Added fix for CVE-2018-7169.
Change-Id: Ibf255a1305ec6538615b078bd09e2f6a99dc6637
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5428
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,135 @@ |
0 |
+--- a/src/newgidmap.c 2018-07-31 05:56:46.642785135 +0530 |
|
1 |
+@@ -46,32 +46,36 @@ |
|
2 |
+ */ |
|
3 |
+ const char *Prog; |
|
4 |
+ |
|
5 |
+-static bool verify_range(struct passwd *pw, struct map_range *range) |
|
6 |
++static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups) |
|
7 |
+ { |
|
8 |
+ /* An empty range is invalid */ |
|
9 |
+ if (range->count == 0) |
|
10 |
+ return false; |
|
11 |
+ |
|
12 |
+- /* Test /etc/subgid */ |
|
13 |
+- if (have_sub_gids(pw->pw_name, range->lower, range->count)) |
|
14 |
++ /* Test /etc/subgid. If the mapping is valid then we allow setgroups. */ |
|
15 |
++ if (have_sub_gids(pw->pw_name, range->lower, range->count)) { |
|
16 |
++ *allow_setgroups = true; |
|
17 |
+ return true; |
|
18 |
++ } |
|
19 |
+ |
|
20 |
+ /* Allow a process to map it's own gid */ |
|
21 |
+- if ((range->count == 1) && (pw->pw_gid == range->lower)) |
|
22 |
++ if ((range->count == 1) && (pw->pw_gid == range->lower)) { |
|
23 |
++ /* noop -- if setgroups is enabled already we won't disable it. */ |
|
24 |
+ return true; |
|
25 |
++ } |
|
26 |
+ |
|
27 |
+ return false; |
|
28 |
+ } |
|
29 |
+ |
|
30 |
+ static void verify_ranges(struct passwd *pw, int ranges, |
|
31 |
+- struct map_range *mappings) |
|
32 |
++ struct map_range *mappings, bool *allow_setgroups) |
|
33 |
+ { |
|
34 |
+ struct map_range *mapping; |
|
35 |
+ int idx; |
|
36 |
+ |
|
37 |
+ mapping = mappings; |
|
38 |
+ for (idx = 0; idx < ranges; idx++, mapping++) { |
|
39 |
+- if (!verify_range(pw, mapping)) { |
|
40 |
++ if (!verify_range(pw, mapping, allow_setgroups)) { |
|
41 |
+ fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"), |
|
42 |
+ Prog, |
|
43 |
+ mapping->upper, |
|
44 |
+@@ -83,6 +87,70 @@ static void verify_ranges(struct passwd |
|
45 |
+ } |
|
46 |
+ } |
|
47 |
+ |
|
48 |
++void write_setgroups(int proc_dir_fd, bool allow_setgroups) |
|
49 |
++{ |
|
50 |
++ int setgroups_fd; |
|
51 |
++ char *policy, policy_buffer[4096]; |
|
52 |
++ |
|
53 |
++ /* |
|
54 |
++ * Default is "deny", and any "allow" will out-rank a "deny". We don't |
|
55 |
++ * forcefully write an "allow" here because the process we are writing |
|
56 |
++ * mappings for may have already set themselves to "deny" (and "allow" |
|
57 |
++ * is the default anyway). So allow_setgroups == true is a noop. |
|
58 |
++ */ |
|
59 |
++ policy = "deny\n"; |
|
60 |
++ if (allow_setgroups) |
|
61 |
++ return; |
|
62 |
++ |
|
63 |
++ setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC); |
|
64 |
++ if (setgroups_fd < 0) { |
|
65 |
++ /* |
|
66 |
++ * If it's an ENOENT then we are on too old a kernel for the setgroups |
|
67 |
++ * code to exist. Emit a warning and bail on this. |
|
68 |
++ */ |
|
69 |
++ if (ENOENT == errno) { |
|
70 |
++ fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog); |
|
71 |
++ goto out; |
|
72 |
++ } |
|
73 |
++ fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"), |
|
74 |
++ Prog, |
|
75 |
++ strerror(errno)); |
|
76 |
++ exit(EXIT_FAILURE); |
|
77 |
++ } |
|
78 |
++ |
|
79 |
++ /* |
|
80 |
++ * Check whether the policy is already what we want. /proc/self/setgroups |
|
81 |
++ * is write-once, so attempting to write after it's already written to will |
|
82 |
++ * fail. |
|
83 |
++ */ |
|
84 |
++ if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) { |
|
85 |
++ fprintf(stderr, _("%s: failed to read setgroups: %s\n"), |
|
86 |
++ Prog, |
|
87 |
++ strerror(errno)); |
|
88 |
++ exit(EXIT_FAILURE); |
|
89 |
++ } |
|
90 |
++ if (!strncmp(policy_buffer, policy, strlen(policy))) |
|
91 |
++ goto out; |
|
92 |
++ |
|
93 |
++ /* Write the policy. */ |
|
94 |
++ if (lseek(setgroups_fd, 0, SEEK_SET) < 0) { |
|
95 |
++ fprintf(stderr, _("%s: failed to seek setgroups: %s\n"), |
|
96 |
++ Prog, |
|
97 |
++ strerror(errno)); |
|
98 |
++ exit(EXIT_FAILURE); |
|
99 |
++ } |
|
100 |
++ if (dprintf(setgroups_fd, "%s", policy) < 0) { |
|
101 |
++ fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"), |
|
102 |
++ Prog, |
|
103 |
++ policy, |
|
104 |
++ strerror(errno)); |
|
105 |
++ exit(EXIT_FAILURE); |
|
106 |
++ } |
|
107 |
++ |
|
108 |
++out: |
|
109 |
++ close(setgroups_fd); |
|
110 |
++} |
|
111 |
++ |
|
112 |
+ static void usage(void) |
|
113 |
+ { |
|
114 |
+ fprintf(stderr, _("usage: %s <pid> <gid> <lowergid> <count> [ <gid> <lowergid> <count> ] ... \n"), Prog); |
|
115 |
+@@ -103,6 +171,7 @@ int main(int argc, char **argv) |
|
116 |
+ struct stat st; |
|
117 |
+ struct passwd *pw; |
|
118 |
+ int written; |
|
119 |
++ bool allow_setgroups = false; |
|
120 |
+ |
|
121 |
+ Prog = Basename (argv[0]); |
|
122 |
+ |
|
123 |
+@@ -174,8 +243,9 @@ int main(int argc, char **argv) |
|
124 |
+ if (!mappings) |
|
125 |
+ usage(); |
|
126 |
+ |
|
127 |
+- verify_ranges(pw, ranges, mappings); |
|
128 |
++ verify_ranges(pw, ranges, mappings, &allow_setgroups); |
|
129 |
+ |
|
130 |
++ write_setgroups(proc_dir_fd, allow_setgroups); |
|
131 |
+ write_mapping(proc_dir_fd, ranges, mappings, "gid_map"); |
|
132 |
+ sub_gid_close(); |
|
133 |
+ |
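Review bot: The read of the setgroups file in write_setgroups discards the byte count and then compares policy_buffer with strncmp without NUL-terminating it, so a short or empty read lets strncmp run over uninitialized stack bytes; read into `sizeof(policy_buffer) - 1`, keep the `ssize_t n` result, and add `policy_buffer[n] = '\0';` before the comparison. The ENOENT branch also jumps to `out:` while setgroups_fd is still -1, so `close(-1)` is executed; a plain `return;` there avoids the spurious EBADF. The header comment opens with "Default is "deny"" (meaning the local policy value) and two lines later says "allow" is the default (meaning the kernel's), which reads as a contradiction and is worth rewording as `Our policy defaults to "deny"; the kernel's setgroups default is "allow"`. write_setgroups is fully visible in this hunk, while the verify_ranges and main edits are cut at their inner hunk boundaries.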
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: Programs for handling passwords in a secure way |
2 | 2 |
Name: shadow |
3 | 3 |
Version: 4.2.1 |
4 |
-Release: 15%{?dist} |
|
4 |
+Release: 16%{?dist} |
|
5 | 5 |
URL: http://pkg-shadow.alioth.debian.org/ |
6 | 6 |
License: BSD |
7 | 7 |
Group: Applications/System |
... | ... |
@@ -23,6 +23,7 @@ Source11: system-session |
23 | 23 |
Patch0: chkname-allowcase.patch |
24 | 24 |
Patch1: shadow-4.2.1-CVE-2016-6252-fix.patch |
25 | 25 |
Patch2: shadow-4.2.1-CVE-2017-12424.patch |
26 |
+Patch3: shadow-4.2.1-CVE-2018-7169.patch |
|
26 | 27 |
BuildRequires: cracklib |
27 | 28 |
BuildRequires: cracklib-devel |
28 | 29 |
Requires: cracklib |
... | ... |
@@ -53,6 +54,7 @@ These are the additional language files of shadow. |
53 | 53 |
%patch0 -p1 |
54 | 54 |
%patch1 -p1 |
55 | 55 |
%patch2 -p1 |
56 |
+%patch3 -p1 |
|
56 | 57 |
sed -i 's/groups$(EXEEXT) //' src/Makefile.in |
57 | 58 |
find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; |
58 | 59 |
sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \ |
... | ... |
@@ -169,6 +171,8 @@ make %{?_smp_mflags} check |
169 | 169 |
%defattr(-,root,root) |
170 | 170 |
|
171 | 171 |
%changelog |
172 |
+* Mon Jul 30 2018 Tapas Kundu <tkundu@vmware.com> 4.2.1-16 |
|
173 |
+- Added fix for CVE-2018-7169 |
|
172 | 174 |
* Fri Apr 20 2018 Alexey Makhalov <amakhalov@vmware.com> 4.2.1-15 |
173 | 175 |
- Move pam.d config file to here for better tracking. |
174 | 176 |
- Add pam_loginuid module as optional in a session. |