From 317af7f80534b6c0ccec2d1287c498c4cba28e81bec55fbac69a4a37b5f8e917 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20Schr=C3=B6der?= Date: Mon, 11 Jun 2018 09:30:49 +0000 Subject: [PATCH 1/4] Accepting request 613118 from home:michals - openSUSE releases also preserve kabi (boo#1095148). OBS-URL: https://build.opensuse.org/request/show/613118 OBS-URL: https://build.opensuse.org/package/show/Base:System/rpm?expand=0&rev=467 --- fileattrs.diff | 2 +- findksyms.diff | 12 ++++++------ rpm.changes | 5 +++++ 3 files changed, 12 insertions(+), 7 deletions(-) diff --git a/fileattrs.diff b/fileattrs.diff index 850669c..dcf6e99 100644 --- a/fileattrs.diff +++ b/fileattrs.diff @@ -38,7 +38,7 @@ +++ ./fileattrs/kmp.attr 2017-12-01 15:46:28.172720497 +0000 @@ -0,0 +1,4 @@ +%__kmp_provides %{_rpmconfigdir}/find-provides.ksyms --opensuse 0%{?is_opensuse} -+%__kmp_requires %{_rpmconfigdir}/find-requires.ksyms --opensuse 0%{?is_opensuse} ++%__kmp_requires %{_rpmconfigdir}/find-requires.ksyms --suse-release 0%{?sle_version} +%__kmp_supplements %{_rpmconfigdir}/find-supplements.ksyms +%__kmp_path ^/lib/modules/[^/]*/(updates|extra)/.*\.ko(\.gz)? --- ./fileattrs/perl.attr.orig 2017-08-10 08:08:07.113108701 +0000 diff --git a/findksyms.diff b/findksyms.diff index 2472f7d..cd66a6d 100644 --- a/findksyms.diff +++ b/findksyms.diff @@ -107,16 +107,16 @@ + +IFS=$'\n' + -+is_opensuse=false ++is_tumbleweed=false + -+if test "$1" = "--opensuse"; then -+ if test "$2" -gt 0; then -+ is_opensuse=true ++if test "$1" = "--suse-release"; then ++ if test "$2" -eq 0; then ++ is_tumbleweed=true + fi + shift 2 +fi + -+if ! $is_opensuse && ! test -e /sbin/modprobe; then ++if ! $is_tumbleweed && ! test -e /sbin/modprobe; then + cat > /dev/null + exit 0 +fi @@ -124,7 +124,7 @@ +for f in $(grep -E '/lib/modules/.+\.ko$' | grep -v '/lib/modules/[^/]*/kernel/'); do + flavor=${f#*/lib/modules/} + flavor=${flavor%%/*} -+ if $is_opensuse; then ++ if $is_tumbleweed; then + echo "kernel-uname-r = $flavor" + continue + fi diff --git a/rpm.changes b/rpm.changes index 04e6145..fd477c5 100644 --- a/rpm.changes +++ b/rpm.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Wed May 30 10:48:49 UTC 2018 - msuchanek@suse.com + +- openSUSE releases also preserve kabi (boo#1095148). + ------------------------------------------------------------------- Mon May 7 16:36:45 CEST 2018 - mls@suse.de From 083961a188aa12dcdfa9b0dee8ce5d7b61ec927e6ff0d78ac14da443bda76115 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20Schr=C3=B6der?= Date: Mon, 11 Jun 2018 09:48:07 +0000 Subject: [PATCH 2/4] - Define sle_version in leap [bnc#1094735] OBS-URL: https://build.opensuse.org/package/show/Base:System/rpm?expand=0&rev=468 --- rpm-suse_macros | 1 + rpm.changes | 5 +++++ rpm.spec | 6 ++++++ 3 files changed, 12 insertions(+) diff --git a/rpm-suse_macros b/rpm-suse_macros index 4c8a0c3..7a23936 100644 --- a/rpm-suse_macros +++ b/rpm-suse_macros @@ -243,6 +243,7 @@ %sles_version @sles_version@ %ul_version @ul_version@ %is_opensuse @is_opensuse@ +%sle_version @sle_version@ %leap_version @leap_version@ %do_profiling 1 diff --git a/rpm.changes b/rpm.changes index fd477c5..b42e52c 100644 --- a/rpm.changes +++ b/rpm.