!3 Fix CVE-2019-25058

From: @houyingchao Reviewed-by: @small_leek Signed-off-by: @small_leek
2022-03-08 06:28:36 +00:00 · 2022-03-08 06:28:36 +00:00 · 0141e8d533
commit 0141e8d533
parent 9bce4ba19e 9c557063e6
8 changed files with 547 additions and 1 deletions
--- a/CVE-2019-25058-1.patch
+++ b/CVE-2019-25058-1.patch
@ -0,0 +1,32 @@
 From 0db713da6c44426902961b023a925563f40b6ec7 Mon Sep 17 00:00:00 2001
 From: Sebastian Pipping <sebastian@pipping.org>
 Date: Sun, 6 Feb 2022 01:15:26 +0100
 Subject: [PATCH] dbus: Replace unsupported "auth_self_keep_session" by
 "auth_self_keep"
 ---
 src/DBus/org.usbguard.policy | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/DBus/org.usbguard.policy b/src/DBus/org.usbguard.policy
 index ce842393..f1bed538 100644
 --- a/src/DBus/org.usbguard.policy
 +++ b/src/DBus/org.usbguard.policy
@@ -11,7 +11,7 @@
     <message>Prevents from listing the USBGuard policy</message>
     <defaults>
       <allow_inactive>no</allow_inactive>
 -      <allow_active>auth_self_keep_session</allow_active>
 +      <allow_active>auth_self_keep</allow_active>
     </defaults>
   </action>
@@ -38,7 +38,7 @@
     <message>Prevents from listing USB devices recognized by the USBGuard daemon</message>
     <defaults>
       <allow_inactive>no</allow_inactive>
 -      <allow_active>auth_self_keep_session</allow_active>
 +      <allow_active>auth_self_keep</allow_active>
     </defaults>
   </action>
--- a/CVE-2019-25058-2.patch
+++ b/CVE-2019-25058-2.patch
@ -0,0 +1,49 @@
 From d2839e8f6f9096c889c4fbd09b08dc6deff5eab2 Mon Sep 17 00:00:00 2001
 From: Sebastian Pipping <sebastian@pipping.org>
 Date: Sat, 5 Feb 2022 21:40:17 +0100
 Subject: [PATCH] dbus: Drop policies of removed D-Bus methods
 ---
 src/DBus/org.usbguard.policy | 27 ---------------------------
 1 file changed, 27 deletions(-)
 diff --git a/src/DBus/org.usbguard.policy b/src/DBus/org.usbguard.policy
 index 7704583..b89c96e 100644
 --- a/src/DBus/org.usbguard.policy
 +++ b/src/DBus/org.usbguard.policy
@@ -41,32 +41,5 @@
       <allow_active>auth_self_keep</allow_active>
     </defaults>
   </action>
 -
 -  <action id="org.usbguard.Devices.allowDevice">
 -    <description>Authorize a USB device via the USBGuard daemon to interact with the system</description>
 -    <message>Prevents from authorizing USB devices via the USBGuard daemon</message>
 -    <defaults>
 -      <allow_inactive>no</allow_inactive>
 -      <allow_active>auth_admin</allow_active>
 -    </defaults>
 -  </action>
 -
 -  <action id="org.usbguard.Devices.blockDevice">
 -    <description>Deauthorize a USB device via the USBGuard daemon</description>
 -    <message>Prevents from deauthorizing USB devices via the USBGuard daemon</message>
 -    <defaults>
 -      <allow_inactive>no</allow_inactive>
 -      <allow_active>auth_admin</allow_active>
 -    </defaults>
 -  </action>
 -
 -  <action id="org.usbguard.Devices.rejectDevice">
 -    <description>Remove a USB device via the USBGuard daemon</description>
 -    <message>Prevents from removing USB devices via the USBGuard daemon</message>
 -    <defaults>
 -      <allow_inactive>no</allow_inactive>
 -      <allow_active>auth_admin</allow_active>
 -    </defaults>
 -  </action>
 </policyconfig>
 -- 
 2.23.0
--- a/CVE-2019-25058-3.patch
+++ b/CVE-2019-25058-3.patch
@ -0,0 +1,43 @@
 From d8a1b1ff967864a6cd8531c57e027c903ee31c23 Mon Sep 17 00:00:00 2001
 From: Sebastian Pipping <sebastian@pipping.org>
 Date: Sun, 6 Feb 2022 01:17:15 +0100
 Subject: [PATCH] dbus: Improve language in <message> tags
 ---
