From c5c1572c1bb8f7df1903ef4e0b749e362e2de6c2 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 27 Sep 2023 12:56:32 +0000
Subject: [PATCH] import CS fwupd-1.7.8-2.el8

---
 .fwupd.metadata | 4 +
 .gitignore | 4 +
 ...usr-libexec-platform-python-for-RHEL.patch | 29 ++++
 ...permissions-of-redfish.conf-at-insta.patch | 28 ++++
 ...ate-users-using-IPMI-when-we-know-it.patch | 47 ++++++
 ...edfish-passwords-to-a-file-readable-.patch | 141 ++++++++++++++++++
 SOURCES/redhatsecureboot301.cer | Bin 839 -> 0 bytes
 SOURCES/redhatsecureboot503.cer | Bin 964 -> 0 bytes
 SOURCES/redhatsecurebootca3.cer | Bin 977 -> 0 bytes
 SOURCES/redhatsecurebootca5.cer | Bin 920 -> 0 bytes
 SPECS/fwupd.spec | 13 +-
 11 files changed, 264 insertions(+), 2 deletions(-)
 create mode 100644 SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch
 create mode 100644 SOURCES/0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch
 create mode 100644 SOURCES/0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch
 create mode 100644 SOURCES/0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch
 delete mode 100644 SOURCES/redhatsecureboot301.cer
 delete mode 100644 SOURCES/redhatsecureboot503.cer
 delete mode 100644 SOURCES/redhatsecurebootca3.cer
 delete mode 100644 SOURCES/redhatsecurebootca5.cer

diff --git a/.fwupd.metadata b/.fwupd.metadata
index 19c69f0..8488b53 100644
--- a/.fwupd.metadata
+++ b/.fwupd.metadata
@@ -7,3 +7,7 @@ b5b2dc87daca1d3f8081a323290432c141aa405d SOURCES/DBXUpdate-20200729-aa64.cab
 59006fd556faeacc8185075c8fe7826249a2da32 SOURCES/fwupd-1.7.8.tar.xz
 1a586c3634ef190e6128351ee60fd17d0e584f7c SOURCES/fwupd-efi-1.3.tar.xz
 a62a28924d26cd49b6441170795a237ba33ec192 SOURCES/libjcat-0.1.9.tar.xz
+4a07b56e28741884b86da6ac91f8f9929541a1e4 SOURCES/redhatsecureboot301.cer
+33e260486f5c12e47b72b90dfb779ca892f56c45 SOURCES/redhatsecureboot503.cer
+cf9230e69000076727e5b784ec871d22716dc5da SOURCES/redhatsecurebootca3.cer
+e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer
diff --git a/.gitignore b/.gitignore
index 5b65834..828fc49 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,7 @@ SOURCES/DBXUpdate-20200729-x64.cab
 SOURCES/fwupd-1.7.8.tar.xz
 SOURCES/fwupd-efi-1.3.tar.xz
 SOURCES/libjcat-0.1.9.tar.xz
+SOURCES/redhatsecureboot301.cer
+SOURCES/redhatsecureboot503.cer
+SOURCES/redhatsecurebootca3.cer
+SOURCES/redhatsecurebootca5.cer
diff --git a/SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch b/SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch
new file mode 100644
index 0000000..4bc0dc7
--- /dev/null
+++ b/SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch
@@ -0,0 +1,29 @@ +From 1fc24adecbb62b3cd77ef965c5daf1b72f6c7aa8 Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Tue, 22 Aug 2023 10:05:27 +0100 +Subject: [PATCH] Use /usr/libexec/platform-python for RHEL + +--- + meson.build | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/meson.build b/meson.build +index bb406d616..ac90c8ee6 100644 +--- a/meson.build ++++ b/meson.build +@@ -261,11 +261,7 @@ if libgcab.type_name() == 'pkgconfig' and cc.has_function('gcab_file_set_bytes', + endif + + bashcomp = dependency('bash-completion', required: false) +-if host_machine.system() != 'freebsd' +- python3 = find_program('python3') +-else +- python3 = find_program('python3.8', 'python3', 'python3.9') +-endif ++python3 = find_program('/usr/libexec/platform-python') + + if get_option('gnutls') + gnutls = dependency('gnutls', version : '>= 3.6.0') +-- +2.41.0 + diff --git a/SOURCES/0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch b/SOURCES/0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch new file mode 100644 index 0000000..b3f334e --- /dev/null +++ b/SOURCES/0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch 
@@ -0,0 +1,28 @@ +From 442f7f9200fbf6ec509dd0ee40eae2e37b2fb73e Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Tue, 20 Sep 2022 08:06:12 +0100 +Subject: [PATCH 1/3] redfish: Set the permissions of redfish.conf at install + time + +Although typically we set the password using fu_plugin_set_secure_config_value() +or something like Ansible or Puppet -- the user could just edit the file with +vim and we still want the permissions set correctly. +--- + plugins/redfish/meson.build | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/plugins/redfish/meson.build b/plugins/redfish/meson.build +index 34ba4b7f6..7b19574de 100644 +--- a/plugins/redfish/meson.build ++++ b/plugins/redfish/meson.build +@@ -48,6 +48,7 @@ shared_module('fu_plugin_redfish', + + install_data(['redfish.conf'], + install_dir: join_paths(sysconfdir, 'fwupd'), ++ install_mode: 'rw-r-----', + ) + + if get_option('tests') +-- +2.39.1 + diff --git a/SOURCES/0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch b/SOURCES/0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch new file mode 100644 index 0000000..f7ec617 --- /dev/null +++ b/SOURCES/0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch 
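Review bot: The mode set here, `install_mode: 'rw-r-----',` (0640), does not match the 0660 used by the companion changes — the `chmod 0660 /etc/fwupd/redfish.conf` in contrib/fwupd.spec.in and the `g_file_set_contents_full(..., 0660, ...)` rewrite in patch 0003 — so the mode the package installs may be replaced by a different one (subject to umask) on the first secure write. Both keep the file private to root and the group, but three different places asserting two different modes makes the intended permission hard to audit; pick one value for all three (e.g. `install_mode: 'rw-rw----',` here, or 0640 in the other two) or add a comment in meson.build explaining the difference. install_mode also sets no owner or group, so the file is owned by whoever runs meson install; if a specific group is meant to read it, the list form `install_mode: ['rw-r-----', 'root', '<group to be chosen>']` would make that explicit instead of relying on the build environment.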
@@ -0,0 +1,47 @@ +From 4f39b747a6d860e32a3000451dd2635366c81776 Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Tue, 20 Sep 2022 09:13:52 +0100 +Subject: [PATCH 2/3] redfish: Only create users using IPMI when we know it's + going to work + +Make the IPMI auto-account feature allow-listed on specific vendors as some IPMI +implementations are not specification compliant and do entirely the wrong thing. +--- + plugins/redfish/fu-plugin-redfish.c | 8 ++++++++ + plugins/redfish/redfish.quirk | 2 +- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/plugins/redfish/fu-plugin-redfish.c b/plugins/redfish/fu-plugin-redfish.c +index deb0fe742..3972d4b4b 100644 +--- a/plugins/redfish/fu-plugin-redfish.c ++++ b/plugins/redfish/fu-plugin-redfish.c +@@ -422,6 +422,14 @@ fu_plugin_redfish_startup(FuPlugin *plugin, GError **error) + #ifdef HAVE_LINUX_IPMI_H + /* we got neither a type 42 entry or config value, lets try IPMI */ + if (fu_redfish_backend_get_username(data->backend) == NULL) { ++ if (!fu_context_has_hwid_flag(fu_plugin_get_context(plugin), "ipmi-create-user")) { ++ g_set_error_literal(error, ++ FWUPD_ERROR, ++ FWUPD_ERROR_NOT_SUPPORTED, ++ "no username and password specified, " ++ "and no vendor quirk for 'ipmi-create-user'"); ++ return FALSE; ++ } + if (!fu_plugin_get_config_value_boolean(plugin, "IpmiDisableCreateUser")) { + g_debug("attempting to create user using IPMI"); + if (!fu_redfish_plugin_ipmi_create_user(plugin, error)) +diff --git a/plugins/redfish/redfish.quirk b/plugins/redfish/redfish.quirk +index b12439926..5e9722fda 100644 +--- a/plugins/redfish/redfish.quirk ++++ b/plugins/redfish/redfish.quirk +@@ -1,6 +1,6 @@ + # Lenovo ThinkSystem + [42f00735-c9ab-5374-bd63-a5deee5881e0] +-Flags = wildcard-targets,reset-required ++Flags = wildcard-targets,reset-required,ipmi-create-user + + [REDFISH\VENDOR_Lenovo&ID_BMC-Backup] + ParentGuid = REDFISH\VENDOR_Lenovo&ID_BMC-Primary +-- +2.39.1 + 
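Review bot: The new allow-list check in fu_plugin_redfish_startup() runs before the existing IpmiDisableCreateUser lookup, so on a vendor without the `ipmi-create-user` quirk the plugin now fails with FWUPD_ERROR_NOT_SUPPORTED even when the administrator has explicitly disabled IPMI account creation, and the error text does not mention that config key. If the intent is only to gate account creation, consider moving the new block inside the `if (!fu_plugin_get_config_value_boolean(plugin, "IpmiDisableCreateUser"))` branch so an opt-out keeps its previous behaviour; what follows that branch is outside the hunk, so I cannot tell whether startup fails later anyway for a missing username. A one-line comment above the new block, e.g. `/* some BMCs misbehave when asked to create accounts over IPMI, so only try on vendors known to work */`, would record why the quirk flag exists, since the commit message is the only place that currently says so.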
diff --git a/SOURCES/0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch b/SOURCES/0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch
new file mode 100644
index 0000000..f9e717d
--- /dev/null
+++ b/SOURCES/0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch
@@ -0,0 +1,141 @@ +From 41575afd93ca0e68bced78ca43a4488f124906a1 Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Wed, 21 Sep 2022 14:56:10 +0100 +Subject: [PATCH 3/3] Never save the Redfish passwords to a file readable by + users + +When the redfish plugin automatically creates an OPERATOR user account on the +BMC we save the autogenerated password to /etc/fwupd/redfish.conf, ensuring it +is chmod'ed to 0660 before writing the file with g_key_file_save_to_file(). + +Under the covers, g_key_file_save_to_file() calls g_file_set_contents() with +the keyfile string data. +I was under the impression that G_FILE_CREATE_REPLACE_DESTINATION was being +used to copy permissions, but alas not. + +GLib instead calls g_file_set_contents_full() with the mode hardcoded to 0666, +which undoes the previous chmod(). + +Use g_file_set_contents_full() with the correct mode for newer GLib versions, +and provide a fallback with the same semantics for older versions. +--- + contrib/fwupd.spec.in | 3 ++ + libfwupdplugin/fu-plugin.c | 65 +++++++++++++++++++++++++++++------ + libfwupdplugin/fu-self-test.c | 57 ++++++++++++++++++++++++++++++ + 3 files changed, 114 insertions(+), 11 deletions(-) + +diff --git a/contrib/fwupd.spec.in b/contrib/fwupd.spec.in +index a50e30a9c..0854fcf4f 100644 +--- a/contrib/fwupd.spec.in ++++ b/contrib/fwupd.spec.in +@@ -313,6 +313,9 @@ for fn in /etc/fwupd/remotes.d/*.conf; do + fi + done + ++# ensure this is private ++chmod 0660 /etc/fwupd/redfish.conf ++ + %preun + %systemd_preun fwupd.service + +diff --git a/libfwupdplugin/fu-plugin.c b/libfwupdplugin/fu-plugin.c +index 18042a028..04951de85 100644 +--- a/libfwupdplugin/fu-plugin.c ++++ b/libfwupdplugin/fu-plugin.c +@@ -9,6 +9,7 @@ + #include "config.h" + + #include ++#include + #include + #include + #include +@@ -2256,6 +2257,46 @@ fu_plugin_set_config_value(FuPlugin *self, const gchar *key, const gchar *value, + return g_key_file_save_to_file(keyfile, conf_path, error); + } + ++#if 
!GLIB_CHECK_VERSION(2, 66, 0) ++ ++#define G_FILE_SET_CONTENTS_CONSISTENT 0 ++typedef guint GFileSetContentsFlags; ++static gboolean ++g_file_set_contents_full(const gchar *filename, ++ const gchar *contents, ++ gssize length, ++ GFileSetContentsFlags flags, ++ int mode, ++ GError **error) ++{ ++ gint fd; ++ gssize wrote; ++ ++ if (length < 0) ++ length = strlen(contents); ++ fd = g_open(filename, O_CREAT, mode); ++ if (fd <= 0) { ++ g_set_error(error, ++ G_IO_ERROR, ++ G_IO_ERROR_FAILED, ++ "could not open %s file", ++ filename); ++ return FALSE; ++ } ++ wrote = write(fd, contents, length); ++ if (wrote != length) { ++ g_set_error(error, ++ G_IO_ERROR, ++ G_IO_ERROR_FAILED, ++ "did not write %s file", ++ filename); ++ g_close(fd, NULL); ++ return FALSE; ++ } ++ return g_close(fd, error); ++} ++#endif ++ + /** + * fu_plugin_set_secure_config_value: + * @self: a #FuPlugin +@@ -2277,7 +2318,8 @@ fu_plugin_set_secure_config_value(FuPlugin *self, + GError **error) + { + g_autofree gchar *conf_path = fu_plugin_get_config_filename(self); +- gint ret; ++ g_autofree gchar *data = NULL; ++ g_autoptr(GKeyFile) keyfile = g_key_file_new(); + + g_return_val_if_fail(FU_IS_PLUGIN(self), FALSE); + g_return_val_if_fail(error == NULL || *error == NULL, FALSE); +@@ -2286,17 +2328,18 @@ fu_plugin_set_secure_config_value(FuPlugin *self, + g_set_error(error, FWUPD_ERROR, FWUPD_ERROR_NOT_FOUND, "%s is missing", conf_path); + return FALSE; + } +- ret = g_chmod(conf_path, 0660); +- if (ret == -1) { +- g_set_error(error, +- FWUPD_ERROR, +- FWUPD_ERROR_INTERNAL, +- "failed to set permissions on %s", +- conf_path); ++ if (!g_key_file_load_from_file(keyfile, conf_path, G_KEY_FILE_KEEP_COMMENTS, error)) + return FALSE; +- } +- +- return fu_plugin_set_config_value(self, key, value, error); ++ g_key_file_set_string(keyfile, fu_plugin_get_name(self), key, value); ++ data = g_key_file_to_data(keyfile, NULL, error); ++ if (data == NULL) ++ return FALSE; ++ return g_file_set_contents_full(conf_path, 
++ data, ++ -1, ++ G_FILE_SET_CONTENTS_CONSISTENT, ++ 0660, ++ error); + } + + /** +-- +2.39.1 + diff --git a/SOURCES/redhatsecureboot301.cer b/SOURCES/redhatsecureboot301.cer deleted file mode 100644 index 4ff8b79e6736e566dbf39603e0887a53345aa4e4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 839 zcmXqLVs5=#_OQj1C) zic(WD5=-=w^K%X4#CZ)(42%qc(A3<>AWEFq*xbO#zzobaj4}u^)G^S4Sf`BDy5h|A zyv)3GQtWJER6_O@BP#=Q6C*!^K@%evQxhX2!zT5vqmx`?o`(oz{$eeCezR_cLPyl% zHpefqUbuO&%O^nA}y6#9BjM%~U7Q(5kw6_YN1epR)|xb9Elg4_B`%!~|-ixmyz4P=2K zFU!Xw#v&5#_@80Rp3FS`6#W&an$HJBb(91l2O=d+v%~@6}B_2%&Mg` zDvt6_STWb-ZhXD^RgaJz3Cq5o4B43+oEZD&XVQnj{jXOGHfUJJB>qmC?A`ut>Ahpw zdM-|DZzz7Yc^I3-u|J*vqdKqQ`kIF?LJd~2r8XOg&f%Z+Yj((@r{(*;Y?_w8rSDJJ zntk_K74NJ(drfx5hIZaKImf>p{fSPd=}qfHlV8OA-0dHz$M#&#on!XF_3NjY{(Hxy zbKN4k{8NvC{Y9;Yo!51>R!)l5n2-{5CgAUe(k!NLc|1u*B2w==ttY-NzWb+N=75O& zzv2uf{%c3S9%5x`<-dQv`g=w9>l=;D-vz#WO}UeuefPU1`=|Tw9$I=mIi&>vg+x|L 
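Review bot: The pre-2.66 fallback g_file_set_contents_full() in this hunk opens the file with `fd = g_open(filename, O_CREAT, mode);`, which is O_RDONLY plus O_CREAT, so the write() that follows cannot succeed on that descriptor, and without O_TRUNC a shorter keyfile would leave stale bytes of the old contents at the end; the O_CREAT mode also applies only when the file is created, and fu_plugin_set_secure_config_value() has already returned "%s is missing" if it does not exist, so the fallback never tightens an existing world-readable redfish.conf the way the removed g_chmod(conf_path, 0660) did. If this el8 build links against a GLib older than 2.66, as I believe it does, the fallback is the path that actually runs, so the backport would not deliver the fix on the target it is meant for. Suggested change: `fd = g_open(filename, O_WRONLY | O_CREAT | O_TRUNC, mode);` followed by a checked `fchmod(fd, mode)` before the write, plus `if (fd < 0)` instead of `fd <= 0` since descriptor 0 is valid. Even then this path writes in place rather than through a temporary file and rename, so a crash mid-write can leave a truncated config; a comment such as `/* no atomic replace here: unlike GLib >= 2.66 this lacks G_FILE_SET_CONTENTS_CONSISTENT semantics */` would make that limitation visible to the next maintainer.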
diff --git a/SOURCES/redhatsecureboot503.cer b/SOURCES/redhatsecureboot503.cer deleted file mode 100644 index 50e375c7461e78286033119e7b6f9d55fdb3543c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 964 zcmXqLVm@Hd#I#}oGZP~d6DPygP|MB7r^(JY;AP{~YV&CO&dbQi&B|a9ZzyIU!p0oR z!o|ZIl$xU8kyxUm;F*`KXQ*f(4-#kQk${RT1g9pK7NsgU<>!|uI6Eqs8Y&qmz)j<1 z6ca8^O-{^7Eh=#+N=?Z~EYVBO&oz(}=QT1gFf*_;G%zqQvWODrHMTG?G_-(n4bpHr zK*K-{;sAMU4hYUn&&$k9S1>g&CdwU6j7rFUXJlnyZerwTFlb`rVrpV!WSFGBlyl!b z@AvOl&N7VJBQfm-*Gb3trqyBYpMP7O)-t#1KVhSL*Xm1lv+vaB_D}D5y>Gs;>;9|c zS*nVeCj;4XQqR$0JPJB$l15Dm#Ah z*G9?ng;qBhTt7zi_9piIB1HKryy*<#h?ozG0H9pAq!Hx`|9`sDeVhoQ|+Ba2Qv zo-yfhS&G=>BcJvO?o=@Oz`Lz_kxrWF{OxXgEW`@xmVMa7-nq`c>PBzQ|M_C~MBFr9 zPrLh_iJ6gsadCw~nE?+l)MbSk8UM2|888^|fq48N9t$%QdxL=(h_4Fb^B8ckacHwK zva+%>GaJZ)#Q9jnSVS6UDoF(Enx4Ng{cq63UVh2ku$$W8v?Qy{B4HrbAaW*u>2r;Y zU7miEXYbA6p6F6GYkog++yK)hFm4zb1h29y$1xV|D)`m!I6+~4tbNet)HA$J5+1X7 z^`aP;7*9J<6!|s6!sq4b3!SQO4a7XUc(LMA*hcX#E?K3&s2<&fsu=j-COdYrFG zd%)%2@WE8TTRmd4$Nz&#rSC6shKtRebdaxGHOuddxkF-v`v-gbQf5te+s{&O)6ChW zul|Xwxt5?3lD7D>ylk9WZ60mkc^MhGSs4s`4b=@)*_cCF zn1$tnQd1N>5=#_OQj1C) zic(WD5=-=w^K%X4#CZ)(42%qc(8R>VG)kP;*xbO#zzoWzwslR6O2{5!WMyD(V&rEq zXkz4IYGPz$nC+~vi6EDouC4!V-;tv&JA zN}nf->iaHo2tM8rAb&8=Njdj{a^${=Z?aE)&k<1VH{Q3Wx7jKD-_5CYum4K4d~JV` z`ccOE*<7!m22LI4&u3g0F3h!NN?ysm?c*7~^lIfF3D-Xhnr_&uU!bJ$?ZS8WW+A0- zr9raw{Iep~On)hDAUrqc*pZy>@YoE^;z#ABPp))utMY{K9XOZuN+87Vv97^}gccFK z6&c%&T=rzVyKuJ1S>c?Rq?77kYS zv==`X%}MC|0a-81!fL?G$oL;QPJxLO7^jR3 zp{b9(0{X(lQ;+K%h_CKtxc%nd+9kH!CBia&JkgcqO9LvF9(I1~^2+p(_fBqs&+@+g zjZG)^b(y8?lr#NV`RkoR|I-BpaSiJiPBV7drX0Bbe!0fPB95K&)ygj1YM5%bK;(6L z=7Y@r2hM%A`uyr;o|A^(c{icYtu_B=WuE^MZ_<i|1QMhsQHT z4}wg*#%C!d<*ePQAKPyWoS|9R;jPUx*P-5Ksuo_~6c3tyKHzf+y+r*{_;vOAw> zmv4Wk&h*1hGe;ze)#t#BH;PsH)$e|FOmna8+@9jW!^ymRMf{q+C84h)mppfN*sxn6 NnfI|Q%N6m!6aeL$dME$@ 
diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer deleted file mode 100644 index dfb0284954861282d1a0ce16c8c5cdc71c27659f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 920 zcmXqLVxD5q#8k6@nTe5!iIbtZm{+@~;bN2lFB_*;n@8JsUPeZ4RtAH3LoovpHs(+k zE*{>X)D#7e#1b6^&%9(kLq!95kT^4s1XNrhI5oMnC{@8JKfgr5*-^pNP{}|6ZW6NxP$#b?ru1p1aqn$3D)YB{Qqo zjCvjz?|=HkE#3AN-xTZpws*U~)f@DZ{t~uwMZy8<;F%jD%$u6!n#qYzp^Sryh{C;x9qf@!N=T4ui@b#({ zSD&^p3kNZ=9lAQ9%xdfP9doNToV+k2^LHOFD{5oE&78StJa^8n7$i2k94PWc<&xr*# z`sciS&XK#@>h!OC8{=mczNLHbADCJ+pE=-CsaDOF#s}?5Q)1qq&%R~#cz>QmiAiVx zk5XXYstAL9d+iK-w@u$FESybMIPOFY~9lmn~9nUf%vMc88@((p0B(#qL+!COmt7`j5IhPVzo{cRPw} Pd!}BnFF!b8N6JS4>O*3Z diff --git a/SPECS/fwupd.spec b/SPECS/fwupd.spec index 15ce573..03d4fa2 100644 --- a/SPECS/fwupd.spec +++ b/SPECS/fwupd.spec @@ -40,7 +40,7 @@ Summary: Firmware update daemon Name: fwupd Version: 1.7.8 -Release: 1%{?dist} +Release: 2%{?dist} License: LGPLv2+ URL: https://github.com/fwupd/fwupd Source0: http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz @@ -61,6 +61,11 @@ Source301: redhatsecureboot301.cer Source500: redhatsecurebootca5.cer Source503: redhatsecureboot503.cer +Patch1: 0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch +Patch2: 0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch +Patch3: 0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch +Patch4: 0001-Use-usr-libexec-platform-python-for-RHEL.patch + BuildRequires: efi-srpm-macros BuildRequires: gettext BuildRequires: glib2-devel >= %{glib2_version} @@ -163,7 +168,7 @@ Requires: %{name}%{?_isa} = %{version}-%{release} Data files for installed tests. %prep -%setup -q +%autosetup -p1 mkdir -p subprojects/libjcat tar xfvs %{SOURCE1} -C subprojects/libjcat --strip-components=1 
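Review bot: The spec now applies the three Redfish patches via `%autosetup -p1`, but the `chmod 0660 /etc/fwupd/redfish.conf` that patch 0003 adds lands in contrib/fwupd.spec.in inside the tarball, not in this SPECS/fwupd.spec, and the Patch1–Patch4 hunk adds no matching %post step. Unless the %post section outside the hunk already does this, systems upgrading from 1.7.8-1 keep whatever mode redfish.conf already has until fu_plugin_set_secure_config_value() next rewrites it, which is precisely the exposure the backport is meant to close; adding `chmod 0660 %{_sysconfdir}/fwupd/redfish.conf` to %post (or an `%attr(0660,root,root)` on the %config entry in %files) would cover existing installs as well as fresh ones. It is also worth confirming that the %files entry for redfish.conf does not carry an %attr that overrides the 0640 meson now installs, since that would silently undo patch 0001.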
@@ -526,6 +531,10 @@ done
 %endif
 
 %changelog
+* Mon Feb 20 2023 Richard Hughes 1.7.8-2
+- Backport the Redfish security fixes which affect IDRAC.
+- Resolves: rhbz#2170950
+
 * Wed Jun 15 2022 Richard Hughes 1.7.8-1
 - New upstream release
 - Resolves: rhbz#2095668