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Jun 11 11:43:36 CEST 2018 - mls@suse.de + +- Define sle_version in leap [bnc#1094735] + ------------------------------------------------------------------- Wed May 30 10:48:49 UTC 2018 - msuchanek@suse.com diff --git a/rpm.spec b/rpm.spec index 4d6a1ae..4198df3 100644 --- a/rpm.spec +++ b/rpm.spec @@ -252,6 +252,12 @@ sed -e 's/@suse_version@/%{?suse_version}%{!?suse_version:0}/' \ -e 's/@is_opensuse@/%{?is_opensuse}%{!?is_opensuse:0}/' \ -e '/@leap_version@%{?leap_version:nomatch}/d' \ -e 's/@leap_version@/%{?leap_version}%{!?leap_version:0}/' \ +%if 0%{?is_opensuse} + -e '/@sle_version@%{?sle_version:nomatch}/d' \ + -e 's/@sle_version@/%{?sle_version}%{!?sle_version:0}/' \ +%else + -e '/@sle_version@/d' \ +%endif < %{SOURCE4} > suse_macros rm -f m4/libtool.m4 rm -f m4/lt*.m4 From 04894f015330e78ca5abca8c8cc2ee574fb115ba64733fe0af7c18cb15c2645a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20Schr=C3=B6der?= Date: Fri, 15 Jun 2018 11:35:35 +0000 Subject: [PATCH 3/4] - really fix symlink attacks on rpm install [bnc#943457] OBS-URL: https://build.opensuse.org/package/show/Base:System/rpm?expand=0&rev=469 --- rpm.changes | 9 ++++++ rpm.spec | 4 ++- safesymlinks.diff | 44 +++++++++++++++++++++++++++++ verifynodup.diff | 72 +++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 128 insertions(+), 1 deletion(-) create mode 100644 safesymlinks.diff create mode 100644 verifynodup.diff diff --git a/rpm.changes b/rpm.changes index b42e52c..22f5b6e 100644 --- a/rpm.changes +++ b/rpm.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Fri Jun 15 13:25:18 CEST 2018 - mls@suse.de + +- really fix symlink attacks on rpm install [bnc#943457] + [CVE-2017-7500] + new patch: safesymlinks.diff +- backport removal of user/group duplicate detection in verify + new patch: verifynodup.diff + ------------------------------------------------------------------- Mon Jun 11 11:43:36 CEST 2018 - mls@suse.de diff --git a/rpm.spec b/rpm.spec index 4198df3..6a4981a 100644 --- a/rpm.spec +++ b/rpm.spec @@ -132,6 +132,8 @@ Patch111: debugedit-bnc1076819.diff Patch112: hardlinks.diff Patch113: debugedit-riscv.patch Patch114: source_date_epoch_buildtime.diff +Patch115: safesymlinks.diff +Patch116: verifynodup.diff Patch6464: auto-config-update-aarch64-ppc64le.diff Patch6465: auto-config-update-riscv64.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -229,7 +231,7 @@ rm -f rpmdb/db.h %patch -P 85 %patch -P 93 -P 94 -P 99 %patch -P 100 -P 102 -P 103 -P 108 -%patch -P 109 -P 111 -P 112 -P 113 -P 114 +%patch -P 109 -P 111 -P 112 -P 113 -P 114 -P 115 -P 116 %ifarch aarch64 ppc64le riscv64 %patch6464 diff --git a/safesymlinks.diff b/safesymlinks.diff new file mode 100644 index 0000000..4d99f91 --- /dev/null +++ b/safesymlinks.diff @@ -0,0 +1,44 @@ +--- ./lib/fsm.c.orig 2018-06-15 11:15:50.320133057 +0000 ++++ ./lib/fsm.c 2018-06-15 11:15:56.240118124 +0000 +@@ -653,7 +653,7 @@ static int fsmUtime(const char *path, mo + return rc; + } + +-static int fsmVerify(const char *path, rpmfi fi, const struct stat *fsb) ++static int fsmVerify(const char *path, rpmfi fi) + { + int