From 88fb4f57d38920ed9f7d516f90e5b79326705bd80dd227dbfe7acac622550863 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 8 Feb 2023 05:33:34 +0000
Subject: [PATCH] Accepting request 1063580 from home:gary_lin:bsc1202933

- Add pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
  to use the normal file permissions in pesign-authorize to avoid
  the potential security issue (bsc#1202933, CVE-2022-3560)
- Set the libexecdir path for "make" to fix the path to
  pesign-authorize in pesign.service (bsc#1202933)
- Add pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch to make
  the default NSS datebase writeable (bsc#1202933)

OBS-URL: https://build.opensuse.org/request/show/1063580
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=68
---
 ...202933-Make-etc-pki-pesign-writeable.patch | 25 ++++++
 ...mal-file-permissions-instead-of-ACLs.patch | 81 +++++++++++++++++++
 pesign.changes                                | 12 +++
 pesign.spec                                   |  8 +-
 4 files changed, 124 insertions(+), 2 deletions(-)
 create mode 100644 pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
 create mode 100644 pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch

diff --git a/pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch b/pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
new file mode 100644
index 0000000..c9db7b7
--- /dev/null
+++ b/pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
@@ -0,0 +1,25 @@
+From 73cd25615367ff1f9a19fdfd38017f68a12a354d Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Tue, 7 Feb 2023 15:34:09 +0800
+Subject: [PATCH] Make /etc/pki/pesign/ writeable
+
+The default NSS database for the pesign daemon is stored in /etc/pki/pesign/.
+Make it writeable after hardening the service.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ src/pesign.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/pesign.service.in b/src/pesign.service.in
+index 87accee..8542c63 100644
+--- a/src/pesign.service.in
++++ b/src/pesign.service.in
+@@ -20,3 +20,4 @@ Type=forking
+ PIDFile=/run/pesign.pid
+ ExecStart=/usr/bin/pesign --daemonize
+ ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
++ReadWritePaths=/etc/pki/pesign/
+-- 
+2.35.3
+
diff --git a/pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch b/pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
new file mode 100644
index 0000000..f5f441f
--- /dev/null
+++ b/pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
@@ -0,0 +1,81 @@
+From cf116c5fc6a98f28144ea0409988a83b22289439 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Wed, 18 Jan 2023 14:00:22 -0500
+Subject: [PATCH] Use normal file permissions instead of ACLs
+
+Fixes a symlink attack that can't be mitigated using getfacl/setfacl.
+
+pesign-authorize is now deprecated and will be removed in a future
+release.
+
+Resolves: CVE-2022-3560
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ src/pesign-authorize | 53 +++++---------------------------------------
+ 1 file changed, 5 insertions(+), 48 deletions(-)
+
+Index: pesign-113/src/pesign-authorize
+===================================================================
+--- pesign-113.orig/src/pesign-authorize
++++ pesign-113/src/pesign-authorize
+@@ -2,55 +2,12 @@
+ set -e
+ set -u
+ 
+-#
+-# With /run/pesign/socket on tmpfs, a simple way of restoring the
+-# acls for specific users is useful
+-#
+-#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
+-#
+-
+ # License: GPLv2
+-declare -a fileusers=()
+-declare -a dirusers=()
+-for user in $(cat /etc/pesign/users); do
+-	dirusers[${#dirusers[@]}]=-m
+-	dirusers[${#dirusers[@]}]="u:$user:rwx"
+-	fileusers[${#fileusers[@]}]=-m
+-	fileusers[${#fileusers[@]}]="u:$user:rw"
+-done
+-
+-declare -a filegroups=()
+-declare -a dirgroups=()
+-for group in $(cat /etc/pesign/groups); do
+-	dirgroups[${#dirgroups[@]}]=-m
+-	dirgroups[${#dirgroups[@]}]="g:$group:rwx"
+-	filegroups[${#filegroups[@]}]=-m
+-	filegroups[${#filegroups[@]}]="g:$group:rw"
+-done
+-
+-update_subdir() {
+-	subdir=$1 && shift
+ 
+-	setfacl -bk "${subdir}"
+-	setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
+-	for x in "${subdir}"* ; do
+-		if [ -d "${x}" ]; then
+-			setfacl -bk ${x}
+-			setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
+-			update_subdir "${x}/"
+-		elif [ -e "${x}" ]; then
+-			setfacl -bk ${x}
+-			setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
+-		else
+-			:;
+-		fi
+-	done
+-}
++# This script is deprecated and will be removed in a future release.
+ 
+-for x in /run/pesign/ /etc/pki/pesign*/ ; do
+-	if [ -d "${x}" ]; then
+-		update_subdir "${x}"
+-	else
+-		:;
+-	fi
++sleep 3
++for x in /run/pesign/ /etc/pki/pesign/ ; do
++	chown -R pesign:pesign "${x}" || true
++	chmod -R ug+rwX "${x}" || true
+ done
diff --git a/pesign.changes b/pesign.changes
index dfdbee4..e766c99 100644
--- a/pesign.changes
+++ b/pesign.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Tue Feb  7 07:37:20 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Add pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
+  to use the normal file permissions in pesign-authorize to avoid
+  the potential security issue (bsc#1202933, CVE-2022-3560)
+- Set the libexecdir path for "make" to fix the path to
+  pesign-authorize in pesign.service (bsc#1202933)
+- Add pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch to make
+  the default NSS datebase writeable (bsc#1202933)
+
 -------------------------------------------------------------------
 Sun Nov 11 10:54:08 UTC 2021 - Andreas Schwab <schwab@suse.de>
 
@@ -77,6 +88,7 @@ Mon May 13 03:57:30 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>
   + Various documentation improvements.
   + Improve /etc/pki/pesign authorization scripts
   + Various pesigcheck improvements
+  + Fix wrong oid offsets (bsc#1205323)
 - Refresh patches
   + pesign-suse-build.patch
   + pesign-privkey_unneeded.diff
diff --git a/pesign.spec b/pesign.spec
index 9b44f66..5284cc1 100644
--- a/pesign.spec
+++ b/pesign.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package pesign
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -42,6 +42,8 @@ Patch7:         pesign-boo1158197-fix-pesigncheck-gcc10.patch
 # PATCH-FIX-UPSTREAM pesign-boo1185663-set-rpmmacrodir.patch boo#1185663 glin@suse.com -- Set the rpm macro directory at build time
 Patch8:         pesign-boo1185663-set-rpmmacrodir.patch
 Patch9:         harden_pesign.service.patch
+Patch10:        pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
+Patch11:        pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
 BuildRequires:  efivar-devel
 BuildRequires:  libuuid-devel
 BuildRequires:  mozilla-nss-devel
@@ -68,10 +70,12 @@ with the PE and Authenticode specifications.
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1
 
 %build
 %sysusers_generate_pre %{SOURCE1} %{name} %{name}.conf
-make %{?_smp_mflags} CFLAGS="%{optflags}" LDFLAGS="${LDFLAGS} -pie"
+make %{?_smp_mflags} CFLAGS="%{optflags}" LDFLAGS="${LDFLAGS} -pie" libexecdir=%{_libexecdir}
 
 %install
 mkdir -p %{buildroot}%{_localstatedir}/lib/pesign