Make initrd accessible only by root
This commit is contained in:
parent
a3fe46d75a
commit
3984d5b59c
54
SOURCES/CVE-2024-23301.patch
Normal file
54
SOURCES/CVE-2024-23301.patch
Normal file
@ -0,0 +1,54 @@
|
||||
From 7b0e8e2427cf6b10bffb410b66dd02272be3e386 Mon Sep 17 00:00:00 2001
|
||||
From: Johannes Meixner <jsmeix@suse.com>
|
||||
Date: Mon, 8 Jan 2024 14:40:42 +0100
|
||||
Subject: [PATCH 1/2] Make initrd accessible only by root
|
||||
|
||||
In pack/GNU/Linux/900_create_initramfs.sh call
|
||||
chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
|
||||
to let only root access the initrd because
|
||||
the ReaR recovery system can contain secrets
|
||||
see https://github.com/rear/rear/issues/3122
|
||||
---
|
||||
usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
|
||||
index 1e0c11039c..5d3f67a84b 100644
|
||||
--- a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
|
||||
+++ b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
|
||||
@@ -125,4 +125,10 @@ case "$REAR_INITRD_COMPRESSION" in
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
+
|
||||
+# Only root should allowed to access the initrd
|
||||
+# because the ReaR recovery system can contain secrets
|
||||
+# cf. https://github.com/rear/rear/issues/3122
|
||||
+test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
|
||||
+
|
||||
popd >/dev/null
|
||||
|
||||
From 1271257aedaa78e703c140a99f374fcecb48b4fd Mon Sep 17 00:00:00 2001
|
||||
From: Johannes Meixner <jsmeix@suse.com>
|
||||
Date: Mon, 8 Jan 2024 15:57:36 +0100
|
||||
Subject: [PATCH 2/2] Update 900_create_initramfs.sh
|
||||
|
||||
Typo fix in comment:
|
||||
"should allowed" -> "should be allowed"
|
||||
---
|
||||
usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
|
||||
index 5d3f67a84b..12be718ed8 100644
|
||||
--- a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
|
||||
+++ b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
|
||||
@@ -126,7 +126,7 @@ case "$REAR_INITRD_COMPRESSION" in
|
||||
;;
|
||||
esac
|
||||
|
||||
-# Only root should allowed to access the initrd
|
||||
+# Only root should be allowed to access the initrd
|
||||
# because the ReaR recovery system can contain secrets
|
||||
# cf. https://github.com/rear/rear/issues/3122
|
||||
test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
|
@ -3,7 +3,7 @@
|
||||
Summary: Relax-and-Recover is a Linux disaster recovery and system migration tool
|
||||
Name: rear
|
||||
Version: 2.6
|
||||
Release: 10%{?dist}
|
||||
Release: 11%{?dist}.alma.1
|
||||
License: GPLv3
|
||||
Group: Applications/File
|
||||
URL: http://relax-and-recover.org/
|
||||
@ -40,6 +40,10 @@ Patch60: rear-luks-key-bz2228779.patch
|
||||
Patch61: rear-uefi-usb-secureboot-bz2196445.patch
|
||||
Patch62: rear-vg-command-not-found-bz2121476.patch
|
||||
|
||||
# Patches were taken from:
|
||||
# https://github.com/rear/rear/pull/3123
|
||||
Patch63: CVE-2024-23301.patch
|
||||
|
||||
### Dependencies on all distributions
|
||||
BuildRequires: asciidoc
|
||||
Requires: binutils
|
||||
@ -140,7 +144,7 @@ if [ $1 -gt 1 ] ; then
|
||||
fi
|
||||
|
||||
%prep
|
||||
%setup
|
||||
%setup
|
||||
%patch4 -p1
|
||||
%patch29 -p1
|
||||
%patch30 -p1
|
||||
@ -171,6 +175,7 @@ fi
|
||||
%patch60 -p1
|
||||
%patch61 -p1
|
||||
%patch62 -p1
|
||||
%patch63 -p1
|
||||
|
||||
echo "30 1 * * * root test -f /var/lib/rear/layout/disklayout.conf && /usr/sbin/rear checklayout || /usr/sbin/rear mkrescue" >rear.cron
|
||||
|
||||
@ -204,6 +209,9 @@ TZ=UTC %{__make} -C doc
|
||||
%{_sbindir}/rear
|
||||
|
||||
%changelog
|
||||
* Wed Apr 10 2024 Eduard Abdullin <eabdullin@almalinux.org> - 2.6-11.alma.1
|
||||
- Make initrd accessible only by root (CVE-2024-23301)
|
||||
|
||||
* Tue Aug 22 2023 Pavel Cahyna <pcahyna@redhat.com> - 2.6-10
|
||||
- Apply PR 3027 to ensure correct creation of the rescue environment
|
||||
when a file is shrinking while being read
|
||||
@ -415,7 +423,7 @@ TZ=UTC %{__make} -C doc
|
||||
- Related #1355667
|
||||
|
||||
* Mon Feb 20 2017 Jakub Mazanek <jmazanek@redhat.com> - 2.00-1
|
||||
- Rebase to version 2.00
|
||||
- Rebase to version 2.00
|
||||
- Resolves #1355667
|
||||
|
||||
* Tue Jul 19 2016 Petr Hracek <phracek@redhat.com> - 1.17.2-6
|
||||
|
Loading…
Reference in New Issue
Block a user