rpms/rear
7
0
Fork 0
Code Issues Pull Requests Releases Activity

make initrd accessible only by root

Browse Source 
CVE-2024-23301

Upstream PR #3123

Resolves: RHEL-21534
This commit is contained in:
Pavel Cahyna 2024-02-08 16:31:18 +01:00
parent dc6587e57b
commit 3e644809f0
2 changed files with 37 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
rear-CVE-2024-23301.patch Normal file
View File

@ -0,0 +1,32 @@
From 89b61793d80bc2cb2abe47a7d0549466fb087d16 Mon Sep 17 00:00:00 2001
From: Johannes Meixner <jsmeix@suse.com>
Date: Fri, 12 Jan 2024 08:04:40 +0100
Subject: [PATCH] Make initrd accessible only by root (#3123)
In pack/GNU/Linux/900_create_initramfs.sh call
chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
to let only 'root' access the ReaR initrd because
the ReaR recovery system in the initrd can contain secrets
(not by default but when certain things are explicitly
configured by the user like SSH keys without passphrase)
see https://github.com/rear/rear/issues/3122
and https://bugzilla.opensuse.org/show_bug.cgi?id=1218728
---
usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
index 1e0c11039..12be718ed 100644
--- a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
+++ b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
@@ -125,4 +125,10 @@ case "$REAR_INITRD_COMPRESSION" in
fi
;;
esac
+
+# Only root should be allowed to access the initrd
+# because the ReaR recovery system can contain secrets
+# cf. https://github.com/rear/rear/issues/3122
+test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
+
popd >/dev/null

5
rear.spec
View File

@ -42,6 +42,10 @@ Patch62: rear-vg-command-not-found-bz2121476.patch
Patch64: rear-save-lvm-poolmetadatasize-RHEL-6984.patch Patch64: rear-save-lvm-poolmetadatasize-RHEL-6984.patch
Patch65: rear-skip-useless-xfs-mount-options-RHEL-10478.patch Patch65: rear-skip-useless-xfs-mount-options-RHEL-10478.patch
# make initrd accessible only by root
# https://github.com/rear/rear/commit/89b61793d80bc2cb2abe47a7d0549466fb087d16
Patch111: rear-CVE-2024-23301.patch
# Support saving and restoring hybrid BIOS/UEFI bootloader setup and clean up bootloader detection # Support saving and restoring hybrid BIOS/UEFI bootloader setup and clean up bootloader detection
# https://github.com/rear/rear/pull/3145 # https://github.com/rear/rear/pull/3145
Patch113: rear-restore-hybrid-bootloader-RHEL-16864.patch Patch113: rear-restore-hybrid-bootloader-RHEL-16864.patch
@ -179,6 +183,7 @@ fi
%patch62 -p1 %patch62 -p1
%patch64 -p1 %patch64 -p1
%patch65 -p1 %patch65 -p1
%patch111 -p1
%patch113 -p1 %patch113 -p1
echo "30 1 * * * root test -f /var/lib/rear/layout/disklayout.conf && /usr/sbin/rear checklayout || /usr/sbin/rear mkrescue" >rear.cron echo "30 1 * * * root test -f /var/lib/rear/layout/disklayout.conf && /usr/sbin/rear checklayout || /usr/sbin/rear mkrescue" >rear.cron