RHEL-9: 2.37.3-1 (CVEs, uuidd)

* upgrade to v2.37.3 (this is security update) * rebase old patches (update subject lines, etc.) * add uuidd bugfix Resolves: #2040366 #2032274 #2032273
2022-01-25 13:09:16 +01:00 · 2022-01-25 13:09:16 +01:00 · 9912060ab6
commit 9912060ab6
parent 891375934c
11 changed files with 145 additions and 34 deletions
--- a/.gitignore
+++ b/.gitignore
@ -83,3 +83,4 @@
 /util-linux-2.37.tar.xz
 /util-linux-2.37.1.tar.xz
 /util-linux-2.37.2.tar.xz
+/util-linux-2.37.3.tar.xz
--- a/0000-login-create-var-log-lastlog.patch
+++ b/0000-login-create-var-log-lastlog.patch
@ -0,0 +1,26 @@
+From 579c49c9ebcea62127b5c3b4ccce82b543bbea21 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 20 Jun 2016 11:09:02 +0200
+Subject: login: create /var/log/lastlog
+
+Addresses: http://bugzilla.redhat.com/show_bug.cgi?id=151635
+---
+ login-utils/login.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/login-utils/login.c b/login-utils/login.c
+index c6cd340b6..3657f04cd 100644
+--- a/login-utils/login.c
+++ b/login-utils/login.c
+@@ -662,7 +662,7 @@ static void log_lastlog(struct login_context *cxt)
+ 	sa.sa_handler = SIG_IGN;
+ 	sigaction(SIGXFSZ, &sa, &oldsa_xfsz);
+ 
+-	fd = open(_PATH_LASTLOG, O_RDWR, 0);
+	fd = open(_PATH_LASTLOG, O_RDWR | O_CREAT, 0);
+ 	if (fd < 0)
+ 		goto done;
+ 	offset = cxt->pwd->pw_uid * sizeof(ll);
+-- 
+2.34.1
+
--- a/0000-login-lastlog-create.patch
+++ b/0000-login-lastlog-create.patch
@ -1,12 +0,0 @@
-diff -up util-linux-2.36/login-utils/login.c.kzak util-linux-2.36/login-utils/login.c
--- util-linux-2.36/login-utils/login.c.kzak	2020-07-23 14:13:26.777030764 +0200
-+++ util-linux-2.36/login-utils/login.c	2020-07-23 14:11:22.793686983 +0200
-@@ -585,7 +585,7 @@ static void log_lastlog(struct login_con
- 	sa.sa_handler = SIG_IGN;
- 	sigaction(SIGXFSZ, &sa, &oldsa_xfsz);
- 
-	fd = open(_PATH_LASTLOG, O_RDWR, 0);
-+	fd = open(_PATH_LASTLOG, O_RDWR | O_CREAT, 0);
- 	if (fd < 0)
- 		goto done;
- 	offset = cxt->pwd->pw_uid * sizeof(ll);
--- a/0001-login-default-motd-file.patch
+++ b/0001-login-default-motd-file.patch
@ -1,5 +1,17 @@
+From dbdd1f385f25da1e7de8ff6ed2481c70d1864b6e Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Tue, 24 Aug 2021 13:50:57 +0200
+Subject: login: default motd file
+
+Add `/run/motd.d` to the hardcoded MOTD_FILE
+
+Addresses: https://github.com/coreos/console-login-helper-messages/issues/60
+---
+ include/pathnames.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
 diff --git a/include/pathnames.h b/include/pathnames.h
-index 3845d4c33..fac3a0783 100644
+index 9be2baa83..7e7d9053f 100644
 --- a/include/pathnames.h
 +++ b/include/pathnames.h
@@ -41,7 +41,7 @@
@ -11,3 +23,6 @@ index 3845d4c33..fac3a0783 100644
 #ifndef _PATH_NOLOGIN
 # define _PATH_NOLOGIN		"/etc/nologin"
 #endif
+-- 
+2.34.1
+
--- a/0002-tests-make-.-run.sh-more-robust.patch
+++ b/0002-tests-make-.-run.sh-more-robust.patch
@ -1,8 +1,12 @@
-From 331c5e0c54d9cb6f67dc3e825eec2d78c67d8ce6 Mon Sep 17 00:00:00 2001
+From c3e366aea99399767d3e291be7d2adadc0080797 Mon Sep 17 00:00:00 2001
 From: Karel Zak <kzak@redhat.com>
 Date: Mon, 23 Aug 2021 15:15:38 +0200
-Subject: [PATCH 1/2] tests: make ./run.sh more robust
+Subject: tests: make ./run.sh more robust

