Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package quagga for openSUSE:Factory checked in at 2022-11-12 17:41:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/quagga (Old) and /work/SRC/openSUSE:Factory/.quagga.new.1597 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "quagga" Sat Nov 12 17:41:20 2022 rev:58 rq:1035295 version:1.2.4 Changes: -------- --- /work/SRC/openSUSE:Factory/quagga/quagga.changes 2022-11-02 12:48:19.497928469 +0100 +++ /work/SRC/openSUSE:Factory/.quagga.new.1597/quagga.changes 2022-11-12 17:41:42.386359906 +0100 @@ -1,0 +2,12 @@ +Fri Nov 11 09:07:22 UTC 2022 - Marius Tomaschewski <[email protected]> + +- Remove attempts to correct configuration file ownership and + permissions in service files, that may lead to local privilege + escalation from quagga to root (bsc#1191890,CVE-2021-44038). + [+ remove-chown-chmod.service.patch] +- Correct hardening patches adding ReadWritePaths=/etc/quagga +- Add update-messages that quagga is not developed for years, + is about to get dropped from Factory/Tumbleweed soon and + users should migrate to FRR (https://frrouting.org/). + +------------------------------------------------------------------- New: ---- remove-chown-chmod.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ quagga.spec ++++++ --- /var/tmp/diff_new_pack.LsVyFK/_old 2022-11-12 17:41:43.030363740 +0100 +++ /var/tmp/diff_new_pack.LsVyFK/_new 2022-11-12 17:41:43.034363764 +0100 @@ -63,6 +63,7 @@ Patch8: harden_ripd.service.patch Patch9: harden_ripngd.service.patch Patch10: harden_zebra.service.patch +Patch11: remove-chown-chmod.service.patch BuildRequires: autoconf >= 2.6 BuildRequires: automake >= 1.6 BuildRequires: c-ares-devel @@ -159,6 +160,7 @@ %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 %build export CFLAGS="%{optflags} -fno-strict-aliasing" 
@@ -265,13 +267,23 @@ done %endif -%if 0%{?suse_version} > 1500 %posttrans +%if 0%{?suse_version} > 1500 # Migration to /usr/etc, restore just created .rpmsave for i in logrotate.d/quagga ; do test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||: done %endif +cat > /var/adm/update-messages/%{name}-%{version}-%{release} << __EOF__ +Quagga has not been developed further since 2018, we are about to +remove it from openSUSE:Factory / Tumbleweed soon. + +Please migrate to FRR which has its roots in the Quagga project: + + https://frrouting.org/ + +The frr package is available since SLE 15-SP3 and openSUSE Leap 15.3. +__EOF__ %post %if %{with systemd} ++++++ harden_bgpd.service.patch ++++++ --- /var/tmp/diff_new_pack.LsVyFK/_old 2022-11-12 17:41:43.070363978 +0100 +++ /var/tmp/diff_new_pack.LsVyFK/_new 2022-11-12 17:41:43.074364002 +0100 @@ -2,7 +2,7 @@ =================================================================== --- quagga-1.2.4.orig/redhat/bgpd.service +++ quagga-1.2.4/redhat/bgpd.service -@@ -8,6 +8,17 @@ ConditionPathExists=/etc/quagga/bgpd.con +@@ -8,6 +8,18 @@ Documentation=man:bgpd [Service] @@ -16,6 +16,7 @@ +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true ++ReadWritePaths=/etc/quagga +# end of automatic additions Type=forking PIDFile=/run/quagga/bgpd.pid ++++++ harden_isisd.service.patch ++++++ --- /var/tmp/diff_new_pack.LsVyFK/_old 2022-11-12 17:41:43.086364074 +0100 +++ /var/tmp/diff_new_pack.LsVyFK/_new 2022-11-12 17:41:43.090364097 +0100 @@ -2,7 +2,7 @@ =================================================================== --- quagga-1.2.4.orig/redhat/isisd.service +++ quagga-1.2.4/redhat/isisd.service -@@ -8,6 +8,17 @@ ConditionPathExists=/etc/quagga/isisd.co +@@ -8,6 +8,18 @@ Documentation=man:isisd [Service] 
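Review bot: The new `%posttrans` writes the update message with `cat > /var/adm/update-messages/%{name}-%{version}-%{release}` without checking that the directory exists, and rpm scriptlets are not run with `set -e`, so on a system without that directory the scriptlet only prints a shell error and the message is silently lost. On openSUSE the directory is normally provided by the base system, but since the heredoc is now executed unconditionally (the `%if` guard moved down to cover only the .rpmsave loop) a guard is cheap: `[ -d /var/adm/update-messages ] && cat > /var/adm/update-messages/%{name}-%{version}-%{release} << __EOF__`. A short comment above it, `# Deprecation notice shown by zypper/YaST after the transaction`, would also make the intent of the file clear to the next maintainer.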
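Review bot: `ReadWritePaths=/etc/quagga` gives bgpd write access to the whole configuration directory, including the other daemons' .conf files and vtysh.conf, rather than only to bgpd.conf; presumably this is needed because saving the running configuration creates and renames files inside that directory, but the hunk does not say so and a narrower grant would not work if that assumption holds. I would add a comment line in the patch right above the directive, `# config save creates/renames files in this directory, so a per-file grant is not enough`, so the width of the grant is recorded as deliberate. Note also that `ReadWritePaths=` only takes effect when a `ProtectSystem=` (or `ReadOnlyPaths=`) setting makes /etc read-only; the earlier lines of the inserted block are outside this hunk, so I cannot confirm such a setting is present. The identical line is added in harden_isisd, harden_ospf6d, harden_ospfd, harden_ripd, harden_ripngd and harden_zebra, and the same comment applies there.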
@@ -16,6 +16,7 @@ +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true ++ReadWritePaths=/etc/quagga +# end of automatic additions Type=forking PIDFile=/run/quagga/isisd.pid ++++++ harden_ospf6d.service.patch ++++++ --- /var/tmp/diff_new_pack.LsVyFK/_old 2022-11-12 17:41:43.102364169 +0100 +++ /var/tmp/diff_new_pack.LsVyFK/_new 2022-11-12 17:41:43.106364192 +0100 @@ -2,7 +2,7 @@ =================================================================== --- quagga-1.2.4.orig/redhat/ospf6d.service +++ quagga-1.2.4/redhat/ospf6d.service -@@ -8,6 +8,17 @@ ConditionPathExists=/etc/quagga/ospf6d.c +@@ -8,6 +8,18 @@ Documentation=man:ospf6d [Service] @@ -16,6 +16,7 @@ +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true ++ReadWritePaths=/etc/quagga +# end of automatic additions Type=forking PIDFile=/run/quagga/ospf6d.pid ++++++ harden_ospfd.service.patch ++++++ --- /var/tmp/diff_new_pack.LsVyFK/_old 2022-11-12 17:41:43.118364264 +0100 +++ /var/tmp/diff_new_pack.LsVyFK/_new 2022-11-12 17:41:43.122364288 +0100 @@ -2,7 +2,7 @@ =================================================================== --- quagga-1.2.4.orig/redhat/ospfd.service +++ quagga-1.2.4/redhat/ospfd.service -@@ -8,6 +8,17 @@ ConditionPathExists=/etc/quagga/ospfd.co +@@ -8,6 +8,18 @@ Documentation=man:ospfd [Service] @@ -16,6 +16,7 @@ +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true ++ReadWritePaths=/etc/quagga +# end of automatic additions Type=forking PIDFile=/run/quagga/ospfd.pid ++++++ harden_ripd.service.patch ++++++ --- /var/tmp/diff_new_pack.LsVyFK/_old 2022-11-12 17:41:43.138364383 +0100 +++ /var/tmp/diff_new_pack.LsVyFK/_new 2022-11-12 17:41:43.142364407 +0100 @@ -2,7 +2,7 @@ =================================================================== --- quagga-1.2.4.orig/redhat/ripd.service +++ quagga-1.2.4/redhat/ripd.service -@@ -8,6 +8,17 @@ ConditionPathExists=/etc/quagga/ripd.con +@@ -8,6 +8,18 @@ Documentation=man:ripd [Service] 
@@ -16,6 +16,7 @@ +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true ++ReadWritePaths=/etc/quagga +# end of automatic additions Type=forking PIDFile=/run/quagga/ripd.pid ++++++ harden_ripngd.service.patch ++++++ --- /var/tmp/diff_new_pack.LsVyFK/_old 2022-11-12 17:41:43.158364502 +0100 +++ /var/tmp/diff_new_pack.LsVyFK/_new 2022-11-12 17:41:43.162364526 +0100 @@ -2,7 +2,7 @@ =================================================================== --- quagga-1.2.4.orig/redhat/ripngd.service +++ quagga-1.2.4/redhat/ripngd.service -@@ -8,6 +8,17 @@ ConditionPathExists=/etc/quagga/ripngd.c +@@ -8,6 +8,18 @@ Documentation=man:ripngd [Service] @@ -16,6 +16,7 @@ +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true ++ReadWritePaths=/etc/quagga +# end of automatic additions Type=forking PIDFile=/run/quagga/zebra.pid ++++++ harden_zebra.service.patch ++++++ --- /var/tmp/diff_new_pack.LsVyFK/_old 2022-11-12 17:41:43.178364621 +0100 +++ /var/tmp/diff_new_pack.LsVyFK/_new 2022-11-12 17:41:43.178364621 +0100 @@ -2,7 +2,7 @@ =================================================================== --- quagga-1.2.4.orig/redhat/zebra.service +++ quagga-1.2.4/redhat/zebra.service -@@ -6,6 +6,17 @@ ConditionPathExists=/etc/quagga/zebra.co +@@ -6,6 +6,18 @@ Documentation=man:zebra [Service] @@ -16,6 +16,7 @@ +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true ++ReadWritePaths=/etc/quagga +# end of automatic additions Type=forking PIDFile=/run/quagga/zebra.pid ++++++ remove-chown-chmod.service.patch ++++++ References: bsc#1191890,CVE-2021-44038 Upstream: no The services ensure using ConditionPathExists that configuration files exist at start time. This change reverts to quagga-1.1.1 service behavior and removes the attempts to fix configuration file ownership and permissions that may lead to local privilege escalation from quagga to root. --- quagga-1.2.4-orig/redhat/bgpd.service +++ quagga-1.2.4/redhat/bgpd.service 
@@ -23,8 +23,6 @@ Type=forking PIDFile=/run/quagga/bgpd.pid EnvironmentFile=/etc/sysconfig/quagga -ExecStartPre=-/bin/chmod -f 640 /etc/quagga/bgpd.conf -ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/bgpd.conf ExecStart=/usr/sbin/bgpd -d $BGPD_OPTS -f /etc/quagga/bgpd.conf Restart=on-abort --- quagga-1.2.4-orig/redhat/isisd.service +++ quagga-1.2.4/redhat/isisd.service @@ -23,8 +23,6 @@ Type=forking PIDFile=/run/quagga/isisd.pid EnvironmentFile=/etc/sysconfig/quagga -ExecStartPre=-/bin/chmod -f 640 /etc/quagga/isisd.conf -ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/isisd.conf ExecStart=/usr/sbin/isisd -d $ISISD_OPTS -f /etc/quagga/isisd.conf Restart=on-abort --- quagga-1.2.4-orig/redhat/ospf6d.service +++ quagga-1.2.4/redhat/ospf6d.service @@ -23,8 +23,6 @@ Type=forking PIDFile=/run/quagga/ospf6d.pid EnvironmentFile=/etc/sysconfig/quagga -ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospf6d.conf -ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospf6d.conf ExecStart=/usr/sbin/ospf6d -d $OSPF6D_OPTS -f /etc/quagga/ospf6d.conf Restart=on-abort --- quagga-1.2.4-orig/redhat/ospfd.service +++ quagga-1.2.4/redhat/ospfd.service @@ -23,8 +23,6 @@ Type=forking PIDFile=/run/quagga/ospfd.pid EnvironmentFile=/etc/sysconfig/quagga -ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospfd.conf -ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospfd.conf ExecStart=/usr/sbin/ospfd -d $OSPFD_OPTS -f /etc/quagga/ospfd.conf Restart=on-abort --- quagga-1.2.4-orig/redhat/ripd.service +++ quagga-1.2.4/redhat/ripd.service @@ -23,8 +23,6 @@ Type=forking PIDFile=/run/quagga/ripd.pid EnvironmentFile=/etc/sysconfig/quagga -ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripd.conf -ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripd.conf ExecStart=/usr/sbin/ripd -d $RIPD_OPTS -f /etc/quagga/ripd.conf Restart=on-abort --- quagga-1.2.4-orig/redhat/ripngd.service +++ quagga-1.2.4/redhat/ripngd.service 
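Review bot: With the `chmod`/`chown` ExecStartPre lines gone, nothing at service start ensures that `/etc/quagga/bgpd.conf` is readable by the unprivileged user the daemon switches to; `ConditionPathExists=`, which the patch header relies on, checks only existence, so an installation whose config was left root-owned with a restrictive mode (something the removed commands silently repaired) now fails inside the daemon instead of at the unit condition. Dropping the privileged fix-up is the right trade-off for bsc#1191890 / CVE-2021-44038, but the patch should state where ownership and mode are now guaranteed, which from this hunk can only be the package's `%files` attributes and, for already-installed systems, a one-time fix-up in `%post` if one exists. I would extend the patch header with `Ownership and mode of the .conf files are set only at package installation time; a daemon that cannot read its file now fails at start.` The same applies to the isisd, ospf6d, ospfd and ripd hunks on this line and to the ripngd and zebra hunks that follow.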
@@ -23,8 +23,6 @@ Type=forking PIDFile=/run/quagga/zebra.pid EnvironmentFile=/etc/sysconfig/quagga -ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripngd.conf -ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripngd.conf ExecStart=/usr/sbin/ripngd -d $RIPNGD_OPTS -f /etc/quagga/ripngd.conf Restart=on-abort --- quagga-1.2.4-orig/redhat/zebra.service +++ quagga-1.2.4/redhat/zebra.service @@ -22,9 +22,6 @@ PIDFile=/run/quagga/zebra.pid EnvironmentFile=-/etc/sysconfig/quagga ExecStartPre=/sbin/ip route flush proto zebra -ExecStartPre=-/bin/chmod -f 640 /etc/quagga/vtysh.conf /etc/quagga/zebra.conf -ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /run/quagga /etc/quagga/zebra.conf -ExecStartPre=-/bin/chown -f ${QUAGGA_USER}${VTY_GROUP:+":$VTY_GROUP"} quaggavty /etc/quagga/vtysh.conf ExecStart=/usr/sbin/zebra -d $ZEBRA_OPTS -f /etc/quagga/zebra.conf Restart=on-abort
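Review bot: The removed zebra line also chowned `/run/quagga`, so after this patch no unit sets the ownership of the runtime directory that every `PIDFile=` points into; it needs to come from a tmpfiles.d entry or from `RuntimeDirectory=quagga` (whose ownership follows the unit's `User=`/`Group=`, so that only works if the units declare them), and neither is visible from this hunk. Two pre-existing oddities are carried into this new patch's context and are worth fixing in the same touch: ripngd.service keeps `PIDFile=/run/quagga/zebra.pid`, which points at zebra's PID file rather than `/run/quagga/ripngd.pid`, so systemd tracks the wrong process for ripngd; and zebra uses `EnvironmentFile=-/etc/sysconfig/quagga` while every other unit requires the file without the `-` prefix, so a missing sysconfig file fails the other daemons but not zebra. If these are intentional, a one-line comment in the patch header saying so would stop the next reviewer from raising them again.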
