diff --git a/CVE-2024-6126.patch b/CVE-2024-6126.patch
index 566f37a..53fc8d7 100644
--- a/CVE-2024-6126.patch
+++ b/CVE-2024-6126.patch
@@ -1,4 +1,4 @@
-From 2274359df6feffc990831c7d7a32a56d9244d38a Mon Sep 17 00:00:00 2001
+From ae17e10a9a6335c4f3c40eefae08bc22ebfc0a6d Mon Sep 17 00:00:00 2001
 From: Martin Pitt
 Date: Mon, 10 Jun 2024 10:49:56 +0200
 Subject: [PATCH] pam-ssh-add: Fix insecure killing of session ssh-agent
@@ -32,11 +32,11 @@ CVE-2024-6126
 https://bugzilla.redhat.com/show_bug.cgi?id=2290859
 ---
  src/pam-ssh-add/pam-ssh-add.c | 46 ++++++++++++++++++++++++++++-------
- test/verify/check-session | 30 +++++++++++++++++++++++
- 2 files changed, 67 insertions(+), 9 deletions(-)
+ test/verify/check-session | 33 +++++++++++++++++++++++++
+ 2 files changed, 70 insertions(+), 9 deletions(-)
 diff --git a/src/pam-ssh-add/pam-ssh-add.c b/src/pam-ssh-add/pam-ssh-add.c
-index a9159d710..839b797d2 100644
+index a9159d71004..839b797d215 100644
 --- a/src/pam-ssh-add/pam-ssh-add.c
 +++ b/src/pam-ssh-add/pam-ssh-add.c
 @@ -54,6 +54,9 @@ const char *pam_ssh_agent_arg = NULL;
@@ -111,19 +111,22 @@ index a9159d710..839b797d2 100644
  return PAM_SUCCESS;
  }
 diff --git a/test/verify/check-session b/test/verify/check-session
-index f771b5f69..939d29428 100755
+index 56a0fc08c04..21812f32507 100755
 --- a/test/verify/check-session
 +++ b/test/verify/check-session
-@@ -76,6 +76,36 @@ class TestSession(testlib.MachineCase):
+@@ -86,6 +86,39 @@ class TestSession(testlib.MachineCase):
  b.logout()
  wait_session(should_exist=False)
-+ # try to pwn $SSH_AGENT_PID via pam_env's user_readenv=1
++ # try to pwn $SSH_AGENT_PID via pam_env's user_readenv=1 (CVE-2024-6126)
 +
-+ if m.image in ["fedora-39", "fedora-40"]:
-+ # pam_env user_readenv crashes in Fedora, skip the test
++ if m.image in ["fedora-39", "fedora-40", "centos-10", "rhel-10-0"]:
++ # pam_env user_readenv crashes in Fedora/RHEL 10, skip the test
 + # https://bugzilla.redhat.com/show_bug.cgi?id=2293045
 + return
++ if m.ostree_image:
++ # not using cockpit's PAM config
++ return
 +
 + # this is enabled by default in tools/cockpit.debian.pam, as well as
 + # Debian/Ubuntu's /etc/pam.d/sshd; but not in Fedora/RHEL
@@ -151,6 +154,3 @@ index f771b5f69..939d29428 100755
  if __name__ == '__main__':
  testlib.test_main()
---
-2.45.2
-
diff --git a/cockpit.changes b/cockpit.changes
index a2971f8..891efe5 100644
--- a/cockpit.changes
+++ b/cockpit.changes
@@ -1,7 +1,18 @@
+-------------------------------------------------------------------
+Thu Jul 4 09:15:08 UTC 2024 - Adam Majer
+
+- suse_docs.patch: update documentation to point at new links (bsc#1226050)
+- remove_rh_links.patch: remove additional hardcoded RH refs (bsc#1221336)
+- disable cockpit-pcp support since it's not supported here
+- hide-pcp.patch: don't display info about cockpit-pcp - uninstallable
+- suse-microos-branding.patch: use suse ID as branding instead of sle-micro
+ (bsc#1227441)
+
 -------------------------------------------------------------------
 Wed Jul 3 06:04:40 UTC 2024 - Luna D Dragon
-- add CVE-2024-6126.patch to resolve CVE-2024-6126
+- CVE-2024-6126.patch: Fix insecure killing of session ssh-agent
+ (CVE-2024-6126, bsc#1226040)
 -------------------------------------------------------------------
 Wed Jun 5 05:11:19 UTC 2024 - Luna D Dragon
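Review bot: The two added early returns in the check-session hunk (`++ if m.ostree_image:` / `++ return`, and the widened `m.image in [...]` list) make the CVE-2024-6126 regression test report a pass on those images without ever exercising the pam_env path; if testlib.MachineCase derives from unittest.TestCase, `self.skipTest("pam_env user_readenv crashes, see rhbz#2293045")` would record them as skips rather than passes. This is upstream test code carried in the refreshed patch rather than something this packaging change wrote, and nothing in the visible spec hunks runs check-session, so the point is informational. The `index` lines for pam-ssh-add.c keep the same blob prefixes (a9159d710…/839b797d2…), which suggests the C fix itself is unchanged between the two upstream commits and only the test was extended; recording the new upstream commit id (ae17e10a…) in the changelog entry would make the next rebase easier to audit.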
diff --git a/cockpit.spec b/cockpit.spec
index 2cba874..d8ffa96 100644
--- a/cockpit.spec
+++ b/cockpit.spec
@@ -72,9 +72,11 @@ Patch7: CVE-2024-6126.patch
 Patch101: hide-pcp.patch
 Patch102: 0002-selinux-temporary-remove-setroubleshoot-section.patch
 # For anything based on SLES 15 codebase (including Leap, SLE Micro)
-#Patch103: 0004-leap-gnu18-removal.patch
+Patch103: 0004-leap-gnu18-removal.patch
 Patch104: selinux_libdir.patch
+Patch201: remove_rh_links.patch
+
 %if 0%{?fedora} >= 38 || 0%{?rhel} >= 9
 %define cockpit_enable_python 1
 %endif
@@ -116,13 +118,8 @@ Patch104: selinux_libdir.patch
 %define disallow_root 1
 %endif
-# pcp stopped building on ix86
-%define build_pcp 1
-%if 0%{?fedora} >= 40 || 0%{?rhel} >= 10 || 0%{?suse_version} > 1500
-%ifarch %ix86
+# No PCP on SLE Micro
 %define build_pcp 0
-%endif
-%endif
 # Ship custom SELinux policy (but not for cockpit-appstream)
 %if 0%{?rhel} >= 9 || 0%{?fedora} || 0%{?suse_version} >= 1600 || 0%{?is_smo}
@@ -253,19 +250,19 @@ BuildRequires: python3-tox-current-env
 %patch7 -p1
 # SLE Micro specific patches
-%if 0%{?is_smo}
 %patch101 -p1
 # Patches for versions lower then SLE Micro 5.5
 %if 0%{?sle_version} < 150500
 %patch102 -p1
 %endif
-%endif
 # For anything based on SLES 15 codebase (including Leap, SLEM)
 %if 0%{?suse_version} == 1500
 %patch103 -p1
 %patch104 -p0
 %endif
+%patch201 -p1
+
 cp %SOURCE1 tools/cockpit.pam
 # rm -rf node_modules package-lock.json
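Review bot: Dropping the `%if 0%{?is_smo}` guard in the `@@ -253,19 +250,19 @@` hunk changes which builds get patch102: `%if 0%{?sle_version} < 150500` evaluates true when `sle_version` is undefined (`0 < 150500`), so on any target without that macro the setroubleshoot-removal patch is now applied as well, not only on SLE Micro before 5.5. If that is not intended, `%if 0%{?sle_version} && 0%{?sle_version} < 150500` keeps the old scope while still letting patch101 apply everywhere. The comments `# SLE Micro specific patches` above `%patch101 -p1` and `# No PCP on SLE Micro` in the `@@ -116,13 +118,8 @@` hunk are now misleading, since both apply unconditionally; `# cockpit-pcp is not built for this package at all (see changelog)` matches the changelog entry better. Whether this spec is ever built for targets other than SLE Micro is not visible here.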
@@ -454,13 +451,13 @@ sed -i "s|%{buildroot}||" *.list
 # remove brandings with stale symlinks. Means they don't match
 # the distro.
 pushd %{buildroot}/%{_datadir}/cockpit/branding
-ls --hide={default,kubernetes,opensuse,registry,sle-micro,suse} | xargs rm -rv
+ls --hide={default,kubernetes,opensuse,registry,suse} | xargs rm -rv
 popd
 # need this in SUSE as post build checks dislike stale symlinks
 install -m 644 -D /dev/null %{buildroot}/run/cockpit/motd
 test -e %{buildroot}/usr/share/cockpit/branding/opensuse/default-1920x1200.jpg || install -m 644 -D /dev/null %{buildroot}/usr/share/cockpit/branding/opensuse/default-1920x1200.jpg
-test -e %{buildroot}/usr/share/cockpit/branding/sle-micro/apple-touch-icon.png || install -m 644 -D /dev/null %{buildroot}/usr/share/cockpit/branding/sle-micro/apple-touch-icon.png
-test -e %{buildroot}/usr/share/cockpit/branding/sle-micro/default-1920x1200.png || install -m 644 -D /dev/null %{buildroot}/usr/share/cockpit/branding/sle-micro/default-1920x1200.png
+test -e %{buildroot}/usr/share/cockpit/branding/suse/apple-touch-icon.png || install -m 644 -D /dev/null %{buildroot}/usr/share/cockpit/branding/suse/apple-touch-icon.png
+test -e %{buildroot}/usr/share/cockpit/branding/suse/default-1920x1200.png || install -m 644 -D /dev/null %{buildroot}/usr/share/cockpit/branding/suse/default-1920x1200.png
 # remove files of not installable packages
 rm -r %{buildroot}%{_datadir}/cockpit/sosreport
 rm -f %{buildroot}/%{_prefix}/share/metainfo/org.cockpit-project.cockpit-sosreport.metainfo.xml
diff --git a/hide-pcp.patch b/hide-pcp.patch
index 3d1e31a..217793c 100644
--- a/hide-pcp.patch
+++ b/hide-pcp.patch
@@ -10,3 +10,25 @@ Index: cockpit/pkg/metrics/metrics.jsx
 isDisabled={ invalidService(s_pmlogger) || invalidService(s_pmproxy) || invalidService(s_redis) || invalidService(s_redis_server) } onClick={show_dialog}> { _("Metrics settings") }
+Index: cockpit-309/pkg/metrics/metrics.jsx
+===================================================================
+--- cockpit-309.orig/pkg/metrics/metrics.jsx
++++ cockpit-309/pkg/metrics/metrics.jsx
+@@ -1809,7 +1809,8 @@ class MetricsHistory extends React.Compo
+ // on a single machine, cockpit-pcp depends on pcp; but this may not be the case in the beiboot scenario,
+ // so additionally check if pcp is available on the logged in target machine
+ if ((cockpit.manifests && !cockpit.manifests.pcp) || this.pmlogger_service.exists === false)
+- return
++/* return { _("Installation not supported without installed cockpit package") } + : this.state.packagekitExists && } + />;
++*/
+
+ if (!this.state.metricsAvailable) {
+ let action;
diff --git a/remove_rh_links.patch b/remove_rh_links.patch
new file mode 100644
index 0000000..589257b
--- /dev/null
+++ b/remove_rh_links.patch
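Review bot: Commenting out the `return` with `/* … */` in the new inner hunk leaves the brace-less `if ((cockpit.manifests && !cockpit.manifests.pcp) || this.pmlogger_service.exists === false)` on the line above with the next statement as its body, so `if (!this.state.metricsAvailable) { … }` would only run when the pcp manifest is missing or pmlogger does not exist — the opposite of what the changelog's "don't display info about cockpit-pcp" intent suggests. Deleting the `if` line together with the `return …;` lines (plain `-` lines in the inner hunk, no block comment) avoids that and leaves no dead JSX in metrics.jsx; it also removes the risk of a syntax error should the commented span ever contain `*/`. The visible `if` line ends without an opening brace, but this rendering drops JSX tags, so confirm against the actual source before relying on that reading.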
@@ -0,0 +1,108 @@
+Index: cockpit-309/pkg/systemd/overview-cards/cryptoPolicies.jsx
+===================================================================
+--- cockpit-309.orig/pkg/systemd/overview-cards/cryptoPolicies.jsx
++++ cockpit-309/pkg/systemd/overview-cards/cryptoPolicies.jsx
+@@ -115,7 +115,7 @@ const CryptoPolicyDialog = ({
+ variant='link'
+ isInline
+ icon={} iconPosition="right"
+- href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/assembly_installing-a-rhel-8-system-with-fips-mode-enabled_security-hardening">
++ href="https://documentation.suse.com/sle-micro/6.0/html/Micro-selinux/selinux-article.html">
+ {_("Learn more")}
+
+ ),
+@@ -154,16 +154,6 @@ const CryptoPolicyDialog = ({ + {_("Cryptographic Policies is a system component that configures the core cryptographic subsystems, covering the TLS, IPSec, SSH, DNSSec, and Kerberos protocols.")} + + } +- footerContent={ +- +- } + > + +- } +- > +- +- +- ); +- + return ( + +
{ _("Disable simultaneous multithreading") } (nosmt)
+- +- +- { _("Read more...") } +- +- +
+ , + ]} +Index: cockpit-309/pkg/networkmanager/bond.jsx +=================================================================== +--- cockpit-309.orig/pkg/networkmanager/bond.jsx ++++ cockpit-309/pkg/networkmanager/bond.jsx +@@ -142,16 +142,6 @@ export const BondDialog = ({ connection, + {_("A network bond combines multiple network interfaces into one logical interface with higher throughput or redundancy.")} + + } +- footerContent={ +- +- } + > +
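Review bot: The replacement `href` in the `@@ -115,7 +115,7 @@ const CryptoPolicyDialog` hunk points the crypto-policies dialog's "Learn more" link at a SELinux article (`https://documentation.suse.com/sle-micro/6.0/html/Micro-selinux/selinux-article.html`), whereas the line it replaces linked to the FIPS-mode installation guide, so a user reading about FIPS and crypto policies is sent to documentation for an unrelated feature. Either link a SUSE crypto-policies/FIPS document (`href="<SUSE FIPS or crypto-policies documentation URL>"`) or drop the link entirely, as the other hunks in this file do for the footer "Read more..." links. The URL also hard-codes the `6.0` release, so later SLE Micro versions will need the patch refreshed. Much of the JSX in this new file is lost in this rendering and the file's last hunk may extend past the final line shown, so the remaining hunks are not reviewed here.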