Hello community,

here is the log from the commit of package scap-workbench for openSUSE:Factory 
checked in at 2018-07-31 16:04:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/scap-workbench (Old)
 and      /work/SRC/openSUSE:Factory/.scap-workbench.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "scap-workbench"

Tue Jul 31 16:04:19 2018 rev:10 rq:626684 version:1.1.5

Changes:
--------
--- /work/SRC/openSUSE:Factory/scap-workbench/scap-workbench.changes    
2018-01-03 13:39:32.371231584 +0100
+++ /work/SRC/openSUSE:Factory/.scap-workbench.new/scap-workbench.changes       
2018-07-31 16:04:29.540066170 +0200
@@ -1,0 +2,6 @@
+Thu Jul 26 09:11:29 UTC 2018 - matthias.gerst...@suse.com
+
+- 0001-pkexec-avoid-potential-local-root-exploit-by-using-P.patch:
+  harden and sanitize the pkexec wrapper (bsc#1084706).
+
+-------------------------------------------------------------------

New:
----
  0001-pkexec-avoid-potential-local-root-exploit-by-using-P.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ scap-workbench.spec ++++++
--- /var/tmp/diff_new_pack.1hVxZt/_old  2018-07-31 16:04:30.276067425 +0200
+++ /var/tmp/diff_new_pack.1hVxZt/_new  2018-07-31 16:04:30.276067425 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package scap-workbench
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,10 +20,11 @@
 Version:        1.1.5
 Release:        0
 Summary:        A SCAP scanner and SCAP content editor
-License:        GPL-3.0
+License:        GPL-3.0-only
 Group:          Productivity/Security
 Url:            https://github.com/OpenSCAP/scap-workbench
 Source:         
https://github.com/OpenSCAP/scap-workbench/releases/download/%version/scap-workbench-%version.tar.bz2
+Patch0:         0001-pkexec-avoid-potential-local-root-exploit-by-using-P.patch
 BuildRequires:  cmake >= 2.6
 BuildRequires:  openscap-devel
 # SLE 11 SP3: libopenscap needs libxslt without requiring it
@@ -57,6 +58,7 @@
 
 %prep
 %setup -q
+%patch0 -p1
 
 %build
 %if 0%{?cmake}

++++++ 0001-pkexec-avoid-potential-local-root-exploit-by-using-P.patch ++++++
>From 2dff0925c5435d3bdb35186c015a89613ce4e3ad Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerst...@suse.de>
Date: Thu, 19 Jul 2018 12:27:46 +0200
Subject: [PATCH] pkexec: avoid potential local root exploit by using
 PKEXEC_UID and sudo

If an admin relaxes the required polkit authentication for running
scap-workbench-oscap.sh from auth_admin to auth_self or yes, then the
current implementation of the wrapper script allows for a local root
exploit.

A command line like this would overwrite /etc/shadow with a file owned
by the non-privileged user:

pkexec --disable-internal-agent 
/usr/lib64/scap-workbench/scap-workbench-oscap.sh 1000 100 \
        xccdf eval --profile Default --oval-results --results /etc/shadow \
        --results-arf /tmp/scap.results.arf --report /tmp/scap.report \
        --progress /usr/share/openscap/scap-yast2sec-xccdf.xml

The copying of the target files needs to be done in the context of the
unprivileged user to prevent any symlink attacks or maliciously
specified paths. This is done by using sudo as a frontend to cp.

Also the user should not pass his own uid and gid. This would allow
changing the ownership of files to arbitrary other users. Instead pkexec
offers the PKEXEC_UID environment variable which contains the uid of the
authenticated user. The gid can be derived from the uid.
---
 scap-workbench-oscap.sh        | 32 ++++++++++++++++++++++++--------
 scap-workbench-pkexec-oscap.sh |  7 ++-----
 2 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/scap-workbench-oscap.sh b/scap-workbench-oscap.sh
index 216376f..6f720de 100755
--- a/scap-workbench-oscap.sh
+++ b/scap-workbench-oscap.sh
@@ -25,14 +25,15 @@ trap "" SIGHUP SIGINT
 # valuable gets skipped
 echo "Dummy text" 1>&2
 
-wrapper_uid=$1
-shift
-wrapper_gid=$1
-shift
+# prevent world-readable files being created
+umask 0007
 
 real_uid=`id -u`
 real_gid=`id -g`
 
+wrapper_uid=${PKEXEC_UID:-${real_uid}}
+wrapper_gid=$(id -g ${wrapper_uid})
+
 TEMP_DIR=`mktemp -d`
 
 args=("$@")
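Review bot: `wrapper_gid=$(id -g ${wrapper_uid})` on the new side is both unquoted and unchecked; if `id` fails for that uid (no passwd entry, or an ill-formed PKEXEC_UID value), wrapper_gid is left empty and the later `[ $wrapper_gid -ne $real_gid ]` aborts with a test syntax error rather than a clear failure. Prefer `wrapper_gid=$(id -g "${wrapper_uid}") || exit 1`. The fallback `${PKEXEC_UID:-${real_uid}}` is only as trustworthy as the environment: under pkexec the variable is set by pkexec itself, but when the script is invoked directly (the unprivileged fallback in scap-workbench-pkexec-oscap.sh) it can be inherited from the caller, which appears harmless here only because that caller is already unprivileged. A one-line comment stating that assumption above the assignment would help the next reader.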
@@ -84,19 +85,34 @@ RET=$?
 
 popd > /dev/null
 
+# only copy files with the target user's permissions via sudo if we're running
+# privileged, otherwise he can trick us into overwriting arbitrary files
+do_chown=false
+if [ $wrapper_uid -ne $real_uid ] || [ $wrapper_gid -ne $real_gid ]; then
+    do_chown=true
+fi
+
 function chown_copy
 {
     local what="$1"
     local where="$2"
 
-    [ ! -f "$what" ] || cp "$what" "$where"
+    [ -f "$what" ] || return
 
-    # chown only required if wrapper_{uid,gid} differs from real_{uid,gid}
-    if [ $wrapper_uid -ne $real_uid ] || [ $wrapper_gid -ne $real_gid ]; then
-        chown $wrapper_uid:$wrapper_gid $where
+    if $do_chown; then
+        chown $wrapper_uid:$wrapper_gid "$what"
+        sudo -u "#${wrapper_uid}" cp "$what" "$where"
+    else
+        cp "$what" "$where"
     fi
 }
 
+if $do_chown; then
+    # don't grant the user ownership of or write access to the directory,
+    # otherwise he could trick us by replacing the files with symlinks
+    chmod o+rx "${TEMP_DIR}"
+fi
+
 chown_copy "$TEMP_DIR/results-xccdf.xml" "$TARGET_RESULTS_XCCDF"
 chown_copy "$TEMP_DIR/results-arf.xml" "$TARGET_RESULTS_ARF"
 chown_copy "$TEMP_DIR/report.html" "$TARGET_REPORT"
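Review bot: The privileged branch of chown_copy never checks the result of `sudo -u "#${wrapper_uid}" cp "$what" "$where"`; if sudo is missing or its policy refuses the user switch, the results are silently left in TEMP_DIR and the exit status (RET, set before this hunk) does not reflect it. Report the failure at least on stderr and stop cp from parsing a target path as options, e.g. `sudo -u "#${wrapper_uid}" cp -- "$what" "$where" || echo "failed to copy $what to $where" 1>&2`. `chmod o+rx "${TEMP_DIR}"` also grants more than the copy needs: only search permission is required for the user-context cp to reach the already-chowned files, while o+r lets every other local user list the result file names, so `chmod o+x "${TEMP_DIR}"` is sufficient. A short comment on the chown line, that the chown must precede the sudo cp because the file was created under `umask 0007` and is otherwise unreadable to the target user, would make the ordering explicit.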
diff --git a/scap-workbench-pkexec-oscap.sh b/scap-workbench-pkexec-oscap.sh
index 1ae8329..a8d9b2b 100755
--- a/scap-workbench-pkexec-oscap.sh
+++ b/scap-workbench-pkexec-oscap.sh
@@ -18,9 +18,6 @@
 
 set -u -o pipefail
 
-uid=`id -u`
-gid=`id -g`
-
 PARENT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 PKEXEC_PATH="pkexec"
@@ -29,7 +26,7 @@ SCAP_WORKBENCH_OSCAP="$PARENT_DIR/scap-workbench-oscap.sh"
 # We run unprivileged if pkexec was not found.
 #which $PKEXEC_PATH > /dev/null || exit 1 # fail if pkexec was not found
 
-$PKEXEC_PATH --disable-internal-agent "$SCAP_WORKBENCH_OSCAP" $uid $gid "$@" 
2> >(tail -n +2 1>&2)
+$PKEXEC_PATH --disable-internal-agent "$SCAP_WORKBENCH_OSCAP" "$@" 2> >(tail 
-n +2 1>&2)
 EC=$?
 
 # 126 is a special exit code of pkexec when user dismisses the auth dialog
@@ -38,7 +35,7 @@ EC=$?
 # This is common in niche desktop environments.
 if [ $EC -eq 126 ] || [ $EC -eq 127 ]; then
     # in case of dismissed dialog we run without super user rights
-    "$SCAP_WORKBENCH_OSCAP" $uid $gid "$@" 2> >(tail -n +2 1>&2);
+    "$SCAP_WORKBENCH_OSCAP" "$@" 2> >(tail -n +2 1>&2);
     exit $?
 fi
 
-- 
2.16.4