+Let's make upstream tests more stable to be usable in RHEL
+environment where we do not use ASAN and meson.
+
+Upstream: http://github.com/karelzak/util-linux/commit/331c5e0c54d9cb6f67dc3e825eec2d78c67d8ce6
 Signed-off-by: Karel Zak <kzak@redhat.com>
 ---
 tests/run.sh | 2 +-
@ -22,5 +26,5 @@ index 9d26406c4..d020bfe88 100755
         fi
 	if [ -n "$asan" ]; then
 -- 
-2.31.1
+2.34.1

--- a/0003-tests-make-mount-fstab-all-more-robust.patch
+++ b/0003-tests-make-mount-fstab-all-more-robust.patch
@ -1,8 +1,9 @@
-From 85ae61dd6d956e7c9fe2b22b8c46bb1d0bfd13da Mon Sep 17 00:00:00 2001
+From 03c5f9718b9c361985c9461700f93a7582a15c94 Mon Sep 17 00:00:00 2001
 From: Karel Zak <kzak@redhat.com>
 Date: Mon, 23 Aug 2021 16:28:52 +0200
-Subject: [PATCH] tests: make mount/fstab-all more robust
+Subject: tests: make mount/fstab-all more robust

+Upstream: http://github.com/karelzak/util-linux/commit/85ae61dd6d956e7c9fe2b22b8c46bb1d0bfd13da
 Signed-off-by: Karel Zak <kzak@redhat.com>
 ---
 tests/ts/mount/fstab-all | 6 ++++++
@ -61,5 +62,5 @@ index acc64e462..6b7018823 100755
 [ $? == 0 ] || ts_log "umount failed"
 ts_finalize_subtest
 -- 
-2.31.1
+2.34.1

--- a/0004-tests-make-eject-umount-tests-more-robust.patch
+++ b/0004-tests-make-eject-umount-tests-more-robust.patch
@ -1,18 +1,19 @@
-From abe16d0d34413555fbd621f90a0b93c2105116a2 Mon Sep 17 00:00:00 2001
+From 9e9dc7d3ae9a5fdd59ccecf73b2066fe2cdaa3c3 Mon Sep 17 00:00:00 2001
 From: Karel Zak <kzak@redhat.com>
 Date: Tue, 24 Aug 2021 10:49:32 +0200
-Subject: [PATCH] tests: make eject umount tests more robust
+Subject: tests: make eject umount tests more robust

+Upstream: http://github.com/karelzak/util-linux/commit/abe16d0d34413555fbd621f90a0b93c2105116a2
 Signed-off-by: Karel Zak <kzak@redhat.com>
 ---
 tests/ts/eject/umount | 3 +++
 1 file changed, 3 insertions(+)