 src/DBus/org.usbguard.policy | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/src/DBus/org.usbguard.policy b/src/DBus/org.usbguard.policy
 index b89c96e..28206bd 100644
 --- a/src/DBus/org.usbguard.policy
 +++ b/src/DBus/org.usbguard.policy
@@ -8,7 +8,7 @@
   <action id="org.usbguard.Policy.listRules">
     <description>List the rule set (policy) used by the USBGuard daemon</description>
 -    <message>Prevents from listing the USBGuard policy</message>
 +    <message>Prevents listing the USBGuard policy</message>
     <defaults>
       <allow_inactive>no</allow_inactive>
       <allow_active>auth_self_keep</allow_active>
@@ -17,7 +17,7 @@
   <action id="org.usbguard.Policy.appendRule">
     <description>Append a new rule to the policy</description>
 -    <message>Prevents from appending rules to the USBGuard policy</message>
 +    <message>Prevents appending rules to the USBGuard policy</message>
     <defaults>
       <allow_inactive>no</allow_inactive>
       <allow_active>auth_admin</allow_active>
@@ -35,7 +35,7 @@
   <action id="org.usbguard.Devices.listDevices">
     <description>List all USB devices recognized by the USBGuard deaemon</description>
 -    <message>Prevents from listing USB devices recognized by the USBGuard daemon</message>
 +    <message>Prevents listing USB devices recognized by the USBGuard daemon</message>
     <defaults>
       <allow_inactive>no</allow_inactive>
       <allow_active>auth_self_keep</allow_active>
 -- 
 2.23.0
--- a/CVE-2019-25058-4.patch
+++ b/CVE-2019-25058-4.patch
@ -0,0 +1,22 @@
 From 17f04c6088c1b05618db99733ff8152e43206004 Mon Sep 17 00:00:00 2001
 From: Sebastian Pipping <sebastian@pipping.org>
 Date: Sun, 6 Feb 2022 00:00:11 +0100
 Subject: [PATCH] dbus: Fix whitespace in file "org.usbguard1.policy"
 ---
 src/DBus/org.usbguard.policy | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/DBus/org.usbguard.policy b/src/DBus/org.usbguard.policy
 index ff504b54..75119606 100644
 --- a/src/DBus/org.usbguard.policy
 +++ b/src/DBus/org.usbguard.policy
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
         "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
 -        
 +
 <policyconfig>
   <vendor>The USBGuard Project</vendor>
   <vendor_url>https://github.org/USBGuard/usbguard</vendor_url>
--- a/CVE-2019-25058-5.patch
+++ b/CVE-2019-25058-5.patch
@ -0,0 +1,56 @@
 From 23c44b90ff9a49eb6bc91210b6668519ad421865 Mon Sep 17 00:00:00 2001
 From: Sebastian Pipping <sebastian@pipping.org>
 Date: Sun, 6 Feb 2022 01:19:08 +0100
 Subject: [PATCH] dbus: Add missing action policies
 ---
 src/DBus/org.usbguard.policy | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 diff --git a/src/DBus/org.usbguard.policy b/src/DBus/org.usbguard.policy
 index e326c5a..4fc33c5 100644
 --- a/src/DBus/org.usbguard.policy
 +++ b/src/DBus/org.usbguard.policy
@@ -33,6 +33,15 @@
     </defaults>
   </action>
 +  <action id="org.usbguard.Devices.applyDevicePolicy"
 +    <description>Apply a policy to a device in USBGuard</description>
 +    <message>Prevents applying a policy to a device in USBGuard</message>
 +    <defaults>
 +      <allow_inactive>no</allow_inactive>
 +      <allow_active>auth_admin</allow_active>
 +    </defaults>
 +  </action>
 +
   <action id="org.usbguard.Devices.listDevices">
     <description>List all USB devices recognized by the USBGuard deaemon</description>
     <message>Prevents listing USB devices recognized by the USBGuard daemon</message>
@@ -41,5 +50,23 @@
       <allow_active>auth_self_keep</allow_active>
     </defaults>
   </action>
 +
 +  <action id="org.usbguard1.getParameter">
