diff --git a/mlocate.changes b/mlocate.changes index 93e3da2..9c7d2a9 100644 --- a/mlocate.changes +++ b/mlocate.changes @@ -1,8 +1,31 @@ +------------------------------------------------------------------- +Thu Feb 29 12:12:02 UTC 2024 - Jiri Srain + +- add bcond for building without AppArmor support (for ALP code + base) + +------------------------------------------------------------------- +Thu Jan 25 07:40:47 UTC 2024 - Peter Simons + +- Remove the post-install scriptlet introduced earlier. It turns + out that "chmod" call opened a security vulnerability that + allowed users with write access to /var/lib/mlocate to obtain + read/write access to arbitrary files on the system, possibly + facilitating privilege escalation to root. [bsc#1218896, + CVE-2023-32190] + ------------------------------------------------------------------- Mon Jan 8 11:10:30 UTC 2024 - Frederic Crozat - Drop url from source, fedorahosted.org is no longer running. +------------------------------------------------------------------- +Wed Dec 13 17:16:03 UTC 2023 - Jean Delvare + +- Add a post-install scriptlet to fix incorrect database + permissions (bsc#1188933). Modified: + * mlocate.spec + ------------------------------------------------------------------- Fri Mar 17 11:14:00 UTC 2023 - Arjen de Korte diff --git a/mlocate.service b/mlocate.service index 05a218d..f704a53 100644 --- a/mlocate.service +++ b/mlocate.service @@ -20,7 +20,9 @@ ExecStart=/bin/sh -c \ "chown -R ${RUN_UPDATEDB_AS}:root /var/lib/mlocate && \ su --shell=/bin/sh ${RUN_UPDATEDB_AS} -c 'umask 0022; /usr/bin/updatedb'" -# Ensure we have proper umask bnc#941296 +# Unfortunately, the umask we set here is lost because we invoke updatedb +# through 'su' to change to the user ${RUN_UPDATEDB_AS}. See bnc#941296 and +# bnc#1209409 for further details. UMask=0022 # Alter the priority of the updatedb process diff --git a/mlocate.spec b/mlocate.spec index e6116cd..69df7b8 100644 --- a/mlocate.spec +++ b/mlocate.spec 
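Review bot: The rewritten comment above `UMask=0022` in mlocate.service says the setting is lost once updatedb runs through `su`, but it does not say why the directive is kept, nor that the `umask 0022` inside the `su -c` string is the one that takes effect. I would add a line such as `# The umask that takes effect is the 'umask 0022' inside the su -c command in ExecStart.` so that nobody later removes the inner call as redundant. Separately, the unchanged context still runs `chown -R ${RUN_UPDATEDB_AS}:root /var/lib/mlocate` as root on each start, while the changelog in this same commit attributes CVE-2023-32190 to the post-install `chmod` on that directory; it is worth confirming that the recursive chown does not carry a similar exposure when that user controls the directory's contents. The unit file continues outside the hunk, so the rest of the `[Service]` section cannot be checked from here.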
@@ -16,6 +16,8 @@ # +%bcond_without apparmor + #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! %{defined _fillupdir} %define _fillupdir %{_localstatedir}/adm/fillup-templates @@ -40,7 +42,9 @@ BuildRequires: grep BuildRequires: sed BuildRequires: systemd-rpm-macros BuildRequires: xz +%if %{with apparmor} Requires: apparmor-abstractions +%endif Requires(post): %fillup_prereq Recommends: %{name}-lang = %{version} Provides: findutils:%{_bindir}/locate @@ -95,8 +99,10 @@ install -D -m 644 %{SOURCE6} %{buildroot}%{_unitdir}/mlocate.service mkdir -p %{buildroot}%{_sbindir} ln -s /usr/sbin/service %{buildroot}/%{_sbindir}/rcmlocate # apparmor +%if %{with apparmor} install -D -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.locate install -D -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.updatedb +%endif %check make check %{?_smp_mflags} @@ -126,8 +132,10 @@ make check %{?_smp_mflags} %dir %{_localstatedir}/lib/mlocate %ghost %{_localstatedir}/lib/mlocate/mlocate.db %{_fillupdir}/* +%if %{with apparmor} %dir %{_sysconfdir}/apparmor.d/ %{_sysconfdir}/apparmor.d/* +%endif %{_sbindir}/rcmlocate %files lang -f %{name}.lang
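Review bot: The new `%bcond_without apparmor` at the top of mlocate.spec has no comment, and the macro name reads as the opposite of what it does: AppArmor stays enabled by default and the build gains a `--without apparmor` switch. A line such as `# AppArmor profiles are packaged by default; build with --without apparmor only where AppArmor is unavailable` would help, ideally also noting that such a build ships locate and updatedb with no profile installed. The same conditional is repeated in the Requires, %install and %files hunks; if the spec has scriptlets or other references to the profiles outside these hunks, they need the same guard, which cannot be checked from here. In the %install hunk the `# apparmor` comment stays outside the `%if`, so moving it inside would keep the block self-describing.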