Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package pesign for openSUSE:Factory checked in at 2023-02-09 16:21:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pesign (Old) and /work/SRC/openSUSE:Factory/.pesign.new.4462 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pesign"
Thu Feb 9 16:21:51 2023 rev:41 rq:1063715 version:113
Changes:
--------
--- /work/SRC/openSUSE:Factory/pesign/pesign.changes 2021-11-25 23:05:27.265338158 +0100
+++ /work/SRC/openSUSE:Factory/.pesign.new.4462/pesign.changes 2023-02-09 16:21:55.542316926 +0100
@@ -1,0 +2,11 @@
+Tue Feb 7 07:37:20 UTC 2023 - Gary Ching-Pang Lin <[email protected]>
+
+- Add pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
+ to use the normal file permissions in pesign-authorize to avoid
+ the potential security issue (bsc#1202933, CVE-2022-3560)
+- Set the libexecdir path for "make" to fix the path to
+ pesign-authorize in pesign.service (bsc#1202933)
+- Add pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch to make
+ the default NSS datebase writeable (bsc#1202933)
+
+-------------------------------------------------------------------
@@ -79,0 +91 @@
+ + Fix wrong oid offsets (bsc#1205323)
New:
----
pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pesign.spec ++++++
--- /var/tmp/diff_new_pack.tQelEL/_old 2023-02-09 16:21:56.542322078 +0100
+++ /var/tmp/diff_new_pack.tQelEL/_new 2023-02-09 16:21:56.546322098 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package pesign
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -42,6 +42,8 @@
 # PATCH-FIX-UPSTREAM pesign-boo1185663-set-rpmmacrodir.patch boo#1185663 [email protected] -- Set the rpm macro directory at build time
 Patch8: pesign-boo1185663-set-rpmmacrodir.patch
 Patch9: harden_pesign.service.patch
+Patch10: pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
+Patch11: pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
 BuildRequires: efivar-devel
 BuildRequires: libuuid-devel
 BuildRequires: mozilla-nss-devel
@@ -68,10 +70,12 @@
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1
 %build
 %sysusers_generate_pre %{SOURCE1} %{name} %{name}.conf
-make %{?_smp_mflags} CFLAGS="%{optflags}" LDFLAGS="${LDFLAGS} -pie"
+make %{?_smp_mflags} CFLAGS="%{optflags}" LDFLAGS="${LDFLAGS} -pie" libexecdir=%{_libexecdir}
 %install
 mkdir -p %{buildroot}%{_localstatedir}/lib/pesign
++++++ pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch ++++++
>From 73cd25615367ff1f9a19fdfd38017f68a12a354d Mon Sep 17 00:00:00 2001
From: Gary Lin <[email protected]>
Date: Tue, 7 Feb 2023 15:34:09 +0800
Subject: [PATCH] Make /etc/pki/pesign/ writeable
The default NSS database for the pesign daemon is stored in /etc/pki/pesign/. Make it writeable after hardening the service.
Signed-off-by: Gary Lin <[email protected]>
---
 src/pesign.service.in | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/pesign.service.in b/src/pesign.service.in
index 87accee..8542c63 100644
--- a/src/pesign.service.in
+++ b/src/pesign.service.in
@@ -20,3 +20,4 @@ Type=forking
 PIDFile=/run/pesign.pid
 ExecStart=/usr/bin/pesign --daemonize
 ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
+ReadWritePaths=/etc/pki/pesign/
--
2.35.3
++++++ pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch ++++++
>From cf116c5fc6a98f28144ea0409988a83b22289439 Mon Sep 17 00:00:00 2001
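Review bot: `Patch10` and `Patch11` are added without the patch-tag comment that `Patch8` carries directly above them, so the spec does not record the origin or bug reference of a CVE fix. A line such as `# PATCH-FIX-UPSTREAM pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch bsc#1202933 CVE-2022-3560 -- Use normal file permissions instead of ACLs` above `Patch10` would do; the patch header names an upstream author, so UPSTREAM looks right. `Patch11` appears to be a distribution-side follow-up to the service hardening, so it presumably wants a `PATCH-FIX-OPENSUSE` tag instead; confirm against its upstream status.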
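Review bot: `libexecdir=%{_libexecdir}` is passed only to the `make` call in `%build`; the `%install` section is cut off after its first line, so it is not visible whether the install step receives the same override. If it does not, the path substituted for `@@LIBEXECDIR@@` in pesign.service and the directory the script is installed into can differ, and `ExecStartPost` would then point at a missing file. A comment such as `# libexecdir must match the value used at install time; pesign.service embeds it` above the `make` line would record the coupling.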
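Review bot: `ReadWritePaths=/etc/pki/pesign/` has no `-` prefix, so if the directory is absent when the unit starts, systemd fails the service during namespace setup rather than letting the daemon report the problem itself; `ReadWritePaths=-/etc/pki/pesign/` tolerates a missing path, if that is the intended behaviour. The setting also applies to `ExecStartPost`, which in this same commit recursively chowns and chmods that directory, so the sandbox exception covers the whole NSS database tree for both commands. A comment such as `# NSS database: opened read-write by the daemon and re-owned by pesign-authorize` would explain why the hardening is relaxed here. The hardening directives themselves are outside the hunk.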
From: Robbie Harwood <[email protected]>
Date: Wed, 18 Jan 2023 14:00:22 -0500
Subject: [PATCH] Use normal file permissions instead of ACLs
Fixes a symlink attack that can't be mitigated using getfacl/setfacl. pesign-authorize is now deprecated and will be removed in a future release.
Resolves: CVE-2022-3560
Signed-off-by: Robbie Harwood <[email protected]>
---
 src/pesign-authorize | 53 +++++--------------------------------------------
 1 file changed, 5 insertions(+), 48 deletions(-)
Index: pesign-113/src/pesign-authorize
===================================================================
--- pesign-113.orig/src/pesign-authorize
+++ pesign-113/src/pesign-authorize
@@ -2,55 +2,12 @@
 set -e
 set -u
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific users is useful
-#
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
 # License: GPLv2
-declare -a fileusers=()
-declare -a dirusers=()
-for user in $(cat /etc/pesign/users); do
- dirusers[${#dirusers[@]}]=-m
- dirusers[${#dirusers[@]}]="u:$user:rwx"
- fileusers[${#fileusers[@]}]=-m
- fileusers[${#fileusers[@]}]="u:$user:rw"
-done
-
-declare -a filegroups=()
-declare -a dirgroups=()
-for group in $(cat /etc/pesign/groups); do
- dirgroups[${#dirgroups[@]}]=-m
- dirgroups[${#dirgroups[@]}]="g:$group:rwx"
- filegroups[${#filegroups[@]}]=-m
- filegroups[${#filegroups[@]}]="g:$group:rw"
-done
-
-update_subdir() {
- subdir=$1 && shift
- setfacl -bk "${subdir}"
- setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
- for x in "${subdir}"* ; do
- if [ -d "${x}" ]; then
- setfacl -bk ${x}
- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
- update_subdir "${x}/"
- elif [ -e "${x}" ]; then
- setfacl -bk ${x}
- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
- else
- :;
- fi
- done
-}
+# This script is deprecated and will be removed in a future release.
-for x in /run/pesign/ /etc/pki/pesign*/ ; do
- if [ -d "${x}" ]; then
- update_subdir "${x}"
- else
- :;
- fi
+sleep 3
+for x in /run/pesign/ /etc/pki/pesign/ ; do
+ chown -R pesign:pesign "${x}" || true
+ chmod -R ug+rwX "${x}" || true
 done
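Review bot: The new loop never strips ACL entries, whereas the removed `update_subdir` ran `setfacl -bk` before re-applying them, so named-user and named-group entries written under `/etc/pki/pesign/` by an earlier version would, as far as this hunk shows, stay on disk after the upgrade even though `/etc/pesign/users` and `/etc/pesign/groups` are no longer read. Since the commit message says the ACL tools cannot be used safely here, this is best handled as documentation, for example `# ACLs set by older versions are not removed here; audit with getfacl after upgrading. Access is now granted through the pesign group only.` next to the deprecation notice. Separately, both `|| true` fallbacks discard failures silently, so a failed `chown` leaves the previous ownership in place with no trace in the journal; `chown -R pesign:pesign "${x}" || echo "pesign-authorize: chown ${x} failed" >&2` keeps the best-effort behaviour while logging it. The unexplained `sleep 3` also deserves a why-comment stating what it waits for.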
