pool/libosinfo
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- bsc#1140749 - VUL-1: CVE-2019-13313: libosinfo: osinfo-install-

Browse Source 
script option leaks password via command line argument 
  CVE-2019-13313-add-new-option-so-users-can-set-config-from-file.patch
  CVE-2019-13313-pass-username-password-via-config-file.patch

OBS-URL: https://build.opensuse.org/package/show/hardware/libosinfo?expand=0&rev=75
This commit is contained in:
Charles Arnold 2019-07-08 19:19:19 +00:00 committed by Git OBS Bridge
parent 663cb1f7dd
commit 319e219000
4 changed files with 206 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

156
CVE-2019-13313-add-new-option-so-users-can-set-config-from-file.patch Normal file
View File

@ -0,0 +1,156 @@
Let's add a new option so users can set their config from a file,
instead of directly passing the values via command-line.
Signed-off-by: Fabiano Fidêncio <fidencio redhat com>
---
tools/osinfo-install-script.c | 100 +++++++++++++++++++++++++++++++++-
1 file changed, 97 insertions(+), 3 deletions(-)
diff --git a/tools/osinfo-install-script.c b/tools/osinfo-install-script.c
index 15af48d..efa96ee 100644
--- a/tools/osinfo-install-script.c
+++ b/tools/osinfo-install-script.c
@@ -37,6 +37,34 @@ static gboolean list_profile = FALSE;
static gboolean list_inj_method = FALSE;
static gboolean quiet = FALSE;
+static const gchar *configs[] = {
+ OSINFO_INSTALL_CONFIG_PROP_HARDWARE_ARCH,
+ OSINFO_INSTALL_CONFIG_PROP_L10N_TIMEZONE,
+ OSINFO_INSTALL_CONFIG_PROP_L10N_LANGUAGE,
+ OSINFO_INSTALL_CONFIG_PROP_L10N_KEYBOARD,
+ OSINFO_INSTALL_CONFIG_PROP_ADMIN_PASSWORD,
+ OSINFO_INSTALL_CONFIG_PROP_USER_PASSWORD,
+ OSINFO_INSTALL_CONFIG_PROP_USER_LOGIN,
+ OSINFO_INSTALL_CONFIG_PROP_USER_REALNAME,
+ OSINFO_INSTALL_CONFIG_PROP_USER_AUTOLOGIN,
+ OSINFO_INSTALL_CONFIG_PROP_USER_ADMIN,
+ OSINFO_INSTALL_CONFIG_PROP_REG_LOGIN,
+ OSINFO_INSTALL_CONFIG_PROP_REG_PASSWORD,
+ OSINFO_INSTALL_CONFIG_PROP_REG_PRODUCTKEY,
+ OSINFO_INSTALL_CONFIG_PROP_HOSTNAME,
+ OSINFO_INSTALL_CONFIG_PROP_TARGET_DISK,
+ OSINFO_INSTALL_CONFIG_PROP_SCRIPT_DISK,
+ OSINFO_INSTALL_CONFIG_PROP_AVATAR_LOCATION,
+ OSINFO_INSTALL_CONFIG_PROP_AVATAR_DISK,
+ OSINFO_INSTALL_CONFIG_PROP_PRE_INSTALL_DRIVERS_DISK,
+ OSINFO_INSTALL_CONFIG_PROP_PRE_INSTALL_DRIVERS_LOCATION,
+ OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_DISK,
+ OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_LOCATION,
+ OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING,
+ OSINFO_INSTALL_CONFIG_PROP_INSTALLATION_URL,
+ NULL
+};
+
static OsinfoInstallConfig *config;
static gboolean handle_config(const gchar *option_name G_GNUC_UNUSED,
@@ -65,6 +93,47 @@ static gboolean handle_config(const gchar *option_name G_GNUC_UNUSED,
}
+static gboolean handle_config_file(const gchar *option_name G_GNUC_UNUSED,
+ const gchar *value,
+ gpointer data G_GNUC_UNUSED,
+ GError **error)
+{
+ GKeyFile *key_file = NULL;
+ gchar *val = NULL;
+ gsize i;
+ gboolean ret = FALSE;
+
+ key_file = g_key_file_new();
+ if (!g_key_file_load_from_file(key_file, value, G_KEY_FILE_NONE, error))
+ goto error;
+
+ for (i = 0; configs[i] != NULL; i++) {
+ val = g_key_file_get_string(key_file, "install-script", configs[i], error);
+ if (val == NULL) {
+ if (g_error_matches(*error, G_KEY_FILE_ERROR,
+ G_KEY_FILE_ERROR_KEY_NOT_FOUND)) {
+ g_clear_error(error);
+ continue;
+ }
+
+ goto error;
+ }
+
+ osinfo_entity_set_param(OSINFO_ENTITY(config),
+ configs[i],
+ val);
+ g_free(val);
+ }
+
+ ret = TRUE;
+
+error:
+ g_key_file_unref(key_file);
+
+ return ret;
+}
+
+
static GOptionEntry entries[] =
{
{ "profile", 'p', 0, G_OPTION_ARG_STRING, (void*)&profile,
@@ -78,6 +147,9 @@ static GOptionEntry entries[] =
{ "config", 'c', 0, G_OPTION_ARG_CALLBACK,
handle_config,
N_("Set configuration parameter"), "key=value" },
+ { "config-file", 'f', 0, G_OPTION_ARG_CALLBACK,
+ handle_config_file,
+ N_("Set configuration parameters"), "file:///path/to/config/file" },
{ "list-config", '\0', 0, G_OPTION_ARG_NONE, (void*)&list_config,
N_("List configuration parameters"), NULL },
{ "list-profiles", '\0', 0, G_OPTION_ARG_NONE, (void*)&list_profile,
@@ -448,6 +520,10 @@ script. Defaults to C<media>, but can also be C<network>.
Set the configuration parameter C<key> to C<value>.
+=item B<--config-file=config-file>
+
+Set the configurations parameters according to the config-file passed.
+
=back
=head1 CONFIGURATION KEYS
@@ -510,18 +586,36 @@ The software registration user password
=back
+=head1 CONFIGURATION FILE FORMAT
+
+The configuration file must consist in a file which contains a
+`install-script` group and, under this group, C<key>=C<value>
+pairs, as shown below:
+
+[install-script]
+l10n-timezone=GMT
+l10n-keyboard=uk
+l10n-language=en_GB
+admin-password=123456
+user-login=berrange
+user-password=123456
+user-realname="Daniel P Berrange"
+
=head1 EXAMPLE USAGE
-The following usage generates a Fedora 16 kickstart script
+The following usages generates a Fedora 16 kickstart script
+
+ # osinfo-install-script \
+ --profile jeos \
+ --config-file /path/to/the/config/file \
+ fedora16
# osinfo-install-script \
--profile jeos \
--config l10n-timezone=GMT \
--config l10n-keyboard=uk \
--config l10n-language=en_GB \
- --config admin-password=123456 \
--config user-login=berrange \
- --config user-password=123456 \
--config user-realname="Daniel P Berrange" \
fedora16

