drop CVE-2021-3621.patch refresh a few patches fixup configure-unsafe globally via sed in build.m4
=== test RESULTS - sssd.SSSDTest.test_sssd_help: PASSED (1.70s) RESULTS - sssd.SSSDTest.test_sssd_sssctl_conf_perms_chk: PASSED (2.71s) RESULTS - sssd.SSSDTest.test_sssd_sssctl_deamon: PASSED (2.07s) Signed-off-by: Armin Kuster <akuster...@gmail.com> --- .../sssd/files/CVE-2021-3621.patch | 288 ------------------ .../recipes-security/sssd/files/fix_gid.patch | 8 +- .../recipes-security/sssd/files/no_gen.patch | 8 +- .../sssd/{sssd_2.5.2.bb => sssd_2.7.1.bb} | 27 +- 4 files changed, 24 insertions(+), 307 deletions(-) delete mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch rename dynamic-layers/networking-layer/recipes-security/sssd/{sssd_2.5.2.bb => sssd_2.7.1.bb} (86%) diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch deleted file mode 100644 index 7a59df9..0000000 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch +++ /dev/null @@ -1,288 +0,0 @@ -Backport patch to fix CVE-2021-3621. - -Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/7ab83f9] -CVE: CVE-2021-3621 - -Signed-off-by: Kai Kang <kai.k...@windriver.com> - -From 7ab83f97e1cbefb78ece17232185bdd2985f0bbe Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov <atikh...@redhat.com> -Date: Fri, 18 Jun 2021 13:17:19 +0200 -Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of - user supplied command -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -:relnote: A flaw was found in SSSD, where the sssctl command was -vulnerable to shell command injection via the logs-fetch and -cache-expire subcommands. This flaw allows an attacker to trick -the root user into running a specially crafted sssctl command, -such as via sudo, to gain root access. The highest threat from this -vulnerability is to confidentiality, integrity, as well as system -availability. -This patch fixes a flaw by replacing system() with execvp(). - -:fixes: CVE-2021-3621 - -Reviewed-by: Pavel Březina <pbrez...@redhat.com> ---- - src/tools/sssctl/sssctl.c | 39 ++++++++++++++++------- - src/tools/sssctl/sssctl.h | 2 +- - src/tools/sssctl/sssctl_data.c | 57 +++++++++++----------------------- - src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++---- - 4 files changed, 73 insertions(+), 57 deletions(-) - -diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c -index 2997dbf968..8adaf30910 100644 ---- a/src/tools/sssctl/sssctl.c -+++ b/src/tools/sssctl/sssctl.c -@@ -97,22 +97,36 @@ sssctl_prompt(const char *message, - return SSSCTL_PROMPT_ERROR; - } - --errno_t sssctl_run_command(const char *command) -+errno_t sssctl_run_command(const char *const argv[]) - { - int ret; -+ int wstatus; - -- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command); -+ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]); - -- ret = system(command); -+ ret = fork(); - if (ret == -1) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command); - ERROR("Error while executing external command\n"); - return EFAULT; -- } else if (WEXITSTATUS(ret) != 0) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n", -- command, WEXITSTATUS(ret)); -+ } -+ -+ if (ret == 0) { -+ /* cast is safe - see -+ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html -+ "The statement about argv[] and envp[] being constants ... " -+ */ -+ execvp(argv[0], discard_const_p(char * const, argv)); - ERROR("Error while executing external command\n"); -- return EIO; -+ _exit(1); -+ } else { -+ if (waitpid(ret, &wstatus, 0) == -1) { -+ ERROR("Error while executing external command '%s'\n", argv[0]); -+ return EFAULT; -+ } else if (WEXITSTATUS(wstatus) != 0) { -+ ERROR("Command '%s' failed with [%d]\n", -+ argv[0], WEXITSTATUS(wstatus)); -+ return EIO; -+ } - } - - return EOK; -@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action) - #elif defined(HAVE_SERVICE) - switch (action) { - case SSSCTL_SVC_START: -- return sssctl_run_command(SERVICE_PATH" sssd