From c1ac5290fe43e050e202bcb47ef14d37553312d10178c834eece75044da99ae2 Mon Sep 17 00:00:00 2001 From: Adam Majer Date: Mon, 27 May 2019 12:33:30 +0000 Subject: [PATCH] - CVE-2019-10143.patch: fix potential privilege escalation due to insecure logrotation permissions (bsc#1136195, CVE-2019-10143) OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=119 --- CVE-2019-10143.patch | 94 +++++++++++++++++++++++++++++++++++++++ freeradius-server.changes | 6 +++ freeradius-server.spec | 2 + 3 files changed, 102 insertions(+) create mode 100644 CVE-2019-10143.patch diff --git a/CVE-2019-10143.patch b/CVE-2019-10143.patch new file mode 100644 index 0000000..0a547ef --- /dev/null +++ b/CVE-2019-10143.patch @@ -0,0 +1,94 @@ +From 1f233773962bf1a9c2d228a180eacddb9db2d574 Mon Sep 17 00:00:00 2001 +From: Alexander Scheel +Date: Tue, 7 May 2019 16:04:29 -0400 +Subject: [PATCH] su to radiusd user/group when rotating logs + +The su directive to logrotate ensures that log rotation happens under the +owner of the logs. Otherwise, logrotate runs as root:root, potentially +enabling privilege escalation if a RCE is discovered against the +FreeRADIUS daemon. + +Signed-off-by: Alexander Scheel +--- + debian/freeradius.logrotate | 3 +++ + redhat/freeradius-logrotate | 1 + + scripts/logrotate/freeradius | 3 +++ + suse/radiusd-logrotate | 1 + + 4 files changed, 8 insertions(+) + +diff --git a/debian/freeradius.logrotate b/debian/freeradius.logrotate +index 7d837d53bd..a8d29b7adf 100644 +--- a/debian/freeradius.logrotate ++++ b/debian/freeradius.logrotate +@@ -9,6 +9,7 @@ + notifempty + + copytruncate ++ su freerad freerad + } + + # (in order) +@@ -26,6 +27,7 @@ + notifempty + + nocreate ++ su freerad freerad + } + + # There are different detail-rotating strategies you can use. One is +@@ -45,4 +47,5 @@ + notifempty + + nocreate ++ su freerad freerad + } +diff --git a/redhat/freeradius-logrotate b/redhat/freeradius-logrotate +index 360765ddc4..bb97ca5547 100644 +--- a/redhat/freeradius-logrotate ++++ b/redhat/freeradius-logrotate +@@ -9,6 +9,7 @@ rotate 4 + missingok + compress + delaycompress ++su radiusd radiusd + + # + # The main server log +diff --git a/scripts/logrotate/freeradius b/scripts/logrotate/freeradius +index 3de435e76e..eecf63175a 100644 +--- a/scripts/logrotate/freeradius ++++ b/scripts/logrotate/freeradius +@@ -17,6 +17,7 @@ + notifempty + + copytruncate ++ su radiusd radiusd + } + + # (in order) +@@ -34,6 +35,7 @@ + notifempty + + nocreate ++ su radiusd radiusd + } + + # There are different detail-rotating strategies you can use. One is +@@ -53,4 +55,5 @@ + notifempty + + nocreate ++ su radiusd radiusd + } +diff --git a/suse/radiusd-logrotate b/suse/radiusd-logrotate +index 24d56be1a9..be5a797684 100644 +--- a/suse/radiusd-logrotate ++++ b/suse/radiusd-logrotate +@@ -11,6 +11,7 @@ missingok + compress + delaycompress + notifempty ++su radiusd radiusd + + # + # The main server log diff --git a/freeradius-server.changes b/freeradius-server.changes index a304abd..96a9179 100644 --- a/freeradius-server.changes +++ b/freeradius-server.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon May 27 11:12:27 UTC 2019 - Adam Majer + +- CVE-2019-10143.patch: fix potential privilege escalation due to + insecure logrotation permissions (bsc#1136195, CVE-2019-10143) + ------------------------------------------------------------------- Wed Apr 10 17:01:55 UTC 2019 - Michael Ströder diff --git a/freeradius-server.spec b/freeradius-server.spec index c61801a..2e610eb 100644 --- a/freeradius-server.spec +++ b/freeradius-server.spec @@ -62,6 +62,7 @@ Patch3: freeradius-server-rcradiusd.patch Patch5: freeradius-server-rlm_sql_unixodbc-configure.patch Patch6: freeradius-server-radclient-init-error-buffer.patch Patch7: freeradius-server-opensslversion.patch +Patch8: CVE-2019-10143.patch BuildRequires: apache2-devel BuildRequires: cyrus-sasl-devel BuildRequires: db-devel @@ -239,6 +240,7 @@ FreeRADIUS plugin providing SQLite support. %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 %build modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{_sourcedir}/%{name}.changes")"