rpms/util-linux
7
0
Fork 0
Code Issues Pull Requests Releases Activity

RHEL-9: 2.37.3-1 (CVEs, uuidd)

Browse Source 
* upgrade to v2.37.3 (this is security update)
* rebase old patches (update subject lines, etc.)
* add uuidd bugfix

Resolves: #2040366 #2032274 #2032273
This commit is contained in:
Karel Zak 2022-01-25 13:09:16 +01:00
parent 891375934c
commit 9912060ab6
11 changed files with 145 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -83,3 +83,4 @@
/util-linux-2.37.tar.xz /util-linux-2.37.tar.xz
/util-linux-2.37.1.tar.xz /util-linux-2.37.1.tar.xz
/util-linux-2.37.2.tar.xz /util-linux-2.37.2.tar.xz
/util-linux-2.37.3.tar.xz

26
0000-login-create-var-log-lastlog.patch Normal file
View File

@ -0,0 +1,26 @@
From 579c49c9ebcea62127b5c3b4ccce82b543bbea21 Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Mon, 20 Jun 2016 11:09:02 +0200
Subject: login: create /var/log/lastlog
Addresses: http://bugzilla.redhat.com/show_bug.cgi?id=151635
---
login-utils/login.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/login-utils/login.c b/login-utils/login.c
index c6cd340b6..3657f04cd 100644
--- a/login-utils/login.c
+++ b/login-utils/login.c
@@ -662,7 +662,7 @@ static void log_lastlog(struct login_context *cxt)
sa.sa_handler = SIG_IGN;
sigaction(SIGXFSZ, &sa, &oldsa_xfsz);
- fd = open(_PATH_LASTLOG, O_RDWR, 0);
+ fd = open(_PATH_LASTLOG, O_RDWR | O_CREAT, 0);
if (fd < 0)
goto done;
offset = cxt->pwd->pw_uid * sizeof(ll);
--
2.34.1

12
0000-login-lastlog-create.patch
View File

@ -1,12 +0,0 @@
diff -up util-linux-2.36/login-utils/login.c.kzak util-linux-2.36/login-utils/login.c
--- util-linux-2.36/login-utils/login.c.kzak 2020-07-23 14:13:26.777030764 +0200
+++ util-linux-2.36/login-utils/login.c 2020-07-23 14:11:22.793686983 +0200
@@ -585,7 +585,7 @@ static void log_lastlog(struct login_con
sa.sa_handler = SIG_IGN;
sigaction(SIGXFSZ, &sa, &oldsa_xfsz);
- fd = open(_PATH_LASTLOG, O_RDWR, 0);
+ fd = open(_PATH_LASTLOG, O_RDWR | O_CREAT, 0);
if (fd < 0)
goto done;
offset = cxt->pwd->pw_uid * sizeof(ll);

17
0001-login-default-motd-file.patch
View File

@ -1,5 +1,17 @@
From dbdd1f385f25da1e7de8ff6ed2481c70d1864b6e Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Tue, 24 Aug 2021 13:50:57 +0200
Subject: login: default motd file
Add `/run/motd.d` to the hardcoded MOTD_FILE
Addresses: https://github.com/coreos/console-login-helper-messages/issues/60
---
include/pathnames.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/pathnames.h b/include/pathnames.h diff --git a/include/pathnames.h b/include/pathnames.h
index 3845d4c33..fac3a0783 100644 index 9be2baa83..7e7d9053f 100644
--- a/include/pathnames.h --- a/include/pathnames.h
+++ b/include/pathnames.h +++ b/include/pathnames.h
@@ -41,7 +41,7 @@ @@ -41,7 +41,7 @@
@ -11,3 +23,6 @@ index 3845d4c33..fac3a0783 100644
#ifndef _PATH_NOLOGIN #ifndef _PATH_NOLOGIN
# define _PATH_NOLOGIN "/etc/nologin" # define _PATH_NOLOGIN "/etc/nologin"
#endif #endif
--
2.34.1

10
0002-tests-make-.-run.sh-more-robust.patch
View File

@ -1,8 +1,12 @@
From 331c5e0c54d9cb6f67dc3e825eec2d78c67d8ce6 Mon Sep 17 00:00:00 2001 From c3e366aea99399767d3e291be7d2adadc0080797 Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com> From: Karel Zak <kzak@redhat.com>
Date: Mon, 23 Aug 2021 15:15:38 +0200 Date: Mon, 23 Aug 2021 15:15:38 +0200
Subject: [PATCH 1/2] tests: make ./run.sh more robust Subject: tests: make ./run.sh more robust
Let's make upstream tests more stable to be usable in RHEL
environment where we do not use ASAN and meson.
Upstream: http://github.com/karelzak/util-linux/commit/331c5e0c54d9cb6f67dc3e825eec2d78c67d8ce6
Signed-off-by: Karel Zak <kzak@redhat.com> Signed-off-by: Karel Zak <kzak@redhat.com>
--- ---
tests/run.sh | 2 +- tests/run.sh | 2 +-
@ -22,5 +26,5 @@ index 9d26406c4..d020bfe88 100755
fi fi
if [ -n "$asan" ]; then if [ -n "$asan" ]; then
-- --
2.31.1 2.34.1