rc; + int saveerrno = errno; +@@ -684,7 +684,7 @@ static int fsmVerify(const char *path, r + if (rc) return rc; + errno = saveerrno; + /* Only permit directory symlinks by target owner and root */ +- if (S_ISDIR(dsb.st_mode) && (luid == 0 || luid == fsb->st_uid)) ++ if (S_ISDIR(dsb.st_mode) && (luid == 0 || luid == dsb.st_uid)) + return 0; + } + } else if (S_ISLNK(mode)) { +@@ -928,7 +928,7 @@ int rpmPackageFilesInstall(rpmts ts, rpm + } + /* Assume file does't exist when tmp suffix is in use */ + if (!suffix) { +- rc = fsmVerify(fpath, fi, &sb); ++ rc = fsmVerify(fpath, fi); + } else { + rc = (action == FA_TOUCH) ? 0 : RPMERR_ENOENT; + } +--- ./lib/verify.c.orig 2018-06-15 11:16:03.904098773 +0000 ++++ ./lib/verify.c 2018-06-15 11:23:42.842941766 +0000 +@@ -98,11 +98,8 @@ rpmVerifyAttrs rpmfilesVerify(rpmfiles f + struct stat dsb; + /* ...if it actually points to a directory */ + if (stat(fn, &dsb) == 0 && S_ISDIR(dsb.st_mode)) { +- uid_t fuid; + /* ...and is by a legit user, to match fsmVerify() behavior */ +- if (sb.st_uid == 0 || +- (rpmugUid(rpmfilesFUser(fi, ix), &fuid) == 0 && +- sb.st_uid == fuid)) { ++ if (sb.st_uid == 0 || sb.st_uid == dsb.st_uid) { + sb = dsb; /* struct assignment */ + } + } diff --git a/verifynodup.diff b/verifynodup.diff new file mode 100644 index 0000000..21e7617 --- /dev/null +++ b/verifynodup.diff @@ -0,0 +1,72 @@ +--- ./lib/verify.c.orig 2018-06-15 11:25:09.142724319 +0000 ++++ ./lib/verify.c 2018-06-15 11:27:32.246363744 +0000 +@@ -59,7 +59,7 @@ rpmVerifyAttrs rpmfilesVerify(rpmfiles f + rpmfileAttrs fileAttrs = rpmfilesFFlags(fi, ix); + rpmVerifyAttrs flags = rpmfilesVFlags(fi, ix); + const char * fn = rpmfilesFN(fi, ix); +- struct stat sb; ++ struct stat sb, fsb; + rpmVerifyAttrs vfy = RPMVERIFY_NONE; + + /* +@@ -88,7 +88,7 @@ rpmVerifyAttrs rpmfilesVerify(rpmfiles f + break; + } + +- if (fn == NULL || lstat(fn, &sb) != 0) { ++ if (fn == NULL || lstat(fn, &sb) != 0 || rpmfilesStat(fi, ix, 0, &fsb)) { + vfy |= RPMVERIFY_LSTATFAIL; + goto exit; + } +@@ -243,47 +243,11 @@ rpmVerifyAttrs rpmfilesVerify(rpmfiles f + vfy |= RPMVERIFY_MTIME; + } + +- if (flags & RPMVERIFY_USER) { +- const char * name = rpmugUname(sb.st_uid); +- const char * fuser = rpmfilesFUser(fi, ix); +- uid_t uid; +- int namematch = 0; +- int idmatch = 0; +- +- if (name && fuser) +- namematch = rstreq(name, fuser); +- if (fuser && rpmugUid(fuser, &uid) == 0) +- idmatch = (uid == sb.st_uid); +- +- if (namematch != idmatch) { +- rpmlog(RPMLOG_WARNING, +- _("Duplicate username or UID for user %s\n"), fuser); +- } +- +- if (!(namematch || idmatch)) +- vfy |= RPMVERIFY_USER; +- } +- +- if (flags & RPMVERIFY_GROUP) { +- const char * name = rpmugGname(sb.st_gid); +- const char * fgroup = rpmfilesFGroup(fi, ix); +- gid_t gid; +- int namematch = 0; +- int idmatch = 0; +- +- if (name && fgroup) +- namematch = rstreq(name, fgroup); +- if (fgroup && rpmugGid(fgroup, &gid) == 0) +- idmatch = (gid == sb.st_gid); +- +- if (namematch != idmatch) { +- rpmlog(RPMLOG_WARNING, +- _("Duplicate groupname or GID for group %s\n"), fgroup); +- } ++ if ((flags & RPMVERIFY_USER) && (sb.st_uid != fsb.st_uid)) ++ vfy |= RPMVERIFY_USER; + +- if (!