Hello community, here is the log from the commit of package targetcli-fb for openSUSE:Factory checked in at 2020-06-11 10:09:30 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/targetcli-fb (Old) and /work/SRC/openSUSE:Factory/.targetcli-fb.new.3606 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "targetcli-fb" Thu Jun 11 10:09:30 2020 rev:19 rq:813264 version:2.1.52 Changes: -------- --- /work/SRC/openSUSE:Factory/targetcli-fb/targetcli-fb.changes 2020-05-26 17:19:19.911976292 +0200 +++ /work/SRC/openSUSE:Factory/.targetcli-fb.new.3606/targetcli-fb.changes 2020-06-11 10:11:37.232494115 +0200 @@ -1,0 +2,10 @@ +Wed Jun 10 01:25:12 UTC 2020 - Lee Duncan <[email protected]> + +- Added 4 upstream commits for CVE-2020-13867 (bsc#1172743), + adding patches: + * 0001-uds-set-right-permissions-at-bind-time.patch + * 0002-saveconfig-set-0o600-perms-on-backupfiles.patch + * 0003-saveconfig-set-right-perms-on-backup-dir.patch + * 0004-saveconfig-set-right-perms-on-etc-target-dir.patch + +------------------------------------------------------------------- New: ---- 0001-uds-set-right-permissions-at-bind-time.patch 0002-saveconfig-set-0o600-perms-on-backupfiles.patch 0003-saveconfig-set-right-perms-on-backup-dir.patch 0004-saveconfig-set-right-perms-on-etc-target-dir.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ targetcli-fb.spec ++++++ --- /var/tmp/diff_new_pack.j3C0IU/_old 2020-06-11 10:11:38.784499082 +0200 +++ /var/tmp/diff_new_pack.j3C0IU/_new 2020-06-11 10:11:38.784499082 +0200 @@ -54,10 +54,18 @@ Obsoletes: targetcli-rbd < %{version} %endif %{?systemd_ordering} + +# SUSE-specific patches Patch1: Split-out-blockdev-readonly-state-detection-helper.patch Patch2: rbd-support.patch Patch3: fix-setup-install.patch +# upstreamed patches +Patch11: 0001-uds-set-right-permissions-at-bind-time.patch +Patch12: 0002-saveconfig-set-0o600-perms-on-backupfiles.patch +Patch13: 0003-saveconfig-set-right-perms-on-backup-dir.patch +Patch14: 0004-saveconfig-set-right-perms-on-etc-target-dir.patch + %python_subpackages %description 
@@ -87,6 +95,10 @@ %patch2 -p1 %endif %patch3 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 %build %python_build ++++++ 0001-uds-set-right-permissions-at-bind-time.patch ++++++ >From e347f7ea20547052e8fc1b65cba5e3f3ef2bf3d8 Mon Sep 17 00:00:00 2001 From: Prasanna Kumar Kalever <[email protected]> Date: Fri, 29 May 2020 18:31:21 +0530 Subject: [PATCH 1/4] uds: set right permissions at bind() time We fixed it earlier with commit 6e4f39357a90a914d11bac21cc2d2b52c07c213d but that fixes the issue when someone run the targetclid with systemd only. If we don't use targetclid.socket and want to run `targetclid` from command line, then socket.bind() will create the file with default permissions. Hence its good if we can guard the permissions right at the time of .bind() Signed-off-by: Prasanna Kumar Kalever <[email protected]> --- daemon/targetclid | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/daemon/targetclid b/daemon/targetclid index 329cede5da87..9bf8ae7ed14e 100755 --- a/daemon/targetclid +++ b/daemon/targetclid @@ -28,6 +28,7 @@ from threading import Thread import os import sys +import stat import socket import struct import fcntl @@ -238,12 +239,17 @@ def main(): # save socket so a signal can clea it up to.sock = sock + mode = stat.S_IRUSR | stat.S_IWUSR # 0o600 + umask = 0o777 ^ mode # Prevents always downgrading umask to 0 + umask_original = os.umask(umask) # Bind the socket path try: sock.bind(to.socket_path) except socket.error as err: to.display(to.render(err.strerror, 'red')) sys.exit(1) + finally: + os.umask(umask_original) # Listen for incoming connections try: -- 2.26.2 ++++++ 0002-saveconfig-set-0o600-perms-on-backupfiles.patch ++++++ >From 1940a17986deaab92e6be395f20ee55dac0ac2bd Mon Sep 17 00:00:00 2001 From: Prasanna Kumar Kalever <[email protected]> Date: Fri, 29 May 2020 14:51:28 +0530 Subject: [PATCH 2/4] saveconfig: set 0o600 perms on backupfiles 
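Review bot: The comment `# Prevents always downgrading umask to 0` on the new `umask = 0o777 ^ mode` line in main() does not say what the mask is for. A comment such as `# mask every bit except owner rw, so bind() creates the socket file as 0o600` would state the intent, since the socket's mode is the only access control visible here. main() starts and ends outside this hunk, so what else runs between the `os.umask(umask)` call and the restore in `finally` cannot be checked from here.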
Signed-off-by: Prasanna Kumar Kalever <[email protected]> --- targetcli/ui_root.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/targetcli/ui_root.py b/targetcli/ui_root.py index 26815bd2b8fa..6e99b8cfcb78 100644 --- a/targetcli/ui_root.py +++ b/targetcli/ui_root.py @@ -125,12 +125,17 @@ class UIRoot(UINode): # Save backup if backup dir is empty, or savefile is differnt from recent backup copy if not backed_files_list or not self._compare_files(backed_files_list[-1], savefile): + mode = stat.S_IRUSR | stat.S_IWUSR # 0o600 + umask = 0o777 ^ mode # Prevents always downgrading umask to 0 + umask_original = os.umask(umask) try: with open(savefile, 'rb') as f_in, gzip.open(backupfile, 'wb') as f_out: shutil.copyfileobj(f_in, f_out) f_out.flush() except IOError as ioe: backup_error = ioe.strerror or "Unknown error" + finally: + os.umask(umask_original) if backup_error == None: # remove excess backups -- 2.26.2 ++++++ 0003-saveconfig-set-right-perms-on-backup-dir.patch ++++++ >From 3bdef6d1aa1f64c03816af68bd5fb2bd1bbb29be Mon Sep 17 00:00:00 2001 From: Prasanna Kumar Kalever <[email protected]> Date: Fri, 29 May 2020 15:05:35 +0530 Subject: [PATCH 3/4] saveconfig: set right perms on backup dir Signed-off-by: Prasanna Kumar Kalever <[email protected]> --- targetcli/ui_root.py | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/targetcli/ui_root.py b/targetcli/ui_root.py index 6e99b8cfcb78..b24c789f213d 100644 --- a/targetcli/ui_root.py +++ b/targetcli/ui_root.py 
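Review bot: The `os.umask(umask)` / `finally: os.umask(umask_original)` pair around the backup write changes the mask for the whole process, so another thread creating a file during the copy inherits it, and interleaved save/restore pairs can leave the wrong mask behind. Patch 1/4's context shows targetclid importing `Thread`, so this may run threaded, though that is not visible here. The same pattern recurs in the 3/4 and 4/4 hunks. Creating the file with an explicit mode avoids touching the umask, e.g. `fd = os.open(backupfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)` with `os.fdopen(fd, 'wb')` passed to `gzip.GzipFile(fileobj=...)`. Backups written before this change keep their old mode because nothing here chmods existing files, and the patch adds no `import stat` to ui_root.py, so confirm it is already imported; the enclosing method starts and ends outside the hunk.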
@@ -109,12 +109,21 @@ class UIRoot(UINode): backupfile = backup_dir + backup_name backup_error = None + mode = stat.S_IRUSR | stat.S_IWUSR # 0o600 + umask = 0o777 ^ mode # Prevents always downgrading umask to 0 + if not os.path.exists(backup_dir): + umask_original = os.umask(umask) try: - os.makedirs(backup_dir) + os.makedirs(backup_dir, mode) except OSError as exe: raise ExecutionError("Cannot create backup directory [%s] %s." % (backup_dir, exe.strerror)) + finally: + os.umask(umask_original) + else: + if (os.stat(backup_dir).st_mode & 0o777) != mode: + os.chmod(backup_dir, mode) # Only save backups if savefile exits if not os.path.exists(savefile): @@ -125,8 +134,6 @@ class UIRoot(UINode): # Save backup if backup dir is empty, or savefile is differnt from recent backup copy if not backed_files_list or not self._compare_files(backed_files_list[-1], savefile): - mode = stat.S_IRUSR | stat.S_IWUSR # 0o600 - umask = 0o777 ^ mode # Prevents always downgrading umask to 0 umask_original = os.umask(umask) try: with open(savefile, 'rb') as f_in, gzip.open(backupfile, 'wb') as f_out: -- 2.26.2 ++++++ 0004-saveconfig-set-right-perms-on-etc-target-dir.patch ++++++ >From 9f5764dac39b5b75ee6b5d9e4db419d09d64b898 Mon Sep 17 00:00:00 2001 From: Prasanna Kumar Kalever <[email protected]> Date: Fri, 29 May 2020 15:36:27 +0530 Subject: [PATCH 4/4] saveconfig: set right perms on /etc/target/ dir Signed-off-by: Prasanna Kumar Kalever <[email protected]> --- targetcli/ui_root.py | 40 +++++++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/targetcli/ui_root.py b/targetcli/ui_root.py index b24c789f213d..39e5ee99c342 100644 --- a/targetcli/ui_root.py +++ b/targetcli/ui_root.py 
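Review bot: `os.makedirs(backup_dir, mode)` and the `os.chmod(backup_dir, mode)` in the else branch give the backup directory 0o600, which has no owner search (x) bit. A directory normally needs 0o700 for its owner to open files inside it, so 0o600 only works for a process that bypasses permission checks, such as root. A separate directory mode, `dir_mode = stat.S_IRWXU  # 0o700`, keeps the directory owner-only and still usable; the same 0o600 directory mode is carried into `_create_dir` in patch 4/4. The `os.stat`/`os.chmod` in the else branch also sit outside the try, so an OSError there is not converted to ExecutionError the way the makedirs failure is. The enclosing method starts before the hunk.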
@@ -95,6 +95,26 @@ class UIRoot(UINode): else: return False + def _create_dir(self, dirname): + ''' + create directory with permissions 0o600 set + if directory already exists, set right perms + ''' + mode = stat.S_IRUSR | stat.S_IWUSR # 0o600 + if not os.path.exists(dirname): + umask = 0o777 ^ mode # Prevents always downgrading umask to 0 + umask_original = os.umask(umask) + try: + os.makedirs(dirname, mode) + except OSError as exe: + raise ExecutionError("Cannot create directory [%s] %s." + % (dirname, exe.strerror)) + finally: + os.umask(umask_original) + else: + if (os.stat(dirname).st_mode & 0o777) != mode: + os.chmod(dirname, mode) + def _save_backups(self, savefile): ''' Take backup of config-file if needed. @@ -109,21 +129,7 @@ class UIRoot(UINode): backupfile = backup_dir + backup_name backup_error = None - mode = stat.S_IRUSR | stat.S_IWUSR # 0o600 - umask = 0o777 ^ mode # Prevents always downgrading umask to 0 - - if not os.path.exists(backup_dir): - umask_original = os.umask(umask) - try: - os.makedirs(backup_dir, mode) - except OSError as exe: - raise ExecutionError("Cannot create backup directory [%s] %s." - % (backup_dir, exe.strerror)) - finally: - os.umask(umask_original) - else: - if (os.stat(backup_dir).st_mode & 0o777) != mode: - os.chmod(backup_dir, mode) + self._create_dir(backup_dir) # Only save backups if savefile exits if not os.path.exists(savefile): @@ -134,6 +140,8 @@ class UIRoot(UINode): # Save backup if backup dir is empty, or savefile is differnt from recent backup copy if not backed_files_list or not self._compare_files(backed_files_list[-1], savefile): + mode = stat.S_IRUSR | stat.S_IWUSR # 0o600 + umask = 0o777 ^ mode # Prevents always downgrading umask to 0 umask_original = os.umask(umask) try: with open(savefile, 'rb') as f_in, gzip.open(backupfile, 'wb') as f_out: 
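Review bot: In `_create_dir`, `os.path.exists(dirname)` is also true for a regular file or a symlink, so the else branch will `os.chmod` whatever the path resolves to rather than only a real directory. Checking `os.path.isdir(dirname) and not os.path.islink(dirname)` before the chmod, and raising ExecutionError otherwise, would keep the helper from changing the mode of an unintended object. The exists-then-makedirs sequence also reports "Cannot create directory" if the directory appears between the two calls, although the directory is then present. The docstring should say that an existing directory has its mode rewritten, e.g. `'''Create dirname owner-only; an existing directory has its mode reset too.'''`, because callers passing an arbitrary path need to know that.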
@@ -179,6 +187,8 @@ class UIRoot(UINode): savefile = os.path.expanduser(savefile) + save_dir = os.path.dirname(savefile) + self._create_dir(save_dir) self._save_backups(savefile) self.rtsroot.save_to_file(savefile) -- 2.26.2
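Review bot: `self._create_dir(save_dir)` runs on `os.path.dirname(savefile)` for whatever path was supplied, and `_create_dir` (added earlier in this patch) resets an existing directory to 0o600. Saving into any existing directory, such as a home or shared directory, therefore rewrites that directory's permissions. A savefile with no directory component gives `save_dir == ''`, for which `os.makedirs('')` raises and the save fails with "Cannot create directory". Limiting the permission reset to directories this code created, or to the default configuration directory, and guarding the call with `if save_dir: self._create_dir(save_dir)` would avoid both. The enclosing method starts and ends outside the hunk, so how `savefile` is defaulted is not visible here.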