7
0003-tests-make-mount-fstab-all-more-robust.patch
View File

@ -1,8 +1,9 @@
From 85ae61dd6d956e7c9fe2b22b8c46bb1d0bfd13da Mon Sep 17 00:00:00 2001 From 03c5f9718b9c361985c9461700f93a7582a15c94 Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com> From: Karel Zak <kzak@redhat.com>
Date: Mon, 23 Aug 2021 16:28:52 +0200 Date: Mon, 23 Aug 2021 16:28:52 +0200
Subject: [PATCH] tests: make mount/fstab-all more robust Subject: tests: make mount/fstab-all more robust
Upstream: http://github.com/karelzak/util-linux/commit/85ae61dd6d956e7c9fe2b22b8c46bb1d0bfd13da
Signed-off-by: Karel Zak <kzak@redhat.com> Signed-off-by: Karel Zak <kzak@redhat.com>
--- ---
tests/ts/mount/fstab-all | 6 ++++++ tests/ts/mount/fstab-all | 6 ++++++
@ -61,5 +62,5 @@ index acc64e462..6b7018823 100755
[ $? == 0 ] || ts_log "umount failed" [ $? == 0 ] || ts_log "umount failed"
ts_finalize_subtest ts_finalize_subtest
-- --
2.31.1 2.34.1

15
0004-tests-make-eject-umount-tests-more-robust.patch
View File

@ -1,18 +1,19 @@
From abe16d0d34413555fbd621f90a0b93c2105116a2 Mon Sep 17 00:00:00 2001 From 9e9dc7d3ae9a5fdd59ccecf73b2066fe2cdaa3c3 Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com> From: Karel Zak <kzak@redhat.com>
Date: Tue, 24 Aug 2021 10:49:32 +0200 Date: Tue, 24 Aug 2021 10:49:32 +0200
Subject: [PATCH] tests: make eject umount tests more robust Subject: tests: make eject umount tests more robust
Upstream: http://github.com/karelzak/util-linux/commit/abe16d0d34413555fbd621f90a0b93c2105116a2
Signed-off-by: Karel Zak <kzak@redhat.com> Signed-off-by: Karel Zak <kzak@redhat.com>
--- ---
tests/ts/eject/umount | 3 +++ tests/ts/eject/umount | 3 +++
1 file changed, 3 insertions(+) 1 file changed, 3 insertions(+)
diff --git a/tests/ts/eject/umount b/tests/ts/eject/umount diff --git a/tests/ts/eject/umount b/tests/ts/eject/umount
index 0a89b022e..a6d1f251d 100755 index 2be281ee3..04f53ed99 100755
--- a/tests/ts/eject/umount --- a/tests/ts/eject/umount
+++ b/tests/ts/eject/umount +++ b/tests/ts/eject/umount
@@ -84,6 +84,7 @@ mkfs.ext2 -q -F $TS_DEVICE @@ -83,6 +83,7 @@ mkfs.ext2 -q -F $TS_DEVICE
udevadm settle udevadm settle
mkdir -p $TS_MOUNTPOINT mkdir -p $TS_MOUNTPOINT
$TS_CMD_MOUNT $TS_DEVICE $TS_MOUNTPOINT $TS_CMD_MOUNT $TS_DEVICE $TS_MOUNTPOINT
@ -20,7 +21,7 @@ index 0a89b022e..a6d1f251d 100755
$TS_CMD_EJECT --force $TS_DEVICE && ts_log "Success" $TS_CMD_EJECT --force $TS_DEVICE && ts_log "Success"
deinit_device deinit_device
ts_finalize_subtest ts_finalize_subtest
@@ -96,6 +97,7 @@ mkdir -p ${TS_MOUNTPOINT}1 @@ -95,6 +96,7 @@ mkdir -p ${TS_MOUNTPOINT}1
mkdir -p ${TS_MOUNTPOINT}2 mkdir -p ${TS_MOUNTPOINT}2
$TS_CMD_MOUNT ${TS_DEVICE}1 ${TS_MOUNTPOINT}1 $TS_CMD_MOUNT ${TS_DEVICE}1 ${TS_MOUNTPOINT}1
$TS_CMD_MOUNT ${TS_DEVICE}2 ${TS_MOUNTPOINT}2 $TS_CMD_MOUNT ${TS_DEVICE}2 ${TS_MOUNTPOINT}2
@ -28,7 +29,7 @@ index 0a89b022e..a6d1f251d 100755
$TS_CMD_EJECT --force $TS_DEVICE && ts_log "Success" $TS_CMD_EJECT --force $TS_DEVICE && ts_log "Success"
deinit_device deinit_device
ts_finalize_subtest ts_finalize_subtest
@@ -116,6 +118,7 @@ mkdir -p ${TS_MOUNTPOINT}1 @@ -115,6 +117,7 @@ mkdir -p ${TS_MOUNTPOINT}1
mkdir -p ${TS_MOUNTPOINT}2 mkdir -p ${TS_MOUNTPOINT}2
$TS_CMD_MOUNT ${TS_DEVICE}1 ${TS_MOUNTPOINT}1 $TS_CMD_MOUNT ${TS_DEVICE}1 ${TS_MOUNTPOINT}1
$TS_CMD_MOUNT ${TS_DEVICE}2 ${TS_MOUNTPOINT}2 $TS_CMD_MOUNT ${TS_DEVICE}2 ${TS_MOUNTPOINT}2
@ -37,5 +38,5 @@ index 0a89b022e..a6d1f251d 100755
deinit_device deinit_device
ts_finalize_subtest ts_finalize_subtest
-- --
2.31.1 2.34.1