(namematch || idmatch)) +- vfy |= RPMVERIFY_GROUP; +- } ++ if ((flags & RPMVERIFY_GROUP) && (sb.st_gid != fsb.st_gid)) ++ vfy |= RPMVERIFY_GROUP; + + exit: + return vfy; From 0dd65708198afef97e1d1c9532575c88bf80ba2bd1f65ea2de0c3137ebbc2509 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20Schr=C3=B6der?= Date: Fri, 15 Jun 2018 13:08:00 +0000 Subject: [PATCH 4/4] Accepting request 617095 from home:michals - Add kernel export provides on openSUSE (boo#1095148). OBS-URL: https://build.opensuse.org/request/show/617095 OBS-URL: https://build.opensuse.org/package/show/Base:System/rpm?expand=0&rev=470 --- fileattrs.diff | 6 +++--- findksyms.diff | 14 +++++++------- rpm.changes | 5 +++++ 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/fileattrs.diff b/fileattrs.diff index dcf6e99..230fb2d 100644 --- a/fileattrs.diff +++ b/fileattrs.diff @@ -32,13 +32,13 @@ --- ./fileattrs/kernel.attr.orig 2017-12-01 15:46:28.172720497 +0000 +++ ./fileattrs/kernel.attr 2017-12-01 15:46:28.172720497 +0000 @@ -0,0 +1,2 @@ -+%__kernel_provides %{_rpmconfigdir}/find-provides.ksyms --opensuse 0%{?is_opensuse} ++%__kernel_provides %{_rpmconfigdir}/find-provides.ksyms --tumbleweed %{?sle_version:0}%{!?sle_version:1} +%__kernel_path ^(/lib/modules/[^/]*/kernel/.*\.ko(\.gz)?|/boot/vmlinu[xz].*)$ --- ./fileattrs/kmp.attr.orig 2017-12-01 15:46:28.172720497 +0000 +++ ./fileattrs/kmp.attr 2017-12-01 15:46:28.172720497 +0000 @@ -0,0 +1,4 @@ -+%__kmp_provides %{_rpmconfigdir}/find-provides.ksyms --opensuse 0%{?is_opensuse} -+%__kmp_requires %{_rpmconfigdir}/find-requires.ksyms --suse-release 0%{?sle_version} ++%__kmp_provides %{_rpmconfigdir}/find-provides.ksyms --tumbleweed %{?sle_version:0}%{!?sle_version:1} ++%__kmp_requires %{_rpmconfigdir}/find-requires.ksyms --tumbleweed %{?sle_version:0}%{!?sle_version:1} +%__kmp_supplements %{_rpmconfigdir}/find-supplements.ksyms +%__kmp_path ^/lib/modules/[^/]*/(updates|extra)/.*\.ko(\.gz)? --- ./fileattrs/perl.attr.orig 2017-08-10 08:08:07.113108701 +0000 diff --git a/findksyms.diff b/findksyms.diff index cd66a6d..15ad9f0 100644 --- a/findksyms.diff +++ b/findksyms.diff @@ -23,16 +23,16 @@ + +IFS=$'\n' + -+is_opensuse=false ++is_tumbleweed=false + -+if test "$1" = "--opensuse"; then ++if test "$1" = "--tumbleweed"; then + if test "$2" -gt 0; then -+ is_opensuse=true ++ is_tumbleweed=true + fi + shift 2 +fi + -+if ! $is_opensuse; then ++if ! $is_tumbleweed; then + trap 'rm -f "$tmp"' EXIT + tmp=$(mktemp) +fi @@ -58,7 +58,7 @@ + *) + continue + esac -+ if $is_opensuse; then ++ if $is_tumbleweed; then + continue + fi + unzip=false @@ -109,8 +109,8 @@ + +is_tumbleweed=false + -+if test "$1" = "--suse-release"; then -+ if test "$2" -eq 0; then ++if test "$1" = "--tumbleweed"; then ++ if test "$2" -gt 0; then + is_tumbleweed=true + fi + shift 2 diff --git a/rpm.changes b/rpm.changes index 22f5b6e..835e366 100644 --- a/rpm.changes +++ b/rpm.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Jun 15 12:46:10 UTC 2018 - msuchanek@suse.com + +- Add kernel export provides on openSUSE (boo#1095148). + ------------------------------------------------------------------- Fri Jun 15 13:25:18 CEST 2018 - mls@suse.de