diff --git a/rhbz653606,653604.patch b/rhbz653606,653604.patch new file mode 100644 index 0000000..dbd9690 --- /dev/null +++ b/rhbz653606,653604.patch @@ -0,0 +1,115 @@ +diff --git a/runtime/staprun/staprun.c b/runtime/staprun/staprun.c +index d72e335..ca245e3 100644 +--- a/runtime/staprun/staprun.c ++++ b/runtime/staprun/staprun.c +@@ -119,19 +119,7 @@ static int enable_uprobes(void) + if (run_as(0, uid, gid, argv[0], argv) == 0) + return 0; + +- /* +- * TODO: If user can't setresuid to root here, staprun will exit. +- * Is there a situation where that would fail but the subsequent +- * attempt to insert_module() would succeed? +- */ +- dbug(2, "Inserting uprobes module from /lib/modules, if any.\n"); +- i = 0; +- argv[i++] = "/sbin/modprobe"; +- argv[i++] = "-q"; +- argv[i++] = "uprobes"; +- argv[i] = NULL; +- if (run_as(0, 0, 0, argv[0], argv) == 0) +- return 0; ++ /* NB: don't use /sbin/modprobe, without more env. sanitation. */ + + /* This module may be signed, so use insert_module to load it. */ + snprintf (runtimeko, sizeof(runtimeko), "%s/uprobes/uprobes.ko", +@@ -190,9 +178,16 @@ static int remove_module(const char *name, int verb) + return 0; + } + +- /* We could call init_ctl_channel / close_ctl_channel here, as a heuristic +- to determine whether the module is being used by some other stapio process. +- However, delete_module() does basically the same thing. */ ++ /* We call init_ctl_channel/close_ctl_channel to check whether ++ the module is a systemtap-built one (having the right files), ++ and that it's already unattached (because otherwise it'd EBUSY ++ the opens. */ ++ ret = init_ctl_channel (name, 0); ++ if (ret < 0) { ++ err("Error, '%s' is not a zombie systemtap module.\n", name); ++ return ret; ++ } ++ close_ctl_channel (); + + dbug(2, "removing module %s\n", name); + STAP_PROBE1(staprun, remove__module, name); +@@ -227,7 +222,7 @@ int init_staprun(void) + without first removing the kernel module. This would block + a subsequent rerun attempt. So here we gingerly try to + unload it first. */ +- int ret = delete_module (modname, O_NONBLOCK); ++ int ret = remove_module (modname, 0); + err("Retrying, after attempted removal of module %s (rc %d)\n", modname, ret); + /* Then we try an insert a second time. */ + if (insert_stap_module() < 0) +diff --git a/README.security b/README.security +index 124ad8d..998bf3d 100644 +--- a/README.security ++++ b/README.security +@@ -15,7 +15,7 @@ following: + + * the root user; + +- * a member of the 'stapdev' group; or ++ * a member of both 'stapdev' and 'stapusr' groups; or + + * a member of the 'stapusr' group. Members of the stapusr group can + only use modules located in the /lib/modules/VERSION/systemtap +@@ -23,8 +23,8 @@ following: + directory must be owned by root and not be world writable. + + So, there are two classes of users: systemtap developers (the root user +-and members of the stapdev group) and systemtap users (members of the +-stapusr group). Systemtap developers can compile and run any ++and members of the stapdev/stapusr groups) and systemtap users (members of ++only the stapusr group). Systemtap developers can compile and run any + systemtap script. Systemtap users can only run "approved" + pre-compiled modules located in /lib/modules/VERSION/systemtap. + +diff --git a/staprun.8 b/staprun.8 +index f4a5a08..7523031 100644 +--- a/staprun.8 ++++ b/staprun.8 +@@ -205,14 +205,14 @@ structures and potentially private user information. See the + .IR stap (1) + manual page for additional information on safety and security. + .PP +-To increase system security, only the root user and members of the +-.I stapdev +-group can use ++To increase system security, only the root user and members of both ++.I stapdev " and " staprun ++groups can use + .I staprun + to insert systemtap modules (or attach to existing ones). + Members of the + .I stapusr +-group can use ++group only can use + .I staprun + to insert or remove systemtap modules (or attach to existing systemtap modules) + under the following conditions: +diff --git a/runtime/staprun/ctl.c b/runtime/staprun/ctl.c +index 335006e..8baf0db 100644 +--- a/runtime/staprun/ctl.c ++++ b/runtime/staprun/ctl.c +@@ -27,6 +27,9 @@ int init_ctl_channel(const char *name, int verb) + return -2; + } + ++ if (access(buf, R_OK|W_OK) != 0) ++ return -5; ++ + control_channel = open(buf, O_RDWR); + dbug(2, "Opened %s (%d)\n", buf, control_channel); + if (control_channel < 0) { diff --git a/systemtap.spec b/systemtap.spec index 972068a..bc7f08f 100644 --- a/systemtap.spec +++ b/systemtap.spec @@ -16,7 +16,7 @@ Name: systemtap Version: 1.3 -Release: 2%{?dist} +Release: 3%{?dist} # for version, see also configure.ac Summary: Instrumentation System Group: Development/System @@ -24,6 +24,8 @@ License: GPLv2+ URL: http://sourceware.org/systemtap/ Source: ftp://sourceware.org/pub/%{name}/releases/%{name}-%{version}.tar.gz +#Patch1 is elfutils-portability.patch below +Patch2: rhbz653606,653604.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: kernel >= 2.6.9-11 @@ -189,6 +191,7 @@ sleep 1 find . \( -name configure -o -name config.h.in \) -print | xargs touch cd .. %endif +%patch2 -p1 %build @@ -270,10 +273,10 @@ mv $RPM_BUILD_ROOT%{_datadir}/doc/systemtap/examples examples # Fix paths in the example & testsuite scripts find examples testsuite -type f -name '*.stp' -print0 | xargs -0 sed -i -r -e '1s@^#!.+stap@#!%{_bindir}/stap@' -# Because "make install" may install staprun with mode 04111, the +# Because "make install" may install staprun with whatever mode, the # post-processing programs rpmbuild runs won't be able to read it. # So, we change permissions so that they can read it. We'll set the -# permissions back to 04111 in the %files section below. +# permissions back to 04110 in the %files section below. chmod 755 $RPM_BUILD_ROOT%{_bindir}/staprun #install the useful stap-prep script @@ -432,7 +435,7 @@ exit 0 %files runtime %defattr(-,root,root) -%attr(4111,root,root) %{_bindir}/staprun +%attr(4110,root,stapusr) %{_bindir}/staprun %{_bindir}/stap-report %{_bindir}/stap-authorize-signing-cert %{_libexecdir}/%{name}/stapio @@ -511,6 +514,10 @@ exit 0 %changelog +* Tue Nov 16 2010 David Smith - 1.3-3 +- CVE-2010-4170 +- CVE-2010-4171 + * Wed Jul 21 2010 Josh Stone - 1.3-2 - Disable crash on ppc.