Sync from SUSE:ALP:Source:Standard:1.0 mlocate revision b9396f763b4d1d6aefc74ab850d19ff7

2024-03-07 09:58:11 +01:00 · 2024-03-07 09:58:11 +01:00 · b6cba01f80
commit b6cba01f80
parent f22c3d2d2a
3 changed files with 34 additions and 1 deletions
--- a/mlocate.changes
+++ b/mlocate.changes
@ -1,8 +1,31 @@
+-------------------------------------------------------------------
+Thu Feb 29 12:12:02 UTC 2024 - Jiri Srain <jsrain@suse.com>
+
+- add bcond for building without AppArmor support (for ALP code
+  base)
+
+-------------------------------------------------------------------
+Thu Jan 25 07:40:47 UTC 2024 - Peter Simons <psimons@suse.com>
+
+- Remove the post-install scriptlet introduced earlier. It turns
+  out that "chmod" call opened a security vulnerability that
+  allowed users with write access to /var/lib/mlocate to obtain
+  read/write access to arbitrary files on the system, possibly
+  facilitating privilege escalation to root. [bsc#1218896,
+  CVE-2023-32190]
+
 -------------------------------------------------------------------
 Mon Jan  8 11:10:30 UTC 2024 - Frederic Crozat <fcrozat@suse.com>

 - Drop url from source, fedorahosted.org is no longer running.

+-------------------------------------------------------------------
+Wed Dec 13 17:16:03 UTC 2023 - Jean Delvare <jdelvare@suse.com>
+
+- Add a post-install scriptlet to fix incorrect database
+  permissions (bsc#1188933). Modified:
+  * mlocate.spec
+
 -------------------------------------------------------------------
 Fri Mar 17 11:14:00 UTC 2023 - Arjen de Korte <suse+build@de-korte.org>

--- a/mlocate.service
+++ b/mlocate.service
@ -20,7 +20,9 @@ ExecStart=/bin/sh -c \
          "chown -R ${RUN_UPDATEDB_AS}:root /var/lib/mlocate && \
          su --shell=/bin/sh ${RUN_UPDATEDB_AS} -c 'umask 0022; /usr/bin/updatedb'"

-# Ensure we have proper umask bnc#941296
+# Unfortunately, the umask we set here is lost because we invoke updatedb
+# through 'su' to change to the user ${RUN_UPDATEDB_AS}. See bnc#941296 and
+# bnc#1209409 for further details.
 UMask=0022

 # Alter the priority of the updatedb process
--- a/mlocate.spec
+++ b/mlocate.spec
@ -16,6 +16,8 @@
 #


+%bcond_without  apparmor
+
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
  %define _fillupdir %{_localstatedir}/adm/fillup-templates
@ -40,7 +42,9 @@ BuildRequires:  grep
 BuildRequires:  sed
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  xz
+%if %{with apparmor}
 Requires:       apparmor-abstractions
+%endif
 Requires(post): %fillup_prereq
 Recommends:     %{name}-lang = %{version}
 Provides:       findutils:%{_bindir}/locate
@ -95,8 +99,10 @@ install -D -m 644 %{SOURCE6} %{buildroot}%{_unitdir}/mlocate.service
 mkdir -p %{buildroot}%{_sbindir}
 ln -s /usr/sbin/service %{buildroot}/%{_sbindir}/rcmlocate
 # apparmor
+%if %{with apparmor}
 install -D -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.locate
 install -D -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.updatedb
+%endif

 %check
 make check %{?_smp_mflags}
@ -126,8 +132,10 @@ make check %{?_smp_mflags}
 %dir %{_localstatedir}/lib/mlocate
 %ghost %{_localstatedir}/lib/mlocate/mlocate.db
 %{_fillupdir}/*
+%if %{with apparmor}
 %dir %{_sysconfdir}/apparmor.d/
 %{_sysconfdir}/apparmor.d/*
+%endif
 %{_sbindir}/rcmlocate

 %files lang -f %{name}.lang