Diffstat (limited to 'main')
-rw-r--r-- | main/openrc/APKBUILD | 15 | ||||
-rw-r--r-- | main/openrc/CVE-2018-21269.patch | 244 |
2 files changed, 256 insertions, 3 deletions
diff --git a/main/openrc/APKBUILD b/main/openrc/APKBUILD index 2b1547333d3..f0e855736e1 100644 --- a/main/openrc/APKBUILD +++ b/main/openrc/APKBUILD @@ -2,7 +2,7 @@ pkgname=openrc pkgver=0.42.1 _ver=${pkgver/_git*/} -pkgrel=19 +pkgrel=20 pkgdesc="OpenRC manages the services, startup and shutdown of a host" url="https://github.com/OpenRC/openrc" arch="all" @@ -30,6 +30,8 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/OpenRC/openrc/archive/$pkgve 0013-fix-osclock.patch 0014-time_t-64bit.patch + CVE-2018-21269.patch + openrc.logrotate hostname.initd hwdrivers.initd @@ -44,6 +46,10 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/OpenRC/openrc/archive/$pkgve test-networking.sh " +# secfixes: +# 0.42.1-r20: +# - CVE-2018-21269 + prepare() { default_prepare sed -i -e '/^sed/d' "$builddir"/pkgconfig/Makefile @@ -129,7 +135,8 @@ zshcomp() { rm -rf "$pkgdir"/usr/share/zsh } -sha512sums="579b9bfbb151b945a364a2c12b037d2e15991820ca99a07ac18e9bdc50074e67fbf0dcf9865aa4deabe2bf82092e4623be51c9e0b4014384951e0a92ac1e7646 openrc-0.42.1.tar.gz +sha512sums=" +579b9bfbb151b945a364a2c12b037d2e15991820ca99a07ac18e9bdc50074e67fbf0dcf9865aa4deabe2bf82092e4623be51c9e0b4014384951e0a92ac1e7646 openrc-0.42.1.tar.gz 71fce711adbcb411189a089f1d49567c50348e12c42b7a9c9b582dae5d18051f88ccf81c768337e87d6792d953e84d1e8b93d7978a1947d7d20ef3b1cd330875 0001-call-sbin-mkmntdirs-in-localmount-OpenRC-service.patch b1cedd38badda4fc308decdff06f9644b96fe35617792da8d6d62407409841705fd71b5b57d1804a6395095604a70898f80830c76395ec99f715038a0809d815 0002-force-root-be-rw-before-localmount.patch d54630d40a2d6b10a325cb012d4efcda997a60c008ca953ce5d60059d3f267308a59dabddf93a5fc0d301aa91967137d144effbe5f574394af768ce4ebc48738 0004-hide-error-when-migrating-var-run-to-run.patch 
@@ -143,6 +150,7 @@ ff9bf2f6e4f55633a9641385398f70a2e591e2b3b56b1903f168a97b07bd56dc5a65d151deeab942
 24c665098475c8a1dca75677b48864dc554930f8039900785d8f73c4ebab857255607297fdcbce6249f18f2b97bd7804a35a782721d4658a1c7a7b7b985418ff 0012-gcc-10.patch
 4dca5fb25dc9cf356716042650e3b50969b4749f4e839505f87054d45ca074931ac9ef9aca6b6be4f36cc82c46e838a9e9122ee27154de703d8d9eb7b6f6273b 0013-fix-osclock.patch
 af0d5a3e6bdd09abd65174a0292450ebb79116a6be50ad4dc368e7ade497020bf4f7d55487335eb32067616603c7d9c3f8596228064c93bfd47596fb12ef7215 0014-time_t-64bit.patch
+715016b4f481a6d4d2ab37d23659e6cacc023b02fa6908b566391ee2744369076ea74e54f0fe576e2cc1d3371d4d9e3818395ca3f417233358fc70a9edc4dba6 CVE-2018-21269.patch
 12bb6354e808fbf47bbab963de55ee7901738b4a912659982c57ef2777fff9a670e867fcb8ec316a76b151032c92dc89a950d7d1d835ef53f753a8f3b41d2cec openrc.logrotate
 493f27d588e64bb2bb542b32493ed05873f4724e8ad1751002982d7b4e07963cfb72f93603b2d678f305177cf9556d408a87b793744c6b7cd46cf9be4b744c02 hostname.initd
 c06eac7264f6cc6888563feeae5ca745aae538323077903de1b19102e4f16baa34c18b8c27af5dd5423e7670834e2261e9aa55f2b1ec8d8fdc2be105fe894d55 hwdrivers.initd
@@ -154,4 +162,5 @@ d76c75c58e6f4b0801edac4e081b725ef3d50a9a8c9bbb5692bf4d0f804af7d383bf71a73d5d03ed
 990855f875513a85c2b737685ac5bfdfa86f8dadacf00c1826a456547f99b69d4ecf1b9a09c0ce002f1df618b44b1febabe53f95a2c0cd02b504d565bccb50c8 firstboot.initd
 2d5f9f6d41b7c0a8643cfdee1ce3c399bfe4ebff54421f33ab1e74c1c4c1b96a49e54b5cd69f0339a060342e4e5a11067bbff68c39fa487919259d73e8e46ed1 sysctl.initd
 35682e1742196133b79e4a0b21fe8df039a982ba4fdd0181b1e3872f3885e40726179d4996fec83a1da11ff314d71f8910609c1c05acb3d0f9b923147e2f1d55 machine-id.initd
-af17947aa3954e317dc06580da829200e0b0f2ddc37ce842c3fc7fc0d8ca2f40220e4f4665f61b4b5ec47c96416db0127e2ed979b9421bf21df89d4c4f998b7f test-networking.sh"
+af17947aa3954e317dc06580da829200e0b0f2ddc37ce842c3fc7fc0d8ca2f40220e4f4665f61b4b5ec47c96416db0127e2ed979b9421bf21df89d4c4f998b7f test-networking.sh
+"
diff --git a/main/openrc/CVE-2018-21269.patch b/main/openrc/CVE-2018-21269.patch
new file mode 100644
index 00000000000..9975d7bf81b
--- /dev/null
+++ b/main/openrc/CVE-2018-21269.patch
@@ -0,0 +1,244 @@ +From 577f00abe5f8ec6da40ac79d77df3e514593090d Mon Sep 17 00:00:00 2001 +From: William Hubbs <w.d.hubbs@gmail.com> +Date: Wed, 11 Nov 2020 10:28:50 -0600 +Subject: [PATCH] checkpath: fix CVE-2018-21269 + +This walks the directory path to the file we are going to manipulate to make +sure that when we create the file and change the ownership and permissions +we are working on the same file. +Also, all non-terminal symbolic links must be owned by root. This will +keep a non-root user from making a symbolic link as described in the +bug. If root creates the symbolic link, it is assumed to be trusted. + +On non-linux platforms, we no longer follow non-terminal symbolic links +by default. If you need to do that, add the -s option on the checkpath +command line, but keep in mind that this is not secure. + +This fixes #201. +--- + man/openrc-run.8 | 6 +++ + src/rc/checkpath.c | 103 ++++++++++++++++++++++++++++++++++++++++++--- + 2 files changed, 102 insertions(+), 7 deletions(-) + +diff --git a/man/openrc-run.8 b/man/openrc-run.8 +index 1102daaa..ec4b88de 100644 +--- a/man/openrc-run.8 ++++ b/man/openrc-run.8 +@@ -461,6 +461,7 @@ Mark the service as inactive. + .Op Fl p , -pipe + .Op Fl m , -mode Ar mode + .Op Fl o , -owner Ar owner ++.Op Fl s , -symlinks + .Op Fl W , -writable + .Op Fl q , -quiet + .Ar path ... +@@ -481,6 +482,11 @@ or with names, and are separated by a colon. + The truncate options (-D and -F) cause the directory or file to be + cleared of all contents. + .Pp ++If -s is not specified on a non-linux platform, checkpath will refuse to ++allow non-terminal symbolic links to exist in the path. This is for ++security reasons so that a non-root user can't create a symbolic link to ++a root-owned file and take ownership of that file. ++.Pp + If -W is specified, checkpath checks to see if the first path given on + the command line is writable. 
This is different from how the test + command in the shell works, because it also checks to make sure the file +diff --git a/src/rc/checkpath.c b/src/rc/checkpath.c +index 448c9cf8..ff54a892 100644 +--- a/src/rc/checkpath.c ++++ b/src/rc/checkpath.c +@@ -16,6 +16,7 @@ + * except according to the terms contained in the LICENSE file. + */ + ++#define _GNU_SOURCE + #include <sys/types.h> + #include <sys/stat.h> + +@@ -23,6 +24,7 @@ + #include <fcntl.h> + #include <getopt.h> + #include <grp.h> ++#include <libgen.h> + #include <pwd.h> + #include <stdio.h> + #include <stdlib.h> +@@ -44,7 +46,7 @@ typedef enum { + + const char *applet = NULL; + const char *extraopts ="path1 [path2] [...]"; +-const char *getoptstring = "dDfFpm:o:W" getoptstring_COMMON; ++const char *getoptstring = "dDfFpm:o:sW" getoptstring_COMMON; + const struct option longopts[] = { + { "directory", 0, NULL, 'd'}, + { "directory-truncate", 0, NULL, 'D'}, +@@ -53,6 +55,7 @@ const struct option longopts[] = { + { "pipe", 0, NULL, 'p'}, + { "mode", 1, NULL, 'm'}, + { "owner", 1, NULL, 'o'}, ++ { "symlinks", 0, NULL, 's'}, + { "writable", 0, NULL, 'W'}, + longopts_COMMON + }; +@@ -64,15 +67,92 @@ const char * const longopts_help[] = { + "Create a named pipe (FIFO) if not exists", + "Mode to check", + "Owner to check (user:group)", ++ "follow symbolic links (irrelivent on linux)", + "Check whether the path is writable or not", + longopts_help_COMMON + }; + const char *usagestring = NULL; + ++static int get_dirfd(char *path, bool symlinks) { ++ char *ch; ++ char *item; ++ char *linkpath = NULL; ++ char *path_dupe; ++ char *str; ++ int components = 0; ++ int dirfd; ++ int flags = 0; ++ int new_dirfd; ++ struct stat st; ++ ssize_t linksize; ++ ++ if (!path || *path != '/') ++ eerrorx("%s: empty or relative path", applet); ++ dirfd = openat(dirfd, "/", O_RDONLY); ++ if (dirfd == -1) ++ eerrorx("%s: unable to open the root directory: %s", ++ applet, strerror(errno)); ++ path_dupe = xstrdup(path); ++ ch = 
path_dupe; ++ while (*ch) { ++ if (*ch == '/') ++ components++; ++ ch++; ++ } ++ item = strtok(path_dupe, "/"); ++#ifdef O_PATH ++ flags |= O_PATH; ++#endif ++ if (!symlinks) ++ flags |= O_NOFOLLOW; ++ flags |= O_RDONLY; ++ while (dirfd > 0 && item && components > 1) { ++ str = xstrdup(linkpath ? linkpath : item); ++ new_dirfd = openat(dirfd, str, flags); ++ if (new_dirfd == -1) ++ eerrorx("%s: %s: could not open %s: %s", applet, path, str, ++ strerror(errno)); ++ if (fstat(new_dirfd, &st) == -1) ++ eerrorx("%s: %s: unable to stat %s: %s", applet, path, item, ++ strerror(errno)); ++ if (S_ISLNK(st.st_mode) ) { ++ if (st.st_uid != 0) ++ eerrorx("%s: %s: synbolic link %s not owned by root", ++ applet, path, str); ++ linksize = st.st_size+1; ++ if (linkpath) ++ free(linkpath); ++ linkpath = xmalloc(linksize); ++ memset(linkpath, 0, linksize); ++ if (readlinkat(new_dirfd, "", linkpath, linksize) != st.st_size) ++ eerrorx("%s: symbolic link destination changed", applet); ++ /* ++ * now follow the symlink. 
++ */ ++ close(new_dirfd); ++ } else { ++ close(dirfd); ++ dirfd = new_dirfd; ++ free(linkpath); ++ linkpath = NULL; ++ item = strtok(NULL, "/"); ++ components--; ++ } ++ } ++ free(path_dupe); ++ if (linkpath) { ++ free(linkpath); ++ linkpath = NULL; ++ } ++ return dirfd; ++} ++ + static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode, +- inode_t type, bool trunc, bool chowner, bool selinux_on) ++ inode_t type, bool trunc, bool chowner, bool symlinks, bool selinux_on) + { + struct stat st; ++ char *name = NULL; ++ int dirfd; + int fd; + int flags; + int r; +@@ -93,14 +173,16 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode, + #endif + if (trunc) + flags |= O_TRUNC; +- readfd = open(path, readflags); ++ xasprintf(&name, "%s", basename_c(path)); ++ dirfd = get_dirfd(path, symlinks); ++ readfd = openat(dirfd, name, readflags); + if (readfd == -1 || (type == inode_file && trunc)) { + if (type == inode_file) { + einfo("%s: creating file", path); + if (!mode) /* 664 */ + mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH; + u = umask(0); +- fd = open(path, flags, mode); ++ fd = openat(dirfd, name, flags, mode); + umask(u); + if (fd == -1) { + eerror("%s: open: %s", applet, strerror(errno)); +@@ -122,7 +204,7 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode, + strerror (errno)); + return -1; + } +- readfd = open(path, readflags); ++ readfd = openat(dirfd, name, readflags); + if (readfd == -1) { + eerror("%s: unable to open directory: %s", applet, + strerror(errno)); +@@ -140,7 +222,7 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode, + strerror (errno)); + return -1; + } +- readfd = open(path, readflags); ++ readfd = openat(dirfd, name, readflags); + if (readfd == -1) { + eerror("%s: unable to open fifo: %s", applet, + strerror(errno)); +@@ -259,6 +341,7 @@ int main(int argc, char **argv) + int retval = EXIT_SUCCESS; + bool trunc = false; + bool chowner = false; ++ bool symlinks = false; + bool 
writable = false; + bool selinux_on = false; + +@@ -293,6 +376,11 @@ int main(int argc, char **argv) + eerrorx("%s: owner `%s' not found", + applet, optarg); + break; ++ case 's': ++#ifndef O_PATH ++ symlinks = true; ++#endif ++ break; + case 'W': + writable = true; + break; +@@ -320,7 +408,8 @@ int main(int argc, char **argv) + while (optind < argc) { + if (writable) + exit(!is_writable(argv[optind])); +- if (do_check(argv[optind], uid, gid, mode, type, trunc, chowner, selinux_on)) ++ if (do_check(argv[optind], uid, gid, mode, type, trunc, chowner, ++ symlinks, selinux_on)) + retval = EXIT_FAILURE; + optind++; + } |
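Review bot: In the new `get_dirfd` in src/rc/checkpath.c, `dirfd = openat(dirfd, "/", O_RDONLY);` reads `dirfd` before it has been assigned; the kernel ignores the descriptor for an absolute path, but it is still an uninitialized read in C and trips `-Wuninitialized`, so it should be `dirfd = open("/", O_RDONLY);`. In the component loop `str = xstrdup(linkpath ? linkpath : item);` is never freed, so every path component leaks one allocation; a `free(str);` at the end of each iteration, after the `openat`/`eerrorx` uses of it, fixes that. When a root-owned symlink is followed, its whole target string is handed to a single `openat(..., O_NOFOLLOW)`, and `O_NOFOLLOW` constrains only the final component, so a multi-component target such as `a/b` appears to let an intermediate symlink be resolved by the kernel without the root-ownership check the patch description promises for every non-terminal link — worth either splitting the target into components or documenting the limitation in a comment above the `S_ISLNK` branch. The user-visible strings `"follow symbolic links (irrelivent on linux)"` and `"synbolic link %s not owned by root"` have typos ("irrelevant", "symbolic"). Since this file is a vendored upstream patch, these are best reported upstream and carried here as a follow-up patch rather than hand-edited.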