Script 'mail_helper' called by obssrc

Hello community,

here is the log from the commit of package apparmor for openSUSE:Factory checked in at 2022-04-12 21:43:17

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apparmor (Old)
 and      /work/SRC/openSUSE:Factory/.apparmor.new.1900 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apparmor" Tue Apr 12 21:43:17 2022 rev:167 rq:968253 version:3.0.4 Changes: -------- --- /work/SRC/openSUSE:Factory/apparmor/apparmor.changes 2022-04-05 19:55:44.142044762 +0200 +++ /work/SRC/openSUSE:Factory/.apparmor.new.1900/apparmor.changes 2022-04-12 21:43:23.175649328 +0200 @@ -1,0 +2,6 @@ +Sun Apr 10 13:08:56 UTC 2022 - Christian Boltz <suse-b...@cboltz.de> + +- add profile for zgrep and xzgrep to prevent CVE-2022-1271 + (zgrep-profile-mr870.diff) + +------------------------------------------------------------------- New: ---- zgrep-profile-mr870.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apparmor.spec ++++++ --- /var/tmp/diff_new_pack.M0lfC0/_old 2022-04-12 21:43:23.863641417 +0200 +++ /var/tmp/diff_new_pack.M0lfC0/_new 2022-04-12 21:43:23.871641325 +0200 @@ -86,6 +86,9 @@ # see (https://gitlab.com/apparmor/apparmor/-/merge_requests/862) Patch8: update-usr-sbin-smbd.diff +# add zgrep and xzgrep profile (submitted upstream 2022-04-10 https://gitlab.com/apparmor/apparmor/-/merge_requests/870) +Patch9: zgrep-profile-mr870.diff + PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apparmor_bin_prefix %{?usrmerged:/usr}/lib/apparmor @@ -350,6 +353,7 @@ %patch5 %patch7 -p1 %patch8 -p1 +%patch9 -p1 %build %define _lto_cflags %{nil} @@ -580,6 +584,7 @@ %config(noreplace) %{_sysconfdir}/apparmor.d/nvidia_modprobe %config(noreplace) %{_sysconfdir}/apparmor.d/php-fpm %config(noreplace) %{_sysconfdir}/apparmor.d/samba-bgqd +%config(noreplace) %{_sysconfdir}/apparmor.d/zgrep %config(noreplace) %{_sysconfdir}/apparmor.d/local/* %dir /usr/share/apparmor/ %if %{with precompiled_cache} ++++++ zgrep-profile-mr870.diff ++++++ >From 3a3b49ccd93d00cbc373319b90c6acecdd6f45fa Mon Sep 17 00:00:00 2001 
From: Christian Boltz <appar...@cboltz.de> Date: Sun, 10 Apr 2022 15:03:08 +0200 Subject: [PATCH] Add zgrep and xzgrep profile This prevents exploiting https://www.openwall.com/lists/oss-security/2022/04/08/2 (code execution via "funny" filenames) --- profiles/apparmor.d/zgrep | 59 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 profiles/apparmor.d/zgrep diff --git a/profiles/apparmor.d/zgrep b/profiles/apparmor.d/zgrep new file mode 100644 index 000000000..0bf0765d1 --- /dev/null +++ b/profiles/apparmor.d/zgrep @@ -0,0 +1,59 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2021 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi <abi/3.0>, + +include <tunables/global> + +profile zgrep /usr/bin/{x,}zgrep { + include <abstractions/base> + include <abstractions/bash> + + /dev/tty rw, + /usr/bin/bash ix, + /usr/bin/bzip2 Cx -> helper, + /usr/bin/cat ix, + /usr/bin/grep Cx -> helper, + /usr/bin/gzip Cx -> helper, + /usr/bin/mktemp ix, + /usr/bin/rm ix, + /usr/bin/sed Cx -> sed, + /usr/bin/xz Cx -> helper, + /usr/bin/xzgrep r, + /usr/bin/zgrep Cx -> helper, + owner /tmp/zgrep* rw, + /usr/bin/zgrep r, + + include if exists <local/zgrep> + + profile helper { + include <abstractions/base> + + capability dac_override, + capability dac_read_search, + + /usr/bin/bash ix, + /usr/bin/bzip2 mr, + /usr/bin/grep mr, + /usr/bin/gzip mr, + /usr/bin/xz mr, + /{,**} r, + + } + + profile sed { + include <abstractions/base> + + /dev/tty rw, + /usr/bin/bash ix, + /usr/bin/sed mr, + + } +}
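Review bot: In the new profiles/apparmor.d/zgrep hunk, the `profile helper` child grants `capability dac_override,` although every file rule in that child is read-only (`/{,**} r,` plus `mr` on bzip2, grep, gzip and xz); `capability dac_read_search,`, which the child already has, is what bypasses read and search checks, so suggest dropping `dac_override` unless a logged denial shows it is needed, to keep the helper at the minimum for decompress-and-grep. Two smaller points in the same hunk: the header reads `Copyright (C) 2021 Christian Boltz` while the commit is dated 10 Apr 2022, and `owner /tmp/zgrep* rw,` sits between the two `/usr/bin/zgrep` rules (`/usr/bin/zgrep Cx -> helper,` and `/usr/bin/zgrep r,`), so keeping the file rules sorted by path would make future diffs against this profile easier to read.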