;
+ }
+#endif
+ 
+ const char * checkupdates()
+ {
+#ifdef REMOTE_VERSION_CHECK
+   static char *latest = NULL;
+ 
+   if(!latest)
+     latest = txtquery(PACKAGE, "ezix.org", NULL);
+ 
+   return latest;
+#else
+  return NULL;
+#endif
+ }
+-- 
+2.32.0
+
--- a/lshw.spec
+++ b/lshw.spec
@ -15,6 +15,7 @@ Patch3:        lshw-B.02.18-revert-json.patch
 Patch4:        lshw-B.02.19.2-cmake.patch
 Patch5:        https://build.opensuse.org/package/view_file/hardware/lshw/lshw-fix-mmc.patch
 Patch6:        https://build.opensuse.org/package/view_file/hardware/lshw/lshw-fix-segfault-in-apfs-volume-code.patch
+Patch7:        1000-disable-remote-dns-lookup.patch
 BuildRequires: cmake
 BuildRequires: desktop-file-utils
 BuildRequires: gcc
@ -54,6 +55,8 @@ format.
 %patch04 -p1
 %patch05 -p1
 %patch06 -p1
+# This patch #ifdefs out the remote DNS lookup that `lshw -version` does.
+%patch07 -p1

 %build
 %if %{with gui}
@ -113,6 +116,7 @@ appstream-util validate-relax --nonet %{buildroot}/%{_datadir}/appdata/*.appdata
 %changelog
 * Sun Jun 19 2022 Stewart Smith <trawets@amazon.com> - B.02.19.2-7
 - Make GUI an optional bcond
+- Disable remote DNS lookup on 'lshw -version'

 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - B.02.19.2-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild