Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 37aa18aa68 |
@ -1 +0,0 @@
|
||||
1
|
||||
11
.gitignore
vendored
@ -1,10 +1 @@
|
||||
/yggdrasil-ffb580f55ae91beff78156fdb6a41be8bc049117.tar.gz
|
||||
/yggdrasil-0.3.1.tar.gz
|
||||
/yggdrasil-0.3.2.tar.gz
|
||||
/yggdrasil-0.3.2.tar.xz
|
||||
/yggdrasil-0.4.1.tar.xz
|
||||
/yggdrasil-0.4.2.tar.xz
|
||||
/yggdrasil-0.4.4.tar.xz
|
||||
/yggdrasil-0.4.5.tar.xz
|
||||
/yggdrasil-0.4.6.tar.xz
|
||||
/yggdrasil-0.4.7.tar.xz
|
||||
SOURCES/yggdrasil-0.4.5.tar.xz
|
||||
|
||||
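--- a/.yggdrasil.metadata
+++ b/.yggdrasil.metadata
@@ -0,0 +1 @@
+61c8ea524a5d18abab770e35394a7a1b548a409a SOURCES/yggdrasil-0.4.5.tar.xz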
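Review bot: The digest that pins `SOURCES/yggdrasil-0.4.5.tar.xz` is 40 hex digits, which is the length of a SHA-1, whereas the `sources` file deleted in this same comparison pinned its tarball with SHA512. If the lookaside format only accepts this digest type, the tarball should be checked once against the upstream release's stronger checksum or signature before upload. Recording that check in the commit message would let a later reader confirm the 0.4.5 archive is the upstream one.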
|
||||
@ -0,0 +1,37 @@
|
||||
From 5291b3a84b1b251d27ce0f9aebca4ac56c620dc2 Mon Sep 17 00:00:00 2001
|
||||
From: Jiri Hnidek <jhnidek@redhat.com>
|
||||
Date: Wed, 30 Apr 2025 13:33:17 +0200
|
||||
Subject: [PATCH] fix: Only root user can call use com.redhat.Yggdrasil1
|
||||
|
||||
* Card ID: RHEL-88585
|
||||
* CVE: CVE-2025-3931
|
||||
* Local user was able to dispatch content for any
|
||||
yggdrasil worker using D-Bus method Dispatch().
|
||||
If there was any worker installed and the worker
|
||||
used root user instead some system user, then
|
||||
it could lead to a local privilege escalation
|
||||
* Only root user should be able to call methods in
|
||||
com.redhat.Yggdrasil1 destination
|
||||
* No local user needs to call methods in this destination
|
||||
---
|
||||
data/dbus/yggd.conf.in | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/data/dbus/yggd.conf.in b/data/dbus/yggd.conf.in
|
||||
index 26b2d46..695da5c 100644
|
||||
--- a/data/dbus/yggd.conf.in
|
||||
+++ b/data/dbus/yggd.conf.in
|
||||
@@ -15,8 +15,8 @@
|
||||
<allow send_destination="com.redhat.Yggdrasil1.Dispatcher1" />
|
||||
</policy>
|
||||
|
||||
- <policy context="default">
|
||||
- <!-- Anyone can send messages to the Yggdrasil1 destination. -->
|
||||
+ <policy user="root">
|
||||
+ <!-- Only root can send messages to the Yggdrasil1 destination. -->
|
||||
<allow send_destination="com.redhat.Yggdrasil1" />
|
||||
</policy>
|
||||
</busconfig>
|
||||
--
|
||||
2.47.1
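Review bot: The new `<policy user="root">` block still matches on `send_destination` alone, and the bus evaluates that attribute against the names owned by the receiving connection, not against the name the caller addressed. If yggd owns both `com.redhat.Yggdrasil1` and `com.redhat.Yggdrasil1.Dispatcher1` on one connection (not visible here), the `<allow send_destination="com.redhat.Yggdrasil1.Dispatcher1" />` rule kept as context just above would still admit method calls to that connection from whoever that policy covers. That policy opens outside the hunk, so its subject cannot be confirmed from this page. Pairing each allow rule with a `send_interface` match and having the daemon check the caller's UID in Dispatch() would make the restriction independent of name ownership. A packaging test that calls the method as an unprivileged user and expects an access-denied error would pin the fix.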
|
||||
|
||||
@ -1,8 +1,18 @@
|
||||
## START: Set by rpmautospec
|
||||
## (rpmautospec version 0.6.5)
|
||||
## RPMAUTOSPEC: autorelease, autochangelog
|
||||
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
|
||||
release_number = 3;
|
||||
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
|
||||
print(release_number + base_release_number - 1);
|
||||
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
|
||||
## END: Set by rpmautospec
|
||||
|
||||
%bcond_without check
|
||||
|
||||
# https://github.com/redhatinsights/yggdrasil
|
||||
%global goipath github.com/redhatinsights/yggdrasil
|
||||
Version: 0.4.7
|
||||
Version: 0.4.5
|
||||
%global tag v%{version}
|
||||
|
||||
%gometa -f
|
||||
@ -32,6 +42,8 @@ BuildRequires: pkgconfig(systemd)
|
||||
BuildRequires: pkgconfig(bash-completion)
|
||||
%{?sysusers_requires_compat}
|
||||
|
||||
Patch0: 0001-fix-Only-root-user-can-call-use-com.redhat.Yggdrasil.patch
|
||||
|
||||
%description %{common_description}
|
||||
|
||||
%package devel
|
||||
@ -136,4 +148,88 @@ rm -f %{_unitdir}/rhcd.service
|
||||
%{_unitdir}/com.redhat.Yggdrasil1.Worker1.echo.service
|
||||
|
||||
%changelog
|
||||
%autochangelog
|
||||
## START: Generated by rpmautospec
|
||||
* Thu Jun 26 2025 Alex Burmashev <alexander.burmashev@oracle.com> - 0.4.5-3
|
||||
- Fix CVE-2025-3931
|
||||
|
||||
* Tue Mar 11 2025 Joe VLcek <jvlcek@redhat.com> - 0.4.5-2
|
||||
- Create rhcd.service sym link to yggdrasil.service
|
||||
|
||||
* Mon Feb 03 2025 Link Dupont <link@sub-pop.net> - 0.4.5-1
|
||||
- Update to 0.4.5 (RHEL-77619)
|
||||
|
||||
* Mon Feb 03 2025 Link Dupont <link@sub-pop.net> - 0.4.4-8
|
||||
- Include examples subpackage
|
||||
|
||||
* Thu Nov 07 2024 Link Dupont <link@sub-pop.net> - 0.4.4-7
|
||||
- Include local state dir (RHEL-66427)
|
||||
|
||||
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.4.4-6
|
||||
- Bump release for October 2024 mass rebuild:
|
||||
|
||||
* Tue Oct 08 2024 Link Dupont <link@sub-pop.net> - 0.4.4-4
|
||||
- Add yggdrasil user to rhsm group (RHEL-61735)
|
||||
|
||||
* Tue Sep 24 2024 Link Dupont <link@sub-pop.net> - 0.4.4-3
|
||||
- Use sysusers_create_compat to create users in pre
|
||||
|
||||
* Mon Sep 16 2024 Link Dupont <link@sub-pop.net> - 0.4.4-2
|
||||
- Bump release to rebuild
|
||||
|
||||
* Fri Sep 13 2024 Link Dupont <link@sub-pop.net> - 0.4.4-1
|
||||
- Update to version 0.4.4 (RHEL-56788)
|
||||
|
||||
* Mon Aug 19 2024 Link Dupont <link@sub-pop.net> - 0.4.1-8
|
||||
- Bump release to rebuild package.
|
||||
|
||||
* Tue Aug 06 2024 Link Dupont <link@sub-pop.net> - 0.4.1-7
|
||||
- Don't build gopkg subpackages
|
||||
|
||||
* Tue Aug 06 2024 Link Dupont <link@sub-pop.net> - 0.4.1-6
|
||||
- Rebuild to mitigate CVE-2024-24791 risk (RHEL-47186)
|
||||
|
||||
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.4.1-5
|
||||
- Bump release for June 2024 mass rebuild
|
||||
|
||||
* Fri Jun 07 2024 Link Dupont <link@sub-pop.net> - 0.4.1-4
|
||||
- add gating.yaml
|
||||
|
||||
* Sun Feb 11 2024 Maxwell G <maxwell@gtmx.me> - 0.4.1-3
|
||||
- Rebuild for golang 1.22.0
|
||||
|
||||
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.1-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||
|
||||
* Mon Sep 18 2023 Link Dupont <link@sub-pop.net> - 0.4.1-1
|
||||
- Update to version 0.4.1 (RHBZ#2239102)
|
||||
|
||||
* Wed Aug 09 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 0.3.2-2
|
||||
- Use vendored dependencies in RHEL builds
|
||||
|
||||
* Mon Jul 24 2023 Link Dupont <link@sub-pop.net> - 0.3.2-1
|
||||
- Update to version 0.3.2 (RHBZ#2225230)
|
||||
|
||||
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.1-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
||||
|
||||
* Tue Mar 07 2023 Link Dupont <link@sub-pop.net> - 0.3.1-2
|
||||
- Include D-Bus interface files in devel package
|
||||
|
||||
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.98^1.ffb580f-0.5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||
|
||||
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.98^1.ffb580f-0.4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
||||
|
||||
* Tue Jul 19 2022 Maxwell G <gotmax@e.email> - 0.2.98^1.ffb580f-0.3
|
||||
- Rebuild for CVE-2022-{1705,32148,30631,30633,28131,30635,30632,30630,1962} in
|
||||
golang
|
||||
|
||||
* Sat Jun 18 2022 Robert-André Mauchin <zebob.m@gmail.com> - 0.2.98^1.ffb580f-0.2
|
||||
- Rebuilt for CVE-2022-1996, CVE-2022-24675, CVE-2022-28327, CVE-2022-27191,
|
||||
CVE-2022-29526, CVE-2022-30629
|
||||
|
||||
* Tue Aug 10 2021 Link Dupont <linkdupont@fedoraproject.org> - 0.2.98^1.ffb580f-0.1.20210728gitffb580f
|
||||
- Initial package
|
||||
|
||||
## END: Generated by rpmautospec
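Review bot: The line `Patch0: 0001-fix-Only-root-user-can-call-use-com.redhat.Yggdrasil.patch` only declares the CVE-2025-3931 fix, and the `%prep` section lies outside all three hunks, so nothing visible here shows the patch being applied. With the Go packaging macros, unpacking via `%goprep` typically needs an explicit `%autopatch -p1` (or an `%autosetup`) afterwards. If that step is missing, the 0.4.5-3 build would carry the changelog entry but still ship the old `context="default"` policy. A `%check` step that greps the installed yggd D-Bus policy for `policy user="root"` would catch that. The two `Version:` lines (0.4.7 and 0.4.5) also suggest this branch sits behind the compared one, so any other fixes from 0.4.6 or 0.4.7 are not included unless backported separately.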
|
||||
16
changelog
@ -1,16 +0,0 @@
|
||||
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.98^1.ffb580f-0.5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||
|
||||
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.98^1.ffb580f-0.4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
||||
|
||||
* Tue Jul 19 2022 Maxwell G <gotmax@e.email> - 0.2.98^1.ffb580f-0.3
|
||||
- Rebuild for CVE-2022-{1705,32148,30631,30633,28131,30635,30632,30630,1962} in
|
||||
golang
|
||||
|
||||
* Sat Jun 18 2022 Robert-André Mauchin <zebob.m@gmail.com> - 0.2.98^1.ffb580f-0.2
|
||||
- Rebuilt for CVE-2022-1996, CVE-2022-24675, CVE-2022-28327, CVE-2022-27191,
|
||||
CVE-2022-29526, CVE-2022-30629
|
||||
|
||||
* Tue Aug 10 2021 Link Dupont <linkdupont@fedoraproject.org> - 0.2.98^1.ffb580f-0.1.20210728gitffb580f
|
||||
- Initial package
|
||||
10
gating.yaml
@ -1,10 +0,0 @@
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-10
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
# Disabling until tier 0 tests are added: https://issues.redhat.com/browse/CCT-98
|
||||
# - !PassingTestCaseRule { test_case_name: osci.brew-build.tier0.functional }
|
||||
- !PassingTestCaseRule {test_case_name: rhsmci.brew-build.tier1.functional}
|
||||
|
||||
|
||||
@ -1,5 +0,0 @@
|
||||
summary: Basic smoke test
|
||||
discover:
|
||||
how: fmf
|
||||
execute:
|
||||
how: tmt
|
||||
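--- a/sources
+++ b/sources
@@ -1 +0,0 @@
-SHA512 (yggdrasil-0.4.7.tar.xz) = 7d9de9a4cbdaf108a923794f2ea222f6db57bf185eb4281b1486b56e4c843ca1199c0bb2a2ebb270c5ec86661346148fd0c8dd3448e5d7b78d0bc8e32a99156a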
|
||||
@ -1,3 +0,0 @@
|
||||
summary: Run yggd --help
|
||||
test: /usr/bin/yggd --help
|
||||
duration: 5m
|
||||