diff --git a/0001-build-use-configfile-mode-in-init-script.patch b/0001-build-use-configfile-mode-in-init-script.patch
new file mode 100644
index 0000000..665256c
--- /dev/null
+++ b/0001-build-use-configfile-mode-in-init-script.patch
@@ -0,0 +1,71 @@
+From 5c9063771195bb51a8cc1c64f9924e53a0602817 Mon Sep 17 00:00:00 2001
+From: David Lamparter
+Date: Mon, 11 May 2020 21:37:08 +0200
+Subject: [PATCH] build: use configfile mode in init script
+
+This only applies for split-config; the init script would create an
+empty config file with default permissions.
+
+Reported-by: Robert Scheck
+Signed-off-by: David Lamparter
+---
+ configure.ac | 1 +
+ tools/frr.in | 2 ++
+ tools/frrcommon.sh.in | 2 ++
+ 3 files changed, 5 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index faaf1dd23..d4c652c6e 100755
+--- a/configure.ac
++++ b/configure.ac
+@@ -813,6 +813,7 @@ AC_SUBST([enable_vty_group])
+
+ enable_configfile_mask=${enable_configfile_mask:-0600}
+ AC_DEFINE_UNQUOTED([CONFIGFILE_MASK], [${enable_configfile_mask}], [Mask for config files])
++AC_SUBST([enable_configfile_mask])
+
+ enable_logfile_mask=${enable_logfile_mask:-0600}
+ AC_DEFINE_UNQUOTED([LOGFILE_MASK], [${enable_logfile_mask}], [Mask for log files])
+diff --git a/tools/frr.in b/tools/frr.in
+index d9816c256..40862aa4c 100755
+--- a/tools/frr.in
++++ b/tools/frr.in
+@@ -21,6 +21,7 @@ VTYSH="@vtysh_bin@" # /usr/bin/vtysh
+ FRR_USER="@enable_user@" # frr
+ FRR_GROUP="@enable_group@" # frr
+ FRR_VTY_GROUP="@enable_vty_group@" # frrvty
++FRR_CONFIG_MODE="@enable_configfile_mask@" # 0600
+ FRR_DEFAULT_PROFILE="@DFLT_NAME@" # traditional / datacenter
+
+ # Local Daemon selection may be done by using /etc/frr/daemons.
+@@ -56,6 +57,7 @@ chownfrr()
+ {
+ test -n "$FRR_USER" && chown "$FRR_USER" "$1"
+ test -n "$FRR_GROUP" && chgrp "$FRR_GROUP" "$1"
++ test -n "$FRR_CONFIG_MODE" && chmod "$FRR_CONFIG_MODE" "$1"
+ }
+
+ # Check if daemon is started by using the pidfile.
+diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in +index 0dfdfd0ef..9dc8cea60 100644 +--- a/tools/frrcommon.sh.in ++++ b/tools/frrcommon.sh.in +@@ -24,6 +24,7 @@ VTYSH="@vtysh_bin@" # /usr/bin/vtysh + FRR_USER="@enable_user@" # frr + FRR_GROUP="@enable_group@" # frr + FRR_VTY_GROUP="@enable_vty_group@" # frrvty ++FRR_CONFIG_MODE="@enable_configfile_mask@" # 0600 + FRR_DEFAULT_PROFILE="@DFLT_NAME@" # traditional / datacenter + + # ORDER MATTERS FOR $DAEMONS! +@@ -53,6 +54,7 @@ debug() { + chownfrr() { + [ -n "$FRR_USER" ] && chown "$FRR_USER" "$1" + [ -n "$FRR_GROUP" ] && chgrp "$FRR_GROUP" "$1" ++ [ -n "$FRR_CONFIG_MODE" ] && chmod "$FRR_CONFIG_MODE" "$1" + } + + vtysh_b () { +-- +2.21.1 (Apple Git-122.3) + diff --git a/frr.changes b/frr.changes index fb079c7..175ce78 100644 --- a/frr.changes +++ b/frr.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Sun May 31 22:40:46 UTC 2020 - Erico Mendonca + +- 0001-build-use-configfile-mode-in-init-script.patch: Fix CVE-2020-12831 (boo#1171658). + ------------------------------------------------------------------- Wed May 6 16:07:32 UTC 2020 - Martin Hauke diff --git a/frr.spec b/frr.spec index 1266701..4d1f74d 100644 --- a/frr.spec +++ b/frr.spec @@ -37,6 +37,8 @@ License: GPL-2.0-or-later AND LGPL-2.1-or-later Group: Productivity/Networking/System URL: https://www.frrouting.org #Git-Clone: https://github.com/FRRouting/frr.git +# PATCH-FIX-UPSTREAM: build-use-configfile-mode-in-init-script +Patch1: 0001-build-use-configfile-mode-in-init-script.patch Source: https://github.com/FRRouting/frr/archive/%{name}-%{version}.tar.gz Source1: %{name}-tmpfiles.d BuildRequires: %{python_module Sphinx} @@ -170,6 +172,7 @@ developing OSPF-API and frr applications. %prep %setup -q -n %{name}-%{name}-%{version} +%patch1 -p1 %build # GCC LTO objects must be "fat" to avoid assembly errors
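Review bot: The `chmod "$FRR_CONFIG_MODE" "$1"` added to `chownfrr()` in both tools/frr.in and tools/frrcommon.sh.in applies the config-file mask to whatever path the helper is given, and its callers are outside these hunks. If any caller passes a directory, a mode of 0600 would drop the directory's search bit, so limiting the step to regular files is safer: `[ -n "$FRR_CONFIG_MODE" ] && [ -f "$1" ] && chmod "$FRR_CONFIG_MODE" "$1"`. The mode is also tightened only after the file already exists, and a failing chmod is not reported, so the file presumably sits at the umask default until this line runs; creating it under a restrictive `umask` at the call site would close that gap. Config files already created by an earlier version of the script appear to keep their old permissions, which packagers may want to correct separately.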
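Review bot: The patch registered by the new `Patch1:` line changes configure.ac, so the fix only takes effect if configure is regenerated during %build, and that part of the spec is outside the hunk. If it were not regenerated, `@enable_configfile_mask@` would stay a literal string in the installed scripts, the `chmod` would be given an invalid mode and fail without a message, and new config files would keep default permissions. A comment next to the patch line, such as `# touches configure.ac: configure must be regenerated in %build`, would record that dependency.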