Hello community, here is the log from the commit of package frr for openSUSE:Factory checked in at 2020-06-03 20:31:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/frr (Old) and /work/SRC/openSUSE:Factory/.frr.new.3606 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "frr"
Wed Jun 3 20:31:57 2020 rev:6 rq:810509 version:7.3.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/frr/frr.changes 2020-05-07 14:55:15.362377195 +0200
+++ /work/SRC/openSUSE:Factory/.frr.new.3606/frr.changes 2020-06-03 20:32:47.965224696 +0200
@@ -1,0 +2,5 @@
+Sun May 31 22:40:46 UTC 2020 - Erico Mendonca <[email protected]>
+
+- 0001-build-use-configfile-mode-in-init-script.patch: Fix CVE-2020-12831 (boo#1171658).
+
+-------------------------------------------------------------------
New:
----
 0001-build-use-configfile-mode-in-init-script.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ frr.spec ++++++
--- /var/tmp/diff_new_pack.e49KgT/_old 2020-06-03 20:32:49.053228107 +0200
+++ /var/tmp/diff_new_pack.e49KgT/_new 2020-06-03 20:32:49.061228131 +0200
@@ -37,6 +37,8 @@
 Group: Productivity/Networking/System
 URL: https://www.frrouting.org
 #Git-Clone: https://github.com/FRRouting/frr.git
+# PATCH-FIX-UPSTREAM: build-use-configfile-mode-in-init-script
+Patch1: 0001-build-use-configfile-mode-in-init-script.patch
 Source: https://github.com/FRRouting/frr/archive/%{name}-%{version}.tar.gz
 Source1: %{name}-tmpfiles.d
 BuildRequires: %{python_module Sphinx}
@@ -170,6 +172,7 @@
 %prep
 %setup -q -n %{name}-%{name}-%{version}
+%patch1 -p1
 %build
 # GCC LTO objects must be "fat" to avoid assembly errors
++++++ 0001-build-use-configfile-mode-in-init-script.patch ++++++
>From 5c9063771195bb51a8cc1c64f9924e53a0602817 Mon Sep 17 00:00:00 2001
From: David Lamparter <[email protected]>
Date: Mon, 11 May 2020 21:37:08 +0200
Subject: [PATCH] build: use configfile mode in init script
This only applies for split-config; the init script would create an empty config file with default permissions.
Reported-by: Robert Scheck <[email protected]>
Signed-off-by: David Lamparter <[email protected]>
---
 configure.ac | 1 +
 tools/frr.in | 2 ++
 tools/frrcommon.sh.in | 2 ++
 3 files changed, 5 insertions(+)
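Review bot: The patch tag comment above `Patch1:` carries no bug or CVE reference, so the spec on its own does not say why the patch is there. The changelog entry in this same request names CVE-2020-12831 and boo#1171658; repeating them in the tag keeps that link visible to anyone reading the spec, for example `# PATCH-FIX-UPSTREAM 0001-build-use-configfile-mode-in-init-script.patch boo#1171658 CVE-2020-12831 -- use configfile mode in init script`.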
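Review bot: Applying the patch with `%patch1 -p1` only changes what the init script does from now on; nothing in the visible spec changes tightens config files that an earlier build already created. The patch description says the empty file was created with default permissions under split-config, so upgraded systems may keep readable per-daemon config files unless the script re-applies the mode to existing files, which is not visible here. Consider a `%post` step that resets owner and mode on existing per-daemon config files, or at least a changelog line telling administrators to check them after the update.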
diff --git a/configure.ac b/configure.ac
index faaf1dd23..d4c652c6e 100755
--- a/configure.ac
+++ b/configure.ac
@@ -813,6 +813,7 @@ AC_SUBST([enable_vty_group])
 enable_configfile_mask=${enable_configfile_mask:-0600}
 AC_DEFINE_UNQUOTED([CONFIGFILE_MASK], [${enable_configfile_mask}], [Mask for config files])
+AC_SUBST([enable_configfile_mask])
 enable_logfile_mask=${enable_logfile_mask:-0600}
 AC_DEFINE_UNQUOTED([LOGFILE_MASK], [${enable_logfile_mask}], [Mask for log files])
diff --git a/tools/frr.in b/tools/frr.in
index d9816c256..40862aa4c 100755
--- a/tools/frr.in
+++ b/tools/frr.in
@@ -21,6 +21,7 @@ VTYSH="@vtysh_bin@" # /usr/bin/vtysh
 FRR_USER="@enable_user@" # frr
 FRR_GROUP="@enable_group@" # frr
 FRR_VTY_GROUP="@enable_vty_group@" # frrvty
+FRR_CONFIG_MODE="@enable_configfile_mask@" # 0600
 FRR_DEFAULT_PROFILE="@DFLT_NAME@" # traditional / datacenter
 # Local Daemon selection may be done by using /etc/frr/daemons.
@@ -56,6 +57,7 @@ chownfrr()
 {
 test -n "$FRR_USER" && chown "$FRR_USER" "$1"
 test -n "$FRR_GROUP" && chgrp "$FRR_GROUP" "$1"
+ test -n "$FRR_CONFIG_MODE" && chmod "$FRR_CONFIG_MODE" "$1"
 }
 # Check if daemon is started by using the pidfile.
diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
index 0dfdfd0ef..9dc8cea60 100644
--- a/tools/frrcommon.sh.in
+++ b/tools/frrcommon.sh.in
@@ -24,6 +24,7 @@ VTYSH="@vtysh_bin@" # /usr/bin/vtysh
 FRR_USER="@enable_user@" # frr
 FRR_GROUP="@enable_group@" # frr
 FRR_VTY_GROUP="@enable_vty_group@" # frrvty
+FRR_CONFIG_MODE="@enable_configfile_mask@" # 0600
 FRR_DEFAULT_PROFILE="@DFLT_NAME@" # traditional / datacenter
 # ORDER MATTERS FOR $DAEMONS!
@@ -53,6 +54,7 @@ debug() {
 chownfrr() {
 [ -n "$FRR_USER" ] && chown "$FRR_USER" "$1"
 [ -n "$FRR_GROUP" ] && chgrp "$FRR_GROUP" "$1"
+ [ -n "$FRR_CONFIG_MODE" ] && chmod "$FRR_CONFIG_MODE" "$1"
 }
 vtysh_b () {
-- 
2.21.1 (Apple Git-122.3)
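Review bot: `AC_SUBST([enable_configfile_mask])` exports a value that is named and described as a mask (`[Mask for config files]`), yet the script hunks later in this patch pass it straight to `chmod` as a mode. Someone who sets it to a umask-style value would get that value applied as the file's permissions, which can be far more open than intended, and nothing visible here checks that it is an octal mode. A comment next to the default such as `# despite the name this is a file mode handed to chmod (default 0600), not a umask`, or a configure-time check that rejects anything but an octal mode, would make the contract explicit.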
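Review bot: The added `chmod` in `chownfrr()` of tools/frr.in runs only after the file already exists, so between creation and this call the file still has the default, umask-derived permissions. A descriptor opened during that window stays usable after the mode changes, so if the daemon later writes into the same file rather than replacing it (not visible here), the exposure is narrowed but not fully closed. Creating the file under a restrictive umask at the creation site, which lies outside this hunk, keeps it private from the start, for example `( umask 077; touch "$file" )` with `$file` standing for whatever path the caller uses. The `chownfrr()` hunk in tools/frrcommon.sh.in has the same ordering.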
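Review bot: `chownfrr()` in tools/frrcommon.sh.in now sets the mode as well as owner and group, but neither its name nor any comment says so, and the hunk does not show its callers. If a call site passes a directory or a file that is not a daemon config, that path will now be set to `FRR_CONFIG_MODE` (0600 by default) too. A header comment such as `# chownfrr FILE: apply FRR owner, group and config-file mode to a config file; not for directories` would record the contract, and the same function in tools/frr.in has the same gap. The call sites lie outside the hunk and need checking separately.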
