Hello community, here is the log from the commit of package libosinfo for openSUSE:Factory checked in at 2019-07-17 13:14:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libosinfo (Old) and /work/SRC/openSUSE:Factory/.libosinfo.new.1887 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libosinfo" Wed Jul 17 13:14:21 2019 rev:36 rq:715537 version:1.5.0 Changes: -------- --- /work/SRC/openSUSE:Factory/libosinfo/libosinfo.changes 2019-05-12 11:32:14.693667258 +0200 +++ /work/SRC/openSUSE:Factory/.libosinfo.new.1887/libosinfo.changes 2019-07-17 13:14:22.751844768 +0200 @@ -1,0 +2,8 @@ +Mon Jul 8 13:12:39 MDT 2019 - carn...@suse.com + +- bsc#1140749 - VUL-1: CVE-2019-13313: libosinfo: osinfo-install- + script option leaks password via command line argument + CVE-2019-13313-add-new-option-so-users-can-set-config-from-file.patch + CVE-2019-13313-pass-username-password-via-config-file.patch + +------------------------------------------------------------------- New: ---- CVE-2019-13313-add-new-option-so-users-can-set-config-from-file.patch CVE-2019-13313-pass-username-password-via-config-file.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libosinfo.spec ++++++ --- /var/tmp/diff_new_pack.04pYaK/_old 2019-07-17 13:14:23.371844467 +0200 +++ /var/tmp/diff_new_pack.04pYaK/_new 2019-07-17 13:14:23.371844467 +0200 @@ -28,6 +28,8 @@ Url: https://releases.pagure.org/libosinfo/ Source0: https://releases.pagure.org/libosinfo/%{name}-%{version}.tar.gz Source1: ids.tar.bz2 +Patch1: CVE-2019-13313-add-new-option-so-users-can-set-config-from-file.patch +Patch2: CVE-2019-13313-pass-username-password-via-config-file.patch BuildRequires: libcurl-devel BuildRequires: vala BuildRequires: pkgconfig(check) @@ -85,6 +87,8 @@ %endif %prep %setup -q -a 1 +%patch1 -p1 +%patch2 -p1 %build %configure \ ++++++ CVE-2019-13313-add-new-option-so-users-can-set-config-from-file.patch ++++++ Let's add a new option so users can set their config from a file, instead of directly passing the values via command-line. Signed-off-by: Fabiano FidĂȘncio <fidencio redhat com> --- tools/osinfo-install-script.c | 100 +++++++++++++++++++++++++++++++++- 1 file changed, 97 insertions(+), 3 deletions(-) 
diff --git a/tools/osinfo-install-script.c b/tools/osinfo-install-script.c
index 15af48d..efa96ee 100644
--- a/tools/osinfo-install-script.c
+++ b/tools/osinfo-install-script.c
@@ -37,6 +37,34 @@ static gboolean list_profile = FALSE;
 static gboolean list_inj_method = FALSE;
 static gboolean quiet = FALSE;
 
+static const gchar *configs[] = {
+ OSINFO_INSTALL_CONFIG_PROP_HARDWARE_ARCH,
+ OSINFO_INSTALL_CONFIG_PROP_L10N_TIMEZONE,
+ OSINFO_INSTALL_CONFIG_PROP_L10N_LANGUAGE,
+ OSINFO_INSTALL_CONFIG_PROP_L10N_KEYBOARD,
+ OSINFO_INSTALL_CONFIG_PROP_ADMIN_PASSWORD,
+ OSINFO_INSTALL_CONFIG_PROP_USER_PASSWORD,
+ OSINFO_INSTALL_CONFIG_PROP_USER_LOGIN,
+ OSINFO_INSTALL_CONFIG_PROP_USER_REALNAME,
+ OSINFO_INSTALL_CONFIG_PROP_USER_AUTOLOGIN,
+ OSINFO_INSTALL_CONFIG_PROP_USER_ADMIN,
+ OSINFO_INSTALL_CONFIG_PROP_REG_LOGIN,
+ OSINFO_INSTALL_CONFIG_PROP_REG_PASSWORD,
+ OSINFO_INSTALL_CONFIG_PROP_REG_PRODUCTKEY,
+ OSINFO_INSTALL_CONFIG_PROP_HOSTNAME,
+ OSINFO_INSTALL_CONFIG_PROP_TARGET_DISK,
+ OSINFO_INSTALL_CONFIG_PROP_SCRIPT_DISK,
+ OSINFO_INSTALL_CONFIG_PROP_AVATAR_LOCATION,
+ OSINFO_INSTALL_CONFIG_PROP_AVATAR_DISK,
+ OSINFO_INSTALL_CONFIG_PROP_PRE_INSTALL_DRIVERS_DISK,
+ OSINFO_INSTALL_CONFIG_PROP_PRE_INSTALL_DRIVERS_LOCATION,
+ OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_DISK,
+ OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_LOCATION,
+ OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING,
+ OSINFO_INSTALL_CONFIG_PROP_INSTALLATION_URL,
+ NULL
+};
+
 static OsinfoInstallConfig *config;
 
 static gboolean handle_config(const gchar *option_name G_GNUC_UNUSED,
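Review bot: `configs[]` is a hand-maintained copy of the library's OSINFO_INSTALL_CONFIG_PROP_* key set, and `handle_config_file` (a later hunk of this patch) reads only the keys listed here, so any key the library adds later is silently ignored when it comes from a file while still being accepted by `--config`. Worth a comment on the table so the next maintainer knows it must be updated: `/* Keys read from a --config-file; keep in sync with the OSINFO_INSTALL_CONFIG_PROP_* keys accepted by --config */`.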
@@ -65,6 +93,47 @@ static gboolean handle_config(const gchar *option_name G_GNUC_UNUSED, } +static gboolean handle_config_file(const gchar *option_name G_GNUC_UNUSED, + const gchar *value, + gpointer data G_GNUC_UNUSED, + GError **error) +{ + GKeyFile *key_file = NULL; + gchar *val = NULL; + gsize i; + gboolean ret = FALSE; + + key_file = g_key_file_new(); + if (!g_key_file_load_from_file(key_file, value, G_KEY_FILE_NONE, error)) + goto error; + + for (i = 0; configs[i] != NULL; i++) { + val = g_key_file_get_string(key_file, "install-script", configs[i], error); + if (val == NULL) { + if (g_error_matches(*error, G_KEY_FILE_ERROR, + G_KEY_FILE_ERROR_KEY_NOT_FOUND)) { + g_clear_error(error); + continue; + } + + goto error; + } + + osinfo_entity_set_param(OSINFO_ENTITY(config), + configs[i], + val); + g_free(val); + } + + ret = TRUE; + +error: + g_key_file_unref(key_file); + + return ret; +} + + static GOptionEntry entries[] = { { "profile", 'p', 0, G_OPTION_ARG_STRING, (void*)&profile, @@ -78,6 +147,9 @@ static GOptionEntry entries[] = { "config", 'c', 0, G_OPTION_ARG_CALLBACK, handle_config, N_("Set configuration parameter"), "key=value" }, + { "config-file", 'f', 0, G_OPTION_ARG_CALLBACK, + handle_config_file, + N_("Set configuration parameters"), "file:///path/to/config/file" }, { "list-config", '\0', 0, G_OPTION_ARG_NONE, (void*)&list_config, N_("List configuration parameters"), NULL }, { "list-profiles", '\0', 0, G_OPTION_ARG_NONE, (void*)&list_profile, @@ -448,6 +520,10 @@ script. Defaults to C<media>, but can also be C<network>. Set the configuration parameter C<key> to C<value>. +=item B<--config-file=config-file> + +Set the configurations parameters according to the config-file passed. + =back =head1 CONFIGURATION KEYS 
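Review bot: In `handle_config_file` a key present in the `install-script` group but absent from `configs[]` is never looked at, so a misspelled key (a typo in `admin-password`, say) drops the value without any diagnostic and the script is generated without it; a file that now carries the passwords deserves a strict parse. After the copy loop, enumerate the group with `g_key_file_get_keys()` and fail on anything not in the table (this adds a `gchar **keys` local). Separately, `g_error_matches(*error, ...)` dereferences `error` unconditionally; GOption always supplies a non-NULL pointer, so this is fine for the callback, but it would crash if the function were reused with `error == NULL`. The file is also loaded without looking at its mode; a warning when it is group- or world-readable would help users keep the passwords private, since that exposure is what the new option is meant to remove.
```c
    /* … unchanged: load the file and copy the known keys into config … */

    /* Refuse keys the loader does not know; a typo must not silently drop a value */
    keys = g_key_file_get_keys(key_file, "install-script", NULL, error);
    if (keys == NULL)
        goto error;
    for (i = 0; keys[i] != NULL; i++) {
        if (!g_strv_contains(configs, keys[i])) {
            g_set_error(error, OSINFO_ERROR, 0,
                        _("Unknown configuration key '%s' in config file"), keys[i]);
            g_strfreev(keys);
            goto error;
        }
    }
    g_strfreev(keys);

    ret = TRUE;
```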
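Review bot: The argument description `"file:///path/to/config/file"` for `--config-file` advertises a URI, but the callback loads the value with `g_key_file_load_from_file()`, which takes a filesystem path, so a literal `file://...` argument fails with a file-not-found error. Either change the placeholder to `"/path/to/config/file"`, which matches the `--config-file /path/to/the/config/file` usage in the manual page later in this patch, or convert with `g_filename_from_uri()` before loading.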
@@ -510,18 +586,36 @@ The software registration user password
 
 =back
 
+=head1 CONFIGURATION FILE FORMAT
+
+The configuration file must consist in a file which contains a
+`install-script` group and, under this group, C<key>=C<value>
+pairs, as shown below:
+
+[install-script]
+l10n-timezone=GMT
+l10n-keyboard=uk
+l10n-language=en_GB
+admin-password=123456
+user-login=berrange
+user-password=123456
+user-realname="Daniel P Berrange"
+
 =head1 EXAMPLE USAGE
 
-The following usage generates a Fedora 16 kickstart script
+The following usages generates a Fedora 16 kickstart script
+
+ # osinfo-install-script \
+ --profile jeos \
+ --config-file /path/to/the/config/file \
+ fedora16
 
 # osinfo-install-script \
 --profile jeos \
 --config l10n-timezone=GMT \
 --config l10n-keyboard=uk \
 --config l10n-language=en_GB \
- --config admin-password=123456 \
 --config user-login=berrange \
- --config user-password=123456 \
 --config user-realname="Daniel P Berrange" \
 fedora16
 
++++++ CVE-2019-13313-pass-username-password-via-config-file.patch ++++++
As passing user & admin password via command line is a low impact CVE, let's error out when it's done and advertise the users to use --config-file instead.
Signed-off-by: Fabiano FidĂȘncio <fidencio redhat com>
---
 tools/osinfo-install-script.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/tools/osinfo-install-script.c b/tools/osinfo-install-script.c
index efa96ee..3da4a69 100644
--- a/tools/osinfo-install-script.c
+++ b/tools/osinfo-install-script.c
@@ -85,6 +85,15 @@ static gboolean handle_config(const gchar *option_name G_GNUC_UNUSED,
 val++;
 key = g_strndup(value, len);
 
+ if (g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_USER_PASSWORD) ||
+ g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_ADMIN_PASSWORD)) {
+ g_set_error(error, OSINFO_ERROR, 0,
+ _("When setting user or admin password, use "
+ "--config-file instead.\n"));
+ g_free(key);
+ return FALSE;
+ }
+
 osinfo_entity_set_param(OSINFO_ENTITY(config),
 key,
 val);
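Review bot: The new CONFIGURATION FILE FORMAT section shows `admin-password` and `user-password` stored in the file but says nothing about protecting that file, which is the whole point of moving the values off the command line. Add a sentence after the example such as `Since the file contains passwords, make it readable only by the invoking user (for example mode 0600).` Two grammatical slips in the same section should be fixed while here: `must consist in a file which contains` reads better as `is a file that contains`, and `The following usages generates` should be `The following usages generate`.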
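Review bot: The rejection added to `handle_config` covers OSINFO_INSTALL_CONFIG_PROP_USER_PASSWORD and OSINFO_INSTALL_CONFIG_PROP_ADMIN_PASSWORD but not OSINFO_INSTALL_CONFIG_PROP_REG_PASSWORD, which the first patch lists in `configs[]` and the manual describes as the software registration user password, so that secret can still be passed through `--config`. Adding `g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_REG_PASSWORD) ||` to the condition closes the gap. By the time this callback runs the value has already been in the process's argv, so the error narrows the exposure window rather than preventing it, and the message's trailing `\n` is probably redundant if the caller prints the error with its own newline. `handle_config` begins before this hunk.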
@@ -520,6 +529,8 @@ script. Defaults to C<media>, but can also be C<network>.
 
 Set the configuration parameter C<key> to C<value>.
 
+Note: this option has been deprecated, use B<--config-file=> instead.
+
 =item B<--config-file=config-file>
 
 Set the configurations parameters according to the config-file passed.
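Review bot: `Note: this option has been deprecated` overstates what the code does: with the preceding hunk's change to `handle_config`, `--config` still accepts every key except `user-password` and `admin-password`, so readers would avoid a working option. Suggest `Note: admin-password and user-password are refused by this option; pass them through B<--config-file=> instead.` The following `Set the configurations parameters` line should read `Set the configuration parameters`.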