Hello community, here is the log from the commit of package rpmlint for openSUSE:Factory checked in at 2020-02-07 15:53:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rpmlint (Old) and /work/SRC/openSUSE:Factory/.rpmlint.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rpmlint"
Fri Feb 7 15:53:13 2020 rev:329 rq:770808 version:1.11
Changes:
--------
--- /work/SRC/openSUSE:Factory/rpmlint/rpmlint-tests.changes 2020-02-03 11:12:17.613813855 +0100
+++ /work/SRC/openSUSE:Factory/.rpmlint.new.26092/rpmlint-tests.changes 2020-02-07 15:54:05.039500033 +0100
@@ -1,0 +2,14 @@
+Thu Feb 06 10:06:37 UTC 2020 - [email protected]
+
+- Update to version master:
+ * CheckSUIDPermissions.py: fix permissions.d checks
+ * add a lint to catch insecure mixed file/directory ownership similar to CVE-2019-3689
+
+-------------------------------------------------------------------
+Thu Feb 06 10:06:36 UTC 2020 - [email protected]
+
+- Update to version 84.87+git20200206.7e2b64f:
+ * permissions2: test that allowed permissions.d drop-ins work
+ * test for new file-parent-ownership-mismatch lint
+
+-------------------------------------------------------------------
rpmlint.changes: same change
Old:
----
rpmlint-tests-84.87+git20200130.c0de5f4.tar.xz
New:
----
rpmlint-tests-84.87+git20200206.7e2b64f.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rpmlint-tests.spec ++++++
--- /var/tmp/diff_new_pack.s13XVc/_old 2020-02-07 15:54:08.131501723 +0100
+++ /var/tmp/diff_new_pack.s13XVc/_new 2020-02-07 15:54:08.135501725 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package rpmlint-tests
 #
-# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
 BuildRequires: rpmlint-mini
 
 Name: rpmlint-tests
-Version: 84.87+git20200130.c0de5f4
+Version: 84.87+git20200206.7e2b64f
 Release: 0
 Summary: rpmlint regression tests
 License: SUSE-Public-Domain
++++++ rpmlint.spec ++++++
--- /var/tmp/diff_new_pack.s13XVc/_old 2020-02-07 15:54:08.155501736 +0100
+++ /var/tmp/diff_new_pack.s13XVc/_new 2020-02-07 15:54:08.159501738 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package rpmlint
 #
-# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.s13XVc/_old 2020-02-07 15:54:08.243501784 +0100
+++ /var/tmp/diff_new_pack.s13XVc/_new 2020-02-07 15:54:08.243501784 +0100
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
 <param name="url">https://github.com/openSUSE/rpmlint-tests.git</param>
-<param name="changesrevision">6e0e54e073ce56ea3a81cedbce436f3f4b8cb094</param></service><service name="tar_scm">
+<param name="changesrevision">c45a69ba2c917d23ef888b044bc8114ad3611f4d</param></service><service name="tar_scm">
 <param name="url">https://github.com/openSUSE/rpmlint-checks.git</param>
-<param name="changesrevision">20b469207308def7aa2d27665c9a9a224d3afe25</param></service></servicedata>
\ No newline at end of file
+<param name="changesrevision">d26befa3c953dd4f96265bd58c6dad472a6ea512</param></service></servicedata>
\ No newline at end of file
++++++ rpmlint-checks-master.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-checks-master/CheckSUIDPermissions.py new/rpmlint-checks-master/CheckSUIDPermissions.py
--- old/rpmlint-checks-master/CheckSUIDPermissions.py 2019-12-27 11:53:26.000000000 +0100
+++ new/rpmlint-checks-master/CheckSUIDPermissions.py 2020-02-06 10:14:08.000000000 +0100
@@ -116,8 +116,8 @@
 for f in permfiles:
 # check for a .secure file first, falling back to the plain file
 for path in self._paths_to(f + '.secure', f):
- if os.path.exists(path):
- self._parsefile(path)
+ if path in files:
+ self._parsefile(pkg.dirName() + path)
 break
 
 need_set_permissions = False
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-checks-master/MixedFileOwnerships.py new/rpmlint-checks-master/MixedFileOwnerships.py
--- old/rpmlint-checks-master/MixedFileOwnerships.py 1970-01-01 01:00:00.000000000 +0100
+++ new/rpmlint-checks-master/MixedFileOwnerships.py 2020-02-06 10:14:08.000000000 +0100
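Review bot: `if path in files:` keys the lookup off the package's file list, but `%ghost` entries are in that list without being present under `pkg.dirName()`, so `self._parsefile(pkg.dirName() + path)` can try to open a path that was never extracted; guarding the call with the entry's ghost flag (e.g. `if path in files and not files[path].is_ghost:`, assuming the 1.x PkgFile exposes `is_ghost` as I recall) would avoid that. The hunk does not show where `files` is bound — the enclosing method starts above it — so it is worth confirming it is `pkg.files()` and not a name left over from the old `os.path.exists` logic. The direction of the change is right: the old test consulted the filesystem of the machine running rpmlint rather than the contents of the package under review.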
@@ -0,0 +1,40 @@
+#############################################################################
+# File : MixedFileOwnerships.py
+# Package : rpmlint
+# Author : Malte Kraus
+# Purpose : Check for files which have a parent with insecure owner.
+#############################################################################
+
+from AbstractCheck import AbstractCheck
+from Filter import addDetails, printError
+
+
+class MixedFileOwnerships(AbstractCheck):
+ def __init__(self):
+ super().__init__("MixedFileOwnerships")
+
+ def check(self, pkg):
+ if pkg.isSource():
+ return
+
+ files = pkg.files()
+ for path, info in files.items():
+ parent = path.rpartition("/")[0]
+ if parent not in files:
+ # can't figure out who owns the parent directory if it's part of another RPM :(
+ continue
+
+ parent_owner = files[parent].user
+
+ # root user is trusted
+ if info.user != parent_owner and parent_owner not in ('root', '0'):
+ printError(pkg, 'file-parent-ownership-mismatch', path, "owned by", info.user,
+ "is stored in directory owned by different user", parent_owner)
+
+
+check = MixedFileOwnerships()
+
+addDetails("file-parent-ownership-mismatch",
+ """A file or directory is stored in a directory owned by another unprivileged user.
+ This is a security issue since the owner of the parent directory can replace this
+ file/directory with a different one.""")
++++++ rpmlint-tests-84.87+git20200130.c0de5f4.tar.xz -> rpmlint-tests-84.87+git20200206.7e2b64f.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-tests-84.87+git20200130.c0de5f4/tests/mixed-file-owners.ignore new/rpmlint-tests-84.87+git20200206.7e2b64f/tests/mixed-file-owners.ignore
--- old/rpmlint-tests-84.87+git20200130.c0de5f4/tests/mixed-file-owners.ignore 1970-01-01 01:00:00.000000000 +0100
+++ new/rpmlint-tests-84.87+git20200206.7e2b64f/tests/mixed-file-owners.ignore 2020-02-06 10:17:47.000000000 +0100
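Review bot: `check()` has no docstring and nothing in the file states how narrow the lint is: only the immediate parent is examined, only when that parent is shipped by the same package, and only the owner is compared, so a root-owned parent that is group- or world-writable passes here even though it grants the same replacement capability the detail text describes. A docstring on `check()` such as `"""Flag entries whose direct parent directory, when shipped by this package, is owned by a different non-root user; directory mode and group are not considered."""` would save the next reader from re-deriving that from the loop, and the `# root user is trusted` comment could add that `'0'` covers a numeric uid written in `%attr`. The reference output in mixed-file-owners.ref reports the lint as `W:` while the code calls `printError`; presumably the test configuration maps the severity, but that is worth confirming rather than leaving as an apparent inconsistency.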
@@ -0,0 +1 @@
+addFilter(" no-binary")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-tests-84.87+git20200130.c0de5f4/tests/mixed-file-owners.ref new/rpmlint-tests-84.87+git20200206.7e2b64f/tests/mixed-file-owners.ref
--- old/rpmlint-tests-84.87+git20200130.c0de5f4/tests/mixed-file-owners.ref 1970-01-01 01:00:00.000000000 +0100
+++ new/rpmlint-tests-84.87+git20200206.7e2b64f/tests/mixed-file-owners.ref 2020-02-06 10:17:47.000000000 +0100
@@ -0,0 +1,2 @@
+mixed-file-owners: W: file-parent-ownership-mismatch /usr/share/foo/bar owned by root is stored in directory owned by different user bin
+1 packages and 0 specfiles checked; 0 errors, 1 warnings.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-tests-84.87+git20200130.c0de5f4/tests/mixed-file-owners.spec new/rpmlint-tests-84.87+git20200206.7e2b64f/tests/mixed-file-owners.spec
--- old/rpmlint-tests-84.87+git20200130.c0de5f4/tests/mixed-file-owners.spec 1970-01-01 01:00:00.000000000 +0100
+++ new/rpmlint-tests-84.87+git20200206.7e2b64f/tests/mixed-file-owners.spec 2020-02-06 10:17:47.000000000 +0100
@@ -0,0 +1,41 @@
+#
+# spec file for package mixed-file-owners
+#
+# Copyright (c) 2019 SUSE LLC.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: mixed-file-owners
+Version: 1
+Release: 0
+Summary: Test package with a file hierarchy with mixed users
+License: GPL-2.0+
+Url: https://www.opensuse.org/
+
+%description
+description of the package that is longer than the summary so it has some filler text
+
+%install
+mkdir -p ${RPM_BUILD_ROOT}/%_datadir/foo/{bar,baz}
+
+%files
+%dir %attr(-,bin,root) %_datadir/foo
+# bad: user 'foo' has control over root-owned file
+%dir %attr(-,root,root) %_datadir/foo/bar
+# good: file owner matches dir owner
+%dir %attr(-,bin,root) %_datadir/foo/baz
+
+%changelog
+* Fri Jan 17 2020 [email protected]
+ - change history of the spec
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-tests-84.87+git20200130.c0de5f4/tests/permissions2.spec new/rpmlint-tests-84.87+git20200206.7e2b64f/tests/permissions2.spec
--- old/rpmlint-tests-84.87+git20200130.c0de5f4/tests/permissions2.spec 2020-01-30 13:31:47.000000000 +0100
+++ new/rpmlint-tests-84.87+git20200206.7e2b64f/tests/permissions2.spec 2020-02-06 10:17:47.000000000 +0100
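Review bot: The comment `# bad: user 'foo' has control over root-owned file` in the `%files` section names the wrong user — the parent `%_datadir/foo` is given to `bin` by `%attr(-,bin,root)`, and the entry beneath it is a `%dir`, not a file — so it should read `# bad: user 'bin' (owner of %_datadir/foo) has control over root-owned dir`; the expected message in mixed-file-owners.ref already says `bin`. The `Copyright (c) 2019` header on a spec first added in 2020 is cosmetic, but it is easy to fix in the same edit.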
@@ -23,19 +23,36 @@
 %install
 install -d -m 755 %buildroot/bin
 cp /bin/su %buildroot/bin
+cp /bin/su %buildroot/bin/foo
+printf '\0' >> %buildroot/bin/foo
+cp /bin/su %buildroot/bin/bar
+printf '\0\0' >> %buildroot/bin/bar
+# postfix and sendmail are allowed to install their own permissions file
+mkdir -p %buildroot/etc/permissions.d %buildroot/usr/share/permissions/permissions.d
+echo "/bin/foo root:root 4755" > %buildroot/etc/permissions.d/postfix
+echo "/bin/bar root:root 4755" > %buildroot/usr/share/permissions/permissions.d/sendmail
 
 %clean
 rm -rf %buildroot
 
 %verifyscript
 %verify_permissions -e /bin/su
+%verify_permissions -e /bin/foo
+%verify_permissions -e /bin/bar
 
 %post
 %set_permissions /bin/su
+%set_permissions /bin/foo
+%set_permissions /bin/bar
 
 %files
 %defattr(-,root,root)
 %attr(4755,root,root) /bin/su
+%attr(4755,root,root) /bin/foo
+%attr(4755,root,root) /bin/bar
+%config /etc/permissions.d/postfix
+%attr(0600,root,root) /etc/permissions.d/postfix
+%attr(0600,root,root) /usr/share/permissions/permissions.d/sendmail
 
 %changelog
 * Mon Apr 18 2011 [email protected]
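Review bot: `/etc/permissions.d/postfix` is listed twice in `%files` — once as `%config /etc/permissions.d/postfix` and again as `%attr(0600,root,root) /etc/permissions.d/postfix` — which rpmbuild reports as a file listed twice and leaves it to rpmbuild which of the two attribute sets ends up on the packaged file; merge them into the single line `%config %attr(0600,root,root) /etc/permissions.d/postfix`. The sendmail drop-in under /usr/share/permissions/permissions.d carries `%attr(0600,root,root)` without `%config`, which is consistent with a vendor default rather than an admin-editable file, so only the postfix entry needs the change. Since this test is meant to exercise that allowed permissions.d drop-ins are honoured, the duplicate entry is worth removing before it masks a real difference in how the two drop-in locations are packaged.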
