diff --git a/0001-uds-set-right-permissions-at-bind-time.patch b/0001-uds-set-right-permissions-at-bind-time.patch
new file mode 100644
index 0000000..541a0bc
--- /dev/null
+++ b/0001-uds-set-right-permissions-at-bind-time.patch
@@ -0,0 +1,53 @@
+From e347f7ea20547052e8fc1b65cba5e3f3ef2bf3d8 Mon Sep 17 00:00:00 2001
+From: Prasanna Kumar Kalever
+Date: Fri, 29 May 2020 18:31:21 +0530
+Subject: [PATCH 1/4] uds: set right permissions at bind() time
+
+We fixed it earlier with commit 6e4f39357a90a914d11bac21cc2d2b52c07c213d
+but that fixes the issue when someone run the targetclid with systemd
+only.
+
+If we don't use targetclid.socket and want to run `targetclid` from
+command line, then socket.bind() will create the file with default
+permissions.
+
+Hence its good if we can guard the permissions right at the time of .bind()
+
+Signed-off-by: Prasanna Kumar Kalever
+---
+ daemon/targetclid | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/daemon/targetclid b/daemon/targetclid
+index 329cede5da87..9bf8ae7ed14e 100755
+--- a/daemon/targetclid
++++ b/daemon/targetclid
+@@ -28,6 +28,7 @@ from threading import Thread
+
+ import os
+ import sys
++import stat
+ import socket
+ import struct
+ import fcntl
+@@ -238,12 +239,17 @@ def main():
+ # save socket so a signal can clea it up
+ to.sock = sock
+
++ mode = stat.S_IRUSR | stat.S_IWUSR # 0o600
++ umask = 0o777 ^ mode # Prevents always downgrading umask to 0
++ umask_original = os.umask(umask)
+ # Bind the socket path
+ try:
+ sock.bind(to.socket_path)
+ except socket.error as err:
+ to.display(to.render(err.strerror, 'red'))
+ sys.exit(1)
++ finally:
++ os.umask(umask_original)
+
+ # Listen for incoming connections
+ try:
+--
+2.26.2
+
diff --git a/0002-saveconfig-set-0o600-perms-on-backupfiles.patch b/0002-saveconfig-set-0o600-perms-on-backupfiles.patch
new file mode 100644
index 0000000..82b40f6
--- /dev/null
+++ b/0002-saveconfig-set-0o600-perms-on-backupfiles.patch
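Review bot: The inline comment on the `umask = 0o777 ^ mode` line in the `main()` hunk of daemon/targetclid, `# Prevents always downgrading umask to 0`, does not say what the mask is for, and the same wording is copied into 0002–0004. A comment such as `# umask 0o177 for the duration of bind(), so the socket file is created owner-only (0o600)` states both the intent and the resulting value. Because `os.umask()` is process-wide, it is also worth a short comment that the `finally` branch restores the previous mask before the listen step; whether any other thread is already running at this point cannot be told from the hunk, since `main()` starts and ends outside it.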
@@ -0,0 +1,35 @@
+From 1940a17986deaab92e6be395f20ee55dac0ac2bd Mon Sep 17 00:00:00 2001
+From: Prasanna Kumar Kalever
+Date: Fri, 29 May 2020 14:51:28 +0530
+Subject: [PATCH 2/4] saveconfig: set 0o600 perms on backupfiles
+
+Signed-off-by: Prasanna Kumar Kalever
+---
+ targetcli/ui_root.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/targetcli/ui_root.py b/targetcli/ui_root.py
+index 26815bd2b8fa..6e99b8cfcb78 100644
+--- a/targetcli/ui_root.py
++++ b/targetcli/ui_root.py
+@@ -125,12 +125,17 @@ class UIRoot(UINode):
+
+ # Save backup if backup dir is empty, or savefile is differnt from recent backup copy
+ if not backed_files_list or not self._compare_files(backed_files_list[-1], savefile):
++ mode = stat.S_IRUSR | stat.S_IWUSR # 0o600
++ umask = 0o777 ^ mode # Prevents always downgrading umask to 0
++ umask_original = os.umask(umask)
+ try:
+ with open(savefile, 'rb') as f_in, gzip.open(backupfile, 'wb') as f_out:
+ shutil.copyfileobj(f_in, f_out)
+ f_out.flush()
+ except IOError as ioe:
+ backup_error = ioe.strerror or "Unknown error"
++ finally:
++ os.umask(umask_original)
+
+ if backup_error == None:
+ # remove excess backups
+--
+2.26.2
+
diff --git a/0003-saveconfig-set-right-perms-on-backup-dir.patch b/0003-saveconfig-set-right-perms-on-backup-dir.patch
new file mode 100644
index 0000000..bd3456c
--- /dev/null
+++ b/0003-saveconfig-set-right-perms-on-backup-dir.patch
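Review bot: The `os.umask()` bracket added around the backup write in `_save_backups` changes state for the whole process and only takes effect when `gzip.open()` creates `backupfile`; a file that already exists at that path keeps its old mode. If this code can run from the threaded targetclid daemon (not visible in this hunk), two overlapping saves can each record the other's temporary mask as the original and leave the process umask at 0o177. Opening the backup with an explicit mode and calling `os.fchmod()` on the descriptor avoids both problems, and the mode passed to `os.open()` can only be narrowed by the caller's umask, never widened. The method starts and ends outside the hunk.

```python
# … unchanged: backup-needed check …
mode = stat.S_IRUSR | stat.S_IWUSR  # 0o600
try:
    fd = os.open(backupfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, 'wb') as raw:
        os.fchmod(raw.fileno(), mode)  # also tightens a pre-existing file
        with open(savefile, 'rb') as f_in, \
                gzip.GzipFile(fileobj=raw, mode='wb') as f_out:
            shutil.copyfileobj(f_in, f_out)
            f_out.flush()
except (IOError, OSError) as ioe:
    backup_error = ioe.strerror or "Unknown error"
# … unchanged: excess-backup cleanup …
```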
@@ -0,0 +1,49 @@
+From 3bdef6d1aa1f64c03816af68bd5fb2bd1bbb29be Mon Sep 17 00:00:00 2001
+From: Prasanna Kumar Kalever
+Date: Fri, 29 May 2020 15:05:35 +0530
+Subject: [PATCH 3/4] saveconfig: set right perms on backup dir
+
+Signed-off-by: Prasanna Kumar Kalever
+---
+ targetcli/ui_root.py | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/targetcli/ui_root.py b/targetcli/ui_root.py
+index 6e99b8cfcb78..b24c789f213d 100644
+--- a/targetcli/ui_root.py
++++ b/targetcli/ui_root.py
+@@ -109,12 +109,21 @@ class UIRoot(UINode):
+ backupfile = backup_dir + backup_name
+ backup_error = None
+
++ mode = stat.S_IRUSR | stat.S_IWUSR # 0o600
++ umask = 0o777 ^ mode # Prevents always downgrading umask to 0
++
+ if not os.path.exists(backup_dir):
++ umask_original = os.umask(umask)
+ try:
+- os.makedirs(backup_dir)
++ os.makedirs(backup_dir, mode)
+ except OSError as exe:
+ raise ExecutionError("Cannot create backup directory [%s] %s."
+ % (backup_dir, exe.strerror))
++ finally:
++ os.umask(umask_original)
++ else:
++ if (os.stat(backup_dir).st_mode & 0o777) != mode:
++ os.chmod(backup_dir, mode)
+
+ # Only save backups if savefile exits
+ if not os.path.exists(savefile):
+@@ -125,8 +134,6 @@ class UIRoot(UINode):
+
+ # Save backup if backup dir is empty, or savefile is differnt from recent backup copy
+ if not backed_files_list or not self._compare_files(backed_files_list[-1], savefile):
+- mode = stat.S_IRUSR | stat.S_IWUSR # 0o600
+- umask = 0o777 ^ mode # Prevents always downgrading umask to 0
+ umask_original = os.umask(umask)
+ try:
+ with open(savefile, 'rb') as f_in, gzip.open(backupfile, 'wb') as f_out:
+--
+2.26.2
+
diff --git a/0004-saveconfig-set-right-perms-on-etc-target-dir.patch b/0004-saveconfig-set-right-perms-on-etc-target-dir.patch
new file mode 100644
index 0000000..bb84296
--- /dev/null
+++ b/0004-saveconfig-set-right-perms-on-etc-target-dir.patch
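Review bot: `os.makedirs(backup_dir, mode)` and the `os.chmod(backup_dir, mode)` branch give the backup directory 0o600, which has no search (x) bit, so the directory is only usable by a process that bypasses permission checks, in practice root. For a directory the owner-only mode is normally 0o700 with a matching mask: `dir_mode = stat.S_IRWXU  # 0o700`, `umask_original = os.umask(0o777 ^ dir_mode)`, `os.makedirs(backup_dir, dir_mode)`, with `dir_mode` also used in the `else` comparison and `chmod`. The 0o600 mode applied further down to the backup file itself is fine as it is. The same directory mode is carried into `_create_dir` by 0004.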
@@ -0,0 +1,85 @@
+From 9f5764dac39b5b75ee6b5d9e4db419d09d64b898 Mon Sep 17 00:00:00 2001
+From: Prasanna Kumar Kalever
+Date: Fri, 29 May 2020 15:36:27 +0530
+Subject: [PATCH 4/4] saveconfig: set right perms on /etc/target/ dir
+
+Signed-off-by: Prasanna Kumar Kalever
+---
+ targetcli/ui_root.py | 40 +++++++++++++++++++++++++---------------
+ 1 file changed, 25 insertions(+), 15 deletions(-)
+
+diff --git a/targetcli/ui_root.py b/targetcli/ui_root.py
+index b24c789f213d..39e5ee99c342 100644
+--- a/targetcli/ui_root.py
++++ b/targetcli/ui_root.py
+@@ -95,6 +95,26 @@ class UIRoot(UINode):
+ else:
+ return False
+
++ def _create_dir(self, dirname):
++ '''
++ create directory with permissions 0o600 set
++ if directory already exists, set right perms
++ '''
++ mode = stat.S_IRUSR | stat.S_IWUSR # 0o600
++ if not os.path.exists(dirname):
++ umask = 0o777 ^ mode # Prevents always downgrading umask to 0
++ umask_original = os.umask(umask)
++ try:
++ os.makedirs(dirname, mode)
++ except OSError as exe:
++ raise ExecutionError("Cannot create directory [%s] %s."
++ % (dirname, exe.strerror))
++ finally:
++ os.umask(umask_original)
++ else:
++ if (os.stat(dirname).st_mode & 0o777) != mode:
++ os.chmod(dirname, mode)
++
+ def _save_backups(self, savefile):
+ '''
+ Take backup of config-file if needed.
+@@ -109,21 +129,7 @@ class UIRoot(UINode):
+ backupfile = backup_dir + backup_name
+ backup_error = None
+
+- mode = stat.S_IRUSR | stat.S_IWUSR # 0o600
+- umask = 0o777 ^ mode # Prevents always downgrading umask to 0
+-
+- if not os.path.exists(backup_dir):
+- umask_original = os.umask(umask)
+- try:
+- os.makedirs(backup_dir, mode)
+- except OSError as exe:
+- raise ExecutionError("Cannot create backup directory [%s] %s."
+- % (backup_dir, exe.strerror))
+- finally:
+- os.umask(umask_original)
+- else:
+- if (os.stat(backup_dir).st_mode & 0o777) != mode:
+- os.chmod(backup_dir, mode)
++ self._create_dir(backup_dir)
+
+ # Only save backups if savefile exits
+ if not os.path.exists(savefile):
+@@ -134,6 +140,8 @@ class UIRoot(UINode):
+
+ # Save backup if backup dir is empty, or savefile is differnt from recent backup copy
+ if not backed_files_list or not self._compare_files(backed_files_list[-1], savefile):
++ mode = stat.S_IRUSR | stat.S_IWUSR # 0o600
++ umask = 0o777 ^ mode # Prevents always downgrading umask to 0
+ umask_original = os.umask(umask)
+ try:
+ with open(savefile, 'rb') as f_in, gzip.open(backupfile, 'wb') as f_out:
+@@ -179,6 +187,8 @@ class UIRoot(UINode):
+
+ savefile = os.path.expanduser(savefile)
+
++ save_dir = os.path.dirname(savefile)
++ self._create_dir(save_dir)
+ self._save_backups(savefile)
+
+ self.rtsroot.save_to_file(savefile)
+--
+2.26.2
+
diff --git a/targetcli-fb.changes b/targetcli-fb.changes
index 788b1fc..7929c8b 100644
--- a/targetcli-fb.changes
+++ b/targetcli-fb.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Jun 10 01:25:12 UTC 2020 - Lee Duncan
+
+- Added 4 upstream commits for CVE-2020-13867 (bsc#1172743),
+ adding patches:
+ * 0001-uds-set-right-permissions-at-bind-time.patch
+ * 0002-saveconfig-set-0o600-perms-on-backupfiles.patch
+ * 0003-saveconfig-set-right-perms-on-backup-dir.patch
+ * 0004-saveconfig-set-right-perms-on-etc-target-dir.patch
+
 -------------------------------------------------------------------
 Thu May 21 17:38:48 UTC 2020 - lduncan@suse.com
 
diff --git a/targetcli-fb.spec b/targetcli-fb.spec
index dfa1509..65de205 100644
--- a/targetcli-fb.spec
+++ b/targetcli-fb.spec
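Review bot: In the last hunk of 0004, `self._create_dir(save_dir)` runs on the directory of whatever `savefile` was passed in (the context shows it going through `os.path.expanduser()`, so it appears to be caller-supplied), and for an existing directory `_create_dir` takes the `os.chmod(dirname, mode)` branch. Saving to a path outside the default configuration directory, for example a shared temporary directory or a home directory, would therefore reset that directory to 0o600. A bare file name gives `save_dir == ''`, which fails `os.path.exists()` and reaches `os.makedirs('', mode)`, so the save aborts with "Cannot create directory". Guarding the call with `if save_dir and not os.path.exists(save_dir):` before `self._create_dir(save_dir)` limits it to creating missing directories; tightening the package's own configuration directory would then need a separate call with that fixed path, which is not visible here.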
@@ -54,10 +54,18 @@ Provides: targetcli-rbd = %{version} Obsoletes: targetcli-rbd < %{version} %endif %{?systemd_ordering} + +# SUSE-specific patches Patch1: Split-out-blockdev-readonly-state-detection-helper.patch Patch2: rbd-support.patch Patch3: fix-setup-install.patch +# upstreamed patches +Patch11: 0001-uds-set-right-permissions-at-bind-time.patch +Patch12: 0002-saveconfig-set-0o600-perms-on-backupfiles.patch +Patch13: 0003-saveconfig-set-right-perms-on-backup-dir.patch +Patch14: 0004-saveconfig-set-right-perms-on-etc-target-dir.patch + %python_subpackages %description @@ -87,6 +95,10 @@ python2-targetcli-fb and python3-targetcli-fb. %patch2 -p1 %endif %patch3 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 %build %python_build