update version to 3.4
This commit is contained in:
zgzxx
parent
9d97f5ab49
commit
d9793abc88
@ -1,35 +0,0 @@
|
||||
From 1af808982460ec74a23820dcc4d582bb39e2b223 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Tue, 22 Feb 2022 14:51:42 +0100
|
||||
Subject: [PATCH] newrole: check for crypt(3) failure
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Depending on the implementation crypt(3) can fail either by returning
|
||||
NULL, or returning a pointer to an invalid hash and setting errno.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
policycoreutils/newrole/newrole.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
|
||||
index c99898635..781f99b63 100644
|
||||
--- a/policycoreutils/newrole/newrole.c
|
||||
+++ b/policycoreutils/newrole/newrole.c
|
||||
@@ -368,9 +368,14 @@ static int authenticate_via_shadow_passwd(const char *uname)
|
||||
}
|
||||
|
||||
/* Use crypt() to encrypt user's input password. */
|
||||
+ errno = 0;
|
||||
encrypted_password_s = crypt(unencrypted_password_s,
|
||||
p_shadow_line->sp_pwdp);
|
||||
memset(unencrypted_password_s, 0, strlen(unencrypted_password_s));
|
||||
+ if (errno || !encrypted_password_s) {
|
||||
+ fprintf(stderr, _("Cannot encrypt password.\n"));
|
||||
+ return 0;
|
||||
+ }
|
||||
return (!strcmp(encrypted_password_s, p_shadow_line->sp_pwdp));
|
||||
}
|
||||
#endif /* if/else USE_PAM */
|
||||
@ -1,63 +0,0 @@
|
||||
From c71d14e824e965e42493f5275d90272ab0c6825c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Tue, 22 Feb 2022 14:51:43 +0100
|
||||
Subject: [PATCH] newrole: ensure password memory erasure
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Compiler can optimize calls to memset(3), due to the as-if rule, away if
|
||||
the object is not accessed later on. Use a wrapper using volatile
|
||||
pointers to ensure the memory is guaranteed to be erased. Also erase
|
||||
the encrypted password.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
policycoreutils/newrole/newrole.c | 16 ++++++++++++++--
|
||||
1 file changed, 14 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
|
||||
index 781f99b63..ae37d7253 100644
|
||||
--- a/policycoreutils/newrole/newrole.c
|
||||
+++ b/policycoreutils/newrole/newrole.c
|
||||
@@ -333,6 +333,14 @@ static int read_pam_config(void)
|
||||
|
||||
#define PASSWORD_PROMPT _("Password:") /* prompt for getpass() */
|
||||
|
||||
+static void memzero(void *ptr, size_t size)
|
||||
+{
|
||||
+ volatile unsigned char * volatile p = ptr;
|
||||
+ while (size--) {
|
||||
+ *p++ = '\0';
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/* authenticate_via_shadow_passwd()
|
||||
*
|
||||
* in: uname - the calling user's user name
|
||||
@@ -351,6 +359,7 @@ static int authenticate_via_shadow_passwd(const char *uname)
|
||||
struct spwd *p_shadow_line;
|
||||
char *unencrypted_password_s;
|
||||
char *encrypted_password_s;
|
||||
+ int ret;
|
||||
|
||||
setspent();
|
||||
p_shadow_line = getspnam(uname);
|
||||
@@ -371,12 +380,15 @@ static int authenticate_via_shadow_passwd(const char *uname)
|
||||
errno = 0;
|
||||
encrypted_password_s = crypt(unencrypted_password_s,
|
||||
p_shadow_line->sp_pwdp);
|
||||
- memset(unencrypted_password_s, 0, strlen(unencrypted_password_s));
|
||||
+ memzero(unencrypted_password_s, strlen(unencrypted_password_s));
|
||||
if (errno || !encrypted_password_s) {
|
||||
fprintf(stderr, _("Cannot encrypt password.\n"));
|
||||
return 0;
|
||||
}
|
||||
- return (!strcmp(encrypted_password_s, p_shadow_line->sp_pwdp));
|
||||
+
|
||||
+ ret = !strcmp(encrypted_password_s, p_shadow_line->sp_pwdp);
|
||||
+ memzero(encrypted_password_s, strlen(encrypted_password_s));
|
||||
+ return ret;
|
||||
}
|
||||
#endif /* if/else USE_PAM */
|
||||
|
||||
@ -1,24 +0,0 @@
|
||||
From ac16531b5ab6c40bdf5eae91c8cf7ae25355d61a Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Fri, 1 Apr 2022 15:35:48 +0200
|
||||
Subject: [PATCH] semodule_package: Close leaking fd
|
||||
|
||||
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
|
||||
---
|
||||
semodule-utils/semodule_package/semodule_package.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/semodule-utils/semodule_package/semodule_package.c b/semodule-utils/semodule_package/semodule_package.c
|
||||
index 3515234e..bc8584b5 100644
|
||||
--- a/semodule-utils/semodule_package/semodule_package.c
|
||||
+++ b/semodule-utils/semodule_package/semodule_package.c
|
||||
@@ -73,6 +73,7 @@ static int file_to_data(const char *path, char **data, size_t * len)
|
||||
goto err;
|
||||
}
|
||||
if (!sb.st_size) {
|
||||
+ close(fd);
|
||||
*len = 0;
|
||||
return 0;
|
||||
}
|
||||
--
|
||||
2.23.0
|
||||
@ -15,8 +15,8 @@ index 8f5926a..21a1152 100755
|
||||
shift
|
||||
LogReadOnly
|
||||
for m in `echo $FILESYSTEMSRW`; do
|
||||
- find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f -
|
||||
+ find $m -mount -newermt "$DATE" -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f -
|
||||
- find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} ${THREADS} $* -i -0 -f -
|
||||
+ find $m -mount -newermt "$DATE" -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} ${THREADS} $* -i -0 -f -
|
||||
done;
|
||||
}
|
||||
|
||||
|
||||
Binary file not shown.
