Accepting request 965461 from security

OBS-URL: https://build.opensuse.org/request/show/965461 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=101
2022-03-31 15:18:30 +00:00 · 2022-03-31 15:18:30 +00:00 · dfdf560849
commit dfdf560849
parent 54f6a26404 26999f1942
6 changed files with 159 additions and 3 deletions
--- a/audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
+++ b/audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
@ -0,0 +1,31 @@
+From b6c474b22f6e76969221138d0d9ec8d97cb217ee Mon Sep 17 00:00:00 2001
+From: Enzo Matsumiya <ematsumiya@suse.com>
+Date: Thu, 24 Mar 2022 23:38:24 -0300
+Subject: [PATCH] audisp-remote: fix hang with disk_low_action=suspend (#254)
+
+If auditd.conf has disk_low_action=suspend and the partition where the
+log is triggers the disk_low_action, audisp-remote will hang in
+infinite loop.
+
+Fixes: 10dde069d1ac ("Dont look for stop on exit while draining the queue")
+Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
+---
+ audisp/plugins/remote/audisp-remote.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c
+index b7e610e8ca32..3be91b3d5190 100644
+--- a/audisp/plugins/remote/audisp-remote.c
+++ b/audisp/plugins/remote/audisp-remote.c
+@@ -619,7 +619,7 @@ int main(int argc, char *argv[])
+ 
+ 	// If stdin is a pipe, then flush the queue
+ 	if (is_pipe(0)) {
+-		while (q_queue_length(queue) && transport_ok)
+		while (q_queue_length(queue) && !suspend && transport_ok)
+ 			send_one(queue);
+ 	}
+ 
+-- 
+2.35.1
+
--- a/audit-secondary.changes
+++ b/audit-secondary.changes
@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Sat Mar 26 11:14:19 UTC 2022 - Stephan Kulow <coolo@suse.com>
+
+- Fix buildrequire for openldap2-devel - audit doesn't require the
+  (outdated) C++ binding, but the C headers that happen to be pulled
+  in by buildrequiring the C++ devel package
+
+-------------------------------------------------------------------
+Fri Mar 25 04:56:19 UTC 2022 - Enzo Matsumiya <ematsumiya@suse.com>
+
+- Fix unhandled ECONNREFUSED with LDAP environments (bsc#1196645)
+  * add libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
+- Fix hang in audisp-remote with disk_low_action=suspend (bsc#1196517)
+  * add audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
+
+-------------------------------------------------------------------
+Wed Mar 23 16:37:06 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- add audit-userspace-517-compat.patch 
+
 -------------------------------------------------------------------
 Mon Nov 29 13:13:56 UTC 2021 - Fabian Vogt <fvogt@suse.com>

--- a/audit-secondary.spec
+++ b/audit-secondary.spec
@ -1,7 +1,7 @@
 #
 # spec file for package audit-secondary
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -41,12 +41,15 @@ Patch8:         change-default-log_format.patch
 Patch9:         fix-hardened-service.patch
 Patch10:        enable-stop-rules.patch
 Patch11:        create-augenrules-service.patch
+Patch12:        audit-userspace-517-compat.patch
+Patch13:        audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
+Patch14:        libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
 BuildRequires:  audit-devel = %{version}
 BuildRequires:  autoconf >= 2.12
 BuildRequires:  gcc-c++
 BuildRequires:  kernel-headers >= 2.6.30
-BuildRequires:  libldapcpp-devel
 BuildRequires:  libtool
+BuildRequires:  openldap2-devel
 BuildRequires:  pkgconfig
 %if %{with python2}
 BuildRequires:  python2-devel
--- a/audit-userspace-517-compat.patch
+++ b/audit-userspace-517-compat.patch
@ -0,0 +1,38 @@
+From: Sergei Trofimovich <slyich@gmail.com>
+Date: Wed, 23 Mar 2022 07:27:05 +0000
+Subject: [PATCH] auditswig.i: avoid setter generation for audit_rule_data::buf
+References: https://github.com/linux-audit/audit-userspace/issues/252
+Git-commit: https://github.com/linux-audit/audit-userspace/pull/253/commits/beed138222421a2eb4212d83cb889404bd7efc49
+Git-repo: [if different from https://github.com/linux-audit/audit-userspace.git]
+Patch-mainline: submitted for review upstream
+
+As it's a flexible array generated code was never safe to use.
