diff --git a/pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch b/pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
new file mode 100644
index 0000000..c9db7b7
--- /dev/null
+++ b/pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
@@ -0,0 +1,25 @@
+From 73cd25615367ff1f9a19fdfd38017f68a12a354d Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Tue, 7 Feb 2023 15:34:09 +0800
+Subject: [PATCH] Make /etc/pki/pesign/ writeable
+
+The default NSS database for the pesign daemon is stored in /etc/pki/pesign/.
+Make it writeable after hardening the service.
+
+Signed-off-by: Gary Lin
+---
+ src/pesign.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/pesign.service.in b/src/pesign.service.in
+index 87accee..8542c63 100644
+--- a/src/pesign.service.in
++++ b/src/pesign.service.in
+@@ -20,3 +20,4 @@ Type=forking
+ PIDFile=/run/pesign.pid
+ ExecStart=/usr/bin/pesign --daemonize
+ ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
++ReadWritePaths=/etc/pki/pesign/
+--
+2.35.3
+
diff --git a/pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch b/pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
new file mode 100644
index 0000000..f5f441f
--- /dev/null
+++ b/pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
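Review bot: `ReadWritePaths=/etc/pki/pesign/` re-opens the signing-key NSS database for writing to everything the unit runs, including the `ExecStartPost` pesign-authorize step on the line above it, and the unit does not record why a write mapping is required rather than `ReadOnlyPaths=`. Because this line deliberately punches a hole in the hardening the commit message refers to, it deserves a comment next to it, e.g. `# NSS needs the cert/key DB read-write and pesign-authorize chowns/chmods it; keep this scoped to the one directory` — confirm that signing really needs write access, otherwise a read-only mapping is the least-privilege choice. Only the literal directory is mapped; the `/etc/pki/pesign*/` glob the old authorize script handled is not, which is fine if no other database directories exist. The rest of the `[Service]` section lies outside the hunk.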
@@ -0,0 +1,81 @@
+From cf116c5fc6a98f28144ea0409988a83b22289439 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Wed, 18 Jan 2023 14:00:22 -0500
+Subject: [PATCH] Use normal file permissions instead of ACLs
+
+Fixes a symlink attack that can't be mitigated using getfacl/setfacl.
+
+pesign-authorize is now deprecated and will be removed in a future
+release.
+
+Resolves: CVE-2022-3560
+Signed-off-by: Robbie Harwood
+---
+ src/pesign-authorize | 53 +++++---------------------------------------
+ 1 file changed, 5 insertions(+), 48 deletions(-)
+
+Index: pesign-113/src/pesign-authorize
+===================================================================
+--- pesign-113.orig/src/pesign-authorize
++++ pesign-113/src/pesign-authorize
+@@ -2,55 +2,12 @@
+ set -e
+ set -u
+
+-#
+-# With /run/pesign/socket on tmpfs, a simple way of restoring the
+-# acls for specific users is useful
+-#
+-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
+-#
+-
+ # License: GPLv2
+-declare -a fileusers=()
+-declare -a dirusers=()
+-for user in $(cat /etc/pesign/users); do
+- dirusers[${#dirusers[@]}]=-m
+- dirusers[${#dirusers[@]}]="u:$user:rwx"
+- fileusers[${#fileusers[@]}]=-m
+- fileusers[${#fileusers[@]}]="u:$user:rw"
+-done
+-
+-declare -a filegroups=()
+-declare -a dirgroups=()
+-for group in $(cat /etc/pesign/groups); do
+- dirgroups[${#dirgroups[@]}]=-m
+- dirgroups[${#dirgroups[@]}]="g:$group:rwx"
+- filegroups[${#filegroups[@]}]=-m
+- filegroups[${#filegroups[@]}]="g:$group:rw"
+-done
+-
+-update_subdir() {
+- subdir=$1 && shift
+
+- setfacl -bk "${subdir}"
+- setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
+- for x in "${subdir}"* ; do
+- if [ -d "${x}" ]; then
+- setfacl -bk ${x}
+- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
+- update_subdir "${x}/"
+- elif [ -e "${x}" ]; then
+- setfacl -bk ${x}
+- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
+- else
+- :;
+- 
fi +- done +-} ++# This script is deprecated and will be removed in a future release. + +-for x in /run/pesign/ /etc/pki/pesign*/ ; do +- if [ -d "${x}" ]; then +- update_subdir "${x}" +- else +- :; +- fi ++sleep 3 ++for x in /run/pesign/ /etc/pki/pesign/ ; do ++ chown -R pesign:pesign "${x}" || true ++ chmod -R ug+rwX "${x}" || true + done diff --git a/pesign.changes b/pesign.changes index dfdbee4..e766c99 100644 --- a/pesign.changes +++ b/pesign.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Tue Feb 7 07:37:20 UTC 2023 - Gary Ching-Pang Lin + +- Add pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch + to use the normal file permissions in pesign-authorize to avoid + the potential security issue (bsc#1202933, CVE-2022-3560) +- Set the libexecdir path for "make" to fix the path to + pesign-authorize in pesign.service (bsc#1202933) +- Add pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch to make + the default NSS datebase writeable (bsc#1202933) + ------------------------------------------------------------------- Sun Nov 11 10:54:08 UTC 2021 - Andreas Schwab @@ -77,6 +88,7 @@ Mon May 13 03:57:30 UTC 2019 - Gary Ching-Pang Lin + Various documentation improvements. + Improve /etc/pki/pesign authorization scripts + Various pesigcheck improvements + + Fix wrong oid offsets (bsc#1205323) - Refresh patches + pesign-suse-build.patch + pesign-privkey_unneeded.diff diff --git a/pesign.spec b/pesign.spec index 9b44f66..5284cc1 100644 --- a/pesign.spec +++ b/pesign.spec @@ -1,7 +1,7 @@ # # spec file for package pesign # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
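Review bot: The new loop's `chown -R pesign:pesign "${x}" || true` has no `-h`/`--no-dereference`, so with GNU coreutils a symlink found under /run/pesign/ or /etc/pki/pesign/ has its target's ownership changed, and the `chmod -R ug+rwX` line right after it makes those directories group-writable — anyone in the pesign group could plant such a symlink and have the next service start hand ownership of an arbitrary file to pesign:pesign, which is the same class of symlink attack the commit message says it is fixing. Change it to `chown -Rh pesign:pesign -- "${x}" || true` (chmod -R already skips symlinks it encounters during traversal). The `sleep 3` and the two `|| true` are unexplained; a comment such as `# wait for the daemon to create its socket; ownership fix-ups are best-effort by design` would record the intent, assuming that is the reason. The rewrite also silently stops honouring /etc/pesign/users and /etc/pesign/groups and the `/etc/pki/pesign*/` glob, which the commit message describes only as deprecation.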
@@ -42,6 +42,8 @@ Patch7: pesign-boo1158197-fix-pesigncheck-gcc10.patch # PATCH-FIX-UPSTREAM pesign-boo1185663-set-rpmmacrodir.patch boo#1185663 glin@suse.com -- Set the rpm macro directory at build time Patch8: pesign-boo1185663-set-rpmmacrodir.patch Patch9: harden_pesign.service.patch +Patch10: pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch +Patch11: pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch BuildRequires: efivar-devel BuildRequires: libuuid-devel BuildRequires: mozilla-nss-devel @@ -68,10 +70,12 @@ with the PE and Authenticode specifications. %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 +%patch11 -p1 %build %sysusers_generate_pre %{SOURCE1} %{name} %{name}.conf -make %{?_smp_mflags} CFLAGS="%{optflags}" LDFLAGS="${LDFLAGS} -pie" +make %{?_smp_mflags} CFLAGS="%{optflags}" LDFLAGS="${LDFLAGS} -pie" libexecdir=%{_libexecdir} %install mkdir -p %{buildroot}%{_localstatedir}/lib/pesign
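Review bot: `libexecdir=%{_libexecdir}` is now passed only to the build-time `make`, so `@@LIBEXECDIR@@` in pesign.service.in resolves to the packaged directory, but the `%install` section that follows lies outside this hunk; if its `make install` does not receive the same `libexecdir=` override, the unit's `ExecStartPost` path and the installed pesign-authorize location can still diverge — confirm both invocations agree. A short comment above the make line, e.g. `# libexecdir must match %install so ExecStartPost in pesign.service points at the installed pesign-authorize`, would record why the override exists.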