From eb3630bed55925e841cb0b4b6f9e4e75289cbc14 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Mon, 6 Mar 2023 10:39:26 +0000
Subject: [PATCH] import pesign-115-6.el9_1

---
 ...mal-file-permissions-instead-of-ACLs.patch | 80 +++++++++++++++++++
 SOURCES/pesign.patches                        |  1 +
 SPECS/pesign.spec                             | 10 ++-
 3 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0006-Use-normal-file-permissions-instead-of-ACLs.patch

diff --git a/SOURCES/0006-Use-normal-file-permissions-instead-of-ACLs.patch b/SOURCES/0006-Use-normal-file-permissions-instead-of-ACLs.patch
new file mode 100644
index 0000000..72f5d37
--- /dev/null
+++ b/SOURCES/0006-Use-normal-file-permissions-instead-of-ACLs.patch
@@ -0,0 +1,80 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Wed, 18 Jan 2023 14:00:22 -0500
+Subject: [PATCH] Use normal file permissions instead of ACLs
+
+Fixes a symlink attack that can't be mitigated using getfacl/setfacl.
+
+pesign-authorize is now deprecated and will be removed in a future
+release.
+
+Resolves: CVE-2022-3560
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ src/pesign-authorize.in | 50 +++----------------------------------------------
+ 1 file changed, 3 insertions(+), 47 deletions(-)
+
+diff --git a/src/pesign-authorize.in b/src/pesign-authorize.in
+index 69797d5..b4e89e0 100644
+--- a/src/pesign-authorize.in
++++ b/src/pesign-authorize.in
+@@ -2,56 +2,12 @@
+ set -e
+ set -u
+ 
+-#
+-# With /run/pesign/socket on tmpfs, a simple way of restoring the
+-# acls for specific users is useful
+-#
+-#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
+-#
+-
+ # License: GPLv2
+-declare -a fileusers=()
+-declare -a dirusers=()
+-while read -r user ; do
+-	dirusers[${#dirusers[@]}]=-m
+-	dirusers[${#dirusers[@]}]="u:$user:rwx"
+-	fileusers[${#fileusers[@]}]=-m
+-	fileusers[${#fileusers[@]}]="u:$user:rw"
+-done </etc/pesign/users
+ 
+-declare -a filegroups=()
+-declare -a dirgroups=()
+-while read -r group ; do
+-	dirgroups[${#dirgroups[@]}]=-m
+-	dirgroups[${#dirgroups[@]}]="g:$group:rwx"
+-	filegroups[${#filegroups[@]}]=-m
+-	filegroups[${#filegroups[@]}]="g:$group:rw"
+-done </etc/pesign/groups
+-
+-update_subdir() {
+-	subdir=$1 && shift
+-
+-	setfacl -bk "${subdir}"
+-	setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
+-	for x in "${subdir}"* ; do
+-		if [ -d "${x}" ]; then
+-			setfacl -bk "${x}"
+-			setfacl "${dirusers[@]}" "${dirgroups[@]}" "${x}"
+-			update_subdir "${x}/"
+-		elif [ -e "${x}" ]; then
+-			setfacl -bk "${x}"
+-			setfacl "${fileusers[@]}" "${filegroups[@]}" "${x}"
+-		else
+-			:;
+-		fi
+-	done
+-}
++# This script is deprecated and will be removed in a future release.
+ 
+ sleep 3
+ for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do
+-	if [ -d "${x}" ]; then
+-		update_subdir "${x}"
+-	else
+-		:;
+-	fi
++	chown -R pesign:pesign "${x}" || true
++	chmod -R ug+rwX "${x}" || true
+ done
diff --git a/SOURCES/pesign.patches b/SOURCES/pesign.patches
index d66e14a..e36e17f 100644
--- a/SOURCES/pesign.patches
+++ b/SOURCES/pesign.patches
@@ -3,3 +3,4 @@ Patch0002: 0002-Disable-pragmas-for-warnings-that-are-too-old.patch
 Patch0003: 0003-Add-D_GLIBCXX_ASSERTIONS-to-CPPFLAGS.patch
 Patch0004: 0004-macros.pesign-handle-centos-like-rhel-with-rhelver.patch
 Patch0005: 0005-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch
+Patch0006: 0006-Use-normal-file-permissions-instead-of-ACLs.patch
diff --git a/SPECS/pesign.spec b/SPECS/pesign.spec
index ce3959a..94a6972 100644
--- a/SPECS/pesign.spec
+++ b/SPECS/pesign.spec
@@ -3,7 +3,7 @@
 Name:    pesign
 Summary: Signing utility for UEFI binaries
 Version: 115
-Release: 4%{?dist}
+Release: 6%{?dist}
 License: GPL-2.0-only
 URL:     https://github.com/rhboot/pesign
 
@@ -162,6 +162,14 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
 %{python3_sitelib}/mockbuild/plugins/pesign.*
 
 %changelog
+* Wed Jan 18 2023 Robbie Harwood <rharwood@redhat.com> - 115-6
+- Fix chmod invocation
+- Resolves: CVE-2022-3560
+
+* Wed Jan 18 2023 Robbie Harwood <rharwood@redhat.com> - 115-5
+- Deprecate pesign-authorize and drop ACL use
+- Resolves: CVE-2022-3560
+
 * Mon Apr 04 2022 Robbie Harwood <rharwood@redhat.com>
 - Detect presence of rpm-sign when checking for rhel-ness
 - Resolves: #2044886