diff --git a/SOURCES/CVE-2024-23301.patch b/SOURCES/CVE-2024-23301.patch new file mode 100644 index 0000000..e0f441a --- /dev/null +++ b/SOURCES/CVE-2024-23301.patch @@ -0,0 +1,54 @@ +From 7b0e8e2427cf6b10bffb410b66dd02272be3e386 Mon Sep 17 00:00:00 2001 +From: Johannes Meixner +Date: Mon, 8 Jan 2024 14:40:42 +0100 +Subject: [PATCH 1/2] Make initrd accessible only by root + +In pack/GNU/Linux/900_create_initramfs.sh call +chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME" +to let only root access the initrd because +the ReaR recovery system can contain secrets +see https://github.com/rear/rear/issues/3122 +--- + usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh +index 1e0c11039c..5d3f67a84b 100644 +--- a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh ++++ b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh +@@ -125,4 +125,10 @@ case "$REAR_INITRD_COMPRESSION" in + fi + ;; + esac ++ ++# Only root should allowed to access the initrd ++# because the ReaR recovery system can contain secrets ++# cf. https://github.com/rear/rear/issues/3122 ++test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME" ++ + popd >/dev/null + +From 1271257aedaa78e703c140a99f374fcecb48b4fd Mon Sep 17 00:00:00 2001 +From: Johannes Meixner +Date: Mon, 8 Jan 2024 15:57:36 +0100 +Subject: [PATCH 2/2] Update 900_create_initramfs.sh + +Typo fix in comment: +"should allowed" -> "should be allowed" +--- + usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh +index 5d3f67a84b..12be718ed8 100644 +--- a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh ++++ b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh +@@ -126,7 +126,7 @@ case "$REAR_INITRD_COMPRESSION" in + ;; + esac + +-# Only root should allowed to access the initrd ++# Only root should be allowed to access the initrd + # because the ReaR recovery system can contain secrets + # cf. https://github.com/rear/rear/issues/3122 + test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME" diff --git a/SPECS/rear.spec b/SPECS/rear.spec index 9a7d315..7183ad5 100644 --- a/SPECS/rear.spec +++ b/SPECS/rear.spec @@ -3,7 +3,7 @@ Summary: Relax-and-Recover is a Linux disaster recovery and system migration tool Name: rear Version: 2.6 -Release: 10%{?dist} +Release: 11%{?dist}.alma.1 License: GPLv3 Group: Applications/File URL: http://relax-and-recover.org/ @@ -40,6 +40,10 @@ Patch60: rear-luks-key-bz2228779.patch Patch61: rear-uefi-usb-secureboot-bz2196445.patch Patch62: rear-vg-command-not-found-bz2121476.patch +# Patches were taken from: +# https://github.com/rear/rear/pull/3123 +Patch63: CVE-2024-23301.patch + ### Dependencies on all distributions BuildRequires: asciidoc Requires: binutils @@ -140,7 +144,7 @@ if [ $1 -gt 1 ] ; then fi %prep -%setup +%setup %patch4 -p1 %patch29 -p1 %patch30 -p1 @@ -171,6 +175,7 @@ fi %patch60 -p1 %patch61 -p1 %patch62 -p1 +%patch63 -p1 echo "30 1 * * * root test -f /var/lib/rear/layout/disklayout.conf && /usr/sbin/rear checklayout || /usr/sbin/rear mkrescue" >rear.cron @@ -204,6 +209,9 @@ TZ=UTC %{__make} -C doc %{_sbindir}/rear %changelog +* Wed Apr 10 2024 Eduard Abdullin - 2.6-11.alma.1 +- Make initrd accessible only by root (CVE-2024-23301) + * Tue Aug 22 2023 Pavel Cahyna - 2.6-10 - Apply PR 3027 to ensure correct creation of the rescue environment when a file is shrinking while being read @@ -415,7 +423,7 @@ TZ=UTC %{__make} -C doc - Related #1355667 * Mon Feb 20 2017 Jakub Mazanek - 2.00-1 -- Rebase to version 2.00 +- Rebase to version 2.00 - Resolves #1355667 * Tue Jul 19 2016 Petr Hracek - 1.17.2-6