import CS fwupd-1.7.8-2.el8

2023-09-27 12:56:32 +00:00 · 2023-09-27 12:56:32 +00:00 · c5c1572c1b
parent f4eb986697
commit c5c1572c1b
11 changed files with 264 additions and 2 deletions
--- a/.fwupd.metadata
+++ b/.fwupd.metadata
@ -7,3 +7,7 @@ b5b2dc87daca1d3f8081a323290432c141aa405d SOURCES/DBXUpdate-20200729-aa64.cab
 59006fd556faeacc8185075c8fe7826249a2da32 SOURCES/fwupd-1.7.8.tar.xz
 1a586c3634ef190e6128351ee60fd17d0e584f7c SOURCES/fwupd-efi-1.3.tar.xz
 a62a28924d26cd49b6441170795a237ba33ec192 SOURCES/libjcat-0.1.9.tar.xz
+4a07b56e28741884b86da6ac91f8f9929541a1e4 SOURCES/redhatsecureboot301.cer
+33e260486f5c12e47b72b90dfb779ca892f56c45 SOURCES/redhatsecureboot503.cer
+cf9230e69000076727e5b784ec871d22716dc5da SOURCES/redhatsecurebootca3.cer
+e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer
--- a/.gitignore
+++ b/.gitignore
@ -7,3 +7,7 @@ SOURCES/DBXUpdate-20200729-x64.cab
 SOURCES/fwupd-1.7.8.tar.xz
 SOURCES/fwupd-efi-1.3.tar.xz
 SOURCES/libjcat-0.1.9.tar.xz
+SOURCES/redhatsecureboot301.cer
+SOURCES/redhatsecureboot503.cer
+SOURCES/redhatsecurebootca3.cer
+SOURCES/redhatsecurebootca5.cer
--- a/SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch
+++ b/SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch
@ -0,0 +1,29 @@
+From 1fc24adecbb62b3cd77ef965c5daf1b72f6c7aa8 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Tue, 22 Aug 2023 10:05:27 +0100
+Subject: [PATCH] Use /usr/libexec/platform-python for RHEL
+
+---
+ meson.build | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index bb406d616..ac90c8ee6 100644
+--- a/meson.build
+++ b/meson.build
+@@ -261,11 +261,7 @@ if libgcab.type_name() == 'pkgconfig' and cc.has_function('gcab_file_set_bytes',
+ endif
+ 
+ bashcomp = dependency('bash-completion', required: false)
+-if host_machine.system() != 'freebsd'
+-  python3 = find_program('python3')
+-else
+-  python3 = find_program('python3.8', 'python3', 'python3.9')
+-endif
+python3 = find_program('/usr/libexec/platform-python')
+ 
+ if get_option('gnutls')
+   gnutls = dependency('gnutls', version : '>= 3.6.0')
+-- 
+2.41.0
+
--- a/SOURCES/0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch
+++ b/SOURCES/0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch
@ -0,0 +1,28 @@
+From 442f7f9200fbf6ec509dd0ee40eae2e37b2fb73e Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Tue, 20 Sep 2022 08:06:12 +0100
+Subject: [PATCH 1/3] redfish: Set the permissions of redfish.conf at install
+ time
+
+Although typically we set the password using fu_plugin_set_secure_config_value()
+or something like Ansible or Puppet -- the user could just edit the file with
+vim and we still want the permissions set correctly.
+---
+ plugins/redfish/meson.build | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/plugins/redfish/meson.build b/plugins/redfish/meson.build
+index 34ba4b7f6..7b19574de 100644
+--- a/plugins/redfish/meson.build
+++ b/plugins/redfish/meson.build
+@@ -48,6 +48,7 @@ shared_module('fu_plugin_redfish',
+ 
+ install_data(['redfish.conf'],
+   install_dir:  join_paths(sysconfdir, 'fwupd'),
+  install_mode: 'rw-r-----',
+ )
+ 
+ if get_option('tests')
+-- 
+2.39.1
+
--- a/SOURCES/0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch
+++ b/SOURCES/0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch
@ -0,0 +1,47 @@
+From 4f39b747a6d860e32a3000451dd2635366c81776 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Tue, 20 Sep 2022 09:13:52 +0100
+Subject: [PATCH 2/3] redfish: Only create users using IPMI when we know it's
+ going to work
+
+Make the IPMI auto-account feature allow-listed on specific vendors as some IPMI
+implementations are not specification compliant and do entirely the wrong thing.
+---
+ plugins/redfish/fu-plugin-redfish.c | 8 ++++++++