 diff --git a/tests/ts/eject/umount b/tests/ts/eject/umount
-index 0a89b022e..a6d1f251d 100755
+index 2be281ee3..04f53ed99 100755
 --- a/tests/ts/eject/umount
 +++ b/tests/ts/eject/umount
-@@ -84,6 +84,7 @@ mkfs.ext2 -q -F $TS_DEVICE
+@@ -83,6 +83,7 @@ mkfs.ext2 -q -F $TS_DEVICE
 udevadm settle
 mkdir -p $TS_MOUNTPOINT
 $TS_CMD_MOUNT $TS_DEVICE $TS_MOUNTPOINT
@ -20,7 +21,7 @@ index 0a89b022e..a6d1f251d 100755
 $TS_CMD_EJECT --force $TS_DEVICE && ts_log "Success"
 deinit_device
 ts_finalize_subtest
-@@ -96,6 +97,7 @@ mkdir -p ${TS_MOUNTPOINT}1
+@@ -95,6 +96,7 @@ mkdir -p ${TS_MOUNTPOINT}1
 mkdir -p ${TS_MOUNTPOINT}2
 $TS_CMD_MOUNT ${TS_DEVICE}1 ${TS_MOUNTPOINT}1
 $TS_CMD_MOUNT ${TS_DEVICE}2 ${TS_MOUNTPOINT}2
@ -28,7 +29,7 @@ index 0a89b022e..a6d1f251d 100755
 $TS_CMD_EJECT --force $TS_DEVICE && ts_log "Success"
 deinit_device
 ts_finalize_subtest
-@@ -116,6 +118,7 @@ mkdir -p ${TS_MOUNTPOINT}1
+@@ -115,6 +117,7 @@ mkdir -p ${TS_MOUNTPOINT}1
 mkdir -p ${TS_MOUNTPOINT}2
 $TS_CMD_MOUNT ${TS_DEVICE}1 ${TS_MOUNTPOINT}1
 $TS_CMD_MOUNT ${TS_DEVICE}2 ${TS_MOUNTPOINT}2
@ -37,5 +38,5 @@ index 0a89b022e..a6d1f251d 100755
 deinit_device
 ts_finalize_subtest
 -- 
-2.31.1
+2.34.1

--- a/0005-Complete-Linux-PAM-compliance-for-forked-child-in-su.patch
+++ b/0005-Complete-Linux-PAM-compliance-for-forked-child-in-su.patch
@ -1,8 +1,7 @@
-From 962d3779ef1502ed234baea309cd75b2c1e2353a Mon Sep 17 00:00:00 2001
+From 88da20ee56491fc6c38c26810c95e199f51fb71d Mon Sep 17 00:00:00 2001
 From: "Andrew G. Morgan" <morgan@kernel.org>
 Date: Sat, 27 Nov 2021 21:00:22 -0800
-Subject: [PATCH] Complete Linux-PAM compliance for forked child in su and
- login.
+Subject: Complete Linux-PAM compliance for forked child in su and login.

 As documented here:

@ -49,5 +48,5 @@ index afd0ea8ad..7d4826bbc 100644
 		run_shell(su, shell, command, argv + optind, max(0, argc - optind));
 
