Sync from SUSE:ALP:Source:Standard:1.0 cockpit revision fe218a0a1027209df695343f8070da18

Adrian Schröter 2024-10-15 10:59:18 +02:00
parent 4b95db9a69
commit 9067482d70
7 changed files with 186 additions and 48 deletions


@ -1,4 +1,4 @@
From 2274359df6feffc990831c7d7a32a56d9244d38a Mon Sep 17 00:00:00 2001
From ae17e10a9a6335c4f3c40eefae08bc22ebfc0a6d Mon Sep 17 00:00:00 2001
From: Martin Pitt <mpitt@redhat.com>
Date: Mon, 10 Jun 2024 10:49:56 +0200
Subject: [PATCH] pam-ssh-add: Fix insecure killing of session ssh-agent
@ -32,11 +32,11 @@ CVE-2024-6126
https://bugzilla.redhat.com/show_bug.cgi?id=2290859
---
src/pam-ssh-add/pam-ssh-add.c | 46 ++++++++++++++++++++++++++++-------
test/verify/check-session | 30 +++++++++++++++++++++++
2 files changed, 67 insertions(+), 9 deletions(-)
test/verify/check-session | 33 +++++++++++++++++++++++++
2 files changed, 70 insertions(+), 9 deletions(-)
diff --git a/src/pam-ssh-add/pam-ssh-add.c b/src/pam-ssh-add/pam-ssh-add.c
index a9159d710..839b797d2 100644
index a9159d71004..839b797d215 100644
--- a/src/pam-ssh-add/pam-ssh-add.c
+++ b/src/pam-ssh-add/pam-ssh-add.c
@@ -54,6 +54,9 @@ const char *pam_ssh_agent_arg = NULL;
@ -111,19 +111,22 @@ index a9159d710..839b797d2 100644
return PAM_SUCCESS;
}
diff --git a/test/verify/check-session b/test/verify/check-session
index f771b5f69..939d29428 100755
index 56a0fc08c04..21812f32507 100755
--- a/test/verify/check-session
+++ b/test/verify/check-session
@@ -76,6 +76,36 @@ class TestSession(testlib.MachineCase):
@@ -86,6 +86,39 @@ class TestSession(testlib.MachineCase):
b.logout()
wait_session(should_exist=False)
+ # try to pwn $SSH_AGENT_PID via pam_env's user_readenv=1
+ # try to pwn $SSH_AGENT_PID via pam_env's user_readenv=1 (CVE-2024-6126)
+
+ if m.image in ["fedora-39", "fedora-40"]:
+ # pam_env user_readenv crashes in Fedora, skip the test
+ if m.image in ["fedora-39", "fedora-40", "centos-10", "rhel-10-0"]:
+ # pam_env user_readenv crashes in Fedora/RHEL 10, skip the test
+ # https://bugzilla.redhat.com/show_bug.cgi?id=2293045
+ return
+ if m.ostree_image:
+ # not using cockpit's PAM config
+ return
+
+ # this is enabled by default in tools/cockpit.debian.pam, as well as
+ # Debian/Ubuntu's /etc/pam.d/sshd; but not in Fedora/RHEL
@ -151,6 +154,3 @@ index f771b5f69..939d29428 100755
if __name__ == '__main__':
testlib.test_main()
--
2.45.2
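Review bot: The CVE-2024-6126 regression check in test/verify/check-session is abandoned with a bare `return` on fedora-39, fedora-40, centos-10, rhel-10-0 and OSTree images, so on those images the test is reported as passed although the ssh-agent kill path was never exercised. A skipped security check should be visible in the results: moving it into its own test method and leaving via `self.skipTest("pam_env user_readenv crashes, rhbz#2293045")` would record it as skipped instead of passed. The test method starts and continues outside the lines shown here, and since this file is a copy of the upstream patch the change would have to be made upstream. None of the listed images is a SUSE one, so whether this package's own test runs reach the check cannot be told from this page.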


@ -1,7 +1,18 @@
-------------------------------------------------------------------
Thu Jul 4 09:15:08 UTC 2024 - Adam Majer <adam.majer@suse.de>
- suse_docs.patch: update documentation to point at new links (bsc#1226050)
- remove_rh_links.patch: remove additional hardcoded RH refs (bsc#1221336)
- disable cockpit-pcp support since it's not supported here
- hide-pcp.patch: don't display info about cockpit-pcp - uninstallable
- suse-microos-branding.patch: use suse ID as branding instead of sle-micro
(bsc#1227441)
-------------------------------------------------------------------
Wed Jul 3 06:04:40 UTC 2024 - Luna D Dragon <luna.dragon@suse.com>
- add CVE-2024-6126.patch to resolve CVE-2024-6126
- CVE-2024-6126.patch: Fix insecure killing of session ssh-agent
(CVE-2024-6126, bsc#1226040)
-------------------------------------------------------------------
Wed Jun 5 05:11:19 UTC 2024 - Luna D Dragon <luna.dragon@suse.com>


@ -72,9 +72,11 @@ Patch7: CVE-2024-6126.patch
Patch101: hide-pcp.patch
Patch102: 0002-selinux-temporary-remove-setroubleshoot-section.patch
# For anything based on SLES 15 codebase (including Leap, SLE Micro)
#Patch103: 0004-leap-gnu18-removal.patch
Patch103: 0004-leap-gnu18-removal.patch
Patch104: selinux_libdir.patch
Patch201: remove_rh_links.patch
%if 0%{?fedora} >= 38 || 0%{?rhel} >= 9
%define cockpit_enable_python 1
%endif
@ -116,13 +118,8 @@ Patch104: selinux_libdir.patch
%define disallow_root 1
%endif
# pcp stopped building on ix86
%define build_pcp 1
%if 0%{?fedora} >= 40 || 0%{?rhel} >= 10 || 0%{?suse_version} > 1500
%ifarch %ix86
# No PCP on SLE Micro
%define build_pcp 0
%endif
%endif
# Ship custom SELinux policy (but not for cockpit-appstream)
%if 0%{?rhel} >= 9 || 0%{?fedora} || 0%{?suse_version} >= 1600 || 0%{?is_smo}
@ -253,19 +250,19 @@ BuildRequires: python3-tox-current-env
%patch7 -p1
# SLE Micro specific patches
%if 0%{?is_smo}
%patch101 -p1
# Patches for versions lower then SLE Micro 5.5
%if 0%{?sle_version} < 150500
%patch102 -p1
%endif
%endif
# For anything based on SLES 15 codebase (including Leap, SLEM)
%if 0%{?suse_version} == 1500
%patch103 -p1
%patch104 -p0
%endif
%patch201 -p1
cp %SOURCE1 tools/cockpit.pam
#
rm -rf node_modules package-lock.json
@ -454,13 +451,13 @@ sed -i "s|%{buildroot}||" *.list
# remove brandings with stale symlinks. Means they don't match
# the distro.
pushd %{buildroot}/%{_datadir}/cockpit/branding
ls --hide={default,kubernetes,opensuse,registry,sle-micro,suse} | xargs rm -rv
ls --hide={default,kubernetes,opensuse,registry,suse} | xargs rm -rv
popd
# need this in SUSE as post build checks dislike stale symlinks
install -m 644 -D /dev/null %{buildroot}/run/cockpit/motd
test -e %{buildroot}/usr/share/cockpit/branding/opensuse/default-1920x1200.jpg || install -m 644 -D /dev/null %{buildroot}/usr/share/cockpit/branding/opensuse/default-1920x1200.jpg
test -e %{buildroot}/usr/share/cockpit/branding/sle-micro/apple-touch-icon.png || install -m 644 -D /dev/null %{buildroot}/usr/share/cockpit/branding/sle-micro/apple-touch-icon.png
test -e %{buildroot}/usr/share/cockpit/branding/sle-micro/default-1920x1200.png || install -m 644 -D /dev/null %{buildroot}/usr/share/cockpit/branding/sle-micro/default-1920x1200.png
test -e %{buildroot}/usr/share/cockpit/branding/suse/apple-touch-icon.png || install -m 644 -D /dev/null %{buildroot}/usr/share/cockpit/branding/suse/apple-touch-icon.png
test -e %{buildroot}/usr/share/cockpit/branding/suse/default-1920x1200.png || install -m 644 -D /dev/null %{buildroot}/usr/share/cockpit/branding/suse/default-1920x1200.png
# remove files of not installable packages
rm -r %{buildroot}%{_datadir}/cockpit/sosreport
rm -f %{buildroot}/%{_prefix}/share/metainfo/org.cockpit-project.cockpit-sosreport.metainfo.xml
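Review bot: The branding cleanup `ls --hide={default,kubernetes,opensuse,registry,suse} | xargs rm -rv` parses `ls` output and still invokes `rm` when nothing is left to delete; GNU xargs runs the command once on empty input, and `rm -rv` without operands exits non-zero, which would abort the install step if it runs with errexit. `xargs -r rm -rv` avoids the empty case, and a `find . -mindepth 1 -maxdepth 1 ! -name ... -exec rm -rv {} +` form would also cope with names containing whitespace. With `sle-micro` dropped from the keep list that directory is now deleted here, which is consistent with the placeholder files moving to `branding/suse` a few lines below.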


@ -10,3 +10,25 @@ Index: cockpit/pkg/metrics/metrics.jsx
isDisabled={ invalidService(s_pmlogger) || invalidService(s_pmproxy) || invalidService(s_redis) || invalidService(s_redis_server) }
onClick={show_dialog}>
{ _("Metrics settings") }
Index: cockpit-309/pkg/metrics/metrics.jsx
===================================================================
--- cockpit-309.orig/pkg/metrics/metrics.jsx
+++ cockpit-309/pkg/metrics/metrics.jsx
@@ -1809,7 +1809,8 @@ class MetricsHistory extends React.Compo
// on a single machine, cockpit-pcp depends on pcp; but this may not be the case in the beiboot scenario,
// so additionally check if pcp is available on the logged in target machine
if ((cockpit.manifests && !cockpit.manifests.pcp) || this.pmlogger_service.exists === false)
- return <EmptyStatePanel
+ return <EmptyStatePanel />
+/* return <EmptyStatePanel
icon={ExclamationCircleIcon}
title={_("Package cockpit-pcp is missing for metrics history")}
action={this.state.isBeibootBridge === true
@@ -1817,6 +1818,7 @@ class MetricsHistory extends React.Compo
? <Text>{ _("Installation not supported without installed cockpit package") }</Text>
: this.state.packagekitExists && <Button onClick={this.handleInstall}>{_("Install cockpit-pcp")}</Button>}
/>;
+*/
if (!this.state.metricsAvailable) {
let action;
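Review bot: When pcp is absent the metrics history view now renders a bare `<EmptyStatePanel />` with no title, so the user sees an empty panel and no reason for it; the new `return` in the `@@ -1809,7 +1809,8 @@` hunk also lacks its terminating semicolon and relies on automatic semicolon insertion ahead of the block comment. Writing `return <EmptyStatePanel />;` and deleting the old JSX, not wrapping it in `/* … */`, would keep the dead translatable strings out of the source and make the patch easier to refresh against later cockpit versions. If a short explanation is wanted, the panel already takes a `title` prop, as the removed lines show. The enclosing render method starts and ends outside the hunk.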

remove_rh_links.patch Normal file

@ -0,0 +1,108 @@
Index: cockpit-309/pkg/systemd/overview-cards/cryptoPolicies.jsx
===================================================================
--- cockpit-309.orig/pkg/systemd/overview-cards/cryptoPolicies.jsx
+++ cockpit-309/pkg/systemd/overview-cards/cryptoPolicies.jsx
@@ -115,7 +115,7 @@ const CryptoPolicyDialog = ({
variant='link'
isInline
icon={<ExternalLinkSquareAltIcon />} iconPosition="right"
- href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/assembly_installing-a-rhel-8-system-with-fips-mode-enabled_security-hardening">
+ href="https://documentation.suse.com/sle-micro/6.0/html/Micro-selinux/selinux-article.html">
{_("Learn more")}
</Button>
</Flex>),
@@ -154,16 +154,6 @@ const CryptoPolicyDialog = ({
{_("Cryptographic Policies is a system component that configures the core cryptographic subsystems, covering the TLS, IPSec, SSH, DNSSec, and Kerberos protocols.")}
</div>
}
- footerContent={
- <Button component='a'
- rel="noopener noreferrer" target="_blank"
- variant='link'
- isInline
- icon={<ExternalLinkSquareAltIcon />} iconPosition="right"
- href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening">
- {_("Learn more")}
- </Button>
- }
>
<Button variant="plain" aria-label={_("Help")}>
<HelpIcon />
Index: cockpit-309/pkg/systemd/overview-cards/tuned-dialog.jsx
===================================================================
--- cockpit-309.orig/pkg/systemd/overview-cards/tuned-dialog.jsx
+++ cockpit-309/pkg/systemd/overview-cards/tuned-dialog.jsx
@@ -273,36 +273,10 @@ const TunedDialog = ({
.finally(() => setLoading(false));
}, [updateButton, poll, tunedService, tunedDbus]);
- const help = (
- <Popover
- id="tuned-help"
- bodyContent={
- <div>
- {_("Tuned is a service that monitors your system and optimizes the performance under certain workloads. The core of Tuned are profiles, which tune your system for different use cases.")}
- </div>
- }
- footerContent={
- <Button component='a'
- rel="noopener noreferrer" target="_blank"
- variant='link'
- isInline
- icon={<ExternalLinkSquareAltIcon />} iconPosition="right"
- href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/managing_systems_using_the_rhel_8_web_console/index#optimizing-the-system-performance-using-the-web-console_system-management-using-the-RHEL-8-web-console">
- {_("Learn more")}
- </Button>
- }
- >
- <Button variant="plain" aria-label={_("Help")}>
- <HelpIcon />
- </Button>
- </Popover>
- );
-
return (
<Modal position="top" variant="medium"
className="ct-m-stretch-body"
isOpen
- help={help}
onClose={Dialogs.close}
title={_("Change performance profile")}
footer={
Index: cockpit-309/pkg/systemd/hwinfo.jsx
===================================================================
--- cockpit-309.orig/pkg/systemd/hwinfo.jsx
+++ cockpit-309/pkg/systemd/hwinfo.jsx
@@ -201,11 +201,6 @@ const CPUSecurityMitigationsDialog = ()
<DataListCell key="primary content">
<span>
<div className='nosmt-heading'>{ _("Disable simultaneous multithreading") } (nosmt)</div>
- <small className='nosmt-read-more-link'>
- <a href="https://access.redhat.com/security/vulnerabilities/L1TF" target="_blank" rel="noopener noreferrer">
- <ExternalLinkAltIcon /> { _("Read more...") }
- </a>
- </small>
</span>
</DataListCell>,
]}
Index: cockpit-309/pkg/networkmanager/bond.jsx
===================================================================
--- cockpit-309.orig/pkg/networkmanager/bond.jsx
+++ cockpit-309/pkg/networkmanager/bond.jsx
@@ -142,16 +142,6 @@ export const BondDialog = ({ connection,
{_("A network bond combines multiple network interfaces into one logical interface with higher throughput or redundancy.")}
</div>
}
- footerContent={
- <Button component='a'
- rel="noopener noreferrer" target="_blank"
- variant='link'
- isInline
- icon={<ExternalLinkSquareAltIcon />} iconPosition="right"
- href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_systems_using_the_rhel_8_web_console/configuring-network-bonds-using-the-web-console_system-management-using-the-rhel-8-web-console">
- {_("Learn more")}
- </Button>
- }
>
<Button id="bond-help-popup-button" variant="plain" aria-label="Help">
<HelpIcon />
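Review bot: The replacement `href` in the `CryptoPolicyDialog` hunk (`@@ -115,7 +115,7 @@`) sends the "Learn more" button to `.../Micro-selinux/selinux-article.html`, while the link it replaces was the RHEL page on installing a system with FIPS mode enabled; judging by the URL alone, the new target documents SELinux, not FIPS or crypto policies. Someone about to change the system-wide crypto policy should land on guidance for that setting, so either link the matching SUSE FIPS or crypto-policy page or drop the button as the second hunk of the same file does for the popover footer. Separately, the tuned-dialog.jsx hunk removes the visible uses of `Popover`, `HelpIcon` and `ExternalLinkSquareAltIcon`, and the hwinfo.jsx hunk removes the use of `ExternalLinkAltIcon`; the import lines are outside the hunks, so it is worth checking that none is left unused and trips the lint step.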


@ -8,11 +8,11 @@ to be available during build and installed on the target system to work
properly.
---
Makefile.am | 1 +
src/branding/sle-micro/Makefile.am | 11 ++++
src/branding/sle-micro/branding.css | 87 ++++++++++++++++++++++++++
src/branding/suse/Makefile.am | 11 ++++
src/branding/suse/branding.css | 87 ++++++++++++++++++++++++++
3 files changed, 99 insertions(+)
create mode 100644 src/branding/sle-micro/Makefile.am
create mode 100644 src/branding/sle-micro/branding.css
create mode 100644 src/branding/suse/Makefile.am
create mode 100644 src/branding/suse/branding.css
Index: cockpit-309/Makefile.am
===================================================================
@ -22,19 +22,19 @@ Index: cockpit-309/Makefile.am
include src/branding/fedora/Makefile.am
include src/branding/kubernetes/Makefile.am
include src/branding/opensuse/Makefile.am
+include src/branding/sle-micro/Makefile.am
+include src/branding/suse/Makefile.am
include src/branding/registry/Makefile.am
include src/branding/rhel/Makefile.am
include src/branding/scientific/Makefile.am
Index: cockpit-309/src/branding/sle-micro/Makefile.am
Index: cockpit-309/src/branding/suse/Makefile.am
===================================================================
--- /dev/null
+++ cockpit-309/src/branding/sle-micro/Makefile.am
+++ cockpit-309/src/branding/suse/Makefile.am
@@ -0,0 +1,11 @@
+slemicrobrandingdir = $(datadir)/cockpit/branding/sle-micro
+slemicrobrandingdir = $(datadir)/cockpit/branding/suse
+
+dist_slemicrobranding_DATA = \
+ src/branding/sle-micro/branding.css \
+ src/branding/suse/branding.css \
+ $(NULL)
+
+install-data-hook::
@ -42,10 +42,10 @@ Index: cockpit-309/src/branding/sle-micro/Makefile.am
+ ln -sf /usr/share/pixmaps/distribution-logos/square-hicolor.svg $(DESTDIR)$(slemicrobrandingdir)/square-hicolor.svg
+ ln -sf /usr/share/pixmaps/distribution-logos/favicon.ico $(DESTDIR)$(slemicrobrandingdir)/favicon.ico
+ ln -sf /usr/share/pixmaps/distribution-logos/apple-touch-icon.png $(DESTDIR)$(slemicrobrandingdir)/apple-touch-icon.png
Index: cockpit-309/src/branding/sle-micro/branding.css
Index: cockpit-309/src/branding/suse/branding.css
===================================================================
--- /dev/null
+++ cockpit-309/src/branding/sle-micro/branding.css
+++ cockpit-309/src/branding/suse/branding.css
@@ -0,0 +1,87 @@
+/* Extra overrides */
+:root {


@ -38,22 +38,22 @@ Index: cockpit/pkg/networkmanager/manifest.json
- {
- "label": "Managing networking teams",
- "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_systems_using_the_rhel_8_web_console/configuring-network-teams-using-the-web-console_system-management-using-the-rhel-8-web-console"
+ "url": "https://documentation.suse.com/smart/systems-management/html/cockpit-slemicro/index.html#cockpit-managing-bonds"
+ "url": "https://documentation.suse.com/sle-micro/6.0/html/Micro-6.0-cockpit/index.html#cockpit-managing-bonds"
},
{
"label": "Managing networking bridges",
- "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_systems_using_the_rhel_8_web_console/configuring-network-bridges-in-the-web-console_system-management-using-the-rhel-8-web-console"
+ "url": "https://documentation.suse.com/smart/systems-management/html/cockpit-slemicro/index.html#task-managing-bridges"
+ "url": "https://documentation.suse.com/sle-micro/6.0/html/Micro-6.0-cockpit/index.html#task-managing-bridges"
},
{
"label": "Managing VLANs",
- "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_systems_using_the_rhel_8_web_console/configuring-vlans-in-the-web-console_system-management-using-the-rhel-8-web-console"
+ "url": "https://documentation.suse.com/smart/systems-management/html/cockpit-slemicro/index.html#task-managing-vlans"
+ "url": "https://documentation.suse.com/sle-micro/6.0/html/Micro-6.0-cockpit/index.html#task-managing-vlans"
},
{
"label": "Managing firewall",
- "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_systems_using_the_rhel_8_web_console/managing_firewall_using_the_web_console"
+ "url": "https://documentation.suse.com/smart/systems-management/html/cockpit-slemicro/index.html#task-managing-firewall-cockpit"
+ "url": "https://documentation.suse.com/sle-micro/6.0/html/Micro-6.0-cockpit/index.html#task-managing-firewall-cockpit"
+ }
+ ],
+ "docs-rh": [
@ -85,23 +85,23 @@ Index: cockpit/pkg/storaged/manifest.json
{
"label": "Managing partitions",
- "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_systems_using_the_rhel_8_web_console/managing-partitions-using-the-web-console_system-management-using-the-rhel-8-web-console"
+ "url": "https://documentation.suse.com/smart/systems-management/html/cockpit-slemicro/index.html#glue-cockpit-managing-filesystems"
+ "url": "https://documentation.suse.com/sle-micro/6.0/html/Micro-6.0-cockpit/index.html#glue-cockpit-managing-filesystems"
},
{
"label": "Managing NFS mounts",
- "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_systems_using_the_rhel_8_web_console/managing-nfs-mounts-in-the-web-console_system-management-using-the-rhel-8-web-console"
+ "url": "https://documentation.suse.com/smart/systems-management/html/cockpit-slemicro/index.html#task-managing-NFS-mounts"
+ "url": "https://documentation.suse.com/sle-micro/6.0/html/Micro-6.0-cockpit/index.html#task-managing-NFS-mounts"
},
{
"label": "Managing RAIDs",
- "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_systems_using_the_rhel_8_web_console/managing-redundant-arrays-of-independent-disks-in-the-web-console_system-management-using-the-rhel-8-web-console"
+ "url": "https://documentation.suse.com/smart/systems-management/html/cockpit-slemicro/index.html#id-1.7.6"
+ "url": "https://documentation.suse.com/sle-micro/6.0/html/Micro-6.0-cockpit/index.html#id-1.7.6"
},
{
"label": "Managing LVMs",
- "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_systems_using_the_rhel_8_web_console/using-the-web-console-for-configuring-lvm-logical-volumes_system-management-using-the-rhel-8-web-console"
- },
+ "url": "https://documentation.suse.com/smart/systems-management/html/cockpit-slemicro/index.html#id-1.7.7"
+ "url": "https://documentation.suse.com/sle-micro/6.0/html/Micro-6.0-cockpit/index.html#id-1.7.7"
+ }
+ ],
+ "docs-rh": [
@ -117,7 +117,7 @@ Index: cockpit/pkg/systemd/manifest.json
{
"label": "Configuring system settings",
- "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_systems_using_the_rhel_8_web_console/getting-started-with-the-rhel-8-web-console_system-management-using-the-rhel-8-web-console"
+ "url": "https://documentation.suse.com/smart/systems-management/html/cockpit-slemicro/index.html#cockpit-configuring-servers"
+ "url": "https://documentation.suse.com/sle-micro/6.0/html/Micro-6.0-cockpit/index.html#cockpit-configuring-servers"
}
],
"keywords": [
@ -126,7 +126,7 @@ Index: cockpit/pkg/systemd/manifest.json
{
"label": "Managing services",
- "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_systems_using_the_rhel_8_web_console/managing-services-in-the-web-console_system-management-using-the-rhel-8-web-console"
+ "url": "https://documentation.suse.com/smart/systems-management/html/cockpit-slemicro/index.html#glue-services-management"
+ "url": "https://documentation.suse.com/sle-micro/6.0/html/Micro-6.0-cockpit/index.html#glue-services-management"
}
],
"keywords": [
@ -135,7 +135,7 @@ Index: cockpit/pkg/systemd/manifest.json
{
"label": "Reviewing logs",
- "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_systems_using_the_rhel_8_web_console/reviewing-logs_system-management-using-the-rhel-8-web-console"
+ "url": "https://documentation.suse.com/smart/systems-management/html/cockpit-slemicro/index.html#cockpit-filtering-logs"
+ "url": "https://documentation.suse.com/sle-micro/6.0/html/Micro-6.0-cockpit/index.html#cockpit-filtering-logs"
}
],
"keywords": [
@ -148,7 +148,7 @@ Index: cockpit/pkg/users/manifest.json
{
"label": "Managing user accounts",
- "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_systems_using_the_rhel_8_web_console/managing-user-accounts-in-the-web-console_system-management-using-the-rhel-8-web-console"
+ "url": "https://documentation.suse.com/smart/systems-management/html/cockpit-slemicro/index.html#glue-managing-users"
+ "url": "https://documentation.suse.com/sle-micro/6.0/html/Micro-6.0-cockpit/index.html#glue-managing-users"
}
],
"keywords": [