Accepting request 813263 from home:lee_duncan:branches:Base:System

- Added 4 upstream commits for CVE-2020-13867 (bsc#1172743),
  adding patches:
  * 0001-uds-set-right-permissions-at-bind-time.patch
  * 0002-saveconfig-set-0o600-perms-on-backupfiles.patch
  * 0003-saveconfig-set-right-perms-on-backup-dir.patch
  * 0004-saveconfig-set-right-perms-on-etc-target-dir.patch

OBS-URL: https://build.opensuse.org/request/show/813263
OBS-URL: https://build.opensuse.org/package/show/Base:System/targetcli-fb?expand=0&rev=43
Lee Duncan 2020-06-10 14:50:07 +00:00 committed by Git OBS Bridge
parent eca064f902
commit b0e48b3756
6 changed files with 244 additions and 0 deletions


@ -0,0 +1,53 @@
From e347f7ea20547052e8fc1b65cba5e3f3ef2bf3d8 Mon Sep 17 00:00:00 2001
From: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
Date: Fri, 29 May 2020 18:31:21 +0530
Subject: [PATCH 1/4] uds: set right permissions at bind() time
We fixed it earlier with commit 6e4f39357a90a914d11bac21cc2d2b52c07c213d
but that fixes the issue when someone run the targetclid with systemd
only.
If we don't use targetclid.socket and want to run `targetclid` from
command line, then socket.bind() will create the file with default
permissions.
Hence its good if we can guard the permissions right at the time of .bind()
Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
---
daemon/targetclid | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/daemon/targetclid b/daemon/targetclid
index 329cede5da87..9bf8ae7ed14e 100755
--- a/daemon/targetclid
+++ b/daemon/targetclid
@@ -28,6 +28,7 @@ from threading import Thread
import os
import sys
+import stat
import socket
import struct
import fcntl
@@ -238,12 +239,17 @@ def main():
# save socket so a signal can clea it up
to.sock = sock
+ mode = stat.S_IRUSR | stat.S_IWUSR # 0o600
+ umask = 0o777 ^ mode # Prevents always downgrading umask to 0
+ umask_original = os.umask(umask)
# Bind the socket path
try:
sock.bind(to.socket_path)
except socket.error as err:
to.display(to.render(err.strerror, 'red'))
sys.exit(1)
+ finally:
+ os.umask(umask_original)
# Listen for incoming connections
try:
--
2.26.2
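Review bot: The umask swap around `sock.bind()` is process-wide, and this daemon already imports `Thread` (top of the first hunk), so any file another thread creates inside that window also comes out 0o600, and a concurrent `os.umask()` elsewhere could widen the socket; the code should say why this approach was chosen and that the window must stay minimal. umask is still the right tool here, because `os.chmod` after `bind()` would leave the socket world-connectable between the two calls. It is also worth recording that refusing `connect()` based on the socket file's mode is Linux behaviour — POSIX leaves it unspecified and some BSDs ignore it — so the mode of the socket's parent directory is the portable guard. Suggested comment above the `mode =` line: `# Restrict via umask, not chmod after bind(): chmod would leave a window where the socket is world-connectable.` followed by `# umask is process-wide (this daemon is threaded), keep the window minimal; socket-file mode is only enforced on Linux.` The enclosing `main()` starts and ends outside the hunk.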


@ -0,0 +1,35 @@
From 1940a17986deaab92e6be395f20ee55dac0ac2bd Mon Sep 17 00:00:00 2001
From: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
Date: Fri, 29 May 2020 14:51:28 +0530
Subject: [PATCH 2/4] saveconfig: set 0o600 perms on backupfiles
Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
---
targetcli/ui_root.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/targetcli/ui_root.py b/targetcli/ui_root.py
index 26815bd2b8fa..6e99b8cfcb78 100644
--- a/targetcli/ui_root.py
+++ b/targetcli/ui_root.py
@@ -125,12 +125,17 @@ class UIRoot(UINode):
# Save backup if backup dir is empty, or savefile is differnt from recent backup copy
if not backed_files_list or not self._compare_files(backed_files_list[-1], savefile):
+ mode = stat.S_IRUSR | stat.S_IWUSR # 0o600
+ umask = 0o777 ^ mode # Prevents always downgrading umask to 0
+ umask_original = os.umask(umask)
try:
with open(savefile, 'rb') as f_in, gzip.open(backupfile, 'wb') as f_out:
shutil.copyfileobj(f_in, f_out)
f_out.flush()
except IOError as ioe:
backup_error = ioe.strerror or "Unknown error"
+ finally:
+ os.umask(umask_original)
if backup_error == None:
# remove excess backups
--
2.26.2
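Review bot: The umask only shapes the mode of a file that `gzip.open(backupfile, 'wb')` creates; if `backupfile` already exists it is truncated and keeps its old mode, and backups written before this fix stay at whatever mode they were created with (the default this CVE is about), so the world-readable copies already on disk are not remediated. An explicit `os.chmod(backupfile, mode)` after `f_out.flush()` (inside the `try`, so a failure surfaces as `backup_error` like any other) covers the pre-existing path, and a one-time `for f in backed_files_list: os.chmod(f, mode)` before the compare would tighten older backups — hedged on `backed_files_list` holding full paths, since it is populated outside the hunk. `_save_backups` starts and ends outside the hunk.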


@ -0,0 +1,49 @@
From 3bdef6d1aa1f64c03816af68bd5fb2bd1bbb29be Mon Sep 17 00:00:00 2001
From: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
Date: Fri, 29 May 2020 15:05:35 +0530
Subject: [PATCH 3/4] saveconfig: set right perms on backup dir
Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
---
targetcli/ui_root.py | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/targetcli/ui_root.py b/targetcli/ui_root.py
index 6e99b8cfcb78..b24c789f213d 100644
--- a/targetcli/ui_root.py
+++ b/targetcli/ui_root.py
@@ -109,12 +109,21 @@ class UIRoot(UINode):
backupfile = backup_dir + backup_name
backup_error = None
+ mode = stat.S_IRUSR | stat.S_IWUSR # 0o600
+ umask = 0o777 ^ mode # Prevents always downgrading umask to 0
+
if not os.path.exists(backup_dir):
+ umask_original = os.umask(umask)
try:
- os.makedirs(backup_dir)
+ os.makedirs(backup_dir, mode)
except OSError as exe:
raise ExecutionError("Cannot create backup directory [%s] %s."
% (backup_dir, exe.strerror))
+ finally:
+ os.umask(umask_original)
+ else:
+ if (os.stat(backup_dir).st_mode & 0o777) != mode:
+ os.chmod(backup_dir, mode)
# Only save backups if savefile exits
if not os.path.exists(savefile):
@@ -125,8 +134,6 @@ class UIRoot(UINode):
# Save backup if backup dir is empty, or savefile is differnt from recent backup copy
if not backed_files_list or not self._compare_files(backed_files_list[-1], savefile):
- mode = stat.S_IRUSR | stat.S_IWUSR # 0o600
- umask = 0o777 ^ mode # Prevents always downgrading umask to 0
umask_original = os.umask(umask)
try:
with open(savefile, 'rb') as f_in, gzip.open(backupfile, 'wb') as f_out:
--
2.26.2
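Review bot: `mode` is 0o600 and is applied to a directory on the `os.makedirs(backup_dir, mode)` and `os.chmod(backup_dir, mode)` lines, which drops the owner's search (x) bit; that only keeps working because targetcli runs as root and CAP_DAC_OVERRIDE/CAP_DAC_READ_SEARCH bypass the check — any unprivileged reader, or a future privilege drop, cannot open anything inside a 0o600 directory. Directories should get `stat.S_IRWXU` (0o700) with their own umask, while the backup files keep 0o600; because `umask` is reused for the gzip file in the second hunk, the directory needs a separate value rather than a changed shared one. Patch 4 in this same commit moves this code into `_create_dir` and carries the 0o600 over, so the same change belongs there. `_save_backups` starts and ends outside the hunk.
```python
dir_mode = stat.S_IRWXU  # 0o700: a directory needs the search bit; 0o600 only works for root via CAP_DAC_OVERRIDE
if not os.path.exists(backup_dir):
    umask_original = os.umask(0o777 ^ dir_mode)
    try:
        os.makedirs(backup_dir, dir_mode)
    # … unchanged: except OSError -> ExecutionError, finally: os.umask(umask_original) …
else:
    if (os.stat(backup_dir).st_mode & 0o777) != dir_mode:
        os.chmod(backup_dir, dir_mode)
# … unchanged: file-level mode/umask for the gzip backup stays 0o600 …
```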


@ -0,0 +1,85 @@
From 9f5764dac39b5b75ee6b5d9e4db419d09d64b898 Mon Sep 17 00:00:00 2001
From: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
Date: Fri, 29 May 2020 15:36:27 +0530
Subject: [PATCH 4/4] saveconfig: set right perms on /etc/target/ dir
Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
---
targetcli/ui_root.py | 40 +++++++++++++++++++++++++---------------
1 file changed, 25 insertions(+), 15 deletions(-)
diff --git a/targetcli/ui_root.py b/targetcli/ui_root.py
index b24c789f213d..39e5ee99c342 100644
--- a/targetcli/ui_root.py
+++ b/targetcli/ui_root.py
@@ -95,6 +95,26 @@ class UIRoot(UINode):
else:
return False
+ def _create_dir(self, dirname):
+ '''
+ create directory with permissions 0o600 set
+ if directory already exists, set right perms
+ '''
+ mode = stat.S_IRUSR | stat.S_IWUSR # 0o600
+ if not os.path.exists(dirname):
+ umask = 0o777 ^ mode # Prevents always downgrading umask to 0
+ umask_original = os.umask(umask)
+ try:
+ os.makedirs(dirname, mode)
+ except OSError as exe:
+ raise ExecutionError("Cannot create directory [%s] %s."
+ % (dirname, exe.strerror))
+ finally:
+ os.umask(umask_original)
+ else:
+ if (os.stat(dirname).st_mode & 0o777) != mode:
+ os.chmod(dirname, mode)
+
def _save_backups(self, savefile):
'''
Take backup of config-file if needed.
@@ -109,21 +129,7 @@ class UIRoot(UINode):
backupfile = backup_dir + backup_name
backup_error = None
- mode = stat.S_IRUSR | stat.S_IWUSR # 0o600
- umask = 0o777 ^ mode # Prevents always downgrading umask to 0
-
- if not os.path.exists(backup_dir):
- umask_original = os.umask(umask)
- try:
- os.makedirs(backup_dir, mode)
- except OSError as exe:
- raise ExecutionError("Cannot create backup directory [%s] %s."
- % (backup_dir, exe.strerror))
- finally:
- os.umask(umask_original)
- else:
- if (os.stat(backup_dir).st_mode & 0o777) != mode:
- os.chmod(backup_dir, mode)
+ self._create_dir(backup_dir)
# Only save backups if savefile exits
if not os.path.exists(savefile):
@@ -134,6 +140,8 @@ class UIRoot(UINode):
# Save backup if backup dir is empty, or savefile is differnt from recent backup copy
if not backed_files_list or not self._compare_files(backed_files_list[-1], savefile):
+ mode = stat.S_IRUSR | stat.S_IWUSR # 0o600
+ umask = 0o777 ^ mode # Prevents always downgrading umask to 0
umask_original = os.umask(umask)
try:
with open(savefile, 'rb') as f_in, gzip.open(backupfile, 'wb') as f_out:
@@ -179,6 +187,8 @@ class UIRoot(UINode):
savefile = os.path.expanduser(savefile)
+ save_dir = os.path.dirname(savefile)
+ self._create_dir(save_dir)
self._save_backups(savefile)
self.rtsroot.save_to_file(savefile)
--
2.26.2
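Review bot: `self._create_dir(save_dir)` in the last hunk chmods the parent directory of whatever path the caller passed in — `savefile` is caller-supplied and `os.path.expanduser`-ed on the line above — so a save to `/tmp/x.json` run as root sets /tmp to 0o600 (dropping 1777 and the sticky bit for every user) and `~/x.json` locks the home directory; the `else` branch of `_create_dir` must not touch pre-existing directories targetcli does not own. Limit the fix-up to directories this code creates plus the package's default config location, e.g. `def _create_dir(self, dirname, fix_existing=False):` with `elif fix_existing and (os.stat(dirname).st_mode & 0o777) != mode:`, passing `fix_existing=True` only for the default save path and its backup dir (where that default is defined is outside the hunk). Independently, 0o600 is the wrong mode for a directory — it lacks the search bit, so `stat.S_IRWXU` should be used for `dirname` with a matching umask; the docstring should then read "create directory with permissions 0o700" rather than 0o600. `_create_dir` is complete in the hunk; the save method in the last hunk starts and ends outside it.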


@ -1,3 +1,13 @@
-------------------------------------------------------------------
Wed Jun 10 01:25:12 UTC 2020 - Lee Duncan <lduncan@suse.com>
- Added 4 upstream commits for CVE-2020-13867 (bsc#1172743),
adding patches:
* 0001-uds-set-right-permissions-at-bind-time.patch
* 0002-saveconfig-set-0o600-perms-on-backupfiles.patch
* 0003-saveconfig-set-right-perms-on-backup-dir.patch
* 0004-saveconfig-set-right-perms-on-etc-target-dir.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Thu May 21 17:38:48 UTC 2020 - lduncan@suse.com Thu May 21 17:38:48 UTC 2020 - lduncan@suse.com


@ -54,10 +54,18 @@ Provides: targetcli-rbd = %{version}
Obsoletes: targetcli-rbd < %{version} Obsoletes: targetcli-rbd < %{version}
%endif %endif
%{?systemd_ordering} %{?systemd_ordering}
# SUSE-specific patches
Patch1: Split-out-blockdev-readonly-state-detection-helper.patch Patch1: Split-out-blockdev-readonly-state-detection-helper.patch
Patch2: rbd-support.patch Patch2: rbd-support.patch
Patch3: fix-setup-install.patch Patch3: fix-setup-install.patch
# upstreamed patches
Patch11: 0001-uds-set-right-permissions-at-bind-time.patch
Patch12: 0002-saveconfig-set-0o600-perms-on-backupfiles.patch
Patch13: 0003-saveconfig-set-right-perms-on-backup-dir.patch
Patch14: 0004-saveconfig-set-right-perms-on-etc-target-dir.patch
%python_subpackages %python_subpackages
%description %description
@ -87,6 +95,10 @@ python2-targetcli-fb and python3-targetcli-fb.
%patch2 -p1 %patch2 -p1
%endif %endif
%patch3 -p1 %patch3 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%build %build
%python_build %python_build
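Review bot: The four patches only tighten modes the next time a save runs (the patched code chmods the directories and creates new backups 0o600 at that point), so an installed system keeps whatever modes /etc/target, its backups and saveconfig.json currently have until then, and this spec adds no upgrade-time remediation. If fixing existing installs on update is intended for this CVE, a `%post` step applying the same modes the patched code enforces (e.g. `chmod 0600 /etc/target/saveconfig.json /etc/target/backup/*` with the paths and the directory mode matched to what the patches settle on) would close that gap; the %post/%files sections are outside this view, so this is hedged on none existing already. Also confirm `Patch11`–`Patch14` apply cleanly after the SUSE-specific `Patch1`–`Patch3`, since `Patch3` touches the same source tree.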