Accepting request 1083878 from home:lee_duncan:branches:Base:System

- Added one upstream commit for CVE-2020-13867 (bsc#1172743),
  part 2. This time, only modify permisssions on directory where
  config is stored if it is /etc/target, adding patch:
  * Fix-changing-savedir-directory-mode.patch

OBS-URL: https://build.opensuse.org/request/show/1083878
OBS-URL: https://build.opensuse.org/package/show/Base:System/targetcli-fb?expand=0&rev=51

Fix-changing-savedir-directory-mode.patch

@@ -0,0 +1,47 @@
+From b8eb1933d4fdcbe806edead8cfa94879d0fc2015 Mon Sep 17 00:00:00 2001
+From: Lee Duncan <lduncan@suse.com>
+Date: Mon, 24 Apr 2023 10:34:39 -0700
+Subject: [PATCH] Fix changing savedir directory mode
+
+Commit 9f5764dac39b ("saveconfig: set right perms on /etc/target/ dir")
+fixed CVE-2020-13867 by ensuring that the mode of the target
+meta-data directory (/etc/target) was always mode 0600. But users
+can specify a different directory, such as "/tmp", and we don't
+want targetcli changing the mode of such directories to 0600. So
+only change the mode of the directory, when saving a config file,
+if the directory is /etc/target.
+---
+ targetcli/ui_root.py | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/targetcli/ui_root.py b/targetcli/ui_root.py
+index 39e5ee99c342..79ee985ba935 100644
+--- a/targetcli/ui_root.py
++++ b/targetcli/ui_root.py
+@@ -34,8 +34,9 @@ from .ui_backstore import complete_path, UIBackstores
+ from .ui_node import UINode
+ from .ui_target import UIFabricModule
+ 
+-default_save_file = "/etc/target/saveconfig.json"
+-universal_prefs_file = "/etc/target/targetcli.conf"
++default_target_dir = "/etc/target"
++default_save_file = os.path.join(default_target_dir, "saveconfig.json")
++universal_prefs_file = os.path.join(default_target_dir, "targetcli.conf")
+ 
+ class UIRoot(UINode):
+     '''
+@@ -112,8 +113,9 @@ class UIRoot(UINode):
+             finally:
+                 os.umask(umask_original)
+         else:
+-            if (os.stat(dirname).st_mode & 0o777) != mode:
+-                os.chmod(dirname, mode)
++            if dirname == default_target_dir:
++                if (os.stat(dirname).st_mode & 0o777) != mode:
++                    os.chmod(dirname, mode)
+ 
+     def _save_backups(self, savefile):
+         '''
+-- 
+2.35.3
+

targetcli-fb.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Apr 25 17:20:02 UTC 2023 - Lee Duncan <lduncan@suse.com>
+
+- Added one upstream commit for CVE-2020-13867 (bsc#1172743),
+  part 2. This time, only modify permisssions on directory where
+  config is stored if it is /etc/target, adding patch:
+  * Fix-changing-savedir-directory-mode.patch
+
 -------------------------------------------------------------------
 Wed Jun 09 15:47:58 UTC 2021 - lduncan@suse.com
 

targetcli-fb.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package targetcli-fb
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -41,7 +41,7 @@ Requires:       python-rtslib-fb
 Requires:       python-six
 Requires:       targetcli-fb-common
 Requires(post): update-alternatives
-Requires(postun): update-alternatives
+Requires(postun):update-alternatives
 %if "%{python_flavor}" == "python3" || "%{?python_provides}" == "python3"
 Provides:       targetcli    = %{version}-%{release}
 Provides:       targetcli-fb = %{version}-%{release}
@@ -60,6 +60,9 @@ Obsoletes:      targetcli-rbd < %{version}
 Patch1:         Split-out-blockdev-readonly-state-detection-helper.patch
 Patch2:         rbd-support.patch
 
+# upstream
+Patch3:         Fix-changing-savedir-directory-mode.patch
+
 %python_subpackages
 
 %description
@@ -88,6 +91,7 @@ all python-version-dependant packages, such as python3-*-targetcli-fb.
 # RBD support is dependent on LIO changes present in the SLE/Leap kernel
 %patch2 -p1
 %endif
+%patch3 -p1
 
 %build
 %python_build