BIN
policycoreutils-3.4.tar.gz
Normal file
BIN
policycoreutils-3.4.tar.gz
Normal file
Binary file not shown.
@ -2,8 +2,8 @@
|
||||
%bcond_with sandbox
|
||||
|
||||
Name: policycoreutils
|
||||
Version: 3.3
|
||||
Release: 3
|
||||
Version: 3.4
|
||||
Release: 1
|
||||
Summary: Policy core utilities of selinux
|
||||
License: GPLv2
|
||||
URL: https://github.com/SELinuxProject
|
||||
@ -16,15 +16,12 @@ Source11: selinux-autorelabel-generator.sh
|
||||
|
||||
Patch0: fix-fixfiles-N-date-function.patch
|
||||
Patch1: fix-fixfiles-N-date-function-two.patch
|
||||
Patch2: backport-newrole-check-for-crypt-3-failure.patch
|
||||
Patch3: backport-newrole-ensure-password-memory-erasure.patch
|
||||
Patch4: backport-semodule_package-Close-leaking-fd.patch
|
||||
Patch5: backport-python-Split-semanage-import-into-two-transactions.patch
|
||||
Patch6: backport-python-audit2allow-close-file-stream-on-error.patch
|
||||
Patch7: backport-semodule-avoid-toctou-on-output-module.patch
|
||||
Patch2: backport-python-Split-semanage-import-into-two-transactions.patch
|
||||
Patch3: backport-python-audit2allow-close-file-stream-on-error.patch
|
||||
Patch4: backport-semodule-avoid-toctou-on-output-module.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: pam-devel libsepol-static >= 3.3 libsemanage-static >= 3.3 libselinux-devel >= 3.3 libcap-devel audit-libs-devel gettext
|
||||
BuildRequires: pam-devel libsepol-static >= %{version} libsemanage-static >= %{version} libselinux-devel >= %{version} libcap-devel audit-libs-devel gettext
|
||||
BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel python3-devel libcap-ng-devel
|
||||
BuildRequires: systemd systemd-units
|
||||
Requires: libsepol >= 3.3 libselinux-utils util-linux grep gawk diffutils rpm sed coreutils
|
||||
@ -44,7 +41,7 @@ It contains the selinux policy core utilities
|
||||
Summary: python3 utilities for seLinux policy core
|
||||
%{?python_provide:%python_provide python3-policycoreutils}
|
||||
Requires: policycoreutils = %{version}-%{release}
|
||||
Requires: python3-libselinux python3-libsemanage >= 3.3
|
||||
Requires: python3-libselinux python3-libsemanage >= %{version}
|
||||
Requires: audit-libs-python3 >= 2.8.5
|
||||
Requires: python3-IPy
|
||||
Requires: checkpolicy
|
||||
@ -164,6 +161,7 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
|
||||
%py_byte_compile %{__python3} %{buildroot}%{_datadir}/system-config-selinux
|
||||
|
||||
%find_lang policycoreutils
|
||||
%find_lang selinux-python
|
||||
|
||||
%post
|
||||
%systemd_post selinux-autorelabel-mark.service restorecond.service
|
||||
@ -223,7 +221,7 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
|
||||
%dir %{_datadir}/system-config-selinux/__pycache__
|
||||
%{_datadir}/system-config-selinux/__pycache__/selinux_server.*
|
||||
|
||||
%files -n python3-policycoreutils
|
||||
%files -f selinux-python.lang -n python3-policycoreutils
|
||||
%{python3_sitelib}/__pycache__
|
||||
%{python3_sitelib}/sepolgen
|
||||
%dir %{python3_sitelib}/sepolicy
|
||||
@ -262,7 +260,10 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
|
||||
%{_mandir}/*
|
||||
|
||||
%changelog
|
||||
* Thu Dec 1 2022 wanghuizhao <wanghuizhao1@huawei.com> - 3.3-3
|
||||
* Thu Feb 2 2023 zhangguangzhi <zhangguangzhi3@huawei.com> - 3.4-1
|
||||
- update version to 3.4
|
||||
|
||||
* Thu Dec 1 2022 wanghuizhao <wanghuizhao1@huawei.com> - 3.3-4
|
||||
- backport patches from upstream
|
||||
|
||||
* Tue Nov 15 2022 shenxiangwei <shenxiangwei1@huawei.com> - 3.3-3
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user