38
CVE-2019-13313-pass-username-password-via-config-file.patch Normal file
View File

@ -0,0 +1,38 @@
As passing user & admin password via command line is a low impact CVE,
let's error out when it's done and advertise the users to use
--config-file instead.
Signed-off-by: Fabiano Fidêncio <fidencio redhat com>
---
tools/osinfo-install-script.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/tools/osinfo-install-script.c b/tools/osinfo-install-script.c
index efa96ee..3da4a69 100644
--- a/tools/osinfo-install-script.c
+++ b/tools/osinfo-install-script.c
@@ -85,6 +85,15 @@ static gboolean handle_config(const gchar *option_name G_GNUC_UNUSED,
val++;
key = g_strndup(value, len);
+ if (g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_USER_PASSWORD) ||
+ g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_ADMIN_PASSWORD)) {
+ g_set_error(error, OSINFO_ERROR, 0,
+ _("When setting user or admin password, use "
+ "--config-file instead.\n"));
+ g_free(key);
+ return FALSE;
+ }
+
osinfo_entity_set_param(OSINFO_ENTITY(config),
key,
val);
@@ -520,6 +529,8 @@ script. Defaults to C<media>, but can also be C<network>.
Set the configuration parameter C<key> to C<value>.
+Note: this option has been deprecated, use B<--config-file=> instead.
+
=item B<--config-file=config-file>
Set the configurations parameters according to the config-file passed.

8
libosinfo.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Mon Jul 8 13:12:39 MDT 2019 - carnold@suse.com
- bsc#1140749 - VUL-1: CVE-2019-13313: libosinfo: osinfo-install-
script option leaks password via command line argument
CVE-2019-13313-add-new-option-so-users-can-set-config-from-file.patch
CVE-2019-13313-pass-username-password-via-config-file.patch
-------------------------------------------------------------------
Thu May 9 09:44:12 MDT 2019 - carnold@suse.com

4
libosinfo.spec
View File

@ -28,6 +28,8 @@ Group: Development/Libraries/C and C++
Url: https://releases.pagure.org/libosinfo/
Source0: https://releases.pagure.org/libosinfo/%{name}-%{version}.tar.gz
Source1: ids.tar.bz2
Patch1: CVE-2019-13313-add-new-option-so-users-can-set-config-from-file.patch
Patch2: CVE-2019-13313-pass-username-password-via-config-file.patch
BuildRequires: libcurl-devel
BuildRequires: vala
BuildRequires: pkgconfig(check)
@ -85,6 +87,8 @@ as well as Vala bindings for the libosinfo library.
%endif
%prep
%setup -q -a 1
%patch1 -p1
%patch2 -p1
%build
%configure \