7
0005-Complete-Linux-PAM-compliance-for-forked-child-in-su.patch
View File

@ -1,8 +1,7 @@
From 962d3779ef1502ed234baea309cd75b2c1e2353a Mon Sep 17 00:00:00 2001 From 88da20ee56491fc6c38c26810c95e199f51fb71d Mon Sep 17 00:00:00 2001
From: "Andrew G. Morgan" <morgan@kernel.org> From: "Andrew G. Morgan" <morgan@kernel.org>
Date: Sat, 27 Nov 2021 21:00:22 -0800 Date: Sat, 27 Nov 2021 21:00:22 -0800
Subject: [PATCH] Complete Linux-PAM compliance for forked child in su and Subject: Complete Linux-PAM compliance for forked child in su and login.
login.
As documented here: As documented here:
@ -49,5 +48,5 @@ index afd0ea8ad..7d4826bbc 100644
run_shell(su, shell, command, argv + optind, max(0, argc - optind)); run_shell(su, shell, command, argv + optind, max(0, argc - optind));
-- --
2.31.1 2.34.1

70
0006-uuidd-fix-open-lock-state-issue.patch Normal file
View File

@ -0,0 +1,70 @@
From e2cfe37333d14d1d317d4f22b5e47ce9b86e3347 Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Mon, 24 Jan 2022 14:08:08 +0100
Subject: uuidd: fix open/lock state issue
* warn on open/lock state issue
* enable access to /var/lib/libuuid/, because ProtectSystem=strict make it read-only
openat(AT_FDCWD, "/var/lib/libuuid/clock.txt",
O_RDWR|O_CREAT|O_CLOEXEC, 0660) = -1 EROFS (Read-only file system)
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2040366
Upstream: http://github.com/util-linux/util-linux/commit/f27876f9c1056bf41fd940d5c4990b4277e0024f
Upstream: http://github.com/util-linux/util-linux/commit/417982d0236a12756923d88e627f5e4facf8951c
Signed-off-by: Karel Zak <kzak@redhat.com>
---
misc-utils/uuidd.c | 9 ++++++---
misc-utils/uuidd.service.in | 1 +
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/misc-utils/uuidd.c b/misc-utils/uuidd.c
index fa8db173b..78a37d2e8 100644
--- a/misc-utils/uuidd.c
+++ b/misc-utils/uuidd.c
@@ -494,7 +494,8 @@ static void server_loop(const char *socket_path, const char *pidfile_path,
break;
case UUIDD_OP_TIME_UUID:
num = 1;
- __uuid_generate_time(uu, &num);
+ if (__uuid_generate_time(uu, &num) < 0 && !uuidd_cxt->quiet)
+ warnx(_("failed to open/lock clock counter"));
if (uuidd_cxt->debug) {
uuid_unparse(uu, str);
fprintf(stderr, _("Generated time UUID: %s\n"), str);
@@ -504,7 +505,8 @@ static void server_loop(const char *socket_path, const char *pidfile_path,
break;
case UUIDD_OP_RANDOM_UUID:
num = 1;
- __uuid_generate_random(uu, &num);
+ if (__uuid_generate_time(uu, &num) < 0 && !uuidd_cxt->quiet)
+ warnx(_("failed to open/lock clock counter"));
if (uuidd_cxt->debug) {
uuid_unparse(uu, str);
fprintf(stderr, _("Generated random UUID: %s\n"), str);
@@ -513,7 +515,8 @@ static void server_loop(const char *socket_path, const char *pidfile_path,
reply_len = sizeof(uu);
break;
case UUIDD_OP_BULK_TIME_UUID:
- __uuid_generate_time(uu, &num);
+ if (__uuid_generate_time(uu, &num) < 0 && !uuidd_cxt->quiet)
+ warnx(_("failed to open/lock clock counter"));
if (uuidd_cxt->debug) {
uuid_unparse(uu, str);
fprintf(stderr, P_("Generated time UUID %s "
diff --git a/misc-utils/uuidd.service.in b/misc-utils/uuidd.service.in
index b4c9c4635..e64ca59b5 100644
--- a/misc-utils/uuidd.service.in
+++ b/misc-utils/uuidd.service.in
@@ -18,6 +18,7 @@ ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX
MemoryDenyWriteExecute=yes
+ReadWritePaths=/var/lib/libuuid/
SystemCallFilter=@default @file-system @basic-io @system-service @signal @io-event @network-io
[Install]
--
2.34.1

