packages/rear
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!13 Fix CVE-2024-23301

Browse Source 
From: @wk333 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge
This commit is contained in:
openeuler-ci-bot 2024-01-15 08:05:00 +00:00 committed by Gitee
commit af1bdded24
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 39 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
CVE-2024-23301.patch Normal file
View File

@ -0,0 +1,34 @@
From 89b61793d80bc2cb2abe47a7d0549466fb087d16 Mon Sep 17 00:00:00 2001
From: Johannes Meixner <jsmeix@suse.com>
Date: Fri, 12 Jan 2024 08:04:40 +0100
Subject: [PATCH] Make initrd accessible only by root (#3123)
Origin: https://github.com/rear/rear/commit/89b61793d80bc2cb2abe47a7d0549466fb087d16
In pack/GNU/Linux/900_create_initramfs.sh call
chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
to let only 'root' access the ReaR initrd because
the ReaR recovery system in the initrd can contain secrets
(not by default but when certain things are explicitly
configured by the user like SSH keys without passphrase)
see https://github.com/rear/rear/issues/3122
and https://bugzilla.opensuse.org/show_bug.cgi?id=1218728
---
usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
index 1e0c11039..12be718ed 100644
--- a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
+++ b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
@@ -125,4 +125,10 @@ case "$REAR_INITRD_COMPRESSION" in
fi
;;
esac
+
+# Only root should be allowed to access the initrd
+# because the ReaR recovery system can contain secrets
+# cf. https://github.com/rear/rear/issues/3122
+test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
+
popd >/dev/null

6
rear.spec
View File

@ -2,7 +2,7 @@
Name: rear
Version: 2.7
Release: 1
Release: 2
License: GPLv3
Summary: Relax-and-Recover is a setup-and-forget Linux bare metal disaster recovery solution
URL: http://relax-and-recover.org/
@ -11,6 +11,7 @@ Source0: https://github.com/rear/rear/archive/refs/tags/%{version}.tar.gz
Source1: rear.cron
Source2: rear.service
Source3: rear.timer
Patch0: CVE-2024-23301.patch
ExclusiveArch: x86_64 loongarch64
Requires: binutils ethtool gzip iputils parted tar openssl gawk attr bc crontabs iproute
Requires: genisoimage util-linux
@ -72,6 +73,9 @@ rm -rf %{buildroot}
%doc %{_mandir}/man8/rear.8*
%changelog
* Mon Jan 15 2024 wangkai <13474090681@163.com> - 2.7-2
- Fix CVE-2024-23301
* Thu Jan 04 2024 Paul Thomas <paulthomas100199@gmail.com> - 2.7-1
- update to version 2.7