 +    <description>Get the value of a runtime parameter</description>
 +    <message>Prevents getting values of runtime USBGuard parameters</message>
 +    <defaults>
 +      <allow_inactive>no</allow_inactive>
 +      <allow_active>auth_self_keep</allow_active>
 +    </defaults>
 +  </action>
 +
 +  <action id="org.usbguard1.setParameter">
 +    <description>Set the value of a runtime parameter</description>
 +    <message>Prevents setting values of runtime USBGuard parameters</message>
 +    <defaults>
 +      <allow_inactive>no</allow_inactive>
 +      <allow_active>auth_admin</allow_active>
 +    </defaults>
 +  </action>
 </policyconfig>
 -- 
 2.23.0
--- a/CVE-2019-25058-6.patch
+++ b/CVE-2019-25058-6.patch
@ -0,0 +1,84 @@
 From d3e7d6609a8e63c21e85abf135d237a3bdd30913 Mon Sep 17 00:00:00 2001
 From: Sebastian Pipping <sebastian@pipping.org>
 Date: Tue, 8 Feb 2022 16:13:48 +0100
 Subject: [PATCH] polkit.yml: Make GitHub Actions detect Polkit policy parse
 error regressions
 ---
 .github/workflows/polkit.yml | 67 ++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 .github/workflows/polkit.yml
 diff --git a/.github/workflows/polkit.yml b/.github/workflows/polkit.yml
 new file mode 100644
 index 00000000..fc4b4fe3
 --- /dev/null
 +++ b/.github/workflows/polkit.yml
@@ -0,0 +1,67 @@
 +##
 +## Copyright (c) 2022 Sebastian Pipping <sebastian@pipping.org>
 +##
 +## This program is free software; you can redistribute it and/or modify
 +## it under the terms of the GNU General Public License as published by
 +## the Free Software Foundation; either version 2 of the License, or
 +## (at your option) any later version.
 +##
 +## This program is distributed in the hope that it will be useful,
 +## but WITHOUT ANY WARRANTY; without even the implied warranty of
 +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 +## GNU General Public License for more details.
 +##
 +## You should have received a copy of the GNU General Public License
 +## along with this program.  If not, see <http://www.gnu.org/licenses/>.
 +
 +name: Check for Polkit policy parse errors
 +
 +on:
 +  push:
 +  pull_request:
 +
 +jobs:
 +  polkit_policies:
 +
 +    name: Check for Polkit policy parse errors
 +    runs-on: ubuntu-20.04
 +
 +    steps:
 +    - uses: actions/checkout@v2
 +
 +    - name: Install runtime dependencies
 +      run:  |
 +        set -x
 +        sudo apt-get update
 +        sudo apt-get install --no-install-recommends --yes -V expat
 +
 +    - name: Check for Polkit policy parse errors
 +      run:  |
 +        # This will work around pkaction exiting with unjustified(?)
 +        # code 1 on Ubuntu 20.04
 +        check_polkit_action() { pkaction -v -a "$1" | tee /dev/stderr | fgrep -q 'implicit any' ; }
 +
 +        set -x
 +        actions=(
 +            org.usbguard.Devices.listDevices
 +            org.usbguard.Devices.applyDevicePolicy
 +            org.usbguard.Policy.appendRule
 +            org.usbguard.Policy.listRules
 +            org.usbguard.Policy.removeRule
 +            org.usbguard.getParameter
 +            org.usbguard.setParameter
 +        )
 +
 +        # Self-test: Assert that prior to installation, our Polkit "actions"
 +        # are unknown to PolKit.
 +        ! check_polkit_action "${actions[0]}"
 +
 +        # Install the policy so that polkin can find it
 +        xmlwf      src/DBus/org.usbguard.policy
 +        sudo cp -v src/DBus/org.usbguard.policy /usr/share/polkit-1/actions/
 +
 +        # Assert that after installation, all of our Polkit "actions" are known.
 +        # This detects parse error regressions.
