From 2a0da6d5f167b59b755cd364469011aee85c3a8ed65bda31e43bc1e27f20cc9a Mon Sep 17 00:00:00 2001 
From: Gary Ching-Pang Lin Date: Fri, 2 Dec 2022 08:28:13 +0000 Subject: [PATCH 1/3] - Update to 115 + macros: drop %{_pesign_args} + Fix two bugs from package building + Fix bad free of cms data (DoS only) + Send pesign stdout/err to systemd journal + Add missing Install section + Add default packages for pkg-config + Short delay to ensure /run/pesign/socket exists + Resolve crash when signature that is removed is not the end of the list + Enhance error diagnostics about version mismatch + Upstream all Fedora changes + Add some hardening options to build + Add code of conduct + Fix build on gcc 12 and non-Fedora - Refresh patches + harden_pesign.service.patch + pesign-boo1143063-remove-var-tracking.patch + pesign-boo1185663-set-rpmmacrodir.patch + pesign-fix-authvar-write-loop.patch + pesign-suse-build.patch - Remove upstreamed/unnecessary patches + pesign-boo1158197-fix-pesigncheck-gcc10.patch + pesign-efikeygen-Fix-the-build-with-nss-3.44.patch + pesign-privkey_unneeded.diff + pesign-run.patch + Fix wrong oid offsets (bsc#1205323) OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=66 --- harden_pesign.service.patch | 12 +-- pesign-113.tar.bz2 | 3 - pesign-115.tar.bz2 | 3 + pesign-boo1143063-remove-var-tracking.patch | 12 +-- pesign-boo1158197-fix-pesigncheck-gcc10.patch | 39 -------- pesign-boo1185663-set-rpmmacrodir.patch | 30 +++--- ...fikeygen-Fix-the-build-with-nss-3.44.patch | 45 --------- pesign-fix-authvar-write-loop.patch | 36 ++----- pesign-privkey_unneeded.diff | 81 ---------------- pesign-run.patch | 94 ------------------- pesign-suse-build.patch | 59 +++++------- pesign.changes | 31 ++++++ pesign.spec | 24 ++--- 13 files changed, 98 insertions(+), 371 deletions(-) delete mode 100644 pesign-113.tar.bz2 create mode 100644 pesign-115.tar.bz2 delete mode 100644 pesign-boo1158197-fix-pesigncheck-gcc10.patch delete mode 100644 pesign-efikeygen-Fix-the-build-with-nss-3.44.patch delete mode 100644 pesign-privkey_unneeded.diff 
delete mode 100644 pesign-run.patch diff --git a/harden_pesign.service.patch b/harden_pesign.service.patch index 835ec42..7203425 100644 --- a/harden_pesign.service.patch +++ b/harden_pesign.service.patch @@ -1,7 +1,7 @@ -Index: pesign-113/src/pesign.service.in +Index: pesign-115/src/pesign.service.in =================================================================== ---- pesign-113.orig/src/pesign.service.in -+++ pesign-113/src/pesign.service.in +--- pesign-115.orig/src/pesign.service.in ++++ pesign-115/src/pesign.service.in @@ -3,6 +3,19 @@ Description=Pesign signing daemon [Service] @@ -19,6 +19,6 @@ Index: pesign-113/src/pesign.service.in +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions - Type=forking - PIDFile=/run/pesign.pid - ExecStart=/usr/bin/pesign --daemonize + PIDFile=@@RUNDIR@@/pesign.pid + ExecStart=/usr/bin/pesign --daemonize --nofork + ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize diff --git a/pesign-113.tar.bz2 b/pesign-113.tar.bz2 deleted file mode 100644 index 12f80e5..0000000 --- a/pesign-113.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0dfb14e6f79288b7983344b88b14f83b0267c002f563e38171f935af107d0132 -size 103471 diff --git a/pesign-115.tar.bz2 b/pesign-115.tar.bz2 new file mode 100644 index 0000000..028645f --- /dev/null +++ b/pesign-115.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ac1ef561b82de175f2a876944d3a806384b34d3e6c58a037cf7a611f41ccf07e +size 119564 diff --git a/pesign-boo1143063-remove-var-tracking.patch b/pesign-boo1143063-remove-var-tracking.patch index cfb41ff..4b6e0e1 100644 --- a/pesign-boo1143063-remove-var-tracking.patch +++ b/pesign-boo1143063-remove-var-tracking.patch 
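Review bot: The refreshed trailing context in the second hunk shows that the 115 unit runs `ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize` in the same `[Service]` section that receives the automatic hardening block, and the refresh does not record that the helper was re-checked under those restrictions. Only `ProtectControlGroups=true` and `RestrictRealtime=true` are visible here; the other added directives sit outside the hunk. If they include a filesystem restriction such as `ProtectSystem=`, the helper's pass over `/run/pesign/` and `/etc/pki/pesign*/` (the paths it walks in the 113 script quoted in the pesign-run.patch section of this page) would presumably need a matching `ReadWritePaths=` entry, otherwise the daemon could come up with the authorization step failing. I would record the result of that check in the patch header, e.g. `# refreshed for 115: pesign-authorize verified under these restrictions`.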
@@ -1,8 +1,8 @@ -diff --git a/Make.defaults b/Make.defaults -index 7892d73..2d18005 100644 ---- a/Make.defaults -+++ b/Make.defaults -@@ -47,7 +47,7 @@ cflags = $(CFLAGS) $(ARCH3264) \ +Index: pesign-115/Make.defaults +=================================================================== +--- pesign-115.orig/Make.defaults ++++ pesign-115/Make.defaults +@@ -69,7 +69,7 @@ cflags = $(CFLAGS) $(ARCH3264) \ $(call pkg-config-cflags) clang_ccldflags = gcc_ccldflags = -fno-merge-constants \ @@ -10,4 +10,4 @@ index 7892d73..2d18005 100644 + -fvar-tracking-assignments -fkeep-inline-functions \ -Wl,--fatal-warnings,--no-allow-shlib-undefined,--default-symver \ -Wl,-O2 -Wl,--no-undefined-version -Wl,-z,relro,-z,now \ - -Wl,--no-add-needed,--no-copy-dt-needed-entries,--as-needed + -Wl,--no-add-needed,--no-copy-dt-needed-entries,--as-needed -pie diff --git a/pesign-boo1158197-fix-pesigncheck-gcc10.patch b/pesign-boo1158197-fix-pesigncheck-gcc10.patch deleted file mode 100644 index 8a31d91..0000000 --- a/pesign-boo1158197-fix-pesigncheck-gcc10.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From b0b740f38da6d4584417d65a7c97fd4faf982cf6 Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Wed, 4 Dec 2019 10:28:28 +0800 -Subject: [PATCH] pesigcheck: remove superfluous type settings - -When setting the type of reason in check_signature(), the type was -accidentally set as "siBuffer". Since the type is already set as -"SIGNATURE", we only need to remove those two lines of code. - -Fixes: https://github.com/rhboot/pesign/issues/55 - -Signed-off-by: Gary Lin ---- - src/pesigcheck.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/src/pesigcheck.c b/src/pesigcheck.c -index 524cce3..d197c30 100644 ---- a/src/pesigcheck.c -+++ b/src/pesigcheck.c -@@ -318,7 +318,6 @@ check_signature(pesigcheck_context *ctx, int *nreasons, - reason->type = SIGNATURE; - reason->sig.data = data; - reason->sig.len = datalen; -- reason->type = siBuffer; - nreason += 1; - is_invalid = true; - } -@@ -330,7 +329,6 @@ check_signature(pesigcheck_context *ctx, int *nreasons, - reason->type = SIGNATURE; - reason->sig.data = data; - reason->sig.len = datalen; -- reason->type = siBuffer; - nreason += 1; - has_valid_cert = true; - } --- -2.24.0 - diff --git a/pesign-boo1185663-set-rpmmacrodir.patch b/pesign-boo1185663-set-rpmmacrodir.patch index 602885c..dca7903 100644 --- a/pesign-boo1185663-set-rpmmacrodir.patch +++ b/pesign-boo1185663-set-rpmmacrodir.patch 
@@ -1,27 +1,27 @@ -diff --git a/Make.defaults b/Make.defaults -index 2d18005..7ecba00 100644 ---- a/Make.defaults -+++ b/Make.defaults -@@ -11,6 +11,7 @@ includedir ?= $(prefix)include/ - bindir ?= $(prefix)bin/ +Index: pesign-115/Make.defaults +=================================================================== +--- pesign-115.orig/Make.defaults ++++ pesign-115/Make.defaults +@@ -13,6 +13,7 @@ rundir ?= /run/ + rundir := $(abspath $(rundir))/ pcdir ?= $(libdir)pkgconfig/ docdir ?= $(prefix)share/doc/ +rpmmacrodir ?= /etc/rpm/ DESTDIR ?= INSTALLROOT = $(DESTDIR) -diff --git a/src/Makefile b/src/Makefile -index 5fb2841..ca546a3 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -90,8 +90,8 @@ install : - $(INSTALL) -m 644 pesigcheck.1 $(INSTALLROOT)$(mandir)man1/ - $(INSTALL) -m 644 authvar.1 $(INSTALLROOT)$(mandir)man1/ - $(INSTALL) -m 644 efisiglist.1 $(INSTALLROOT)$(mandir)man1/ +Index: pesign-115/src/Makefile +=================================================================== +--- pesign-115.orig/src/Makefile ++++ pesign-115/src/Makefile +@@ -88,8 +88,8 @@ install : + $(INSTALL) -m 644 pesign.popt $(INSTALLROOT)/etc/popt.d/ + $(INSTALL) -d -m 755 $(INSTALLROOT)$(mandir)man1/ + $(INSTALL) -m 644 $(MAN1TARGETS) $(INSTALLROOT)$(mandir)man1/ - $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/ - $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/ + $(INSTALL) -d -m 755 $(INSTALLROOT)$(rpmmacrodir) + $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)$(rpmmacrodir) $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/ $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/ - $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign + $(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/ diff --git a/pesign-efikeygen-Fix-the-build-with-nss-3.44.patch b/pesign-efikeygen-Fix-the-build-with-nss-3.44.patch deleted file mode 100644 index f26374a..0000000 --- a/pesign-efikeygen-Fix-the-build-with-nss-3.44.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 14 May 2019 11:28:38 -0400 -Subject: [PATCH] efikeygen: Fix the build with nss 3.44 - -NSS 3.44 adds some certificate types, which changes a type and makes -some encoding stuff weird. As a result, we get: - -gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing -g -O0 -g -O0 -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/ -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o -In file included from /usr/local/include/nss/nss/cert.h:22, - from efikeygen.c:39: -efikeygen.c: In function 'add_cert_type': -/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow] - (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \ - ^ -efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP' - unsigned char type = NS_CERT_TYPE_APP; - ^~~~~~~~~~~~~~~~ -cc1: all warnings being treated as errors - -This is fixed by just making it an int. - -Fixes github issue #48. - -Signed-off-by: Peter Jones ---- - src/efikeygen.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/efikeygen.c b/src/efikeygen.c -index ede76ef..2cd953e 100644 ---- a/src/efikeygen.c -+++ b/src/efikeygen.c -@@ -208,7 +208,7 @@ static int - add_cert_type(cms_context *cms, void *extHandle, int is_ca) - { - SECItem bitStringValue; -- unsigned char type = NS_CERT_TYPE_APP; -+ int type = NS_CERT_TYPE_APP; - - if (is_ca) - type |= NS_CERT_TYPE_SSL_CA | --- -2.22.0 - 
diff --git a/pesign-fix-authvar-write-loop.patch b/pesign-fix-authvar-write-loop.patch index 085ad74..2004cf0 100644 --- a/pesign-fix-authvar-write-loop.patch +++ b/pesign-fix-authvar-write-loop.patch @@ -12,32 +12,11 @@ Signed-off-by: Gary Ching-Pang Lin src/authvar_context.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) -diff --git a/src/authvar_context.c b/src/authvar_context.c -index 7a753fc..c51c666 100644 ---- a/src/authvar_context.c -+++ b/src/authvar_context.c -@@ -20,6 +20,7 @@ - #include "fix_coverity.h" - - #include -+#include - #include - - #include -@@ -135,11 +136,7 @@ generate_descriptor(authvar_context *ctx) - if (rc < 0) - cmsreterr(-1, ctx->cms_ctx, "could not create signed data"); - --#if __WORDSIZE == 64 -- offset = (uint64_t) &((win_cert_uefi_guid_t *)0)->data; --#else -- offset = (uint32_t) &((win_cert_uefi_guid_t *)0)->data; --#endif -+ offset = offsetof(win_cert_uefi_guid_t, data); - authinfo = calloc(offset + sd_der.len, 1); - if (!authinfo) - cmsreterr(-1, ctx->cms_ctx, "could not allocate authinfo"); -@@ -162,6 +159,7 @@ write_authvar(authvar_context *ctx) +Index: pesign-115/src/authvar_context.c +=================================================================== +--- pesign-115.orig/src/authvar_context.c ++++ pesign-115/src/authvar_context.c +@@ -151,6 +151,7 @@ write_authvar(authvar_context *ctx) void *buffer, *ptr; size_t buf_len, des_len, remain; ssize_t wlen; @@ -45,7 +24,7 @@ index 7a753fc..c51c666 100644 if (!ctx->authinfo) cmsreterr(-1, ctx->cms_ctx, "Not a valid authvar"); -@@ -189,19 +187,19 @@ write_authvar(authvar_context *ctx) +@@ -179,19 +180,19 @@ write_authvar(authvar_context *ctx) if (ctx->value_size > 0) memcpy(ptr, ctx->value, ctx->value_size); @@ -69,6 +48,3 @@ index 7a753fc..c51c666 100644 } while (remain > 0); free(buffer); --- -2.21.0 - diff --git a/pesign-privkey_unneeded.diff b/pesign-privkey_unneeded.diff deleted file mode 100644 index 26ee8c3..0000000 
--- a/pesign-privkey_unneeded.diff +++ /dev/null 
@@ -1,81 +0,0 @@ ---- - src/cms_common.c | 12 ++++++++++-- - src/cms_common.h | 1 + - src/pesign.c | 1 + - 3 files changed, 12 insertions(+), 2 deletions(-) - -Index: pesign-113/src/cms_common.c -=================================================================== ---- pesign-113.orig/src/cms_common.c -+++ pesign-113/src/cms_common.c -@@ -282,6 +282,7 @@ struct cbdata { - CERTCertificate *cert; - PK11SlotListElement *psle; - secuPWData *pwdata; -+ int privkey_unneeded; - }; - - static SECStatus -@@ -293,6 +294,12 @@ is_valid_cert(CERTCertificate *cert, voi - void *pwdata = cbdata->pwdata; - - SECKEYPrivateKey *privkey = NULL; -+ -+ if (cbdata->privkey_unneeded) { -+ cbdata->cert = cert; -+ return SECSuccess; -+ } -+ - privkey = PK11_FindPrivateKeyFromCert(slot, cert, pwdata); - if (privkey != NULL) { - cbdata->cert = cert; -@@ -423,7 +430,7 @@ find_certificate(cms_context *cms, int n - } - - SECStatus status; -- if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { -+ if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { - status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata); - if (status != SECSuccess) { - PK11_DestroySlotListElement(slots, &psle); -@@ -452,6 +459,7 @@ find_certificate(cms_context *cms, int n - .cert = NULL, - .psle = psle, - .pwdata = pwdata, -+ .privkey_unneeded = cms->privkey_unneeded, - }; - - if (needs_private_key) { -@@ -572,7 +580,7 @@ find_named_certificate(cms_context *cms, - } - - SECStatus status; -- if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { -+ if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { - status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata); - if (status != SECSuccess) { - PK11_DestroySlotListElement(slots, &psle); -Index: pesign-113/src/cms_common.h -=================================================================== ---- pesign-113.orig/src/cms_common.h -+++ 
pesign-113/src/cms_common.h -@@ -62,6 +62,7 @@ typedef int (*cms_common_logger)(struct - typedef struct cms_context { - PRArenaPool *arena; - void *privkey; -+ int privkey_unneeded; - - char *tokenname; - char *certname; -Index: pesign-113/src/file_pe.c -=================================================================== ---- pesign-113.orig/src/file_pe.c -+++ pesign-113/src/file_pe.c -@@ -354,6 +354,7 @@ pe_handle_action(pesign_context *ctxp, i - */ - case IMPORT_RAW_SIGNATURE|IMPORT_SATTRS: - check_inputs(ctxp); -+ ctxp->cms_ctx->privkey_unneeded = 1; - rc = find_certificate(ctxp->cms_ctx, 0); - if (rc < 0) { - fprintf(stderr, "pesign: Could not find " diff --git a/pesign-run.patch b/pesign-run.patch deleted file mode 100644 index f16457c..0000000 --- a/pesign-run.patch +++ /dev/null 
@@ -1,94 +0,0 @@ ---- - src/Makefile | 2 +- - src/daemon.h | 4 ++-- - src/macros.pesign | 2 +- - src/pesign.sysvinit | 14 +++++++------- - src/tmpfiles.conf | 2 +- - 5 files changed, 12 insertions(+), 12 deletions(-) - -Index: pesign-113/src/Makefile -=================================================================== ---- pesign-113.orig/src/Makefile -+++ pesign-113/src/Makefile -@@ -73,7 +73,7 @@ install_sysvinit: pesign.sysvinit - install : - $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ - $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/ -- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/ -+ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/ - $(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir) - $(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir) - $(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir) -Index: pesign-113/src/daemon.h -=================================================================== ---- pesign-113.orig/src/daemon.h -+++ pesign-113/src/daemon.h -@@ -49,8 +49,8 @@ typedef enum { - } pesignd_cmd; - - #define PESIGND_VERSION 0x2a9edaf0 --#define SOCKPATH "/var/run/pesign/socket" --#define PIDFILE "/var/run/pesign.pid" -+#define SOCKPATH "/run/pesign/socket" -+#define PIDFILE "/run/pesign.pid" - - static inline uint32_t UNUSED - pesignd_string_size(char *buffer) -Index: pesign-113/src/macros.pesign -=================================================================== ---- pesign-113.orig/src/macros.pesign -+++ pesign-113/src/macros.pesign -@@ -52,7 +52,7 @@ - getfacl /var/run/pesign 1>&2 \ - getfacl /var/run/pesign/socket 1>&2 \ - exit 1 \ -- elif [ -S /var/run/pesign/socket ]; then \ -+ elif [ -S /run/pesign/socket ]; then \ - %{_pesign_client} -t %{__pesign_client_token} \\\ - -c %{__pesign_client_cert} \\\ - %{-i} %{-o} %{-e} %{-s} %{-C} \ -Index: pesign-113/src/tmpfiles.conf -=================================================================== ---- pesign-113.orig/src/tmpfiles.conf -+++ pesign-113/src/tmpfiles.conf -@@ -1 +1 @@ --D 
/var/run/pesign 0770 pesign pesign - -+D /run/pesign 0770 pesign pesign - -Index: pesign-113/src/pesign.sysvinit.in -=================================================================== ---- pesign-113.orig/src/pesign.sysvinit.in -+++ pesign-113/src/pesign.sysvinit.in -@@ -4,7 +4,7 @@ - # - # chkconfig: - 50 50 - # processname: /usr/bin/pesign --# pidfile: /var/run/pesign.pid -+# pidfile: /run/pesign.pid - ### BEGIN INIT INFO - # Provides: pesign - # Should-Start: $remote_fs -Index: pesign-113/src/pesign.service.in -=================================================================== ---- pesign-113.orig/src/pesign.service.in -+++ pesign-113/src/pesign.service.in -@@ -4,6 +4,6 @@ Description=Pesign signing daemon - [Service] - PrivateTmp=true - Type=forking --PIDFile=/var/run/pesign.pid -+PIDFile=/run/pesign.pid - ExecStart=/usr/bin/pesign --daemonize - ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize -Index: pesign-113/src/pesign-authorize -=================================================================== ---- pesign-113.orig/src/pesign-authorize -+++ pesign-113/src/pesign-authorize -@@ -47,7 +47,7 @@ update_subdir() { - done - } - --for x in /var/run/pesign/ /etc/pki/pesign*/ ; do -+for x in /run/pesign/ /etc/pki/pesign*/ ; do - if [ -d "${x}" ]; then - update_subdir "${x}" - else diff --git a/pesign-suse-build.patch b/pesign-suse-build.patch index 2a29ccc..88f10e1 100644 --- a/pesign-suse-build.patch +++ b/pesign-suse-build.patch @@ -1,7 +1,7 @@ -Index: pesign-113/util/Makefile +Index: pesign-115/util/Makefile =================================================================== ---- pesign-113.orig/util/Makefile -+++ pesign-113/util/Makefile +--- pesign-115.orig/util/Makefile ++++ pesign-115/util/Makefile @@ -7,7 +7,7 @@ include $(TOPDIR)/Make.efirules include $(TOPDIR)/Make.defaults 
@@ -17,18 +17,18 @@ Index: pesign-113/util/Makefile install : - $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/redhat/ - $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/redhat/ -+ $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/SuSE/ -+ $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/SuSE/ ++ $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/sles/ ++ $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/sles/ install_systemd: -Index: pesign-113/src/pesign.sysvinit.in +Index: pesign-115/src/pesign.sysvinit.in =================================================================== ---- pesign-113.orig/src/pesign.sysvinit.in -+++ pesign-113/src/pesign.sysvinit.in +--- pesign-115.orig/src/pesign.sysvinit.in ++++ pesign-115/src/pesign.sysvinit.in @@ -6,16 +6,19 @@ # processname: /usr/bin/pesign - # pidfile: /var/run/pesign.pid + # pidfile: @@RUNDIR@@pesign.pid ### BEGIN INIT INFO -# Provides: pesign -# Default-Start: @@ -46,50 +46,41 @@ Index: pesign-113/src/pesign.sysvinit.in -. /etc/init.d/functions [ -f /usr/bin/pesign ] || exit 1 -+PESIGN_PIDFILE=/var/run/pesign.pid ++PESIGN_PIDFILE=@@RUNDIR@@pesign.pid RETVAL=0 start(){ 
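Review bot: The install directory change from `$(INSTALLROOT)/boot/efi/EFI/SuSE/` to `$(INSTALLROOT)/boot/efi/EFI/sles/` in the `install` rule of util/Makefile is a behaviour change carried inside a patch refresh, and the pesign.changes entry does not mention it. A hard-coded vendor directory on the EFI system partition only matches installations that use that name, so the reason for the new value should be written down where the patch is described. I would add a changelog line such as `+ pesign-suse-build.patch: install the EFI utilities to EFI/sles instead of EFI/SuSE`, or keep the old path if the change was unintended. The rest of the rule lies outside the hunk.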
@@ -23,7 +26,7 @@ start(){ - mkdir /var/run/pesign 2>/dev/null && - chown pesign:pesign /var/run/pesign && - chmod 0770 /var/run/pesign + mkdir @@RUNDIR@@pesign 2>/dev/null && + chown pesign:pesign @@RUNDIR@@pesign && + chmod 0770 @@RUNDIR@@pesign - daemon /usr/bin/pesign --daemonize + startproc -f -p "$PESIGN_PIDFILE" /usr/bin/pesign --daemonize RETVAL=$? echo touch /var/lock/subsys/pesign -@@ -32,7 +35,7 @@ start(){ - - stop(){ - echo -n "Stopping pesign: " -- killproc -p /var/run/pesign.pid pesignd -+ killproc -p /run/pesign.pid pesignd - RETVAL=$? - echo - rm -f /var/lock/subsys/pesign -Index: pesign-113/Make.defaults +Index: pesign-115/Make.defaults =================================================================== ---- pesign-113.orig/Make.defaults -+++ pesign-113/Make.defaults -@@ -61,7 +61,7 @@ CPPFLAGS ?= - RANLIBFLAGS := $(if $(filter $(CC),gcc),-D) - ARFLAGS := $(if $(filter $(CC),gcc),-Dcvqs)$(if $(filter $(CC),clang),-cqvs) +--- pesign-115.orig/Make.defaults ++++ pesign-115/Make.defaults +@@ -83,7 +83,7 @@ CPPFLAGS ?= -D_FORTIFY_SOURCE=2 + RANLIBFLAGS ?= $(if $(filter $(CC),gcc),-D) + ARFLAGS ?= $(if $(filter $(CC),gcc),-Dcvqs)$(if $(filter $(CC),clang),-cqvs) -LDLIBS = $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs) +LDLIBS = -lpthread $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs) ifeq ($(ARCH),ia64) efi_cflags += -mfixed-range=f32-f127 -Index: pesign-113/Makefile +Index: pesign-115/Makefile =================================================================== ---- pesign-113.orig/Makefile -+++ pesign-113/Makefile +--- pesign-115.orig/Makefile ++++ pesign-115/Makefile @@ -11,7 +11,6 @@ SUBDIRS := include libdpe src install : $(INSTALL) -d -m 755 $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/ - $(INSTALL) -pm 644 COPYING $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/ - @set -e ; for x in $(SUBDIRS) ; do \ - $(MAKE) -C $$x $@ ; \ - done + @$(call descend) + + install_systemd install_sysvinit : install 
diff --git a/pesign.changes b/pesign.changes
index dfdbee4..e2bb2dc 100644
--- a/pesign.changes
+++ b/pesign.changes
@@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Fri Dec 2 08:20:44 UTC 2022 - Gary Ching-Pang Lin
+
+- Update to 115
+ + macros: drop %{_pesign_args}
+ + Fix two bugs from package building
+ + Fix bad free of cms data (DoS only)
+ + Send pesign stdout/err to systemd journal
+ + Add missing Install section
+ + Add default packages for pkg-config
+ + Short delay to ensure /run/pesign/socket exists
+ + Resolve crash when signature that is removed is not the end of
+ the list
+ + Enhance error diagnostics about version mismatch
+ + Upstream all Fedora changes
+ + Add some hardening options to build
+ + Add code of conduct
+ + Fix build on gcc 12 and non-Fedora
+- Refresh patches
+ + harden_pesign.service.patch
+ + pesign-boo1143063-remove-var-tracking.patch
+ + pesign-boo1185663-set-rpmmacrodir.patch
+ + pesign-fix-authvar-write-loop.patch
+ + pesign-suse-build.patch
+- Remove upstreamed/unnecessary patches
+ + pesign-boo1158197-fix-pesigncheck-gcc10.patch
+ + pesign-efikeygen-Fix-the-build-with-nss-3.44.patch
+ + pesign-privkey_unneeded.diff
+ + pesign-run.patch
+
 -------------------------------------------------------------------
 Sun Nov 11 10:54:08 UTC 2021 - Andreas Schwab
@@ -77,6 +107,7 @@ Mon May 13 03:57:30 UTC 2019 - Gary Ching-Pang Lin
 + Various documentation improvements.
 + Improve /etc/pki/pesign authorization scripts
 + Various pesigcheck improvements
+ + Fix wrong oid offsets (bsc#1205323)
 - Refresh patches
 + pesign-suse-build.patch
 + pesign-privkey_unneeded.diff
diff --git a/pesign.spec b/pesign.spec
index c0b342d..78d7eb6 100644
--- a/pesign.spec
+++ b/pesign.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package pesign
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 Name: pesign
-Version: 113
+Version: 115
 Release: 0
 Summary: Signing tool for PE-COFF binaries
 License: GPL-3.0-or-later
@@ -27,21 +27,13 @@ Source: https://github.com/rhinstaller/pesign/releases/download/%{versio
 Source1: pesign.sysusers
 # PATCH-FIX-SUSE pesign-suse-build.patch glin@suse.com -- Adjust Makefile for the build service
 Patch1: pesign-suse-build.patch
-# PATCH-FIX-UPSTREAM pesign-privkey_unneeded.diff glin@suse.com -- Don't check the private key when importing the raw signature
-Patch2: pesign-privkey_unneeded.diff
-# PATCH-FIX-SUSE pesign-run.patch aj@suse.com - Use /run instead of /var/run
-Patch3: pesign-run.patch
 # PATCH-FIX-UPSTREAM pesign-fix-authvar-write-loop.patch glin@suse.com -- Fix the write loop in authvar
-Patch4: pesign-fix-authvar-write-loop.patch
-# PATCH-FIX-UPSTREAM pesign-efikeygen-Fix-the-build-with-nss-3.44.patch glin@suse.com -- Fix the NSS 3.44 compilation error
-Patch5: pesign-efikeygen-Fix-the-build-with-nss-3.44.patch
+Patch2: pesign-fix-authvar-write-loop.patch
 # PATCH-FIX-SUSE pesign-boo1143063-remove-var-tracking.patch -- boo#1143063 Remove var-tracking from default CFLAGS
-Patch6: pesign-boo1143063-remove-var-tracking.patch
-# PATCH-FIX-UPSTREAM pesign-boo1158197-fix-pesigncheck-gcc10.patch glin@suse.com -- boo#1158197 Fix the gcc10 errors
-Patch7: pesign-boo1158197-fix-pesigncheck-gcc10.patch
+Patch3: pesign-boo1143063-remove-var-tracking.patch
 # PATCH-FIX-UPSTREAM pesign-boo1185663-set-rpmmacrodir.patch boo#1185663 glin@suse.com -- Set the rpm macro directory at build time
-Patch8: pesign-boo1185663-set-rpmmacrodir.patch
-Patch9: harden_pesign.service.patch
+Patch4: pesign-boo1185663-set-rpmmacrodir.patch
+Patch5: harden_pesign.service.patch
 BuildRequires: efivar-devel
 BuildRequires: libuuid-devel
 BuildRequires: mozilla-nss-devel
@@ -64,10 +56,6 @@ with the PE and Authenticode specifications.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
 %build
 %sysusers_generate_pre %{SOURCE1} %{name} %{name}.conf
From 9d2a16ba0ded52c605a9ca92af769b27b118e26023cf8fc5498a4d1a56c4980d Mon Sep 17 00:00:00 2001
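Review bot: Dropping `Patch2: pesign-privkey_unneeded.diff` from the Patch list removes a change to authentication behaviour without stating whether 115 already contains it. The deleted patch made `find_certificate()` skip `PK11_Authenticate()` when a raw signature is imported (`!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && ...`), and the changelog only groups the four removed patches as "upstreamed/unnecessary". If the behaviour is not upstream, raw-signature import would presumably ask for a token login again, which matters on hosts that import signatures without holding the private key. I would annotate each removal in pesign.changes, e.g. `+ pesign-privkey_unneeded.diff (upstreamed)` or `+ pesign-run.patch (unnecessary: REASON)`.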
From: Gary Ching-Pang Lin Date: Fri, 2 Dec 2022 08:34:18 +0000 Subject: [PATCH 2/3] Revert the testing 115 change OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=67 --- harden_pesign.service.patch | 12 +-- pesign-113.tar.bz2 | 3 + pesign-115.tar.bz2 | 3 - pesign-boo1143063-remove-var-tracking.patch | 12 +-- pesign-boo1158197-fix-pesigncheck-gcc10.patch | 39 ++++++++ pesign-boo1185663-set-rpmmacrodir.patch | 30 +++--- ...fikeygen-Fix-the-build-with-nss-3.44.patch | 45 +++++++++ pesign-fix-authvar-write-loop.patch | 36 +++++-- pesign-privkey_unneeded.diff | 81 ++++++++++++++++ pesign-run.patch | 94 +++++++++++++++++++ pesign-suse-build.patch | 59 +++++++----- pesign.changes | 31 ------ pesign.spec | 22 ++++- 13 files changed, 370 insertions(+), 97 deletions(-) create mode 100644 pesign-113.tar.bz2 delete mode 100644 pesign-115.tar.bz2 create mode 100644 pesign-boo1158197-fix-pesigncheck-gcc10.patch create mode 100644 pesign-efikeygen-Fix-the-build-with-nss-3.44.patch create mode 100644 pesign-privkey_unneeded.diff create mode 100644 pesign-run.patch diff --git a/harden_pesign.service.patch b/harden_pesign.service.patch index 7203425..835ec42 100644 --- a/harden_pesign.service.patch +++ b/harden_pesign.service.patch @@ -1,7 +1,7 @@ -Index: pesign-115/src/pesign.service.in +Index: pesign-113/src/pesign.service.in =================================================================== ---- pesign-115.orig/src/pesign.service.in -+++ pesign-115/src/pesign.service.in +--- pesign-113.orig/src/pesign.service.in ++++ pesign-113/src/pesign.service.in @@ -3,6 +3,19 @@ Description=Pesign signing daemon [Service] 
@@ -19,6 +19,6 @@ Index: pesign-115/src/pesign.service.in +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions - PIDFile=@@RUNDIR@@/pesign.pid - ExecStart=/usr/bin/pesign --daemonize --nofork - ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize + Type=forking + PIDFile=/run/pesign.pid + ExecStart=/usr/bin/pesign --daemonize diff --git a/pesign-113.tar.bz2 b/pesign-113.tar.bz2 new file mode 100644 index 0000000..12f80e5 --- /dev/null +++ b/pesign-113.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0dfb14e6f79288b7983344b88b14f83b0267c002f563e38171f935af107d0132 +size 103471 diff --git a/pesign-115.tar.bz2 b/pesign-115.tar.bz2 deleted file mode 100644 index 028645f..0000000 --- a/pesign-115.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ac1ef561b82de175f2a876944d3a806384b34d3e6c58a037cf7a611f41ccf07e -size 119564 diff --git a/pesign-boo1143063-remove-var-tracking.patch b/pesign-boo1143063-remove-var-tracking.patch index 4b6e0e1..cfb41ff 100644 --- a/pesign-boo1143063-remove-var-tracking.patch +++ b/pesign-boo1143063-remove-var-tracking.patch @@ -1,8 +1,8 @@ -Index: pesign-115/Make.defaults -=================================================================== ---- pesign-115.orig/Make.defaults -+++ pesign-115/Make.defaults -@@ -69,7 +69,7 @@ cflags = $(CFLAGS) $(ARCH3264) \ +diff --git a/Make.defaults b/Make.defaults +index 7892d73..2d18005 100644 +--- a/Make.defaults ++++ b/Make.defaults +@@ -47,7 +47,7 @@ cflags = $(CFLAGS) $(ARCH3264) \ $(call pkg-config-cflags) clang_ccldflags = gcc_ccldflags = -fno-merge-constants \ 
@@ -10,4 +10,4 @@ Index: pesign-115/Make.defaults + -fvar-tracking-assignments -fkeep-inline-functions \ -Wl,--fatal-warnings,--no-allow-shlib-undefined,--default-symver \ -Wl,-O2 -Wl,--no-undefined-version -Wl,-z,relro,-z,now \ - -Wl,--no-add-needed,--no-copy-dt-needed-entries,--as-needed -pie + -Wl,--no-add-needed,--no-copy-dt-needed-entries,--as-needed diff --git a/pesign-boo1158197-fix-pesigncheck-gcc10.patch b/pesign-boo1158197-fix-pesigncheck-gcc10.patch new file mode 100644 index 0000000..8a31d91 --- /dev/null +++ b/pesign-boo1158197-fix-pesigncheck-gcc10.patch @@ -0,0 +1,39 @@ +From b0b740f38da6d4584417d65a7c97fd4faf982cf6 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Wed, 4 Dec 2019 10:28:28 +0800 +Subject: [PATCH] pesigcheck: remove superfluous type settings + +When setting the type of reason in check_signature(), the type was +accidentally set as "siBuffer". Since the type is already set as +"SIGNATURE", we only need to remove those two lines of code. + +Fixes: https://github.com/rhboot/pesign/issues/55 + +Signed-off-by: Gary Lin +--- + src/pesigcheck.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/src/pesigcheck.c b/src/pesigcheck.c +index 524cce3..d197c30 100644 +--- a/src/pesigcheck.c ++++ b/src/pesigcheck.c +@@ -318,7 +318,6 @@ check_signature(pesigcheck_context *ctx, int *nreasons, + reason->type = SIGNATURE; + reason->sig.data = data; + reason->sig.len = datalen; +- reason->type = siBuffer; + nreason += 1; + is_invalid = true; + } +@@ -330,7 +329,6 @@ check_signature(pesigcheck_context *ctx, int *nreasons, + reason->type = SIGNATURE; + reason->sig.data = data; + reason->sig.len = datalen; +- reason->type = siBuffer; + nreason += 1; + has_valid_cert = true; + } +-- +2.24.0 + diff --git a/pesign-boo1185663-set-rpmmacrodir.patch b/pesign-boo1185663-set-rpmmacrodir.patch index dca7903..602885c 100644 --- a/pesign-boo1185663-set-rpmmacrodir.patch +++ b/pesign-boo1185663-set-rpmmacrodir.patch 
@@ -1,27 +1,27 @@ -Index: pesign-115/Make.defaults -=================================================================== ---- pesign-115.orig/Make.defaults -+++ pesign-115/Make.defaults -@@ -13,6 +13,7 @@ rundir ?= /run/ - rundir := $(abspath $(rundir))/ +diff --git a/Make.defaults b/Make.defaults +index 2d18005..7ecba00 100644 +--- a/Make.defaults ++++ b/Make.defaults +@@ -11,6 +11,7 @@ includedir ?= $(prefix)include/ + bindir ?= $(prefix)bin/ pcdir ?= $(libdir)pkgconfig/ docdir ?= $(prefix)share/doc/ +rpmmacrodir ?= /etc/rpm/ DESTDIR ?= INSTALLROOT = $(DESTDIR) -Index: pesign-115/src/Makefile -=================================================================== ---- pesign-115.orig/src/Makefile -+++ pesign-115/src/Makefile -@@ -88,8 +88,8 @@ install : - $(INSTALL) -m 644 pesign.popt $(INSTALLROOT)/etc/popt.d/ - $(INSTALL) -d -m 755 $(INSTALLROOT)$(mandir)man1/ - $(INSTALL) -m 644 $(MAN1TARGETS) $(INSTALLROOT)$(mandir)man1/ +diff --git a/src/Makefile b/src/Makefile +index 5fb2841..ca546a3 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -90,8 +90,8 @@ install : + $(INSTALL) -m 644 pesigcheck.1 $(INSTALLROOT)$(mandir)man1/ + $(INSTALL) -m 644 authvar.1 $(INSTALLROOT)$(mandir)man1/ + $(INSTALL) -m 644 efisiglist.1 $(INSTALLROOT)$(mandir)man1/ - $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/ - $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/ + $(INSTALL) -d -m 755 $(INSTALLROOT)$(rpmmacrodir) + $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)$(rpmmacrodir) $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/ $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/ - $(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/ + $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign diff --git a/pesign-efikeygen-Fix-the-build-with-nss-3.44.patch b/pesign-efikeygen-Fix-the-build-with-nss-3.44.patch new file mode 100644 index 0000000..f26374a --- /dev/null +++ b/pesign-efikeygen-Fix-the-build-with-nss-3.44.patch 
@@ -0,0 +1,45 @@
+From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Tue, 14 May 2019 11:28:38 -0400
+Subject: [PATCH] efikeygen: Fix the build with nss 3.44
+
+NSS 3.44 adds some certificate types, which changes a type and makes
+some encoding stuff weird. As a result, we get:
+
+gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing -g -O0 -g -O0 -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/ -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o
+In file included from /usr/local/include/nss/nss/cert.h:22,
+ from efikeygen.c:39:
+efikeygen.c: In function 'add_cert_type':
+/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow]
+ (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
+ ^
+efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP'
+ unsigned char type = NS_CERT_TYPE_APP;
+ ^~~~~~~~~~~~~~~~
+cc1: all warnings being treated as errors
+
+This is fixed by just making it an int.
+
+Fixes github issue #48.
+
+Signed-off-by: Peter Jones
+---
+ src/efikeygen.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/efikeygen.c b/src/efikeygen.c
+index ede76ef..2cd953e 100644
+--- a/src/efikeygen.c
++++ b/src/efikeygen.c
+@@ -208,7 +208,7 @@ static int
+ add_cert_type(cms_context *cms, void *extHandle, int is_ca)
+ {
+ SECItem bitStringValue;
+- unsigned char type = NS_CERT_TYPE_APP;
++ int type = NS_CERT_TYPE_APP;
+
+ if (is_ca)
+ type |= NS_CERT_TYPE_SSL_CA |
+--
+2.22.0
+
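Review bot: Widening `type` to `int` in add_cert_type() clears the -Werror=overflow failure, but the quoted compiler error shows NS_CERT_TYPE_APP is now 496 and no longer fits in one byte, and the code that copies `type` into `bitStringValue` lies outside this hunk. If that code still passes the address of `type` with a one-byte length, the encoded certificate-type extension would drop the bits above 0xff and would depend on host byte order, so the rest of the function should be checked before relying on this patch. A comment at the declaration would record the reason for the type, for example `/* int, not unsigned char: NS_CERT_TYPE_APP no longer fits in 8 bits with NSS 3.44 */`.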
diff --git a/pesign-fix-authvar-write-loop.patch b/pesign-fix-authvar-write-loop.patch index 2004cf0..085ad74 100644 --- a/pesign-fix-authvar-write-loop.patch +++ b/pesign-fix-authvar-write-loop.patch @@ -12,11 +12,32 @@ Signed-off-by: Gary Ching-Pang Lin src/authvar_context.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) -Index: pesign-115/src/authvar_context.c -=================================================================== ---- pesign-115.orig/src/authvar_context.c -+++ pesign-115/src/authvar_context.c -@@ -151,6 +151,7 @@ write_authvar(authvar_context *ctx) +diff --git a/src/authvar_context.c b/src/authvar_context.c +index 7a753fc..c51c666 100644 +--- a/src/authvar_context.c ++++ b/src/authvar_context.c +@@ -20,6 +20,7 @@ + #include "fix_coverity.h" + + #include ++#include + #include + + #include +@@ -135,11 +136,7 @@ generate_descriptor(authvar_context *ctx) + if (rc < 0) + cmsreterr(-1, ctx->cms_ctx, "could not create signed data"); + +-#if __WORDSIZE == 64 +- offset = (uint64_t) &((win_cert_uefi_guid_t *)0)->data; +-#else +- offset = (uint32_t) &((win_cert_uefi_guid_t *)0)->data; +-#endif ++ offset = offsetof(win_cert_uefi_guid_t, data); + authinfo = calloc(offset + sd_der.len, 1); + if (!authinfo) + cmsreterr(-1, ctx->cms_ctx, "could not allocate authinfo"); +@@ -162,6 +159,7 @@ write_authvar(authvar_context *ctx) void *buffer, *ptr; size_t buf_len, des_len, remain; ssize_t wlen; @@ -24,7 +45,7 @@ Index: pesign-115/src/authvar_context.c if (!ctx->authinfo) cmsreterr(-1, ctx->cms_ctx, "Not a valid authvar"); -@@ -179,19 +180,19 @@ write_authvar(authvar_context *ctx) +@@ -189,19 +187,19 @@ write_authvar(authvar_context *ctx) if (ctx->value_size > 0) memcpy(ptr, ctx->value, ctx->value_size); @@ -48,3 +69,6 @@ Index: pesign-115/src/authvar_context.c } while (remain > 0); free(buffer); +-- +2.21.0 + diff --git a/pesign-privkey_unneeded.diff b/pesign-privkey_unneeded.diff new file mode 100644 index 0000000..26ee8c3 --- /dev/null 
+++ b/pesign-privkey_unneeded.diff 
@@ -0,0 +1,81 @@ +--- + src/cms_common.c | 12 ++++++++++-- + src/cms_common.h | 1 + + src/pesign.c | 1 + + 3 files changed, 12 insertions(+), 2 deletions(-) + +Index: pesign-113/src/cms_common.c +=================================================================== +--- pesign-113.orig/src/cms_common.c ++++ pesign-113/src/cms_common.c +@@ -282,6 +282,7 @@ struct cbdata { + CERTCertificate *cert; + PK11SlotListElement *psle; + secuPWData *pwdata; ++ int privkey_unneeded; + }; + + static SECStatus +@@ -293,6 +294,12 @@ is_valid_cert(CERTCertificate *cert, voi + void *pwdata = cbdata->pwdata; + + SECKEYPrivateKey *privkey = NULL; ++ ++ if (cbdata->privkey_unneeded) { ++ cbdata->cert = cert; ++ return SECSuccess; ++ } ++ + privkey = PK11_FindPrivateKeyFromCert(slot, cert, pwdata); + if (privkey != NULL) { + cbdata->cert = cert; +@@ -423,7 +430,7 @@ find_certificate(cms_context *cms, int n + } + + SECStatus status; +- if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { ++ if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { + status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata); + if (status != SECSuccess) { + PK11_DestroySlotListElement(slots, &psle); +@@ -452,6 +459,7 @@ find_certificate(cms_context *cms, int n + .cert = NULL, + .psle = psle, + .pwdata = pwdata, ++ .privkey_unneeded = cms->privkey_unneeded, + }; + + if (needs_private_key) { +@@ -572,7 +580,7 @@ find_named_certificate(cms_context *cms, + } + + SECStatus status; +- if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { ++ if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { + status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata); + if (status != SECSuccess) { + PK11_DestroySlotListElement(slots, &psle); +Index: pesign-113/src/cms_common.h +=================================================================== +--- pesign-113.orig/src/cms_common.h ++++ 
pesign-113/src/cms_common.h +@@ -62,6 +62,7 @@ typedef int (*cms_common_logger)(struct + typedef struct cms_context { + PRArenaPool *arena; + void *privkey; ++ int privkey_unneeded; + + char *tokenname; + char *certname; +Index: pesign-113/src/file_pe.c +=================================================================== +--- pesign-113.orig/src/file_pe.c ++++ pesign-113/src/file_pe.c +@@ -354,6 +354,7 @@ pe_handle_action(pesign_context *ctxp, i + */ + case IMPORT_RAW_SIGNATURE|IMPORT_SATTRS: + check_inputs(ctxp); ++ ctxp->cms_ctx->privkey_unneeded = 1; + rc = find_certificate(ctxp->cms_ctx, 0); + if (rc < 0) { + fprintf(stderr, "pesign: Could not find " diff --git a/pesign-run.patch b/pesign-run.patch new file mode 100644 index 0000000..f16457c --- /dev/null +++ b/pesign-run.patch 
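Review bot: `privkey_unneeded` is set on the shared `cms_context` in pe_handle_action() and nothing in the visible hunks clears it, so any later find_certificate() or find_named_certificate() call on the same context would also skip PK11_Authenticate() and accept a certificate in is_valid_cert() without the private-key lookup. Whether the context is reused after an IMPORT_RAW_SIGNATURE|IMPORT_SATTRS action cannot be seen here, since the case body continues outside the hunk, but resetting the flag right after the lookup keeps the relaxation scoped to this one action: `ctxp->cms_ctx->privkey_unneeded = 0;` directly after `rc = find_certificate(ctxp->cms_ctx, 0);`. The diffstat at the top of the patch also lists `src/pesign.c | 1 +` while the hunk edits `src/file_pe.c`, which should be corrected so the summary matches the change.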
@@ -0,0 +1,94 @@ +--- + src/Makefile | 2 +- + src/daemon.h | 4 ++-- + src/macros.pesign | 2 +- + src/pesign.sysvinit | 14 +++++++------- + src/tmpfiles.conf | 2 +- + 5 files changed, 12 insertions(+), 12 deletions(-) + +Index: pesign-113/src/Makefile +=================================================================== +--- pesign-113.orig/src/Makefile ++++ pesign-113/src/Makefile +@@ -73,7 +73,7 @@ install_sysvinit: pesign.sysvinit + install : + $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ + $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/ +- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/ ++ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/ + $(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir) + $(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir) + $(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir) +Index: pesign-113/src/daemon.h +=================================================================== +--- pesign-113.orig/src/daemon.h ++++ pesign-113/src/daemon.h +@@ -49,8 +49,8 @@ typedef enum { + } pesignd_cmd; + + #define PESIGND_VERSION 0x2a9edaf0 +-#define SOCKPATH "/var/run/pesign/socket" +-#define PIDFILE "/var/run/pesign.pid" ++#define SOCKPATH "/run/pesign/socket" ++#define PIDFILE "/run/pesign.pid" + + static inline uint32_t UNUSED + pesignd_string_size(char *buffer) +Index: pesign-113/src/macros.pesign +=================================================================== +--- pesign-113.orig/src/macros.pesign ++++ pesign-113/src/macros.pesign +@@ -52,7 +52,7 @@ + getfacl /var/run/pesign 1>&2 \ + getfacl /var/run/pesign/socket 1>&2 \ + exit 1 \ +- elif [ -S /var/run/pesign/socket ]; then \ ++ elif [ -S /run/pesign/socket ]; then \ + %{_pesign_client} -t %{__pesign_client_token} \\\ + -c %{__pesign_client_cert} \\\ + %{-i} %{-o} %{-e} %{-s} %{-C} \ +Index: pesign-113/src/tmpfiles.conf +=================================================================== +--- pesign-113.orig/src/tmpfiles.conf ++++ pesign-113/src/tmpfiles.conf +@@ -1 +1 @@ +-D 
/var/run/pesign 0770 pesign pesign - ++D /run/pesign 0770 pesign pesign - +Index: pesign-113/src/pesign.sysvinit.in +=================================================================== +--- pesign-113.orig/src/pesign.sysvinit.in ++++ pesign-113/src/pesign.sysvinit.in +@@ -4,7 +4,7 @@ + # + # chkconfig: - 50 50 + # processname: /usr/bin/pesign +-# pidfile: /var/run/pesign.pid ++# pidfile: /run/pesign.pid + ### BEGIN INIT INFO + # Provides: pesign + # Should-Start: $remote_fs +Index: pesign-113/src/pesign.service.in +=================================================================== +--- pesign-113.orig/src/pesign.service.in ++++ pesign-113/src/pesign.service.in +@@ -4,6 +4,6 @@ Description=Pesign signing daemon + [Service] + PrivateTmp=true + Type=forking +-PIDFile=/var/run/pesign.pid ++PIDFile=/run/pesign.pid + ExecStart=/usr/bin/pesign --daemonize + ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize +Index: pesign-113/src/pesign-authorize +=================================================================== +--- pesign-113.orig/src/pesign-authorize ++++ pesign-113/src/pesign-authorize +@@ -47,7 +47,7 @@ update_subdir() { + done + } + +-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do ++for x in /run/pesign/ /etc/pki/pesign*/ ; do + if [ -d "${x}" ]; then + update_subdir "${x}" + else diff --git a/pesign-suse-build.patch b/pesign-suse-build.patch index 88f10e1..2a29ccc 100644 --- a/pesign-suse-build.patch +++ b/pesign-suse-build.patch @@ -1,7 +1,7 @@ -Index: pesign-115/util/Makefile +Index: pesign-113/util/Makefile =================================================================== ---- pesign-115.orig/util/Makefile -+++ pesign-115/util/Makefile +--- pesign-113.orig/util/Makefile ++++ pesign-113/util/Makefile @@ -7,7 +7,7 @@ include $(TOPDIR)/Make.efirules include $(TOPDIR)/Make.defaults 
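Review bot: The macros.pesign section switches only the `[ -S /run/pesign/socket ]` test, while the diagnostic branch just before it (context lines `getfacl /var/run/pesign` and `getfacl /var/run/pesign/socket`) still names the old location, so the macro tests the signing socket under one path and reports permissions under another. That is equivalent only where /var/run resolves to /run; changing those two lines to `getfacl /run/pesign 1>&2 \` and `getfacl /run/pesign/socket 1>&2 \` keeps the path in one form. The macro body starts and ends outside the hunk. The diffstat at the top of the patch also lists five files, but the patch carries sections for seven, among them pesign.service.in and pesign-authorize.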
@@ -17,18 +17,18 @@ Index: pesign-115/util/Makefile install : - $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/redhat/ - $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/redhat/ -+ $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/sles/ -+ $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/sles/ ++ $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/SuSE/ ++ $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/SuSE/ install_systemd: -Index: pesign-115/src/pesign.sysvinit.in +Index: pesign-113/src/pesign.sysvinit.in =================================================================== ---- pesign-115.orig/src/pesign.sysvinit.in -+++ pesign-115/src/pesign.sysvinit.in +--- pesign-113.orig/src/pesign.sysvinit.in ++++ pesign-113/src/pesign.sysvinit.in @@ -6,16 +6,19 @@ # processname: /usr/bin/pesign - # pidfile: @@RUNDIR@@pesign.pid + # pidfile: /var/run/pesign.pid ### BEGIN INIT INFO -# Provides: pesign -# Default-Start: @@ -46,41 +46,50 @@ Index: pesign-115/src/pesign.sysvinit.in -. /etc/init.d/functions [ -f /usr/bin/pesign ] || exit 1 -+PESIGN_PIDFILE=@@RUNDIR@@pesign.pid ++PESIGN_PIDFILE=/var/run/pesign.pid RETVAL=0 start(){ 
@@ -23,7 +26,7 @@ start(){ - mkdir @@RUNDIR@@pesign 2>/dev/null && - chown pesign:pesign @@RUNDIR@@pesign && - chmod 0770 @@RUNDIR@@pesign + mkdir /var/run/pesign 2>/dev/null && + chown pesign:pesign /var/run/pesign && + chmod 0770 /var/run/pesign - daemon /usr/bin/pesign --daemonize + startproc -f -p "$PESIGN_PIDFILE" /usr/bin/pesign --daemonize RETVAL=$? echo touch /var/lock/subsys/pesign -Index: pesign-115/Make.defaults +@@ -32,7 +35,7 @@ start(){ + + stop(){ + echo -n "Stopping pesign: " +- killproc -p /var/run/pesign.pid pesignd ++ killproc -p /run/pesign.pid pesignd + RETVAL=$? + echo + rm -f /var/lock/subsys/pesign +Index: pesign-113/Make.defaults =================================================================== ---- pesign-115.orig/Make.defaults -+++ pesign-115/Make.defaults -@@ -83,7 +83,7 @@ CPPFLAGS ?= -D_FORTIFY_SOURCE=2 - RANLIBFLAGS ?= $(if $(filter $(CC),gcc),-D) - ARFLAGS ?= $(if $(filter $(CC),gcc),-Dcvqs)$(if $(filter $(CC),clang),-cqvs) +--- pesign-113.orig/Make.defaults ++++ pesign-113/Make.defaults +@@ -61,7 +61,7 @@ CPPFLAGS ?= + RANLIBFLAGS := $(if $(filter $(CC),gcc),-D) + ARFLAGS := $(if $(filter $(CC),gcc),-Dcvqs)$(if $(filter $(CC),clang),-cqvs) -LDLIBS = $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs) +LDLIBS = -lpthread $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs) ifeq ($(ARCH),ia64) efi_cflags += -mfixed-range=f32-f127 -Index: pesign-115/Makefile +Index: pesign-113/Makefile =================================================================== ---- pesign-115.orig/Makefile -+++ pesign-115/Makefile +--- pesign-113.orig/Makefile ++++ pesign-113/Makefile @@ -11,7 +11,6 @@ SUBDIRS := include libdpe src install : $(INSTALL) -d -m 755 $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/ - $(INSTALL) -pm 644 COPYING $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/ - @$(call descend) - - install_systemd install_sysvinit : install + @set -e ; for x in $(SUBDIRS) ; do \ + $(MAKE) -C $$x $@ ; \ + done 
diff --git a/pesign.changes b/pesign.changes index e2bb2dc..dfdbee4 100644 --- a/pesign.changes +++ b/pesign.changes @@ -1,33 +1,3 @@ -------------------------------------------------------------------- -Fri Dec 2 08:20:44 UTC 2022 - Gary Ching-Pang Lin - -- Update to 115 - + macros: drop %{_pesign_args} - + Fix two bugs from package building - + Fix bad free of cms data (DoS only) - + Send pesign stdout/err to systemd journal - + Add missing Install section - + Add default packages for pkg-config - + Short delay to ensure /run/pesign/socket exists - + Resolve crash when signature that is removed is not the end of - the list - + Enhance error diagnostics about version mismatch - + Upstream all Fedora changes - + Add some hardening options to build - + Add code of conduct - + Fix build on gcc 12 and non-Fedora -- Refresh patches - + harden_pesign.service.patch - + pesign-boo1143063-remove-var-tracking.patch - + pesign-boo1185663-set-rpmmacrodir.patch - + pesign-fix-authvar-write-loop.patch - + pesign-suse-build.patch -- Remove upstreamed/unnecessary patches - + pesign-boo1158197-fix-pesigncheck-gcc10.patch - + pesign-efikeygen-Fix-the-build-with-nss-3.44.patch - + pesign-privkey_unneeded.diff - + pesign-run.patch - ------------------------------------------------------------------- Sun Nov 11 10:54:08 UTC 2021 - Andreas Schwab @@ -107,7 +77,6 @@ Mon May 13 03:57:30 UTC 2019 - Gary Ching-Pang Lin + Various documentation improvements. + Improve /etc/pki/pesign authorization scripts + Various pesigcheck improvements - + Fix wrong oid offsets (bsc#1205323) - Refresh patches + pesign-suse-build.patch + pesign-privkey_unneeded.diff diff --git a/pesign.spec b/pesign.spec index 78d7eb6..9b44f66 100644 --- a/pesign.spec +++ b/pesign.spec @@ -17,7 +17,7 @@ Name: pesign -Version: 115 +Version: 113 Release: 0 Summary: Signing tool for PE-COFF binaries License: GPL-3.0-or-later 
@@ -27,13 +27,21 @@ Source: https://github.com/rhinstaller/pesign/releases/download/%{versio Source1: pesign.sysusers # PATCH-FIX-SUSE pesign-suse-build.patch glin@suse.com -- Adjust Makefile for the build service Patch1: pesign-suse-build.patch +# PATCH-FIX-UPSTREAM pesign-privkey_unneeded.diff glin@suse.com -- Don't check the private key when importing the raw signature +Patch2: pesign-privkey_unneeded.diff +# PATCH-FIX-SUSE pesign-run.patch aj@suse.com - Use /run instead of /var/run +Patch3: pesign-run.patch # PATCH-FIX-UPSTREAM pesign-fix-authvar-write-loop.patch glin@suse.com -- Fix the write loop in authvar -Patch2: pesign-fix-authvar-write-loop.patch +Patch4: pesign-fix-authvar-write-loop.patch +# PATCH-FIX-UPSTREAM pesign-efikeygen-Fix-the-build-with-nss-3.44.patch glin@suse.com -- Fix the NSS 3.44 compilation error +Patch5: pesign-efikeygen-Fix-the-build-with-nss-3.44.patch # PATCH-FIX-SUSE pesign-boo1143063-remove-var-tracking.patch -- boo#1143063 Remove var-tracking from default CFLAGS -Patch3: pesign-boo1143063-remove-var-tracking.patch +Patch6: pesign-boo1143063-remove-var-tracking.patch +# PATCH-FIX-UPSTREAM pesign-boo1158197-fix-pesigncheck-gcc10.patch glin@suse.com -- boo#1158197 Fix the gcc10 errors +Patch7: pesign-boo1158197-fix-pesigncheck-gcc10.patch # PATCH-FIX-UPSTREAM pesign-boo1185663-set-rpmmacrodir.patch boo#1185663 glin@suse.com -- Set the rpm macro directory at build time -Patch4: pesign-boo1185663-set-rpmmacrodir.patch -Patch5: harden_pesign.service.patch +Patch8: pesign-boo1185663-set-rpmmacrodir.patch +Patch9: harden_pesign.service.patch BuildRequires: efivar-devel BuildRequires: libuuid-devel BuildRequires: mozilla-nss-devel @@ -56,6 +64,10 @@ with the PE and Authenticode specifications. %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 %build %sysusers_generate_pre %{SOURCE1} %{name} %{name}.conf From 88fb4f57d38920ed9f7d516f90e5b79326705bd80dd227dbfe7acac622550863 Mon Sep 17 00:00:00 2001 
From: Gary Ching-Pang Lin Date: Wed, 8 Feb 2023 05:33:34 +0000 Subject: [PATCH 3/3] Accepting request 1063580 from home:gary_lin:bsc1202933 - Add pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch to use the normal file permissions in pesign-authorize to avoid the potential security issue (bsc#1202933, CVE-2022-3560) - Set the libexecdir path for "make" to fix the path to pesign-authorize in pesign.service (bsc#1202933) - Add pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch to make the default NSS database writeable (bsc#1202933) OBS-URL: https://build.opensuse.org/request/show/1063580 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=68 --- ...202933-Make-etc-pki-pesign-writeable.patch | 25 ++++++ ...mal-file-permissions-instead-of-ACLs.patch | 81 +++++++++++++++++++ pesign.changes | 12 +++ pesign.spec | 8 +- 4 files changed, 124 insertions(+), 2 deletions(-) create mode 100644 pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch create mode 100644 pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch diff --git a/pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch b/pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch new file mode 100644 index 0000000..c9db7b7 --- /dev/null +++ b/pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch 
@@ -0,0 +1,25 @@
+From 73cd25615367ff1f9a19fdfd38017f68a12a354d Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Tue, 7 Feb 2023 15:34:09 +0800
+Subject: [PATCH] Make /etc/pki/pesign/ writeable
+
+The default NSS database for the pesign daemon is stored in /etc/pki/pesign/.
+Make it writeable after hardening the service.
+
+Signed-off-by: Gary Lin
+---
+ src/pesign.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/pesign.service.in b/src/pesign.service.in
+index 87accee..8542c63 100644
+--- a/src/pesign.service.in
++++ b/src/pesign.service.in
+@@ -20,3 +20,4 @@ Type=forking
+ PIDFile=/run/pesign.pid
+ ExecStart=/usr/bin/pesign --daemonize
+ ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
++ReadWritePaths=/etc/pki/pesign/
+--
+2.35.3
+
diff --git a/pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch b/pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
new file mode 100644
index 0000000..f5f441f
--- /dev/null
+++ b/pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
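Review bot: `ReadWritePaths=/etc/pki/pesign/` reopens the whole NSS database directory for writing, and the unit file gets no comment saying why, so a later hardening pass cannot tell whether the exception is still needed. A line such as `# pesign daemon's default NSS database; must stay writable under the sandboxing options above` before it would record that. The sandboxing options themselves come from harden_pesign.service.patch and are not visible in this hunk. The ExecStartPost helper pesign-authorize, as rewritten in the companion patch on this page, also changes ownership under /run/pesign/, so it is worth confirming that path is writable for the service as well.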
@@ -0,0 +1,81 @@ +From cf116c5fc6a98f28144ea0409988a83b22289439 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Wed, 18 Jan 2023 14:00:22 -0500 +Subject: [PATCH] Use normal file permissions instead of ACLs + +Fixes a symlink attack that can't be mitigated using getfacl/setfacl. + +pesign-authorize is now deprecated and will be removed in a future +release. + +Resolves: CVE-2022-3560 +Signed-off-by: Robbie Harwood +--- + src/pesign-authorize | 53 +++++--------------------------------------- + 1 file changed, 5 insertions(+), 48 deletions(-) + +Index: pesign-113/src/pesign-authorize +=================================================================== +--- pesign-113.orig/src/pesign-authorize ++++ pesign-113/src/pesign-authorize +@@ -2,55 +2,12 @@ + set -e + set -u + +-# +-# With /run/pesign/socket on tmpfs, a simple way of restoring the +-# acls for specific users is useful +-# +-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6 +-# +- + # License: GPLv2 +-declare -a fileusers=() +-declare -a dirusers=() +-for user in $(cat /etc/pesign/users); do +- dirusers[${#dirusers[@]}]=-m +- dirusers[${#dirusers[@]}]="u:$user:rwx" +- fileusers[${#fileusers[@]}]=-m +- fileusers[${#fileusers[@]}]="u:$user:rw" +-done +- +-declare -a filegroups=() +-declare -a dirgroups=() +-for group in $(cat /etc/pesign/groups); do +- dirgroups[${#dirgroups[@]}]=-m +- dirgroups[${#dirgroups[@]}]="g:$group:rwx" +- filegroups[${#filegroups[@]}]=-m +- filegroups[${#filegroups[@]}]="g:$group:rw" +-done +- +-update_subdir() { +- subdir=$1 && shift + +- setfacl -bk "${subdir}" +- setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}" +- for x in "${subdir}"* ; do +- if [ -d "${x}" ]; then +- setfacl -bk ${x} +- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x} +- update_subdir "${x}/" +- elif [ -e "${x}" ]; then +- setfacl -bk ${x} +- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x} +- else +- :; +- 
fi +- done +-} ++# This script is deprecated and will be removed in a future release. + +-for x in /run/pesign/ /etc/pki/pesign*/ ; do +- if [ -d "${x}" ]; then +- update_subdir "${x}" +- else +- :; +- fi ++sleep 3 ++for x in /run/pesign/ /etc/pki/pesign/ ; do ++ chown -R pesign:pesign "${x}" || true ++ chmod -R ug+rwX "${x}" || true + done diff --git a/pesign.changes b/pesign.changes index dfdbee4..e766c99 100644 --- a/pesign.changes +++ b/pesign.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Tue Feb 7 07:37:20 UTC 2023 - Gary Ching-Pang Lin + +- Add pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch + to use the normal file permissions in pesign-authorize to avoid + the potential security issue (bsc#1202933, CVE-2022-3560) +- Set the libexecdir path for "make" to fix the path to + pesign-authorize in pesign.service (bsc#1202933) +- Add pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch to make + the default NSS datebase writeable (bsc#1202933) + ------------------------------------------------------------------- Sun Nov 11 10:54:08 UTC 2021 - Andreas Schwab @@ -77,6 +88,7 @@ Mon May 13 03:57:30 UTC 2019 - Gary Ching-Pang Lin + Various documentation improvements. + Improve /etc/pki/pesign authorization scripts + Various pesigcheck improvements + + Fix wrong oid offsets (bsc#1205323) - Refresh patches + pesign-suse-build.patch + pesign-privkey_unneeded.diff diff --git a/pesign.spec b/pesign.spec index 9b44f66..5284cc1 100644 --- a/pesign.spec +++ b/pesign.spec @@ -1,7 +1,7 @@ # # spec file for package pesign # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
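Review bot: Both recursive calls in the new pesign-authorize loop end in `|| true`, which makes the step best-effort: a failed `chown` or `chmod` no longer fails ExecStartPost, and the daemon keeps running with whatever ownership and mode the socket directory and NSS database already had. If that is intended, a comment should say so, for example `# best effort: do not fail service start if permissions cannot be adjusted`. The fixed `sleep 3` assumes the daemon has created /run/pesign/ by then, which also deserves a one-line comment. Since the loop changes ownership recursively in trees the pesign account can write, and presumably runs with elevated privileges (the unit's user is not visible here), writing the no-follow traversal out as `chown -RPh pesign:pesign "${x}"` would make the link handling explicit rather than a tool default.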
@@ -42,6 +42,8 @@ Patch7: pesign-boo1158197-fix-pesigncheck-gcc10.patch # PATCH-FIX-UPSTREAM pesign-boo1185663-set-rpmmacrodir.patch boo#1185663 glin@suse.com -- Set the rpm macro directory at build time Patch8: pesign-boo1185663-set-rpmmacrodir.patch Patch9: harden_pesign.service.patch +Patch10: pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch +Patch11: pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch BuildRequires: efivar-devel BuildRequires: libuuid-devel BuildRequires: mozilla-nss-devel @@ -68,10 +70,12 @@ with the PE and Authenticode specifications. %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 +%patch11 -p1 %build %sysusers_generate_pre %{SOURCE1} %{name} %{name}.conf -make %{?_smp_mflags} CFLAGS="%{optflags}" LDFLAGS="${LDFLAGS} -pie" +make %{?_smp_mflags} CFLAGS="%{optflags}" LDFLAGS="${LDFLAGS} -pie" libexecdir=%{_libexecdir} %install mkdir -p %{buildroot}%{_localstatedir}/lib/pesign
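Review bot: `Patch10` and `Patch11` are added without the `# PATCH-FIX-UPSTREAM` / `# PATCH-FIX-SUSE` comment lines that precede Patch1 through Patch8 in this spec, so the file does not say which patch is the CVE-2022-3560 fix or where each one came from. A line such as `# PATCH-FIX-UPSTREAM pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch bsc#1202933 CVE-2022-3560 glin@suse.com -- Use normal file permissions instead of ACLs` above Patch10, and a matching tagged line above Patch11, would keep the security fix traceable from the spec alone. The added `libexecdir=%{_libexecdir}` on the `make` line would also benefit from a short comment that it fixes the pesign-authorize path substituted into pesign.service.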