+With kernel's https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed98ea2128b6fd83bce13716edf8f5fe6c47f574
+change it's a build failure now:
+
+    audit> audit_wrap.c:5010:15: error: invalid use of flexible array member
+    audit>  5010 |     arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size));
+    audit>       |               ^
+
+Let's avoid setter generation entirely.
+
+Closes: https://github.com/linux-audit/audit-userspace/issues/252
+---
+ bindings/swig/src/auditswig.i | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i
+index 21aafca31..9a2c5661d 100644
+--- a/bindings/swig/src/auditswig.i
+++ b/bindings/swig/src/auditswig.i
+@@ -39,6 +39,10 @@ signed
+ #define __attribute(X) /*nothing*/
+ typedef unsigned __u32;
+ typedef unsigned uid_t;
+/* Sidestep SWIG's limitation of handling c99 Flexible arrays by not:
+ * generating setters against them: https://github.com/swig/swig/issues/1699
+ */
+%ignore audit_rule_data::buf;
+ %include "/usr/include/linux/audit.h"
+ #define __extension__ /*nothing*/
+ %include <stdint.i>
--- a/audit.spec
+++ b/audit.spec
@ -1,7 +1,7 @@
 #
 # spec file for package audit
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
--- a/libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
+++ b/libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
@ -0,0 +1,64 @@
+From 614edbe52180698c5b447ff4c3e7031ff0721683 Mon Sep 17 00:00:00 2001
+From: Enzo Matsumiya <ematsumiya@suse.com>
+Date: Thu, 24 Mar 2022 23:36:53 -0300
+Subject: [PATCH] libaudit: fix unhandled ECONNREFUSED from getpwnam() (#255)
+
+From: Luis Galdos <luis.galdos@suse.com>
+
+In some very specific scenarios with LDAP + network issues,
+getpwnam() and getgrnam() might return ECONNREFUSED.
+
+Up in the call chain to audit_name_to_uid()/audit_name_to_gid(),
+ECONNREFUSED will be handled as kernel auditd is not running,
+showing "The audit system is disabled" and stopping parsing rules.
+
+This patch manually sets errno to ENOENT after those affected calls, in
+case they fail, so rule parsing can continue cleanly.
+
+Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
+---
+ lib/libaudit.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/lib/libaudit.c b/lib/libaudit.c
+index 54e276156ef0..41303c244aee 100644
+--- a/lib/libaudit.c
+++ b/lib/libaudit.c
+@@ -1830,9 +1830,17 @@ static int audit_name_to_uid(const char *name, uid_t *uid)
+ {
+ 	struct passwd *pw;
+ 
+	errno = 0;
+ 	pw = getpwnam(name);
+-	if (pw == NULL)
+	if (pw == NULL) {
+		/* getpwnam() might return ECONNREFUSED in some very
+		 * specific cases when using LDAP.
+		 * Manually set it to ENOENT so callers don't get confused
+		 * with netlink's ECONNREFUSED */
+		if (errno == ECONNREFUSED)
+			errno = ENOENT;
+ 		return 1;
+	}
+ 
+ 	memset(pw->pw_passwd, ' ', strlen(pw->pw_passwd));
+ 	*uid = pw->pw_uid;
+@@ -1843,9 +1851,14 @@ static int audit_name_to_gid(const char *name, gid_t *gid)
+ {
+ 	struct group *gr;
+ 
+	errno = 0;
+ 	gr = getgrnam(name);
+-	if (gr == NULL)
+	if (gr == NULL) {
+		/* See above for explanation. */
+		if (errno == ECONNREFUSED)
+			errno = ENOENT;
+ 		return 1;
+	}
+ 
+ 	*gid = gr->gr_gid;
+ 	return 0;
+-- 
+2.35.1
+