 -- 
-2.31.1
+2.34.1

--- a/0006-uuidd-fix-open-lock-state-issue.patch
+++ b/0006-uuidd-fix-open-lock-state-issue.patch
@ -0,0 +1,70 @@
+From e2cfe37333d14d1d317d4f22b5e47ce9b86e3347 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 24 Jan 2022 14:08:08 +0100
+Subject: uuidd: fix open/lock state issue
+
+* warn on open/lock state issue
+
+* enable access to /var/lib/libuuid/, because ProtectSystem=strict make it read-only
+
+  openat(AT_FDCWD, "/var/lib/libuuid/clock.txt",
+     O_RDWR|O_CREAT|O_CLOEXEC, 0660) = -1 EROFS (Read-only file system)
+
+Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2040366
+Upstream: http://github.com/util-linux/util-linux/commit/f27876f9c1056bf41fd940d5c4990b4277e0024f
+Upstream: http://github.com/util-linux/util-linux/commit/417982d0236a12756923d88e627f5e4facf8951c
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ misc-utils/uuidd.c          | 9 ++++++---
+ misc-utils/uuidd.service.in | 1 +
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/misc-utils/uuidd.c b/misc-utils/uuidd.c
+index fa8db173b..78a37d2e8 100644
+--- a/misc-utils/uuidd.c
+++ b/misc-utils/uuidd.c
+@@ -494,7 +494,8 @@ static void server_loop(const char *socket_path, const char *pidfile_path,
+ 			break;
+ 		case UUIDD_OP_TIME_UUID:
+ 			num = 1;
+-			__uuid_generate_time(uu, &num);
+			if (__uuid_generate_time(uu, &num) < 0 && !uuidd_cxt->quiet)
+				warnx(_("failed to open/lock clock counter"));
+ 			if (uuidd_cxt->debug) {
+ 				uuid_unparse(uu, str);
+ 				fprintf(stderr, _("Generated time UUID: %s\n"), str);
+@@ -504,7 +505,8 @@ static void server_loop(const char *socket_path, const char *pidfile_path,
+ 			break;
+ 		case UUIDD_OP_RANDOM_UUID:
+ 			num = 1;
+-			__uuid_generate_random(uu, &num);
+			if (__uuid_generate_time(uu, &num) < 0 && !uuidd_cxt->quiet)
+				warnx(_("failed to open/lock clock counter"));
+ 			if (uuidd_cxt->debug) {
+ 				uuid_unparse(uu, str);
+ 				fprintf(stderr, _("Generated random UUID: %s\n"), str);
+@@ -513,7 +515,8 @@ static void server_loop(const char *socket_path, const char *pidfile_path,
+ 			reply_len = sizeof(uu);
+ 			break;
+ 		case UUIDD_OP_BULK_TIME_UUID:
+-			__uuid_generate_time(uu, &num);
+			if (__uuid_generate_time(uu, &num) < 0 && !uuidd_cxt->quiet)
+				warnx(_("failed to open/lock clock counter"));
+ 			if (uuidd_cxt->debug) {
+ 				uuid_unparse(uu, str);
+ 				fprintf(stderr, P_("Generated time UUID %s "
+diff --git a/misc-utils/uuidd.service.in b/misc-utils/uuidd.service.in
+index b4c9c4635..e64ca59b5 100644
+--- a/misc-utils/uuidd.service.in
+++ b/misc-utils/uuidd.service.in
+@@ -18,6 +18,7 @@ ProtectKernelModules=yes
+ ProtectControlGroups=yes
+ RestrictAddressFamilies=AF_UNIX
+ MemoryDenyWriteExecute=yes
+ReadWritePaths=/var/lib/libuuid/
+ SystemCallFilter=@default @file-system @basic-io @system-service @signal @io-event @network-io
+ 
+ [Install]
+-- 
+2.34.1
+
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (util-linux-2.37.2.tar.xz) = 38f0fe820445e3bfa79550e6581c230f98c7661566ccc4daa51c7208a5f972c61b4e57dfc86bed074fdbc7c40bc79f856be8f6a05a8860c1c0cecc4208e8b81d
+SHA512 (util-linux-2.37.3.tar.xz) = 2303b5c55b1fd932c73b0a079d37e56e10b6a20270b72d0b7e81ec7a6b715b42ebaa336714c3e1722d05e5aa4499f8be17ceaf61bb1341532bf9697c9a2174e9
--- a/util-linux.spec
+++ b/util-linux.spec
@ -1,8 +1,8 @@
 ### Header
 Summary: A collection of basic system utilities
 Name: util-linux
-Version: 2.37.2
-Release: 3%{?dist}
+Version: 2.37.3
+Release: 1%{?dist}
 License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain
 URL: http://en.wikipedia.org/wiki/Util-linux

@ -89,7 +89,7 @@ Requires: libfdisk = %{version}-%{release}
 Requires: util-linux-core = %{version}-%{release}

 # 151635 - makeing /var/log/lastlog
-Patch0: 0000-login-lastlog-create.patch
+Patch0: 0000-login-create-var-log-lastlog.patch
 # Add `/run/motd.d` to the hardcoded MOTD_FILE
 # https://github.com/coreos/console-login-helper-messages/issues/60
 Patch1: 0001-login-default-motd-file.patch
@ -99,6 +99,8 @@ Patch3: 0003-tests-make-mount-fstab-all-more-robust.patch
 Patch4: 0004-tests-make-eject-umount-tests-more-robust.patch
 # 2037212 - Complete Linux-PAM compliance for forked child in su and login
 Patch5: 0005-Complete-Linux-PAM-compliance-for-forked-child-in-su.patch
+# 2040366 - uuidd can't access lock/status file
+Patch6: 0006-uuidd-fix-open-lock-state-issue.patch


 %description
@ -949,6 +951,10 @@ fi
 %{_libdir}/python*/site-packages/libmount/

 %changelog
+* Tue Jan 25 2022 Karel Zak <kzak@redhat.com> 2.37.3-1
+- upgrade to v2.37.3 (fix CVE-2021-3996, CVE-2021-3995)
+- fix #2040366 - uuidd can't access lock/status file
+
 * Thu Jan 06 2022 Karel Zak <kzak@redhat.com> 2.37.2-3
 - fix #2037212 - Complete Linux-PAM compliance for forked child in su and login