CVE was already fixed long ago and we didn't notice

OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=122
2019-05-27 13:22:14 +00:00 · 2019-05-27 13:22:14 +00:00 · 6b234e6773
commit 6b234e6773
parent 838fd1d444
3 changed files with 0 additions and 102 deletions
--- a/CVE-2019-10143.patch
+++ b/CVE-2019-10143.patch
@ -1,94 +0,0 @@
-From 1f233773962bf1a9c2d228a180eacddb9db2d574 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Tue, 7 May 2019 16:04:29 -0400
-Subject: [PATCH] su to radiusd user/group when rotating logs
-
-The su directive to logrotate ensures that log rotation happens under the
-owner of the logs. Otherwise, logrotate runs as root:root, potentially
-enabling privilege escalation if a RCE is discovered against the
-FreeRADIUS daemon.
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
- debian/freeradius.logrotate  | 3 +++
- redhat/freeradius-logrotate  | 1 +
- scripts/logrotate/freeradius | 3 +++
- suse/radiusd-logrotate       | 1 +
- 4 files changed, 8 insertions(+)
-
-diff --git a/debian/freeradius.logrotate b/debian/freeradius.logrotate
-index 7d837d53bd..a8d29b7adf 100644
--- a/debian/freeradius.logrotate
-+++ b/debian/freeradius.logrotate
-@@ -9,6 +9,7 @@
- 	notifempty
- 
- 	copytruncate
-+	su freerad freerad
- }
- 
- # (in order)
-@@ -26,6 +27,7 @@
- 	notifempty
- 
- 	nocreate
-+	su freerad freerad
- }
- 
- # There are different detail-rotating strategies you can use.  One is
-@@ -45,4 +47,5 @@
- 	notifempty
- 
- 	nocreate
-+	su freerad freerad
- }
-diff --git a/redhat/freeradius-logrotate b/redhat/freeradius-logrotate
-index 360765ddc4..bb97ca5547 100644
--- a/redhat/freeradius-logrotate
-+++ b/redhat/freeradius-logrotate
-@@ -9,6 +9,7 @@ rotate 4
- missingok
- compress
- delaycompress
-+su radiusd radiusd
- 
- #
- #  The main server log
-diff --git a/scripts/logrotate/freeradius b/scripts/logrotate/freeradius
-index 3de435e76e..eecf63175a 100644
--- a/scripts/logrotate/freeradius
-+++ b/scripts/logrotate/freeradius
-@@ -17,6 +17,7 @@
- 	notifempty
- 
- 	copytruncate
-+	su radiusd radiusd
- }
- 
- # (in order)
-@@ -34,6 +35,7 @@
- 	notifempty
- 
- 	nocreate
-+	su radiusd radiusd
- }
- 
- # There are different detail-rotating strategies you can use.  One is
-@@ -53,4 +55,5 @@
- 	notifempty
- 
- 	nocreate
-+	su radiusd radiusd
- }
-diff --git a/suse/radiusd-logrotate b/suse/radiusd-logrotate
-index 24d56be1a9..be5a797684 100644
--- a/suse/radiusd-logrotate
-+++ b/suse/radiusd-logrotate
-@@ -11,6 +11,7 @@ missingok
- compress
- delaycompress
- notifempty
-+su radiusd radiusd
- 
- #
- #  The main server log
--- a/freeradius-server.changes
+++ b/freeradius-server.changes
@ -1,9 +1,3 @@
-------------------------------------------------------------------
-Mon May 27 11:12:27 UTC 2019 - Adam Majer <adam.majer@suse.de>
-
- CVE-2019-10143.patch: fix potential privilege escalation due to
-  insecure logrotation permissions (bsc#1136195, CVE-2019-10143)
-
 -------------------------------------------------------------------
 Wed Apr 10 17:01:55 UTC 2019 - Michael Ströder <michael@stroeder.com>

--- a/freeradius-server.spec
+++ b/freeradius-server.spec
@ -62,7 +62,6 @@ Patch3:         freeradius-server-rcradiusd.patch
 Patch5:         freeradius-server-rlm_sql_unixodbc-configure.patch
 Patch6:         freeradius-server-radclient-init-error-buffer.patch
 Patch7:         freeradius-server-opensslversion.patch
-Patch8:         CVE-2019-10143.patch
 BuildRequires:  apache2-devel
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  db-devel
@ -240,7 +239,6 @@ FreeRADIUS plugin providing SQLite support.
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
-%patch8 -p1

 %build
 modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{_sourcedir}/%{name}.changes")"