start"); -+ return sssctl_run_command( -+ (const char *[]){SERVICE_PATH, "sssd", "start", NULL}); - case SSSCTL_SVC_STOP: -- return sssctl_run_command(SERVICE_PATH" sssd stop"); -+ return sssctl_run_command( -+ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL}); - case SSSCTL_SVC_RESTART: -- return sssctl_run_command(SERVICE_PATH" sssd restart"); -+ return sssctl_run_command( -+ (const char *[]){SERVICE_PATH, "sssd", "restart", NULL}); - } - #endif - -diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h -index 0115b2457c..599ef65196 100644 ---- a/src/tools/sssctl/sssctl.h -+++ b/src/tools/sssctl/sssctl.h -@@ -47,7 +47,7 @@ enum sssctl_prompt_result - sssctl_prompt(const char *message, - enum sssctl_prompt_result defval); - --errno_t sssctl_run_command(const char *command); -+errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */ - bool sssctl_start_sssd(bool force); - bool sssctl_stop_sssd(bool force); - bool sssctl_restart_sssd(bool force); -diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c -index 8d79b977fd..bf22913416 100644 ---- a/src/tools/sssctl/sssctl_data.c -+++ b/src/tools/sssctl/sssctl_data.c -@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force) - } - } - -- ret = sssctl_run_command("sss_override user-export " -- SSS_BACKUP_USER_OVERRIDES); -+ ret = sssctl_run_command((const char *[]){"sss_override", "user-export", -+ SSS_BACKUP_USER_OVERRIDES, NULL}); - if (ret != EOK) { - ERROR("Unable to export user overrides\n"); - return ret; - } - -- ret = sssctl_run_command("sss_override group-export " -- SSS_BACKUP_GROUP_OVERRIDES); -+ ret = sssctl_run_command((const char *[]){"sss_override", "group-export", -+ SSS_BACKUP_GROUP_OVERRIDES, NULL}); - if (ret != EOK) { - ERROR("Unable to export group overrides\n"); - return ret; -@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) - } - - if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { -- ret = sssctl_run_command("sss_override user-import " -- SSS_BACKUP_USER_OVERRIDES); -+ ret = sssctl_run_command((const char *[]){"sss_override", "user-import", -+ SSS_BACKUP_USER_OVERRIDES, NULL}); - if (ret != EOK) { - ERROR("Unable to import user overrides\n"); - return ret; -@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) - } - - if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { -- ret = sssctl_run_command("sss_override group-import " -- SSS_BACKUP_GROUP_OVERRIDES); -+ ret = sssctl_run_command((const char *[]){"sss_override", "group-import", -+ SSS_BACKUP_GROUP_OVERRIDES, NULL}); - if (ret != EOK) { - ERROR("Unable to import group overrides\n"); - return ret; -@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline, - void *pvt) - { - errno_t ret; -- char *cmd_args = NULL; -- const char *cachecmd = SSS_CACHE; -- char *cmd = NULL; -- int i; -- -- if (cmdline->argc == 0) { -- ret = sssctl_run_command(cachecmd); -- goto done; -- } - -- cmd_args = talloc_strdup(tool_ctx, ""); -- if (cmd_args == NULL) { -- ret = ENOMEM; -- goto done; -+ const char **args = talloc_array_size(tool_ctx, -+ sizeof(char *), -+ cmdline->argc + 2); -+ if (!args) { -+ return ENOMEM; - } -+ memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc); -+ args[0] = SSS_CACHE; -+ args[cmdline->argc + 1] = NULL; - -- for (i = 0; i < cmdline->argc; i++) { -- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]); -- if (i != cmdline->argc - 1) { -- cmd_args = talloc_strdup_append(cmd_args, " "); -- } -- } -- -- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args); -- if (cmd == NULL) { -- ret = ENOMEM; -- goto done; -- } -- -- ret = sssctl_run_command(cmd); -- --done: -- talloc_free(cmd_args); -- talloc_free(cmd); -+ ret = sssctl_run_command(args); - -+ talloc_free(args); - return ret; - } -diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c -index 9ff2be05b6..ebb2c4571c 100644 ---- a/src/tools/sssctl/sssctl_logs.c -+++ b/src/tools/sssctl/sssctl_logs.c -@@ -31,6 +31,7 @@ - #include <ldb.h> - #include <popt.h> - #include <stdio.h> -+#include <glob.h> - - #include "util/util.h" - #include "tools/common/sss_process.h" -@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline, - { - struct sssctl_logs_opts opts = {0}; - errno_t ret; -+ glob_t globbuf; - - /* Parse command line. */ - struct poptOption options[] = { -@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline, - - sss_signal(SIGHUP); - } else { -+ globbuf.gl_offs = 4; -+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf); -+ if (ret != 0) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n"); -+ return ret; -+ } -+ globbuf.gl_pathv[0] = discard_const_p(char, "truncate"); -+ globbuf.gl_pathv[1] = discard_const_p(char, "--no-create"); -+ globbuf.gl_pathv[2] = discard_const_p(char, "--size"); -+ globbuf.gl_pathv[3] = discard_const_p(char, "0"); -+ - PRINT("Truncating log files...\n"); -- ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES); -+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv); -+ globfree(&globbuf); - if (ret != EOK) { - ERROR("Unable to truncate log files\n"); - return ret; -@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline, - void *pvt) - { - const char *file; -- const char *cmd; - errno_t ret; -+ glob_t globbuf; - - /* Parse command line. */ - ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL, -@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline, - return ret; - } - -- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES); -- if (cmd == NULL) { -- ERROR("Out of memory!"); -+ globbuf.gl_offs = 3; -+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf); -+ if (ret != 0) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n"); -+ return ret; - } -+ globbuf.gl_pathv[0] = discard_const_p(char, "tar"); -+ globbuf.gl_pathv[1] = discard_const_p(char, "-czf"); -+ globbuf.gl_pathv[2] = discard_const_p(char, file); - - PRINT("Archiving log files into %s...\n", file); -- ret = sssctl_run_command(cmd); -+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv); -+ globfree(&globbuf); - if (ret != EOK) { - ERROR("Unable to archive log files\n"); - return ret; diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch index 9b481cc..419b83f 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch @@ -12,10 +12,10 @@ from ../sssd-2.5.0/src/util/sss_pam_data.c:27: Upstream-Status: Pending Signed-off-by: Armin Kuster <akuster...@gmail.com> -Index: sssd-2.5.0/src/util/debug.h +Index: sssd-2.7.1/src/util/debug.h =================================================================== ---- sssd-2.5.0.orig/src/util/debug.h -+++ sssd-2.5.0/src/util/debug.h +--- sssd-2.7.1.orig/src/util/debug.h ++++ sssd-2.7.1/src/util/debug.h @@ -24,6 +24,8 @@ #include "config.h" @@ -23,5 +23,5 @@ Index: sssd-2.5.0/src/util/debug.h +#include <unistd.h> +#include <sys/types.h> #include <stdbool.h> + #include <sys/types.h> - #include "util/util_errors.h" diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch index 5c83777..7d8e80b 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch @@ -4,11 +4,11 @@ Upstream-Status: Inappropriate [OE Specific] Signed-off-by: Armin Kuster <akuster...@gmail.com> -Index: sssd-2.5.0/Makefile.am +Index: sssd-2.7.1/Makefile.am =================================================================== ---- sssd-2.5.0.orig/Makefile.am -+++ sssd-2.5.0/Makefile.am -@@ -1033,8 +1033,6 @@ generate-sbus-code: +--- sssd-2.7.1.orig/Makefile.am ++++ sssd-2.7.1/Makefile.am +@@ -1023,8 +1023,6 @@ generate-sbus-code: .PHONY: generate-sbus-code diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.1.bb similarity index 86% rename from dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb rename to dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.1.bb index 9f1d627..71f14a0 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb +++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.1.bb @@ -5,8 +5,9 @@ SECTION = "base" LICENSE = "GPL-3.0-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" -DEPENDS = "acl attr openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive" -DEPENDS:append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent bind p11-kit" +DEPENDS = "acl attr cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive" +DEPENDS:append = " libldb dbus libtalloc libpcre2 glib-2.0 popt e2fsprogs libtevent" +DEPENDS:append = " openldap bind p11-kit jansson softhsm openssl libunistring" DEPENDS:append:libc-musl = " musl-nscd" @@ -23,10 +24,9 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.g file://drop_ntpdate_chk.patch \ file://fix-ldblibdir.patch \ file://musl_fixup.patch \ - file://CVE-2021-3621.patch \ " -SRC_URI[sha256sum] = "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f" +SRC_URI[sha256sum] = "8eebd541a640aec95ed4b2da89713f0cbe8e4edf96895fbb972c0b9d570635c3" inherit autotools pkgconfig gettext python3-dir features_check systemd @@ -39,7 +39,7 @@ CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \ ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \ " -PACKAGECONFIG ?="nss nscd autofs sudo infopipe" +PACKAGECONFIG ?="nss autofs sudo infopipe" PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" @@ -49,8 +49,8 @@ PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson" PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, " PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native" PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl" -PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no " PACKAGECONFIG[nss] = ", ,nss," +PACKAGECONFIG[oidc_child] = "--with-oidc-child, --without-oidc-child" PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings" PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba" PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux" @@ -65,7 +65,6 @@ EXTRA_OECONF += " \ --without-python2-bindings \ --enable-pammoddir=${base_libdir}/security \ --without-python2-bindings \ - --without-secrets \ --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \ --with-pid-path=/run \ " @@ -74,8 +73,8 @@ do_configure:prepend() { mkdir -p ${AUTOTOOLS_AUXDIR}/build cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/ - # libresove has host path, remove it - sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4 + # additional_libdir defaults to /usr/lib so replace with staging_libdir globally + sed -i -e "s#\$additional_libdir#\${STAGING_LIBDIR}#" ${S}/src/build_macros.m4 } do_compile:prepend () { @@ -84,7 +83,11 @@ do_compile:prepend () { do_install () { oe_runmake install DESTDIR="${D}" rmdir --ignore-fail-on-non-empty "${D}/${bindir}" + install -d ${D}/${sysconfdir}/${BPN} + install -d ${D}/${PYTHON_SITEPACKAGES_DIR} + mv ${D}/${BPN} ${D}/${PYTHON_SITEPACKAGES_DIR} + install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN} # /var/log/sssd needs to be created in runtime. Use rmdir to catch if @@ -106,6 +109,7 @@ do_install () { # Remove /run as it is created on startup rm -rf ${D}/run +# rm -fr ${D}/sssd rm -f ${D}${systemd_system_unitdir}/sssd-secrets.* } @@ -116,8 +120,6 @@ fi chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf } -FILES:${PN} += "${nonarch_libdir}/tmpfiles.d" - CONFFILES:${PN} = "${sysconfdir}/${BPN}/${BPN}.conf" INITSCRIPT_NAME = "sssd" @@ -141,10 +143,13 @@ PACKAGES =+ "libsss-sudo" ALLOW_EMPTY:libsss-sudo = "1" FILES:${PN} += "${base_libdir}/security/pam_sss*.so \ + ${nonarch_libdir}/tmpfiles.d \ ${datadir}/dbus-1/system-services/*.service \ ${libdir}/krb5/* \ ${libdir}/ldb/* \ + ${PYTHON_SITEPACKAGES_DIR}/sssd \ " + FILES:libsss-sudo = "${libdir}/libsss_sudo.so" RDEPENDS:${PN} = "bind bind-utils dbus libldb libpam libsss-sudo" -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#57323): https://lists.yoctoproject.org/g/yocto/message/57323 Mute This Topic: https://lists.yoctoproject.org/mt/91694051/21656 Group Owner: yocto+ow...@lists.yoctoproject.org Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-