From 319e21900043840cae4c00ebd82830edf940ec178701c6a314b99f55de2889b2 Mon Sep 17 00:00:00 2001
From: Charles Arnold
Date: Mon, 8 Jul 2019 19:19:19 +0000
Subject: [PATCH] - bsc#1140749 - VUL-1: CVE-2019-13313: libosinfo: osinfo-install- script option leaks password via command line argument CVE-2019-13313-add-new-option-so-users-can-set-config-from-file.patch CVE-2019-13313-pass-username-password-via-config-file.patch

OBS-URL: https://build.opensuse.org/package/show/hardware/libosinfo?expand=0&rev=75
---
 ...on-so-users-can-set-config-from-file.patch | 156 ++++++++++++++++++
 ...ss-username-password-via-config-file.patch | 38 +++++
 libosinfo.changes | 8 +
 libosinfo.spec | 4 +
 4 files changed, 206 insertions(+)
 create mode 100644 CVE-2019-13313-add-new-option-so-users-can-set-config-from-file.patch
 create mode 100644 CVE-2019-13313-pass-username-password-via-config-file.patch

diff --git a/CVE-2019-13313-add-new-option-so-users-can-set-config-from-file.patch b/CVE-2019-13313-add-new-option-so-users-can-set-config-from-file.patch
new file mode 100644
index 0000000..ddcba92
--- /dev/null
+++ b/CVE-2019-13313-add-new-option-so-users-can-set-config-from-file.patch
@@ -0,0 +1,156 @@ +Let's add a new option so users can set their config from a file, +instead of directly passing the values via command-line. + +Signed-off-by: Fabiano FidĂȘncio +--- + tools/osinfo-install-script.c | 100 +++++++++++++++++++++++++++++++++- + 1 file changed, 97 insertions(+), 3 deletions(-) + +diff --git a/tools/osinfo-install-script.c b/tools/osinfo-install-script.c +index 15af48d..efa96ee 100644 +--- a/tools/osinfo-install-script.c ++++ b/tools/osinfo-install-script.c +@@ -37,6 +37,34 @@ static gboolean list_profile = FALSE; + static gboolean list_inj_method = FALSE; + static gboolean quiet = FALSE; + ++static const gchar *configs[] = { ++ OSINFO_INSTALL_CONFIG_PROP_HARDWARE_ARCH, ++ OSINFO_INSTALL_CONFIG_PROP_L10N_TIMEZONE, ++ OSINFO_INSTALL_CONFIG_PROP_L10N_LANGUAGE, ++ OSINFO_INSTALL_CONFIG_PROP_L10N_KEYBOARD, ++ OSINFO_INSTALL_CONFIG_PROP_ADMIN_PASSWORD, ++ OSINFO_INSTALL_CONFIG_PROP_USER_PASSWORD, ++ OSINFO_INSTALL_CONFIG_PROP_USER_LOGIN, ++ OSINFO_INSTALL_CONFIG_PROP_USER_REALNAME, ++ OSINFO_INSTALL_CONFIG_PROP_USER_AUTOLOGIN, ++ OSINFO_INSTALL_CONFIG_PROP_USER_ADMIN, ++ OSINFO_INSTALL_CONFIG_PROP_REG_LOGIN, ++ OSINFO_INSTALL_CONFIG_PROP_REG_PASSWORD, ++ OSINFO_INSTALL_CONFIG_PROP_REG_PRODUCTKEY, ++ OSINFO_INSTALL_CONFIG_PROP_HOSTNAME, ++ OSINFO_INSTALL_CONFIG_PROP_TARGET_DISK, ++ OSINFO_INSTALL_CONFIG_PROP_SCRIPT_DISK, ++ OSINFO_INSTALL_CONFIG_PROP_AVATAR_LOCATION, ++ OSINFO_INSTALL_CONFIG_PROP_AVATAR_DISK, ++ OSINFO_INSTALL_CONFIG_PROP_PRE_INSTALL_DRIVERS_DISK, ++ OSINFO_INSTALL_CONFIG_PROP_PRE_INSTALL_DRIVERS_LOCATION, ++ OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_DISK, ++ OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_LOCATION, ++ OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING, ++ OSINFO_INSTALL_CONFIG_PROP_INSTALLATION_URL, ++ NULL ++}; ++ + static OsinfoInstallConfig *config; + + static gboolean handle_config(const gchar *option_name G_GNUC_UNUSED, +@@ -65,6 +93,47 @@ static gboolean handle_config(const gchar *option_name 
G_GNUC_UNUSED, + } + + ++static gboolean handle_config_file(const gchar *option_name G_GNUC_UNUSED, ++ const gchar *value, ++ gpointer data G_GNUC_UNUSED, ++ GError **error) ++{ ++ GKeyFile *key_file = NULL; ++ gchar *val = NULL; ++ gsize i; ++ gboolean ret = FALSE; ++ ++ key_file = g_key_file_new(); ++ if (!g_key_file_load_from_file(key_file, value, G_KEY_FILE_NONE, error)) ++ goto error; ++ ++ for (i = 0; configs[i] != NULL; i++) { ++ val = g_key_file_get_string(key_file, "install-script", configs[i], error); ++ if (val == NULL) { ++ if (g_error_matches(*error, G_KEY_FILE_ERROR, ++ G_KEY_FILE_ERROR_KEY_NOT_FOUND)) { ++ g_clear_error(error); ++ continue; ++ } ++ ++ goto error; ++ } ++ ++ osinfo_entity_set_param(OSINFO_ENTITY(config), ++ configs[i], ++ val); ++ g_free(val); ++ } ++ ++ ret = TRUE; ++ ++error: ++ g_key_file_unref(key_file); ++ ++ return ret; ++} ++ ++ + static GOptionEntry entries[] = + { + { "profile", 'p', 0, G_OPTION_ARG_STRING, (void*)&profile, +@@ -78,6 +147,9 @@ static GOptionEntry entries[] = + { "config", 'c', 0, G_OPTION_ARG_CALLBACK, + handle_config, + N_("Set configuration parameter"), "key=value" }, ++ { "config-file", 'f', 0, G_OPTION_ARG_CALLBACK, ++ handle_config_file, ++ N_("Set configuration parameters"), "file:///path/to/config/file" }, + { "list-config", '\0', 0, G_OPTION_ARG_NONE, (void*)&list_config, + N_("List configuration parameters"), NULL }, + { "list-profiles", '\0', 0, G_OPTION_ARG_NONE, (void*)&list_profile, +@@ -448,6 +520,10 @@ script. Defaults to C, but can also be C. + + Set the configuration parameter C to C. + ++=item B<--config-file=config-file> ++ ++Set the configurations parameters according to the config-file passed. 
++ + =back + + =head1 CONFIGURATION KEYS +@@ -510,18 +586,36 @@ The software registration user password + + =back + ++=head1 CONFIGURATION FILE FORMAT ++ ++The configuration file must consist in a file which contains a ++`install-script` group and, under this group, C=C ++pairs, as shown below: ++ ++[install-script] ++l10n-timezone=GMT ++l10n-keyboard=uk ++l10n-language=en_GB ++admin-password=123456 ++user-login=berrange ++user-password=123456 ++user-realname="Daniel P Berrange" ++ + =head1 EXAMPLE USAGE + +-The following usage generates a Fedora 16 kickstart script ++The following usages generates a Fedora 16 kickstart script ++ ++ # osinfo-install-script \ ++ --profile jeos \ ++ --config-file /path/to/the/config/file \ ++ fedora16 + + # osinfo-install-script \ + --profile jeos \ + --config l10n-timezone=GMT \ + --config l10n-keyboard=uk \ + --config l10n-language=en_GB \ +- --config admin-password=123456 \ + --config user-login=berrange \ +- --config user-password=123456 \ + --config user-realname="Daniel P Berrange" \ + fedora16 + diff --git a/CVE-2019-13313-pass-username-password-via-config-file.patch b/CVE-2019-13313-pass-username-password-via-config-file.patch new file mode 100644 index 0000000..20cf8e1 --- /dev/null +++ b/CVE-2019-13313-pass-username-password-via-config-file.patch 
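Review bot: handle_config_file silently drops any key in the [install-script] group that is not listed in configs[], because the loop only asks for the known names and treats G_KEY_FILE_ERROR_KEY_NOT_FOUND as "not set"; a misspelled `admin-password` therefore raises no error and the script is generated without the intended credential. Before the existing loop, fetch the group's keys with g_key_file_get_keys() and reject any name that is not in the table (sketch below; g_strv_contains needs GLib 2.44, so check the project's baseline first). The `--config-file` entry's argument description `"file:///path/to/config/file"` also reads as a URI, but g_key_file_load_from_file takes a filesystem path, as the POD example `/path/to/the/config/file` shows — suggest `"/path/to/config/file"`. Since the file now carries plaintext passwords, the new CONFIGURATION FILE FORMAT section should state that it must be readable only by its owner (mode 0600).
```c
    GKeyFile *key_file = NULL;
    gchar **keys = NULL;
    /* … unchanged: remaining locals, g_key_file_new(), g_key_file_load_from_file() … */

    /* Reject keys the tool does not know instead of silently ignoring them,
     * so a typo in a password key cannot go unnoticed. */
    keys = g_key_file_get_keys(key_file, "install-script", NULL, error);
    if (keys == NULL)
        goto error;
    for (i = 0; keys[i] != NULL; i++) {
        if (!g_strv_contains(configs, keys[i])) {
            g_set_error(error, OSINFO_ERROR, 0,
                        _("Unknown configuration key '%s' in %s"), keys[i], value);
            g_strfreev(keys);
            goto error;
        }
    }
    g_strfreev(keys);

    /* … unchanged: per-key g_key_file_get_string() loop and cleanup … */
```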
@@ -0,0 +1,38 @@ +As passing user & admin password via command line is a low impact CVE, +let's error out when it's done and advertise the users to use +--config-file instead. + +Signed-off-by: Fabiano FidĂȘncio +--- + tools/osinfo-install-script.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/tools/osinfo-install-script.c b/tools/osinfo-install-script.c +index efa96ee..3da4a69 100644 +--- a/tools/osinfo-install-script.c ++++ b/tools/osinfo-install-script.c +@@ -85,6 +85,15 @@ static gboolean handle_config(const gchar *option_name G_GNUC_UNUSED, + val++; + key = g_strndup(value, len); + ++ if (g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_USER_PASSWORD) || ++ g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_ADMIN_PASSWORD)) { ++ g_set_error(error, OSINFO_ERROR, 0, ++ _("When setting user or admin password, use " ++ "--config-file instead.\n")); ++ g_free(key); ++ return FALSE; ++ } ++ + osinfo_entity_set_param(OSINFO_ENTITY(config), + key, + val); +@@ -520,6 +529,8 @@ script. Defaults to C, but can also be C. + + Set the configuration parameter C to C. + ++Note: this option has been deprecated, use B<--config-file=> instead. ++ + =item B<--config-file=config-file> + + Set the configurations parameters according to the config-file passed. diff --git a/libosinfo.changes b/libosinfo.changes index c24da28..491e2f8 100644 --- a/libosinfo.changes +++ b/libosinfo.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Mon Jul 8 13:12:39 MDT 2019 - carnold@suse.com + +- bsc#1140749 - VUL-1: CVE-2019-13313: libosinfo: osinfo-install- + script option leaks password via command line argument + CVE-2019-13313-add-new-option-so-users-can-set-config-from-file.patch + CVE-2019-13313-pass-username-password-via-config-file.patch + ------------------------------------------------------------------- Thu May 9 09:44:12 MDT 2019 - carnold@suse.com diff --git a/libosinfo.spec b/libosinfo.spec index e553f50..1dc13e1 100644 
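Review bot: The POD line `Note: this option has been deprecated, use B<--config-file=> instead.` overstates what handle_config now does: the added check rejects only `user-password` and `admin-password`, and every other `--config key=value` is still accepted. Suggest `Note: admin-password and user-password cannot be set with this option; use B<--config-file=> for them.` The new g_set_error message also ends in `\n`, which GError messages normally omit because the caller appends its own line ending — presumably so here, but the printing code is outside the hunk. Worth stating in the changelog entry as well: the rejection fires after the value has already been placed on the command line, so it discourages the practice rather than protecting that particular invocation.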
--- a/libosinfo.spec
+++ b/libosinfo.spec
@@ -28,6 +28,8 @@ Group: Development/Libraries/C and C++
 Url: https://releases.pagure.org/libosinfo/
 Source0: https://releases.pagure.org/libosinfo/%{name}-%{version}.tar.gz
 Source1: ids.tar.bz2
+Patch1: CVE-2019-13313-add-new-option-so-users-can-set-config-from-file.patch
+Patch2: CVE-2019-13313-pass-username-password-via-config-file.patch
 BuildRequires: libcurl-devel
 BuildRequires: vala
 BuildRequires: pkgconfig(check)
@@ -85,6 +87,8 @@ as well as Vala bindings for the libosinfo library. %endif %prep %setup -q -a 1 +%patch1 -p1 +%patch2 -p1 %build %configure \