- Add changes requested by Security - new file "security_fixes.patch"

File UserManual.pdf is resent to clear error in build. OBS-URL: https://build.opensuse.org/package/show/Virtualization/virtualbox?expand=0&rev=468
2019-01-31 19:33:38 +00:00 · 2019-01-31 19:33:38 +00:00 · 7b5bd27064
commit 7b5bd27064
parent 22387963da
4 changed files with 46 additions and 2 deletions
--- a/UserManual.pdf
+++ b/UserManual.pdf
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:073648489e87aeda24143a64b13e46f7d6231ff215d75715d16aec558890da0c
-size 4326191
+oid sha256:3bc1ef7d3f3a88260f9adc789d908749d8e0f41ef0a4150b71e3b84261717a19
+size 4326192
--- a/security_fixes.patch
+++ b/security_fixes.patch
@ -0,0 +1,35 @@
+# This patch file is to warn future maintainers of VirtualBox on openSUSE
+# platforms that the distributed versions of vboxadd.sh and vboxdrv.sh
+# contain security holes. If you need to use these scripts in the future,
+# please consult the Security Group at openSUSE.
+#
+# January 31, 2019 - Larry Finger
+#
+Index: VirtualBox-6.0.4/src/VBox/Additions/linux/installer/vboxadd.sh
+===================================================================
+--- VirtualBox-6.0.4.orig/src/VBox/Additions/linux/installer/vboxadd.sh
+++ VirtualBox-6.0.4/src/VBox/Additions/linux/installer/vboxadd.sh
+@@ -560,6 +560,9 @@ dmnstatus()
+     fi
+ }
+ 
+echo "This script has insecurities. It must never be used in openSUSE without consultine Security."
+exit 1
+
+ case "$2" in quiet)
+     QUIET=yes;;
+ esac
+Index: VirtualBox-6.0.4/src/VBox/Installer/linux/vboxdrv.sh
+===================================================================
+--- VirtualBox-6.0.4.orig/src/VBox/Installer/linux/vboxdrv.sh
+++ VirtualBox-6.0.4/src/VBox/Installer/linux/vboxdrv.sh
+@@ -37,6 +37,9 @@ DEVICE=/dev/vboxdrv
+ MODPROBE=/sbin/modprobe
+ SCRIPTNAME=vboxdrv.sh
+ 
+echo "This script has insecurities. It must never be used in openSUSE without consultine Security."
+exit 1
+
+ # The below is GNU-specific.  See VBox.sh for the longer Solaris/OS X version.
+ TARGET=`readlink -e -- "${0}"` || exit 1
+ SCRIPT_DIR="${TARGET%/[!/]*}"
--- a/virtualbox.changes
+++ b/virtualbox.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Jan 31 19:31:20 UTC 2019 - Larry Finger <Larry.Finger@gmail.com>
+
+- Add changes requested by Security - new file "security_fixes.patch"
+  File UserManual.pdf is resent to clear error in build.
+
 -------------------------------------------------------------------
 Tue Jan 29 15:15:53 UTC 2019 - Larry Finger <Larry.Finger@gmail.com>

--- a/virtualbox.spec
+++ b/virtualbox.spec
@ -92,6 +92,8 @@ Patch99:        vbox-permissions_warning.diff
 #PATCH-FIX-OPENSUSE Do not include build dates on binaries, makes build-compare happier
 Patch100:       vbox-no-build-dates.diff
 Patch101:       vbox-default-os-type.diff
+# Disable the distributed versions of vboxdrv.sh and vboxadd.sh for security reasons.
+Patch102:       security_fixes.patch
 #disable update in vbox gui
 Patch103:       vbox-disable-updates.diff
 #use pie/fPIE for setuid binaries (bnc#743143)
@ -413,6 +415,7 @@ as an "extpack" for VirtualBox. The implementation is licensed under GPL.
 %patch99 -p1
 %patch100 -p1
 %patch101 -p1
+%patch102 -p1
 %patch103 -p1
 %patch104 -p1
 %patch105 -p1