+ plugins/redfish/redfish.quirk       | 2 +-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/plugins/redfish/fu-plugin-redfish.c b/plugins/redfish/fu-plugin-redfish.c
+index deb0fe742..3972d4b4b 100644
+--- a/plugins/redfish/fu-plugin-redfish.c
+++ b/plugins/redfish/fu-plugin-redfish.c
+@@ -422,6 +422,14 @@ fu_plugin_redfish_startup(FuPlugin *plugin, GError **error)
+ #ifdef HAVE_LINUX_IPMI_H
+ 	/* we got neither a type 42 entry or config value, lets try IPMI */
+ 	if (fu_redfish_backend_get_username(data->backend) == NULL) {
+		if (!fu_context_has_hwid_flag(fu_plugin_get_context(plugin), "ipmi-create-user")) {
+			g_set_error_literal(error,
+					    FWUPD_ERROR,
+					    FWUPD_ERROR_NOT_SUPPORTED,
+					    "no username and password specified, "
+					    "and no vendor quirk for 'ipmi-create-user'");
+			return FALSE;
+		}
+ 		if (!fu_plugin_get_config_value_boolean(plugin, "IpmiDisableCreateUser")) {
+ 			g_debug("attempting to create user using IPMI");
+ 			if (!fu_redfish_plugin_ipmi_create_user(plugin, error))
+diff --git a/plugins/redfish/redfish.quirk b/plugins/redfish/redfish.quirk
+index b12439926..5e9722fda 100644
+--- a/plugins/redfish/redfish.quirk
+++ b/plugins/redfish/redfish.quirk
+@@ -1,6 +1,6 @@
+ # Lenovo ThinkSystem
+ [42f00735-c9ab-5374-bd63-a5deee5881e0]
+-Flags = wildcard-targets,reset-required
+Flags = wildcard-targets,reset-required,ipmi-create-user
+ 
+ [REDFISH\VENDOR_Lenovo&ID_BMC-Backup]
+ ParentGuid = REDFISH\VENDOR_Lenovo&ID_BMC-Primary
+-- 
+2.39.1
+
--- a/SOURCES/0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch
+++ b/SOURCES/0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch
@ -0,0 +1,141 @@
+From 41575afd93ca0e68bced78ca43a4488f124906a1 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Wed, 21 Sep 2022 14:56:10 +0100
+Subject: [PATCH 3/3] Never save the Redfish passwords to a file readable by
+ users
+
+When the redfish plugin automatically creates an OPERATOR user account on the
+BMC we save the autogenerated password to /etc/fwupd/redfish.conf, ensuring it
+is chmod'ed to 0660 before writing the file with g_key_file_save_to_file().
+
+Under the covers, g_key_file_save_to_file() calls g_file_set_contents() with
+the keyfile string data.
+I was under the impression that G_FILE_CREATE_REPLACE_DESTINATION was being
+used to copy permissions, but alas not.
+
+GLib instead calls g_file_set_contents_full() with the mode hardcoded to 0666,
+which undoes the previous chmod().
+
+Use g_file_set_contents_full() with the correct mode for newer GLib versions,
+and provide a fallback with the same semantics for older versions.
+---
+ contrib/fwupd.spec.in         |  3 ++
+ libfwupdplugin/fu-plugin.c    | 65 +++++++++++++++++++++++++++++------
+ libfwupdplugin/fu-self-test.c | 57 ++++++++++++++++++++++++++++++
+ 3 files changed, 114 insertions(+), 11 deletions(-)
+
+diff --git a/contrib/fwupd.spec.in b/contrib/fwupd.spec.in
+index a50e30a9c..0854fcf4f 100644
+--- a/contrib/fwupd.spec.in
+++ b/contrib/fwupd.spec.in
+@@ -313,6 +313,9 @@ for fn in /etc/fwupd/remotes.d/*.conf; do
+     fi
+ done
+ 
+# ensure this is private
+chmod 0660 /etc/fwupd/redfish.conf
+
+ %preun
+ %systemd_preun fwupd.service
+ 
+diff --git a/libfwupdplugin/fu-plugin.c b/libfwupdplugin/fu-plugin.c
+index 18042a028..04951de85 100644
+--- a/libfwupdplugin/fu-plugin.c
+++ b/libfwupdplugin/fu-plugin.c
+@@ -9,6 +9,7 @@
+ #include "config.h"
+ 
+ #include <errno.h>
+#include <fcntl.h>
+ #include <fwupd.h>
+ #include <glib/gstdio.h>
+ #include <gmodule.h>
+@@ -2256,6 +2257,46 @@ fu_plugin_set_config_value(FuPlugin *self, const gchar *key, const gchar *value,
+ 	return g_key_file_save_to_file(keyfile, conf_path, error);
+ }
+ 
+#if !GLIB_CHECK_VERSION(2, 66, 0)
+
+#define G_FILE_SET_CONTENTS_CONSISTENT 0
