Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rear for openSUSE:Factory checked in at 2024-01-22 20:34:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rear (Old)
 and      /work/SRC/openSUSE:Factory/.rear.new.16006 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rear" Mon Jan 22 20:34:34 2024 rev:37 rq:1140364 version:2.7 Changes: -------- --- /work/SRC/openSUSE:Factory/rear/rear.changes 2022-07-14 16:35:05.460675872 +0200 +++ /work/SRC/openSUSE:Factory/.rear.new.16006/rear.changes 2024-01-22 20:34:57.174814458 +0100 @@ -1,0 +2,8 @@ +Mon Jan 22 07:10:11 UTC 2024 - Johannes Meixner <[email protected]> + +- GRUB_RESCUE_initrd.patch fixes CVE-2024-23301 + "ReaR creates world-readable initrd with GRUB_RESCUE=Y" + https://github.com/rear/rear/issues/3122 + (bsc#1218728) + +------------------------------------------------------------------- New: ---- GRUB_RESCUE_initrd.patch BETA DEBUG BEGIN: New: - GRUB_RESCUE_initrd.patch fixes CVE-2024-23301 "ReaR creates world-readable initrd with GRUB_RESCUE=Y" BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rear.spec ++++++ --- /var/tmp/diff_new_pack.wLrHnE/_old 2024-01-22 20:34:57.686833157 +0100 +++ /var/tmp/diff_new_pack.wLrHnE/_new 2024-01-22 20:34:57.690833304 +0100 @@ -1,7 +1,7 @@ # # spec file for package rear # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -58,6 +58,12 @@ # Source999 rear-rpmlintrc filters false positives rpmlint warning messages, see # https://en.opensuse.org/openSUSE:Packaging_checks#Building_Packages_despite_of_errors Source999: rear-rpmlintrc +# Patch100...Patch999 is for patches from SUSE which are not intended for upstream: +# Patch100 GRUB_RESCUE_initrd.patch fixes CVE-2024-23301 +# "ReaR creates world-readable initrd with GRUB_RESCUE=Y" +# https://github.com/rear/rear/issues/3122 +# https://bugzilla.suse.com/show_bug.cgi?id=1218728 +Patch100: GRUB_RESCUE_initrd.patch # Rear contains only bash scripts plus documentation so that on first glance it could be "BuildArch: noarch" # but actually it is not "noarch" because it only works on those architectures that are explicitly supported. # Of course the rear bash scripts can be installed on any architecture just as any binaries can be installed on any architecture. @@ -287,6 +293,11 @@ %prep %setup -q -n rear-%{upstream_version} +# Patch100 GRUB_RESCUE_initrd.patch fixes CVE-2024-23301 +# "ReaR creates world-readable initrd with GRUB_RESCUE=Y" +# https://github.com/rear/rear/issues/3122 +# https://bugzilla.suse.com/show_bug.cgi?id=1218728 +%patch100 # Add a specific os.conf to not depend on LSB dependencies # (otherwise it calls "lsb_release" in /usr/share/rear/lib/config-functions.sh) # for the suse_version values see the listings at ++++++ GRUB_RESCUE_initrd.patch ++++++ --- usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh.orig 2022-07-14 09:36:00.915410283 +0200 +++ usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh 2024-01-12 08:18:12.877116064 +0100 @@ -125,4 +125,10 @@ case "$REAR_INITRD_COMPRESSION" in fi ;; esac + +# Only root should be allowed to access the initrd +# because the ReaR recovery system can contain secrets +# cf. https://github.com/rear/rear/issues/3122 +test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME" + popd >/dev/null
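Review bot: in the rear.spec hunk at @@ -58,6 +58,12 @@, the new comment block files Patch100 under "patches from SUSE which are not intended for upstream", but the patch addresses the upstream issue https://github.com/rear/rear/issues/3122 and contains nothing SUSE-specific, so it reads like a security backport rather than a SUSE-only change. Please state in the comment whether upstream has (or will have) an equivalent fix for CVE-2024-23301 so it is clear the patch can be dropped on the next upstream rebase, and consider whether the Patch100...Patch999 range is the right home for it.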
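Review bot: in the %prep hunk at @@ -287,6 +293,11 @@, `%patch100` is applied without an explicit `-p` level even though the patch headers use bare paths with no a/ b/ prefix ("usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh"); writing `%patch100 -p0` documents the intended strip level and avoids relying on the macro's default.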
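Review bot: in the 900_create_initramfs.sh hunk at @@ -125,4 +125,10 @@, the `chmod 0600` runs only after the `case "$REAR_INITRD_COMPRESSION"` block has already written the initrd, so the file sits on disk with its default (world-readable, per the CVE title) mode until that line executes; a tighter fix sets a restrictive umask (e.g. `umask 077`) before the initrd is created so it is never readable by other users, keeping the chmod as a second line of defence. Also, `test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 ...` silently does nothing when the file is missing or empty and ignores a failing chmod; since the file mode is the whole point of the fix, a failure there should be reported rather than swallowed.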
