rpms/rear
5
0
Fork 0
Code Issues Pull Requests Releases Activity

make initrd accessible only by root

Browse Source 
Resolves: CVE-2024-23301
This commit is contained in:
Lukáš Zaoral 2024-02-06 12:57:19 +01:00
parent 816978a083
commit d5cf14e032
No known key found for this signature in database
GPG Key ID: 39157506DD67752D
2 changed files with 40 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
rear-CVE-2024-23301.patch Normal file
View File

@ -0,0 +1,32 @@
From 89b61793d80bc2cb2abe47a7d0549466fb087d16 Mon Sep 17 00:00:00 2001
From: Johannes Meixner <jsmeix@suse.com>
Date: Fri, 12 Jan 2024 08:04:40 +0100
Subject: [PATCH] Make initrd accessible only by root (#3123)
In pack/GNU/Linux/900_create_initramfs.sh call
chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
to let only 'root' access the ReaR initrd because
the ReaR recovery system in the initrd can contain secrets
(not by default but when certain things are explicitly
configured by the user like SSH keys without passphrase)
see https://github.com/rear/rear/issues/3122
and https://bugzilla.opensuse.org/show_bug.cgi?id=1218728
---
usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
index 1e0c11039..12be718ed 100644
--- a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
+++ b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
@@ -125,4 +125,10 @@ case "$REAR_INITRD_COMPRESSION" in
fi
;;
esac
+
+# Only root should be allowed to access the initrd
+# because the ReaR recovery system can contain secrets
+# cf. https://github.com/rear/rear/issues/3122
+test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
+
popd >/dev/null

9
rear.spec
View File

@ -3,7 +3,7 @@
Name: rear
Version: 2.7
Release: 3%{?dist}
Release: 4%{?dist}
Summary: Relax-and-Recover is a Linux disaster recovery and system migration tool
URL: https://relax-and-recover.org
License: GPL-3.0-only
@ -57,6 +57,10 @@ Patch109: rear-skip-useless-xfs-mount-options-RHEL-10478.patch
# https://github.com/rear/rear/commit/060fef89b6968f0c8f254e6f612eff839b83c057
Patch110: rear-fix-compatibility-with-newer-systemd-bz2254871.patch
# make initrd accessible only by root
# https://github.com/rear/rear/commit/89b61793d80bc2cb2abe47a7d0549466fb087d16
Patch111: rear-CVE-2024-23301.patch
######################
# downstream patches #
######################
@ -195,6 +199,9 @@ install -m 0644 %{SOURCE3} %{buildroot}%{_docdir}/%{name}/
#-- CHANGELOG -----------------------------------------------------------------#
%changelog
* Tue Feb 06 2024 Lukáš Zaoral <lzaoral@redhat.com> - 2.7-4
- make initrd accessible only by root (CVE-2024-23301)
* Tue Feb 06 2024 Lukáš Zaoral <lzaoral@redhat.com> - 2.7-3
- fix unusable recovery with newer systemd (rbhz#2254871)