diff --git a/.fwupd.metadata b/.fwupd.metadata index 19c69f0..8488b53 100644 --- a/.fwupd.metadata +++ b/.fwupd.metadata @@ -7,3 +7,7 @@ b5b2dc87daca1d3f8081a323290432c141aa405d SOURCES/DBXUpdate-20200729-aa64.cab 59006fd556faeacc8185075c8fe7826249a2da32 SOURCES/fwupd-1.7.8.tar.xz 1a586c3634ef190e6128351ee60fd17d0e584f7c SOURCES/fwupd-efi-1.3.tar.xz a62a28924d26cd49b6441170795a237ba33ec192 SOURCES/libjcat-0.1.9.tar.xz +4a07b56e28741884b86da6ac91f8f9929541a1e4 SOURCES/redhatsecureboot301.cer +33e260486f5c12e47b72b90dfb779ca892f56c45 SOURCES/redhatsecureboot503.cer +cf9230e69000076727e5b784ec871d22716dc5da SOURCES/redhatsecurebootca3.cer +e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer diff --git a/.gitignore b/.gitignore index 5b65834..828fc49 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,7 @@ SOURCES/DBXUpdate-20200729-x64.cab SOURCES/fwupd-1.7.8.tar.xz SOURCES/fwupd-efi-1.3.tar.xz SOURCES/libjcat-0.1.9.tar.xz +SOURCES/redhatsecureboot301.cer +SOURCES/redhatsecureboot503.cer +SOURCES/redhatsecurebootca3.cer +SOURCES/redhatsecurebootca5.cer diff --git a/SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch b/SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch new file mode 100644 index 0000000..4bc0dc7 --- /dev/null +++ b/SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch @@ -0,0 +1,29 @@ +From 1fc24adecbb62b3cd77ef965c5daf1b72f6c7aa8 Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Tue, 22 Aug 2023 10:05:27 +0100 +Subject: [PATCH] Use /usr/libexec/platform-python for RHEL + +--- + meson.build | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/meson.build b/meson.build +index bb406d616..ac90c8ee6 100644 +--- a/meson.build ++++ b/meson.build +@@ -261,11 +261,7 @@ if libgcab.type_name() == 'pkgconfig' and cc.has_function('gcab_file_set_bytes', + endif + + bashcomp = dependency('bash-completion', required: false) +-if host_machine.system() != 'freebsd' +- python3 = find_program('python3') +-else +- python3 = find_program('python3.8', 'python3', 'python3.9') +-endif ++python3 = find_program('/usr/libexec/platform-python') + + if get_option('gnutls') + gnutls = dependency('gnutls', version : '>= 3.6.0') +-- +2.41.0 + diff --git a/SOURCES/0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch b/SOURCES/0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch new file mode 100644 index 0000000..b3f334e --- /dev/null +++ b/SOURCES/0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch @@ -0,0 +1,28 @@ +From 442f7f9200fbf6ec509dd0ee40eae2e37b2fb73e Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Tue, 20 Sep 2022 08:06:12 +0100 +Subject: [PATCH 1/3] redfish: Set the permissions of redfish.conf at install + time + +Although typically we set the password using fu_plugin_set_secure_config_value() +or something like Ansible or Puppet -- the user could just edit the file with +vim and we still want the permissions set correctly. +--- + plugins/redfish/meson.build | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/plugins/redfish/meson.build b/plugins/redfish/meson.build +index 34ba4b7f6..7b19574de 100644 +--- a/plugins/redfish/meson.build ++++ b/plugins/redfish/meson.build +@@ -48,6 +48,7 @@ shared_module('fu_plugin_redfish', + + install_data(['redfish.conf'], + install_dir: join_paths(sysconfdir, 'fwupd'), ++ install_mode: 'rw-r-----', + ) + + if get_option('tests') +-- +2.39.1 + diff --git a/SOURCES/0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch b/SOURCES/0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch new file mode 100644 index 0000000..f7ec617 --- /dev/null +++ b/SOURCES/0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch @@ -0,0 +1,47 @@ +From 4f39b747a6d860e32a3000451dd2635366c81776 Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Tue, 20 Sep 2022 09:13:52 +0100 +Subject: [PATCH 2/3] redfish: Only create users