+typedef guint GFileSetContentsFlags;
+static gboolean
+g_file_set_contents_full(const gchar *filename,
+			 const gchar *contents,
+			 gssize length,
+			 GFileSetContentsFlags flags,
+			 int mode,
+			 GError **error)
+{
+	gint fd;
+	gssize wrote;
+
+	if (length < 0)
+		length = strlen(contents);
+	fd = g_open(filename, O_CREAT, mode);
+	if (fd <= 0) {
+		g_set_error(error,
+			    G_IO_ERROR,
+			    G_IO_ERROR_FAILED,
+			    "could not open %s file",
+			    filename);
+		return FALSE;
+	}
+	wrote = write(fd, contents, length);
+	if (wrote != length) {
+		g_set_error(error,
+			    G_IO_ERROR,
+			    G_IO_ERROR_FAILED,
+			    "did not write %s file",
+			    filename);
+		g_close(fd, NULL);
+		return FALSE;
+	}
+	return g_close(fd, error);
+}
+#endif
+
+ /**
+  * fu_plugin_set_secure_config_value:
+  * @self: a #FuPlugin
+@@ -2277,7 +2318,8 @@ fu_plugin_set_secure_config_value(FuPlugin *self,
+ 				  GError **error)
+ {
+ 	g_autofree gchar *conf_path = fu_plugin_get_config_filename(self);
+-	gint ret;
+	g_autofree gchar *data = NULL;
+	g_autoptr(GKeyFile) keyfile = g_key_file_new();
+ 
+ 	g_return_val_if_fail(FU_IS_PLUGIN(self), FALSE);
+ 	g_return_val_if_fail(error == NULL || *error == NULL, FALSE);
+@@ -2286,17 +2328,18 @@ fu_plugin_set_secure_config_value(FuPlugin *self,
+ 		g_set_error(error, FWUPD_ERROR, FWUPD_ERROR_NOT_FOUND, "%s is missing", conf_path);
+ 		return FALSE;
+ 	}
+-	ret = g_chmod(conf_path, 0660);
+-	if (ret == -1) {
+-		g_set_error(error,
+-			    FWUPD_ERROR,
+-			    FWUPD_ERROR_INTERNAL,
+-			    "failed to set permissions on %s",
+-			    conf_path);
+	if (!g_key_file_load_from_file(keyfile, conf_path, G_KEY_FILE_KEEP_COMMENTS, error))
+ 		return FALSE;
+-	}
+-
+-	return fu_plugin_set_config_value(self, key, value, error);
+	g_key_file_set_string(keyfile, fu_plugin_get_name(self), key, value);
+	data = g_key_file_to_data(keyfile, NULL, error);
+	if (data == NULL)
+		return FALSE;
+	return g_file_set_contents_full(conf_path,
+					data,
+					-1,
+					G_FILE_SET_CONTENTS_CONSISTENT,
+					0660,
+					error);
+ }
+ 
+ /**
+-- 
+2.39.1
+
--- a/SOURCES/redhatsecureboot301.cer
+++ b/SOURCES/redhatsecureboot301.cer
--- a/SOURCES/redhatsecureboot503.cer
+++ b/SOURCES/redhatsecureboot503.cer
--- a/SOURCES/redhatsecurebootca3.cer
+++ b/SOURCES/redhatsecurebootca3.cer
--- a/SOURCES/redhatsecurebootca5.cer
+++ b/SOURCES/redhatsecurebootca5.cer
--- a/SPECS/fwupd.spec
+++ b/SPECS/fwupd.spec
@ -40,7 +40,7 @@
 Summary:   Firmware update daemon
 Name:      fwupd
 Version:   1.7.8
-Release:   1%{?dist}
+Release:   2%{?dist}
 License:   LGPLv2+
 URL:       https://github.com/fwupd/fwupd
 Source0:   http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz
@ -61,6 +61,11 @@ Source301:   redhatsecureboot301.cer
 Source500:   redhatsecurebootca5.cer
 Source503:   redhatsecureboot503.cer

+Patch1:    0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch
+Patch2:    0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch
+Patch3:    0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch
+Patch4:    0001-Use-usr-libexec-platform-python-for-RHEL.patch
+
 BuildRequires: efi-srpm-macros
 BuildRequires: gettext
 BuildRequires: glib2-devel >= %{glib2_version}
@ -163,7 +168,7 @@ Requires: %{name}%{?_isa} = %{version}-%{release}
 Data files for installed tests.

 %prep
-%setup -q
+%autosetup -p1

 mkdir -p subprojects/libjcat
 tar xfvs %{SOURCE1} -C subprojects/libjcat --strip-components=1
@ -526,6 +531,10 @@ done
 %endif

 %changelog
+* Mon Feb 20 2023 Richard Hughes <richard@hughsie.com> 1.7.8-2
+- Backport the Redfish security fixes which affect IDRAC.
+- Resolves: rhbz#2170950
+
 * Wed Jun 15 2022 Richard Hughes <richard@hughsie.com> 1.7.8-1
 - New upstream release
 - Resolves: rhbz#2095668