RHEL 9.1.0 ERRATUM

- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path Resolves: rhbz#2069123 - Faulty handling of static applications Resolves: rhbz#2096457 Signed-off-by: Radovan Sroka <rsroka@redhat.com>
2022-06-16 17:20:05 +02:00 · 2022-06-16 17:20:05 +02:00 · 586b5e37fd
commit 586b5e37fd
parent c17d1d3f6b
3 changed files with 70 additions and 4 deletions
--- a/fapolicyd-1.1.1-ld_so.patch
+++ b/fapolicyd-1.1.1-ld_so.patch
@ -0,0 +1,27 @@
+diff -urp fapolicyd-1.1.1.orig/fapolicyd.spec fapolicyd-1.1.1/fapolicyd.spec
+--- fapolicyd-1.1.1.orig/fapolicyd.spec	2022-01-28 15:17:55.000000000 -0500
+++ fapolicyd-1.1.1/fapolicyd.spec	2022-01-28 15:19:31.594155397 -0500
+@@ -30,7 +30,7 @@ makes use of the kernel's fanotify inter
+ # generate rules for python
+ sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
+ sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
+-sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
+sed -i "s/%ld_so_path%/`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev  | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
+ 
+ %build
+ %configure \
+diff -urp fapolicyd-1.1.1.orig/m4/dyn_linker.m4 fapolicyd-1.1.1/m4/dyn_linker.m4
+--- fapolicyd-1.1.1.orig/m4/dyn_linker.m4	2022-01-28 15:17:55.000000000 -0500
+++ fapolicyd-1.1.1/m4/dyn_linker.m4	2022-01-28 15:20:02.048609672 -0500
+@@ -1,6 +1,10 @@
+ AC_DEFUN([LD_SO_PATH],
+ [
+-  xpath=`realpath /usr/lib64/ld-2.*.so`
+  xpath1=`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev`
+  xpath=`realpath $xpath1`
+  if test ! -f "$xpath" ; then
+    AC_MSG_ERROR([Cant find the dynamic linker])
+  fi
+   echo "dynamic linker is.....$xpath"
+   AC_DEFINE_UNQUOTED(SYSTEM_LD_SO, ["$xpath"], [dynamic linker])
+ ])
--- a/fapolicyd-1.1.1-static.patch
+++ b/fapolicyd-1.1.1-static.patch
@ -0,0 +1,19 @@
+diff -urp fapolicyd-1.1.1.orig/src/library/event.c fapolicyd-1.1.1/src/library/event.c
+--- fapolicyd-1.1.1.orig/src/library/event.c	2022-01-28 15:23:58.000000000 -0500
+++ fapolicyd-1.1.1/src/library/event.c	2022-01-30 20:11:05.516785465 -0500
+@@ -140,7 +140,14 @@ int new_event(const struct fanotify_even
+ 
+ 		// We need to reset everything now that execve has finished
+ 		if (s->info->state == STATE_STATIC_PARTIAL && !rc) {
+-			s->info->state = STATE_STATIC;
+			// If the static app itself launches an app right
+			// away, go back to collecting.
+			if (e->type & FAN_OPEN_EXEC_PERM)
+				s->info->state = STATE_COLLECTING;
+			else {
+				s->info->state = STATE_STATIC;
+				skip_path = 1;
+			}
+ 			evict = 0;
+ 			skip_path = 1;
+ 			subject_reset(s, EXE);
--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@ -5,7 +5,7 @@
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
 Version: 1.1
-Release: 101%{?dist}
+Release: 104%{?dist}
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@ -34,6 +34,9 @@ Patch1: fapolicyd-uthash-bundle.patch
 Patch2: fapolicyd-selinux.patch
 Patch3: fapolicyd-reorder-rules.patch
 Patch4: fagenrules-group.patch
+# 2069123 - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-9.1.0]
+Patch5: fapolicyd-1.1.1-ld_so.patch
+Patch6: fapolicyd-1.1.1-static.patch

 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -82,10 +85,20 @@ Don't use dnf and rpm plugin together.
 %patch2 -p1 -b .selinux
 %patch3 -p1 -b .reorder
 %patch4 -p1 -b .group
+%patch5 -p1 -b .ld_so
+%patch6 -p1 -b .static

-sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
-sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
-sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name  'ld-linux-*.so.*' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
+# generate rules for python
+sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
+sed -i "s|%python3_path%|`readlink -f %{__python3}`|g" rules.d/*.rules
+
+interpret=`readelf -e /usr/bin/bash \
+                   | grep Requesting \
+                   | sed 's/.$//' \
+                   | rev | cut -d" " -f1 \
+                   | rev`
+
+sed -i "s|%ld_so_path%|`realpath $interpret`|g" rules.d/*.rules

 %build
 ./autogen.sh
@ -265,6 +278,13 @@ fi


 %changelog
+* Thu Jun 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-104
+RHEL 9.1.0 ERRATUM
+- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path
+Resolves: rhbz#2069123
+- Faulty handling of static applications
+Resolves: rhbz#2096457
+
 * Sun Apr 3 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-101
 RHEL 9.1.0 ERRATUM
 - fapolicyd denies access to /usr/lib64/ld-2.28.so