2
sources
View File

@ -1 +1 @@
SHA512 (util-linux-2.37.2.tar.xz) = 38f0fe820445e3bfa79550e6581c230f98c7661566ccc4daa51c7208a5f972c61b4e57dfc86bed074fdbc7c40bc79f856be8f6a05a8860c1c0cecc4208e8b81d SHA512 (util-linux-2.37.3.tar.xz) = 2303b5c55b1fd932c73b0a079d37e56e10b6a20270b72d0b7e81ec7a6b715b42ebaa336714c3e1722d05e5aa4499f8be17ceaf61bb1341532bf9697c9a2174e9

12
util-linux.spec
View File

@ -1,8 +1,8 @@
### Header ### Header
Summary: A collection of basic system utilities Summary: A collection of basic system utilities
Name: util-linux Name: util-linux
Version: 2.37.2 Version: 2.37.3
Release: 3%{?dist} Release: 1%{?dist}
License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain
URL: http://en.wikipedia.org/wiki/Util-linux URL: http://en.wikipedia.org/wiki/Util-linux
@ -89,7 +89,7 @@ Requires: libfdisk = %{version}-%{release}
Requires: util-linux-core = %{version}-%{release} Requires: util-linux-core = %{version}-%{release}
# 151635 - makeing /var/log/lastlog # 151635 - makeing /var/log/lastlog
Patch0: 0000-login-lastlog-create.patch Patch0: 0000-login-create-var-log-lastlog.patch
# Add `/run/motd.d` to the hardcoded MOTD_FILE # Add `/run/motd.d` to the hardcoded MOTD_FILE
# https://github.com/coreos/console-login-helper-messages/issues/60 # https://github.com/coreos/console-login-helper-messages/issues/60
Patch1: 0001-login-default-motd-file.patch Patch1: 0001-login-default-motd-file.patch
@ -99,6 +99,8 @@ Patch3: 0003-tests-make-mount-fstab-all-more-robust.patch
Patch4: 0004-tests-make-eject-umount-tests-more-robust.patch Patch4: 0004-tests-make-eject-umount-tests-more-robust.patch
# 2037212 - Complete Linux-PAM compliance for forked child in su and login # 2037212 - Complete Linux-PAM compliance for forked child in su and login
Patch5: 0005-Complete-Linux-PAM-compliance-for-forked-child-in-su.patch Patch5: 0005-Complete-Linux-PAM-compliance-for-forked-child-in-su.patch
# 2040366 - uuidd can't access lock/status file
Patch6: 0006-uuidd-fix-open-lock-state-issue.patch
%description %description
@ -949,6 +951,10 @@ fi
%{_libdir}/python*/site-packages/libmount/ %{_libdir}/python*/site-packages/libmount/
%changelog %changelog
* Tue Jan 25 2022 Karel Zak <kzak@redhat.com> 2.37.3-1
- upgrade to v2.37.3 (fix CVE-2021-3996, CVE-2021-3995)
- fix #2040366 - uuidd can't access lock/status file
* Thu Jan 06 2022 Karel Zak <kzak@redhat.com> 2.37.2-3 * Thu Jan 06 2022 Karel Zak <kzak@redhat.com> 2.37.2-3
- fix #2037212 - Complete Linux-PAM compliance for forked child in su and login - fix #2037212 - Complete Linux-PAM compliance for forked child in su and login