!33 CVE-2022-3560

From: @phluo Reviewed-by: @caodongxia Signed-off-by: @caodongxia
2023-02-15 10:04:34 +00:00 · 2023-02-15 10:04:34 +00:00 · 0bfe93394f
commit 0bfe93394f
parent cb2e1c01f3 b2bb5c1ac7
2 changed files with 85 additions and 1 deletions
--- a/Fix-CVE-2022-3560.patch
+++ b/Fix-CVE-2022-3560.patch
@ -0,0 +1,80 @@
 From d8a8c259994d0278c59b30b41758a8dd0abff998 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Wed, 18 Jan 2023 14:00:22 -0500
 Subject: [PATCH] Use normal file permissions instead of ACLs
 Fixes a symlink attack that can't be mitigated using getfacl/setfacl.
 pesign-authorize is now deprecated and will be removed in a future
 release.
 Resolves: CVE-2022-3560
 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
 src/pesign-authorize.in | 50 +++--------------------------------------
 1 file changed, 3 insertions(+), 47 deletions(-)
 diff --git a/src/pesign-authorize.in b/src/pesign-authorize.in
 index 69797d5..b4e89e0 100644
 --- a/src/pesign-authorize.in
 +++ b/src/pesign-authorize.in
@@ -2,56 +2,12 @@
 set -e
 set -u
 -#
 -# With /run/pesign/socket on tmpfs, a simple way of restoring the
 -# acls for specific users is useful
 -#
 -#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
 -#
 -
 # License: GPLv2
 -declare -a fileusers=()
 -declare -a dirusers=()
 -while read -r user ; do
 -	dirusers[${#dirusers[@]}]=-m
 -	dirusers[${#dirusers[@]}]="u:$user:rwx"
 -	fileusers[${#fileusers[@]}]=-m
 -	fileusers[${#fileusers[@]}]="u:$user:rw"
 -done </etc/pesign/users
 -
 -declare -a filegroups=()
 -declare -a dirgroups=()
 -while read -r group ; do
 -	dirgroups[${#dirgroups[@]}]=-m
 -	dirgroups[${#dirgroups[@]}]="g:$group:rwx"
 -	filegroups[${#filegroups[@]}]=-m
 -	filegroups[${#filegroups[@]}]="g:$group:rw"
 -done </etc/pesign/groups
 -
 -update_subdir() {
 -	subdir=$1 && shift
 -	setfacl -bk "${subdir}"
 -	setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
 -	for x in "${subdir}"* ; do
 -		if [ -d "${x}" ]; then
 -			setfacl -bk "${x}"
 -			setfacl "${dirusers[@]}" "${dirgroups[@]}" "${x}"
 -			update_subdir "${x}/"
 -		elif [ -e "${x}" ]; then
 -			setfacl -bk "${x}"
 -			setfacl "${fileusers[@]}" "${filegroups[@]}" "${x}"
 -		else
 -			:;
 -		fi
 -	done
 -}
 +# This script is deprecated and will be removed in a future release.
 sleep 3
 for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do
 -	if [ -d "${x}" ]; then
 -		update_subdir "${x}"
 -	else
 -		:;
 -	fi
 +	chown -R pesign:pesign "${x}" || true
 +	chmod -R ug+rwX "${x}" || true
 done
--- a/pesign.spec
+++ b/pesign.spec
@ -2,7 +2,7 @@
 Name:          pesign
 Summary:       Signing utility for UEFI binaries
 Version:       115
-Release:       3
+Release:       4
 License:       GPLv2
 URL:           https://github.com/rhboot/pesign
 Source0:       https://github.com/rhboot/pesign/archive/refs/tags/115.tar.gz
@ -23,6 +23,7 @@ Patch0002:     Bugfix-Free-resources-if-certificate-cannot-be-found.patch
 Patch9000:     Feature-pesign-support-SM3-digest-algorithm.patch
 Patch9001:     Feature-pesign-support-SM2-signature-algorithm.patch
 Patch9002:     Fix-build-error-of-gcc-version-too-low.patch
 Patch9003:     Fix-CVE-2022-3560.patch
 %description
 pesign is a command line tool for manipulating signatures and
@ -99,6 +100,9 @@ exit 0
 %{_mandir}/man*/*
 %changelog
 * Tue Feb 14 2023 luopihui <luopihui@ncti-gba.cn> - 115-4
 - Fix CVE-2022-3560
 * Mon Dec 19 2022 Chenxi Mao <chenxi.mao@suse.com> - 115-3
 - Free resources if certification cannot be found.