Deprecate pesign-authorize and drop ACL use

Resolves: CVE-2022-3560
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
This commit is contained in:
Robbie Harwood 2023-01-18 19:09:44 +00:00
parent 56134881b9
commit 4774e9d249
3 changed files with 86 additions and 1 deletions

View File

@ -0,0 +1,80 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 18 Jan 2023 14:00:22 -0500
Subject: [PATCH] Use normal file permissions instead of ACLs
Fixes a symlink attack that can't be mitigated using getfacl/setfacl.
pesign-authorize is now deprecated and will be removed in a future
release.
Resolves: CVE-2022-3560
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/pesign-authorize.in | 50 +++----------------------------------------------
1 file changed, 3 insertions(+), 47 deletions(-)
diff --git a/src/pesign-authorize.in b/src/pesign-authorize.in
index 69797d5..d98657c 100644
--- a/src/pesign-authorize.in
+++ b/src/pesign-authorize.in
@@ -2,56 +2,12 @@
set -e
set -u
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific users is useful
-#
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
# License: GPLv2
-declare -a fileusers=()
-declare -a dirusers=()
-while read -r user ; do
- dirusers[${#dirusers[@]}]=-m
- dirusers[${#dirusers[@]}]="u:$user:rwx"
- fileusers[${#fileusers[@]}]=-m
- fileusers[${#fileusers[@]}]="u:$user:rw"
-done </etc/pesign/users
-declare -a filegroups=()
-declare -a dirgroups=()
-while read -r group ; do
- dirgroups[${#dirgroups[@]}]=-m
- dirgroups[${#dirgroups[@]}]="g:$group:rwx"
- filegroups[${#filegroups[@]}]=-m
- filegroups[${#filegroups[@]}]="g:$group:rw"
-done </etc/pesign/groups
-
-update_subdir() {
- subdir=$1 && shift
-
- setfacl -bk "${subdir}"
- setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
- for x in "${subdir}"* ; do
- if [ -d "${x}" ]; then
- setfacl -bk "${x}"
- setfacl "${dirusers[@]}" "${dirgroups[@]}" "${x}"
- update_subdir "${x}/"
- elif [ -e "${x}" ]; then
- setfacl -bk "${x}"
- setfacl "${fileusers[@]}" "${filegroups[@]}" "${x}"
- else
- :;
- fi
- done
-}
+# This script is deprecated and will be removed in a future release.
sleep 3
for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do
- if [ -d "${x}" ]; then
- update_subdir "${x}"
- else
- :;
- fi
+ chown -R pesign:pesign "${x}" || true
+ chmod ug+rwX "${x}" || true
done

View File

@ -3,3 +3,4 @@ Patch0002: 0002-Disable-pragmas-for-warnings-that-are-too-old.patch
Patch0003: 0003-Add-D_GLIBCXX_ASSERTIONS-to-CPPFLAGS.patch Patch0003: 0003-Add-D_GLIBCXX_ASSERTIONS-to-CPPFLAGS.patch
Patch0004: 0004-macros.pesign-handle-centos-like-rhel-with-rhelver.patch Patch0004: 0004-macros.pesign-handle-centos-like-rhel-with-rhelver.patch
Patch0005: 0005-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch Patch0005: 0005-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch
Patch0006: 0006-Use-normal-file-permissions-instead-of-ACLs.patch

View File

@ -3,7 +3,7 @@
Name: pesign Name: pesign
Summary: Signing utility for UEFI binaries Summary: Signing utility for UEFI binaries
Version: 115 Version: 115
Release: 4%{?dist} Release: 5%{?dist}
License: GPL-2.0-only License: GPL-2.0-only
URL: https://github.com/rhboot/pesign URL: https://github.com/rhboot/pesign
@ -162,6 +162,10 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
%{python3_sitelib}/mockbuild/plugins/pesign.* %{python3_sitelib}/mockbuild/plugins/pesign.*
%changelog %changelog
* Wed Jan 18 2023 Robbie Harwood <rharwood@redhat.com> - 115-5
- Deprecate pesign-authorize and drop ACL use
- Resolves: CVE-2022-3560
* Mon Apr 04 2022 Robbie Harwood <rharwood@redhat.com> * Mon Apr 04 2022 Robbie Harwood <rharwood@redhat.com>
- Detect presence of rpm-sign when checking for rhel-ness - Detect presence of rpm-sign when checking for rhel-ness
- Resolves: #2044886 - Resolves: #2044886