packages/rear
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2024-23301

Browse Source
This commit is contained in:
wk333 2024-01-15 14:48:59 +08:00
parent 7ddd69488a
commit 7fd1501e7e
2 changed files with 39 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
CVE-2024-23301.patch Normal file
View File

@ -0,0 +1,34 @@
From 89b61793d80bc2cb2abe47a7d0549466fb087d16 Mon Sep 17 00:00:00 2001
From: Johannes Meixner <jsmeix@suse.com>
Date: Fri, 12 Jan 2024 08:04:40 +0100
Subject: [PATCH] Make initrd accessible only by root (#3123)
Origin: https://github.com/rear/rear/commit/89b61793d80bc2cb2abe47a7d0549466fb087d16
In pack/GNU/Linux/900_create_initramfs.sh call
chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
to let only 'root' access the ReaR initrd because
the ReaR recovery system in the initrd can contain secrets
(not by default but when certain things are explicitly
configured by the user like SSH keys without passphrase)
see https://github.com/rear/rear/issues/3122
and https://bugzilla.opensuse.org/show_bug.cgi?id=1218728
---
usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
index 1e0c11039..12be718ed 100644
--- a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
+++ b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
@@ -125,4 +125,10 @@ case "$REAR_INITRD_COMPRESSION" in
fi
;;
esac
+
+# Only root should be allowed to access the initrd
+# because the ReaR recovery system can contain secrets
+# cf. https://github.com/rear/rear/issues/3122
+test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
+
popd >/dev/null

6
rear.spec
View File

@ -2,7 +2,7 @@
Name: rear Name: rear
Version: 2.7 Version: 2.7
Release: 1 Release: 2
License: GPLv3 License: GPLv3
Summary: Relax-and-Recover is a setup-and-forget Linux bare metal disaster recovery solution Summary: Relax-and-Recover is a setup-and-forget Linux bare metal disaster recovery solution
URL: http://relax-and-recover.org/ URL: http://relax-and-recover.org/
@ -11,6 +11,7 @@ Source0: https://github.com/rear/rear/archive/refs/tags/%{version}.tar.gz
Source1: rear.cron Source1: rear.cron
Source2: rear.service Source2: rear.service
Source3: rear.timer Source3: rear.timer
Patch0: CVE-2024-23301.patch
ExclusiveArch: x86_64 loongarch64 ExclusiveArch: x86_64 loongarch64
Requires: binutils ethtool gzip iputils parted tar openssl gawk attr bc crontabs iproute Requires: binutils ethtool gzip iputils parted tar openssl gawk attr bc crontabs iproute
Requires: genisoimage util-linux Requires: genisoimage util-linux
@ -72,6 +73,9 @@ rm -rf %{buildroot}
%doc %{_mandir}/man8/rear.8* %doc %{_mandir}/man8/rear.8*
%changelog %changelog
* Mon Jan 15 2024 wangkai <13474090681@163.com> - 2.7-2
- Fix CVE-2024-23301
* Thu Jan 04 2024 Paul Thomas <paulthomas100199@gmail.com> - 2.7-1 * Thu Jan 04 2024 Paul Thomas <paulthomas100199@gmail.com> - 2.7-1
- update to version 2.7 - update to version 2.7