Accepting request 968252 from home:cboltz

- add profile for zgrep and xzgrep to prevent CVE-2022-1271
  (zgrep-profile-mr870.diff)

OBS-URL: https://build.opensuse.org/request/show/968252
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=322

apparmor.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Sun Apr 10 13:08:56 UTC 2022 - Christian Boltz <suse-beta@cboltz.de>
+
+- add profile for zgrep and xzgrep to prevent CVE-2022-1271
+  (zgrep-profile-mr870.diff)
+
 -------------------------------------------------------------------
 Tue Mar 29 20:04:22 UTC 2022 - Christian Boltz <suse-beta@cboltz.de>
 

apparmor.spec

@@ -86,6 +86,9 @@ Patch7:         update-samba-bgqd.diff
 # see (https://gitlab.com/apparmor/apparmor/-/merge_requests/862)
 Patch8:         update-usr-sbin-smbd.diff
 
+# add zgrep and xzgrep profile (submitted upstream 2022-04-10 https://gitlab.com/apparmor/apparmor/-/merge_requests/870)
+Patch9:         zgrep-profile-mr870.diff
+
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix %{?usrmerged:/usr}/lib/apparmor
@@ -350,6 +353,7 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
 %patch5
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 
 %build
 %define _lto_cflags %{nil}
@@ -580,6 +584,7 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la
 %config(noreplace) %{_sysconfdir}/apparmor.d/nvidia_modprobe
 %config(noreplace) %{_sysconfdir}/apparmor.d/php-fpm
 %config(noreplace) %{_sysconfdir}/apparmor.d/samba-bgqd
+%config(noreplace) %{_sysconfdir}/apparmor.d/zgrep
 %config(noreplace) %{_sysconfdir}/apparmor.d/local/*
 %dir /usr/share/apparmor/
 %if %{with precompiled_cache}

zgrep-profile-mr870.diff

@@ -0,0 +1,77 @@
+From 3a3b49ccd93d00cbc373319b90c6acecdd6f45fa Mon Sep 17 00:00:00 2001
+From: Christian Boltz <apparmor@cboltz.de>
+Date: Sun, 10 Apr 2022 15:03:08 +0200
+Subject: [PATCH] Add zgrep and xzgrep profile
+
+This prevents exploiting https://www.openwall.com/lists/oss-security/2022/04/08/2
+(code execution via "funny" filenames)
+---
+ profiles/apparmor.d/zgrep | 59 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 59 insertions(+)
+ create mode 100644 profiles/apparmor.d/zgrep
+
+diff --git a/profiles/apparmor.d/zgrep b/profiles/apparmor.d/zgrep
+new file mode 100644
+index 000000000..0bf0765d1
+--- /dev/null
++++ b/profiles/apparmor.d/zgrep
+@@ -0,0 +1,59 @@
++# ------------------------------------------------------------------
++#
++#    Copyright (C) 2021 Christian Boltz
++#
++#    This program is free software; you can redistribute it and/or
++#    modify it under the terms of version 2 of the GNU General Public
++#    License published by the Free Software Foundation.
++#
++# ------------------------------------------------------------------
++
++abi <abi/3.0>,
++
++include <tunables/global>
++
++profile zgrep /usr/bin/{x,}zgrep {
++  include <abstractions/base>
++  include <abstractions/bash>
++
++  /dev/tty rw,
++  /usr/bin/bash ix,
++  /usr/bin/bzip2 Cx -> helper,
++  /usr/bin/cat ix,
++  /usr/bin/grep Cx -> helper,
++  /usr/bin/gzip Cx -> helper,
++  /usr/bin/mktemp ix,
++  /usr/bin/rm ix,
++  /usr/bin/sed Cx -> sed,
++  /usr/bin/xz Cx -> helper,
++  /usr/bin/xzgrep r,
++  /usr/bin/zgrep Cx -> helper,
++  owner /tmp/zgrep* rw,
++  /usr/bin/zgrep r,
++
++  include if exists <local/zgrep>
++
++  profile helper {
++    include <abstractions/base>
++
++    capability dac_override,
++    capability dac_read_search,
++
++    /usr/bin/bash ix,
++    /usr/bin/bzip2 mr,
++    /usr/bin/grep mr,
++    /usr/bin/gzip mr,
++    /usr/bin/xz mr,
++    /{,**} r,
++
++  }
++
++  profile sed {
++    include <abstractions/base>
++
++    /dev/tty rw,
++    /usr/bin/bash ix,
++    /usr/bin/sed mr,
++
++  }
++}