using IPMI when we know it's + going to work + +Make the IPMI auto-account feature allow-listed on specific vendors as some IPMI +implementations are not specification compliant and do entirely the wrong thing. +--- + plugins/redfish/fu-plugin-redfish.c | 8 ++++++++ + plugins/redfish/redfish.quirk | 2 +- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/plugins/redfish/fu-plugin-redfish.c b/plugins/redfish/fu-plugin-redfish.c +index deb0fe742..3972d4b4b 100644 +--- a/plugins/redfish/fu-plugin-redfish.c ++++ b/plugins/redfish/fu-plugin-redfish.c +@@ -422,6 +422,14 @@ fu_plugin_redfish_startup(FuPlugin *plugin, GError **error) + #ifdef HAVE_LINUX_IPMI_H + /* we got neither a type 42 entry or config value, lets try IPMI */ + if (fu_redfish_backend_get_username(data->backend) == NULL) { ++ if (!fu_context_has_hwid_flag(fu_plugin_get_context(plugin), "ipmi-create-user")) { ++ g_set_error_literal(error, ++ FWUPD_ERROR, ++ FWUPD_ERROR_NOT_SUPPORTED, ++ "no username and password specified, " ++ "and no vendor quirk for 'ipmi-create-user'"); ++ return FALSE; ++ } + if (!fu_plugin_get_config_value_boolean(plugin, "IpmiDisableCreateUser")) { + g_debug("attempting to create user using IPMI"); + if (!fu_redfish_plugin_ipmi_create_user(plugin, error)) +diff --git a/plugins/redfish/redfish.quirk b/plugins/redfish/redfish.quirk +index b12439926..5e9722fda 100644 +--- a/plugins/redfish/redfish.quirk ++++ b/plugins/redfish/redfish.quirk +@@ -1,6 +1,6 @@ + # Lenovo ThinkSystem + [42f00735-c9ab-5374-bd63-a5deee5881e0] +-Flags = wildcard-targets,reset-required ++Flags = wildcard-targets,reset-required,ipmi-create-user + + [REDFISH\VENDOR_Lenovo&ID_BMC-Backup] + ParentGuid = REDFISH\VENDOR_Lenovo&ID_BMC-Primary +-- +2.39.1 + diff --git a/SOURCES/0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch b/SOURCES/0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch new file mode 100644 index 0000000..f9e717d --- /dev/null +++ b/SOURCES/0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch @@ -0,0 +1,141 @@ +From 41575afd93ca0e68bced78ca43a4488f124906a1 Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Wed, 21 Sep 2022 14:56:10 +0100 +Subject: [PATCH 3/3] Never save the Redfish passwords to a file readable by + users + +When the redfish plugin automatically creates an OPERATOR user account on the +BMC we save the autogenerated password to /etc/fwupd/redfish.conf, ensuring it +is chmod'ed to 0660 before writing the file with g_key_file_save_to_file(). + +Under the covers, g_key_file_save_to_file() calls g_file_set_contents() with +the keyfile string data. +I was under the impression that G_FILE_CREATE_REPLACE_DESTINATION was being +used to copy permissions, but alas not. + +GLib instead calls g_file_set_contents_full() with the mode hardcoded to 0666, +which undoes the previous chmod(). + +Use g_file_set_contents_full() with the correct mode for newer GLib versions, +and provide a fallback with the same semantics for older versions. +--- + contrib/fwupd.spec.in | 3 ++ + libfwupdplugin/fu-plugin.c | 65 +++++++++++++++++++++++++++++------ + libfwupdplugin/fu-self-test.c | 57 ++++++++++++++++++++++++++++++ + 3 files changed, 114 insertions(+), 11 deletions(-) + +diff --git a/contrib/fwupd.spec.in b/contrib/fwupd.spec.in +index a50e30a9c..0854fcf4f 100644 +--- a/contrib/fwupd.spec.in ++++ b/contrib/fwupd.spec.in +@@ -313,6 +313,9 @@ for fn in /etc/fwupd/remotes.d/*.conf; do + fi + done + ++# ensure this is private ++chmod 0660 /etc/fwupd/redfish.conf ++ + %preun + %systemd_preun fwupd.service + +diff --git a/libfwupdplugin/fu-plugin.c b/libfwupdplugin/fu-plugin.c +index 18042a028..04951de85 100644 +--- a/libfwupdplugin/fu-plugin.c ++++ b/libfwupdplugin/fu-plugin.c +@@ -9,6 +9,7 @@ + #include "config.h" + + #include ++#include + #include + #include + #include +@@ -2256,6 +2257,46 @@ fu_plugin_set_config_value(FuPlugin *self, const gchar *key, const gchar *value, + return g_key_file_save_to_file(keyfile, conf_path, error); + } + ++#if !GLIB_CHECK_VERSION(2, 66, 0) ++ ++#define G_FILE_SET_CONTENTS_CONSISTENT 0 ++typedef guint GFileSetContentsFlags; ++static gboolean ++g_file_set_contents_full(const gchar *filename, ++ const gchar *contents, ++ gssize length, ++ GFileSetContentsFlags flags, ++ int mode, ++ GError **error) ++{ ++ gint fd; ++ gssize wrote; ++ ++ if (length < 0) ++ length = strlen(contents); ++ fd = g_open(filename, O_CREAT, mode); ++ if (fd <= 0) { ++ g_set_error(error, ++ G_IO_ERROR, ++ G_IO_ERROR_FAILED, ++ "could not open %s file", ++ filename); ++ return FALSE; ++ } ++ wrote = write(fd, contents, length); ++ if (wrote != length) { ++ g_set_error(error, ++ G_IO_ERROR, ++ G_IO_ERROR_FAILED, ++ "did not write %s file", ++ filename); ++ g_close(fd, NULL); ++ return FALSE; ++ } ++ return g_close(fd, error); ++} ++#endif ++ + /** + * fu_plugin_set_secure_config_value: + * @self: a #FuPlugin +@@ -2277,7 +2318,8 @@ fu_plugin_set_secure_config_value(FuPlugin *self, + GError **error) + { + g_autofree gchar *conf_path = fu_plugin_get_config_filename(self); +- gint ret; ++ g_autofree gchar *data = NULL; ++ g_autoptr(GKeyFile) keyfile = g_key_file_new(); + + g_return_val_if_fail(FU_IS_PLUGIN(self), FALSE); + g_return_val_if_fail(error == NULL || *error == NULL, FALSE); +@@ -2286,17 +2328,18 @@ fu_plugin_set_secure_config_value(FuPlugin *self, + g_set_error(error, FWUPD_ERROR, FWUPD_ERROR_NOT_FOUND, "%s is missing", conf_path); + return FALSE; + } +- ret = g_chmod(conf_path, 0660); +- if (ret == -1) { +- g_set_error(error, +- FWUPD_ERROR, +- FWUPD_ERROR_INTERNAL, +- "failed to set permissions on %s", +- conf_path); ++ if (!g_key_file_load_from_file(keyfile, conf_path, G_KEY_FILE_KEEP_COMMENTS, error)) + return FALSE; +- } +- +- return fu_plugin_set_config_value(self, key, value, error); ++ g_key_file_set_string(keyfile, fu_plugin_get_name(self), key, value); ++ data = g_key_file_to_data(keyfile, NULL, error); ++ if (data == NULL) ++ return FALSE; ++ return g_file_set_contents_full(conf_path, ++ data, ++ -1, ++ G_FILE_SET_CONTENTS_CONSISTENT, ++ 0660, ++ error); + } + + /** +-- +2.39.1 + diff --git a/SPECS/fwupd.spec b/SPECS/fwupd.spec index 474713a..9549e0f 100644 --- a/SPECS/fwupd.spec +++ b/SPECS/fwupd.spec @@ -44,7 +44,7 @@ Summary: Firmware update daemon Name: fwupd Version: 1.7.8 -Release: 1%{?dist}.alma.1 +Release: 2%{?dist}.alma License: LGPLv2+ URL: https://github.com/fwupd/fwupd Source0: http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz @@ -62,6 +62,11 @@ Source15: http://people.redhat.com/rhughes/dbx/DBXUpdate-20200729-x64.cab # the real package sources, in order to reduce churn. Source300: almalinuxsecurebootca0.cer +Patch1: 0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch +Patch2: 0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch +Patch3: 0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch +Patch4: 0001-Use-usr-libexec-platform-python-for-RHEL.patch + BuildRequires: efi-srpm-macros BuildRequires: gettext BuildRequires: glib2-devel >= %{glib2_version} @@ -164,7 +169,7 @@ Requires: %{name}%{?_isa} = %{version}-%{release} Data files for installed tests. %prep -%setup -q +%autosetup -p1 mkdir -p subprojects/libjcat tar xfvs %{SOURCE1} -C subprojects/libjcat --strip-components=1 @@ -528,12 +533,12 @@ done %endif %changelog -* Mon Feb 27 2023 Eduard Abdullin - 1.7.8-1.alma.1 +* Wed Sep 27 2023 Eduard Abdullin - 1.7.8-2.alma - Use AlmaLinux cert -* Tue Nov 08 2022 Andrew Lukoshko - 1.7.8-1.alma -- AlmaLinux changes - +* Mon Feb 20 2023 Richard Hughes 1.7.8-2 +- Backport the Redfish security fixes which affect IDRAC. +- Resolves: rhbz#2170950 * Wed Jun 15 2022 Richard Hughes 1.7.8-1 - New upstream release - Resolves: rhbz#2095668