From 9912060ab62cf7dab079ac323329b3af3470ad88 Mon Sep 17 00:00:00 2001
From: Karel Zak
Date: Tue, 25 Jan 2022 13:09:16 +0100
Subject: [PATCH] RHEL-9: 2.37.3-1 (CVEs, uuidd)
* upgrade to v2.37.3 (this is security update)
* rebase old patches (update subject lines, etc.)
* add uuidd bugfix
Resolves: #2040366 #2032274 #2032273
---
 .gitignore | 1 +
 0000-login-create-var-log-lastlog.patch | 26 +++++++
 0000-login-lastlog-create.patch | 12 ----
 0001-login-default-motd-file.patch | 17 ++++-
 0002-tests-make-.-run.sh-more-robust.patch | 10 ++-
 ...sts-make-mount-fstab-all-more-robust.patch | 7 +-
 ...-make-eject-umount-tests-more-robust.patch | 15 ++--
 ...AM-compliance-for-forked-child-in-su.patch | 7 +-
 0006-uuidd-fix-open-lock-state-issue.patch | 70 +++++++++++++++++++
 sources | 2 +-
 util-linux.spec | 12 +++-
 11 files changed, 145 insertions(+), 34 deletions(-)
 create mode 100644 0000-login-create-var-log-lastlog.patch
 delete mode 100644 0000-login-lastlog-create.patch
 create mode 100644 0006-uuidd-fix-open-lock-state-issue.patch
diff --git a/.gitignore b/.gitignore
index a72093d..0a82f78 100644
--- a/.gitignore
+++ b/.gitignore
@@ -83,3 +83,4 @@
 /util-linux-2.37.tar.xz
 /util-linux-2.37.1.tar.xz
 /util-linux-2.37.2.tar.xz
+/util-linux-2.37.3.tar.xz
diff --git a/0000-login-create-var-log-lastlog.patch b/0000-login-create-var-log-lastlog.patch
new file mode 100644
index 0000000..da40bf8
--- /dev/null
+++ b/0000-login-create-var-log-lastlog.patch
@@ -0,0 +1,26 @@
+From 579c49c9ebcea62127b5c3b4ccce82b543bbea21 Mon Sep 17 00:00:00 2001
+From: Karel Zak
+Date: Mon, 20 Jun 2016 11:09:02 +0200
+Subject: login: create /var/log/lastlog
+
+Addresses: http://bugzilla.redhat.com/show_bug.cgi?id=151635
+---
+ login-utils/login.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/login-utils/login.c b/login-utils/login.c
+index c6cd340b6..3657f04cd 100644
+--- a/login-utils/login.c
++++ b/login-utils/login.c
+@@ -662,7 +662,7 @@ static void log_lastlog(struct login_context *cxt)
+ sa.sa_handler = SIG_IGN;
+ sigaction(SIGXFSZ, &sa, &oldsa_xfsz);
+
+- fd = open(_PATH_LASTLOG, O_RDWR, 0);
++ fd = open(_PATH_LASTLOG, O_RDWR | O_CREAT, 0);
+ if (fd < 0)
+ goto done;
+ offset = cxt->pwd->pw_uid * sizeof(ll);
+--
+2.34.1
+
diff --git a/0000-login-lastlog-create.patch b/0000-login-lastlog-create.patch
deleted file mode 100644
index e2523d3..0000000
--- a/0000-login-lastlog-create.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up util-linux-2.36/login-utils/login.c.kzak util-linux-2.36/login-utils/login.c
---- util-linux-2.36/login-utils/login.c.kzak 2020-07-23 14:13:26.777030764 +0200
-+++ util-linux-2.36/login-utils/login.c 2020-07-23 14:11:22.793686983 +0200
-@@ -585,7 +585,7 @@ static void log_lastlog(struct login_con
- sa.sa_handler = SIG_IGN;
- sigaction(SIGXFSZ, &sa, &oldsa_xfsz);
-
-- fd = open(_PATH_LASTLOG, O_RDWR, 0);
-+ fd = open(_PATH_LASTLOG, O_RDWR | O_CREAT, 0);
- if (fd < 0)
- goto done;
- offset = cxt->pwd->pw_uid * sizeof(ll);
diff --git a/0001-login-default-motd-file.patch b/0001-login-default-motd-file.patch
index 3670848..fbb97cc 100644
--- a/0001-login-default-motd-file.patch
+++ b/0001-login-default-motd-file.patch
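Review bot: In 0000-login-create-var-log-lastlog.patch the carried-over line `fd = open(_PATH_LASTLOG, O_RDWR | O_CREAT, 0);` in log_lastlog() passes 0 as the creation mode, so when the file is missing it is created with no permission bits at all. A privileged login can presumably still open it, but any unprivileged reader of the lastlog database will not, and nothing in the patch says whether that is intended. I would either pass the mode the package expects for this file or add a comment on that line such as `/* created with mode 0 on purpose; ownership and mode are set by packaging */`. log_lastlog() starts and ends outside the inner hunk, so the later write path is not visible here.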
@@ -1,5 +1,17 @@
+From dbdd1f385f25da1e7de8ff6ed2481c70d1864b6e Mon Sep 17 00:00:00 2001
+From: Karel Zak
+Date: Tue, 24 Aug 2021 13:50:57 +0200
+Subject: login: default motd file
+
+Add `/run/motd.d` to the hardcoded MOTD_FILE
+
+Addresses: https://github.com/coreos/console-login-helper-messages/issues/60
+---
+ include/pathnames.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
 diff --git a/include/pathnames.h b/include/pathnames.h
-index 3845d4c33..fac3a0783 100644
+index 9be2baa83..7e7d9053f 100644
 --- a/include/pathnames.h
 +++ b/include/pathnames.h
 @@ -41,7 +41,7 @@
@@ -11,3 +23,6 @@ index 3845d4c33..fac3a0783 100644
 #ifndef _PATH_NOLOGIN
 # define _PATH_NOLOGIN "/etc/nologin"
 #endif
+--
+2.34.1
+
diff --git a/0002-tests-make-.-run.sh-more-robust.patch b/0002-tests-make-.-run.sh-more-robust.patch
index f6273d6..63427ad 100644
--- a/0002-tests-make-.-run.sh-more-robust.patch
+++ b/0002-tests-make-.-run.sh-more-robust.patch
@@ -1,8 +1,12 @@
-From 331c5e0c54d9cb6f67dc3e825eec2d78c67d8ce6 Mon Sep 17 00:00:00 2001
+From c3e366aea99399767d3e291be7d2adadc0080797 Mon Sep 17 00:00:00 2001
 From: Karel Zak
 Date: Mon, 23 Aug 2021 15:15:38 +0200
-Subject: [PATCH 1/2] tests: make ./run.sh more robust
+Subject: tests: make ./run.sh more robust
+Let's make upstream tests more stable to be usable in RHEL
+environment where we do not use ASAN and meson.
+
+Upstream: http://github.com/karelzak/util-linux/commit/331c5e0c54d9cb6f67dc3e825eec2d78c67d8ce6
 Signed-off-by: Karel Zak
 ---
 tests/run.sh | 2 +-
@@ -22,5 +26,5 @@ index 9d26406c4..d020bfe88 100755
 fi
 if [ -n "$asan" ]; then
 --
-2.31.1
+2.34.1
diff --git a/0003-tests-make-mount-fstab-all-more-robust.patch b/0003-tests-make-mount-fstab-all-more-robust.patch
index a2cfbf1..b9c75bb 100644
--- a/0003-tests-make-mount-fstab-all-more-robust.patch
+++ b/0003-tests-make-mount-fstab-all-more-robust.patch
@@ -1,8 +1,9 @@
-From 85ae61dd6d956e7c9fe2b22b8c46bb1d0bfd13da Mon Sep 17 00:00:00 2001
+From 03c5f9718b9c361985c9461700f93a7582a15c94 Mon Sep 17 00:00:00 2001
 From: Karel Zak
 Date: Mon, 23 Aug 2021 16:28:52 +0200
-Subject: [PATCH] tests: make mount/fstab-all more robust
+Subject: tests: make mount/fstab-all more robust
+Upstream: http://github.com/karelzak/util-linux/commit/85ae61dd6d956e7c9fe2b22b8c46bb1d0bfd13da
 Signed-off-by: Karel Zak
 ---
 tests/ts/mount/fstab-all | 6 ++++++
@@ -61,5 +62,5 @@ index acc64e462..6b7018823 100755
 [ $? == 0 ] || ts_log "umount failed"
 ts_finalize_subtest
 --
-2.31.1
+2.34.1
diff --git a/0004-tests-make-eject-umount-tests-more-robust.patch b/0004-tests-make-eject-umount-tests-more-robust.patch
index 0cfc17a..412dc43 100644
--- a/0004-tests-make-eject-umount-tests-more-robust.patch
+++ b/0004-tests-make-eject-umount-tests-more-robust.patch
@@ -1,18 +1,19 @@
-From abe16d0d34413555fbd621f90a0b93c2105116a2 Mon Sep 17 00:00:00 2001
+From 9e9dc7d3ae9a5fdd59ccecf73b2066fe2cdaa3c3 Mon Sep 17 00:00:00 2001
 From: Karel Zak
 Date: Tue, 24 Aug 2021 10:49:32 +0200
-Subject: [PATCH] tests: make eject umount tests more robust
+Subject: tests: make eject umount tests more robust
+Upstream: http://github.com/karelzak/util-linux/commit/abe16d0d34413555fbd621f90a0b93c2105116a2
 Signed-off-by: Karel Zak
 ---
 tests/ts/eject/umount | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/tests/ts/eject/umount b/tests/ts/eject/umount
-index 0a89b022e..a6d1f251d 100755
+index 2be281ee3..04f53ed99 100755
 --- a/tests/ts/eject/umount
 +++ b/tests/ts/eject/umount
-@@ -84,6 +84,7 @@ mkfs.ext2 -q -F $TS_DEVICE
+@@ -83,6 +83,7 @@ mkfs.ext2 -q -F $TS_DEVICE
 udevadm settle
 mkdir -p $TS_MOUNTPOINT
 $TS_CMD_MOUNT $TS_DEVICE $TS_MOUNTPOINT
@@ -20,7 +21,7 @@ index 0a89b022e..a6d1f251d 100755
 $TS_CMD_EJECT --force $TS_DEVICE && ts_log "Success"
 deinit_device
 ts_finalize_subtest
-@@ -96,6 +97,7 @@ mkdir -p ${TS_MOUNTPOINT}1
+@@ -95,6 +96,7 @@ mkdir -p ${TS_MOUNTPOINT}1
 mkdir -p ${TS_MOUNTPOINT}2
 $TS_CMD_MOUNT ${TS_DEVICE}1 ${TS_MOUNTPOINT}1
 $TS_CMD_MOUNT ${TS_DEVICE}2 ${TS_MOUNTPOINT}2
@@ -28,7 +29,7 @@ index 0a89b022e..a6d1f251d 100755
 $TS_CMD_EJECT --force $TS_DEVICE && ts_log "Success"
 deinit_device
 ts_finalize_subtest
-@@ -116,6 +118,7 @@ mkdir -p ${TS_MOUNTPOINT}1
+@@ -115,6 +117,7 @@ mkdir -p ${TS_MOUNTPOINT}1
 mkdir -p ${TS_MOUNTPOINT}2
 $TS_CMD_MOUNT ${TS_DEVICE}1 ${TS_MOUNTPOINT}1
 $TS_CMD_MOUNT ${TS_DEVICE}2 ${TS_MOUNTPOINT}2
@@ -37,5 +38,5 @@ index 0a89b022e..a6d1f251d 100755
 deinit_device
 ts_finalize_subtest
 --
-2.31.1
+2.34.1
diff --git a/0005-Complete-Linux-PAM-compliance-for-forked-child-in-su.patch b/0005-Complete-Linux-PAM-compliance-for-forked-child-in-su.patch
index 3475745..821463d 100644
--- a/0005-Complete-Linux-PAM-compliance-for-forked-child-in-su.patch
+++ b/0005-Complete-Linux-PAM-compliance-for-forked-child-in-su.patch
@@ -1,8 +1,7 @@
-From 962d3779ef1502ed234baea309cd75b2c1e2353a Mon Sep 17 00:00:00 2001
+From 88da20ee56491fc6c38c26810c95e199f51fb71d Mon Sep 17 00:00:00 2001
 From: "Andrew G. Morgan"
 Date: Sat, 27 Nov 2021 21:00:22 -0800
-Subject: [PATCH] Complete Linux-PAM compliance for forked child in su and
- login.
+Subject: Complete Linux-PAM compliance for forked child in su and login.
 As documented here:
@@ -49,5 +48,5 @@ index afd0ea8ad..7d4826bbc 100644
 run_shell(su, shell, command, argv + optind, max(0, argc - optind));
 --
-2.31.1
+2.34.1
diff --git a/0006-uuidd-fix-open-lock-state-issue.patch b/0006-uuidd-fix-open-lock-state-issue.patch
new file mode 100644
index 0000000..ea085cc
--- /dev/null
+++ b/0006-uuidd-fix-open-lock-state-issue.patch
@@ -0,0 +1,70 @@
+From e2cfe37333d14d1d317d4f22b5e47ce9b86e3347 Mon Sep 17 00:00:00 2001
+From: Karel Zak
+Date: Mon, 24 Jan 2022 14:08:08 +0100
+Subject: uuidd: fix open/lock state issue
+
+* warn on open/lock state issue
+
+* enable access to /var/lib/libuuid/, because ProtectSystem=strict make it read-only
+
+ openat(AT_FDCWD, "/var/lib/libuuid/clock.txt",
+ O_RDWR|O_CREAT|O_CLOEXEC, 0660) = -1 EROFS (Read-only file system)
+
+Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2040366
+Upstream: http://github.com/util-linux/util-linux/commit/f27876f9c1056bf41fd940d5c4990b4277e0024f
+Upstream: http://github.com/util-linux/util-linux/commit/417982d0236a12756923d88e627f5e4facf8951c
+Signed-off-by: Karel Zak
+---
+ misc-utils/uuidd.c | 9 ++++++---
+ misc-utils/uuidd.service.in | 1 +
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/misc-utils/uuidd.c b/misc-utils/uuidd.c
+index fa8db173b..78a37d2e8 100644
+--- a/misc-utils/uuidd.c
++++ b/misc-utils/uuidd.c
+@@ -494,7 +494,8 @@ static void server_loop(const char *socket_path, const char *pidfile_path,
+ break;
+ case UUIDD_OP_TIME_UUID:
+ num = 1;
+- __uuid_generate_time(uu, &num);
++ if (__uuid_generate_time(uu, &num) < 0 && !uuidd_cxt->quiet)
++ warnx(_("failed to open/lock clock counter"));
+ if (uuidd_cxt->debug) {
+ uuid_unparse(uu, str);
+ fprintf(stderr, _("Generated time UUID: %s\n"), str);
+@@ -504,7 +505,8 @@ static void server_loop(const char *socket_path, const char *pidfile_path,
+ break;
+ case UUIDD_OP_RANDOM_UUID:
+ num = 1;
+- __uuid_generate_random(uu, &num);
++ if (__uuid_generate_time(uu, &num) < 0 && !uuidd_cxt->quiet)
++ warnx(_("failed to open/lock clock counter"));
+ if (uuidd_cxt->debug) {
+ uuid_unparse(uu, str);
+ fprintf(stderr, _("Generated random UUID: %s\n"), str);
+@@ -513,7 +515,8 @@ static void server_loop(const char *socket_path, const char *pidfile_path,
+ reply_len = sizeof(uu);
+ break;
+ case UUIDD_OP_BULK_TIME_UUID:
+- __uuid_generate_time(uu, &num);
++ if (__uuid_generate_time(uu, &num) < 0 && !uuidd_cxt->quiet)
++ warnx(_("failed to open/lock clock counter"));
+ if (uuidd_cxt->debug) {
+ uuid_unparse(uu, str);
+ fprintf(stderr, P_("Generated time UUID %s "
+diff --git a/misc-utils/uuidd.service.in b/misc-utils/uuidd.service.in
+index b4c9c4635..e64ca59b5 100644
+--- a/misc-utils/uuidd.service.in
++++ b/misc-utils/uuidd.service.in
+@@ -18,6 +18,7 @@ ProtectKernelModules=yes
+ ProtectControlGroups=yes
+ RestrictAddressFamilies=AF_UNIX
+ MemoryDenyWriteExecute=yes
++ReadWritePaths=/var/lib/libuuid/
+ SystemCallFilter=@default @file-system @basic-io @system-service @signal @io-event @network-io
+
+ [Install]
+--
+2.34.1
+
diff --git a/sources b/sources
index 92733ce..8705cfd 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (util-linux-2.37.2.tar.xz) = 38f0fe820445e3bfa79550e6581c230f98c7661566ccc4daa51c7208a5f972c61b4e57dfc86bed074fdbc7c40bc79f856be8f6a05a8860c1c0cecc4208e8b81d
+SHA512 (util-linux-2.37.3.tar.xz) = 2303b5c55b1fd932c73b0a079d37e56e10b6a20270b72d0b7e81ec7a6b715b42ebaa336714c3e1722d05e5aa4499f8be17ceaf61bb1341532bf9697c9a2174e9
diff --git a/util-linux.spec b/util-linux.spec
index ee061e8..35aefdf 100644
--- a/util-linux.spec
+++ b/util-linux.spec
@@ -1,8 +1,8 @@
 ### Header
 Summary: A collection of basic system utilities
 Name: util-linux
-Version: 2.37.2
-Release: 3%{?dist}
+Version: 2.37.3
+Release: 1%{?dist}
 License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain
 URL: http://en.wikipedia.org/wiki/Util-linux
@@ -89,7 +89,7 @@ Requires: libfdisk = %{version}-%{release}
 Requires: util-linux-core = %{version}-%{release}
 # 151635 - makeing /var/log/lastlog
-Patch0: 0000-login-lastlog-create.patch
+Patch0: 0000-login-create-var-log-lastlog.patch
 # Add `/run/motd.d` to the hardcoded MOTD_FILE
 # https://github.com/coreos/console-login-helper-messages/issues/60
 Patch1: 0001-login-default-motd-file.patch
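Review bot: In 0006-uuidd-fix-open-lock-state-issue.patch, the `case UUIDD_OP_RANDOM_UUID:` branch (inner hunk `@@ -504,7 +505,8 @@`) drops `__uuid_generate_random(uu, &num);` and calls `__uuid_generate_time(uu, &num)` instead, which looks like a copy-and-paste from the two time-UUID branches. As written, a client that asks uuidd for a random UUID gets a clock-based one while the debug message still prints "Generated random UUID"; clock-based UUIDs are built from a timestamp and node identifier, so callers that rely on the value being unguessable lose that property. The branch should keep `__uuid_generate_random(uu, &num);`, with the open/lock warning left only on the UUIDD_OP_TIME_UUID and UUIDD_OP_BULK_TIME_UUID paths. server_loop() begins and ends outside the hunk and the return type of __uuid_generate_random() is not visible here, so confirm it before adding any error check to that call.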
@@ -99,6 +99,8 @@ Patch3: 0003-tests-make-mount-fstab-all-more-robust.patch
 Patch4: 0004-tests-make-eject-umount-tests-more-robust.patch
 # 2037212 - Complete Linux-PAM compliance for forked child in su and login
 Patch5: 0005-Complete-Linux-PAM-compliance-for-forked-child-in-su.patch
+# 2040366 - uuidd can't access lock/status file
+Patch6: 0006-uuidd-fix-open-lock-state-issue.patch
 %description
@@ -949,6 +951,10 @@ fi
 %{_libdir}/python*/site-packages/libmount/
 %changelog
+* Tue Jan 25 2022 Karel Zak 2.37.3-1
+- upgrade to v2.37.3 (fix CVE-2021-3996, CVE-2021-3995)
+- fix #2040366 - uuidd can't access lock/status file
+
 * Thu Jan 06 2022 Karel Zak 2.37.2-3
 - fix #2037212 - Complete Linux-PAM compliance for forked child in su and login