diff options
-rw-r--r-- | main/chrony/APKBUILD | 13 | ||||
-rw-r--r-- | main/chrony/CVE-2020-14367.patch | 204 |
2 files changed, 215 insertions, 2 deletions
diff --git a/main/chrony/APKBUILD b/main/chrony/APKBUILD index 8327c29f690..d4e0add1481 100644 --- a/main/chrony/APKBUILD +++ b/main/chrony/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=chrony pkgver=3.4 -pkgrel=1 +pkgrel=2 _ver=${pkgver/_/-} pkgdesc="NTP client and server programs" url="https://chrony.tuxfamily.org" @@ -26,8 +26,16 @@ source="https://download.tuxfamily.org/$pkgname/$pkgname-$_ver.tar.gz chrony.logrotate chrony.conf timepps.h + + CVE-2020-14367.patch " builddir="$srcdir/$pkgname-$_ver" +options="!check" # line 82 of test/unit/util.c fails on all arches + +# secfixes: +# 3.4-r2: +# - CVE-2020-14367 + prepare() { default_prepare @@ -91,4 +99,5 @@ b26581ed32680585edea5b8163a0062a87f648394c0f363c77a7d01a36608fcf4d005d9e6ab179ed 60d6aab60132b11e82888b755a47aa6ae2949db07016b475e7bce53ed5083c888ab88f3b53e87bfa7396f0559f6870c28816b395361645dda157ab7649b28236 chronyd.initd ab38f06bf45888846778ad935e24abb30d13b6805e9a750bc694ff953695fa8c5b33aac560f5f7f96dc46031c1a38660e5c418b6fce6fb34a87908a9a3c99357 chrony.logrotate 0ae453fca3461b6e56a32a9eb6be0d448c39bf0279583222ab2fecef307e1113f082d4e86f957e4baac4f223c5c57804cdea97322678009f3413ab99d54694b6 chrony.conf -eb11fc19243d1789016d88eb7645bfe67c46304547781489bf36eb1dd4c252d523681ff835a6488fa0ef62b6b9e2f781c672279f4439f5d5640a3f214a113048 timepps.h" +eb11fc19243d1789016d88eb7645bfe67c46304547781489bf36eb1dd4c252d523681ff835a6488fa0ef62b6b9e2f781c672279f4439f5d5640a3f214a113048 timepps.h +777c5b83fac51424eaaf5e348e138389c449fcb03e382deebab727c6d265332ef3e1b7a168740b18ca669add05ba02c21a7c52edfdd442ed2b3893706098c343 CVE-2020-14367.patch" diff --git a/main/chrony/CVE-2020-14367.patch b/main/chrony/CVE-2020-14367.patch new file mode 100644 index 00000000000..f0e331bd97e --- /dev/null +++ b/main/chrony/CVE-2020-14367.patch @@ -0,0 +1,204 @@ +From f00fed20092b6a42283f29c6ee1f58244d74b545 Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar <mlichvar@redhat.com> +Date: Thu, 6 Aug 2020 09:31:11 +0200 +Subject: [PATCH] main: create new file when writing pidfile + +When writing the pidfile, open the file with the O_CREAT|O_EXCL flags +to avoid following a symlink and writing the PID to an unexpected file, +when chronyd still has the root privileges. + +The Linux open(2) man page warns about O_EXCL not working as expected on +NFS versions before 3 and Linux versions before 2.6. Saving pidfiles on +a distributed filesystem like NFS is not generally expected, but if +there is a reason to do that, these old kernel and NFS versions are not +considered to be supported for saving files by chronyd. + +This is a minimal backport specific to this issue of the following +commits: +- commit 2fc8edacb810 ("use PATH_MAX") +- commit f4c6a00b2a11 ("logging: call exit() in LOG_Message()") +- commit 7a4c396bba8f ("util: add functions for common file operations") +- commit e18903a6b563 ("switch to new util file functions") + +Reported-by: Matthias Gerstner <mgerstner@suse.de> +--- + logging.c | 1 + + main.c | 10 ++---- + sysincl.h | 1 + + util.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + util.h | 11 +++++++ + 5 files changed, 111 insertions(+), 7 deletions(-) + +diff --git a/logging.c b/logging.c +index d2296e0..fd7f900 100644 +--- a/logging.c ++++ b/logging.c +@@ -171,6 +171,7 @@ void LOG_Message(LOG_Severity severity, + system_log = 0; + log_message(1, severity, buf); + } ++ exit(1); + break; + default: + assert(0); +diff --git a/main.c b/main.c +index 6ccf32e..8edb2e1 100644 +--- a/main.c ++++ b/main.c +@@ -281,13 +281,9 @@ write_pidfile(void) + if (!pidfile[0]) + return; + +- out = fopen(pidfile, "w"); +- if (!out) { +- LOG_FATAL("Could not open %s : %s", pidfile, strerror(errno)); +- } else { +- fprintf(out, "%d\n", (int)getpid()); +- fclose(out); +- } ++ out = UTI_OpenFile(NULL, pidfile, NULL, 'W', 0644); ++ fprintf(out, "%d\n", (int)getpid()); ++ fclose(out); + } + + /* ================================================== */ +diff --git a/sysincl.h b/sysincl.h +index 296c5e6..873a3bd 100644 +--- a/sysincl.h ++++ b/sysincl.h +@@ -37,6 +37,7 @@ + #include <glob.h> + #include <grp.h> + #include <inttypes.h> ++#include <limits.h> + #include <math.h> + #include <netinet/in.h> + #include <pwd.h> +diff --git a/util.c b/util.c +index e7e3442..83b3b20 100644 +--- a/util.c ++++ b/util.c +@@ -1179,6 +1179,101 @@ UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid) + + /* ================================================== */ + ++static int ++join_path(const char *basedir, const char *name, const char *suffix, ++ char *buffer, size_t length, LOG_Severity severity) ++{ ++ const char *sep; ++ ++ if (!basedir) { ++ basedir = ""; ++ sep = ""; ++ } else { ++ sep = "/"; ++ } ++ ++ if (!suffix) ++ suffix = ""; ++ ++ if (snprintf(buffer, length, "%s%s%s%s", basedir, sep, name, suffix) >= length) { ++ LOG(severity, "File path %s%s%s%s too long", basedir, sep, name, suffix); ++ return 0; ++ } ++ ++ return 1; ++} ++ ++/* ================================================== */ ++ ++FILE * ++UTI_OpenFile(const char *basedir, const char *name, const char *suffix, ++ char mode, mode_t perm) ++{ ++ const char *file_mode; ++ char path[PATH_MAX]; ++ LOG_Severity severity; ++ int fd, flags; ++ FILE *file; ++ ++ severity = mode >= 'A' && mode <= 'Z' ? LOGS_FATAL : LOGS_ERR; ++ ++ if (!join_path(basedir, name, suffix, path, sizeof (path), severity)) ++ return NULL; ++ ++ switch (mode) { ++ case 'r': ++ case 'R': ++ flags = O_RDONLY; ++ file_mode = "r"; ++ if (severity != LOGS_FATAL) ++ severity = LOGS_DEBUG; ++ break; ++ case 'w': ++ case 'W': ++ flags = O_WRONLY | O_CREAT | O_EXCL; ++ file_mode = "w"; ++ break; ++ case 'a': ++ case 'A': ++ flags = O_WRONLY | O_CREAT | O_APPEND; ++ file_mode = "a"; ++ break; ++ default: ++ assert(0); ++ return NULL; ++ } ++ ++try_again: ++ fd = open(path, flags, perm); ++ if (fd < 0) { ++ if (errno == EEXIST) { ++ if (unlink(path) < 0) { ++ LOG(severity, "Could not remove %s : %s", path, strerror(errno)); ++ return NULL; ++ } ++ DEBUG_LOG("Removed %s", path); ++ goto try_again; ++ } ++ LOG(severity, "Could not open %s : %s", path, strerror(errno)); ++ return NULL; ++ } ++ ++ UTI_FdSetCloexec(fd); ++ ++ file = fdopen(fd, file_mode); ++ if (!file) { ++ LOG(severity, "Could not open %s : %s", path, strerror(errno)); ++ close(fd); ++ return NULL; ++ } ++ ++ DEBUG_LOG("Opened %s fd=%d mode=%c", path, fd, mode); ++ ++ return file; ++} ++ ++/* ================================================== */ ++ + void + UTI_DropRoot(uid_t uid, gid_t gid) + { +diff --git a/util.h b/util.h +index e3d6767..a2481cc 100644 +--- a/util.h ++++ b/util.h +@@ -176,6 +176,17 @@ extern int UTI_CreateDirAndParents(const char *path, mode_t mode, uid_t uid, gid + permissions and its uid/gid must match the specified values. */ + extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid); + ++/* Open a file. The full path of the file is constructed from the basedir ++ (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL). ++ Created files have specified permissions (umasked). Returns NULL on error. ++ The following modes are supported (if the mode is an uppercase character, ++ errors are fatal): ++ r/R - open an existing file for reading ++ w/W - open a new file for writing (remove existing file) ++ a/A - open an existing file for appending (create if does not exist) */ ++extern FILE *UTI_OpenFile(const char *basedir, const char *name, const char *suffix, ++ char mode, mode_t perm); ++ + /* Set process user/group IDs and drop supplementary groups */ + extern void UTI_DropRoot(uid_t uid, gid_t gid); + |