 +        for action in "${actions[@]}"; do
 +            check_polkit_action "${action}"
 +        done
--- a/CVE-2019-25058-7.patch
+++ b/CVE-2019-25058-7.patch
@ -0,0 +1,250 @@
 From df5f01c6ed0c20d269f7239901d21883cc871bbb Mon Sep 17 00:00:00 2001
 From: Sebastian Pipping <sebastian@pipping.org>
 Date: Wed, 9 Feb 2022 02:10:40 +0100
 Subject: [PATCH] dbus: Add missing checks for authorization using Polkit
 ---
 configure.ac            |   2 +-
 src/DBus/DBusBridge.cpp | 137 ++++++++++++++++++++++++++++++++++++++++
 src/DBus/DBusBridge.hpp |   2 +
 3 files changed, 140 insertions(+), 1 deletion(-)
 diff --git a/configure.ac b/configure.ac
 index f565b87..a45174a 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -405,7 +405,7 @@ if test "x$with_dbus" = xyes; then
   #
   # Check for required D-Bus modules 
   #
 -  PKG_CHECK_MODULES([dbus], [dbus-1 dbus-glib-1 >= 0.100 gio-2.0],
 +  PKG_CHECK_MODULES([dbus], [dbus-1 gio-2.0 polkit-gobject-1],
   [AC_DEFINE([HAVE_DBUS], [1], [Required GLib DBus API available])
   dbus_summary="system-wide; $dbus_CFLAGS $dbus_LIBS"],
   [AC_MSG_FAILURE([Required D-Bus modules (dbus-1, dbus-glib-1, gio-2.0) not found!])]
 diff --git a/src/DBus/DBusBridge.cpp b/src/DBus/DBusBridge.cpp
 index f9209f7..696d906 100644
 --- a/src/DBus/DBusBridge.cpp
 +++ b/src/DBus/DBusBridge.cpp
@@ -15,12 +15,14 @@
 // along with this program.  If not, see <http://www.gnu.org/licenses/>.
 //
 // Authors: Daniel Kopecek <dkopecek@redhat.com>
 +// Authors: Sebastian Pipping <sebastian@pipping.org>
 //
 #ifdef HAVE_BUILD_CONFIG_H
   #include <build-config.h>
 #endif
 #include "DBusBridge.hpp"
 +#include <polkit/polkit.h>
 namespace usbguard
 {
@@ -78,6 +80,10 @@ namespace usbguard
   void DBusBridge::handleRootMethodCall(const std::string& method_name, GVariant* parameters, GDBusMethodInvocation* invocation)
   {
     if (method_name == "getParameter") {
 +      if (! isAuthorizedByPolkit(invocation)) {
 +	return;
 +      }
 +
       const char* name_cstr = nullptr;
       g_variant_get(parameters, "(&s)", &name_cstr);
       std::string name(name_cstr);
@@ -87,6 +93,10 @@ namespace usbguard
     }
     if (method_name == "setParameter") {
 +      if (! isAuthorizedByPolkit(invocation)) {
 +	return;
 +      }
 +
       const char* name_cstr = nullptr;
       const char* value_cstr = nullptr;
       g_variant_get(parameters, "(&s&s)", &name_cstr, &value_cstr);
@@ -105,6 +115,10 @@ namespace usbguard
   void DBusBridge::handlePolicyMethodCall(const std::string& method_name, GVariant* parameters, GDBusMethodInvocation* invocation)
   {
     if (method_name == "listRules") {
 +      if (! isAuthorizedByPolkit(invocation)) {
 +	return;
 +      }
 +
       const char* query_cstr = nullptr;
       g_variant_get(parameters, "(&s)", &query_cstr);
       std::string query(query_cstr);
@@ -138,6 +152,10 @@ namespace usbguard
     }
     if (method_name == "appendRule") {
 +      if (! isAuthorizedByPolkit(invocation)) {
 +	return;
 +      }
 +
       const char* rule_spec_cstr = nullptr;
       uint32_t parent_id = 0;
       g_variant_get(parameters, "(&su)", &rule_spec_cstr, &parent_id);
@@ -148,6 +166,10 @@ namespace usbguard
     }
     if (method_name == "removeRule") {
 +      if (! isAuthorizedByPolkit(invocation)) {
 +	return;
 +      }
 +
       uint32_t rule_id = 0;
       g_variant_get(parameters, "(u)", &rule_id);
       removeRule(rule_id);
@@ -164,6 +186,10 @@ namespace usbguard
     GDBusMethodInvocation* invocation)
   {
     if (method_name == "listDevices") {
 +      if (! isAuthorizedByPolkit(invocation)) {
 +	return;
 +      }
 +
       const char* query_cstr = nullptr;
       g_variant_get(parameters, "(&s)", &query_cstr);
       std::string query(query_cstr);
@@ -196,6 +222,10 @@ namespace usbguard
     }
     if (method_name == "applyDevicePolicy") {
 +      if (! isAuthorizedByPolkit(invocation)) {
 +	return;
 +      }
 +
       uint32_t device_id = 0;
       uint32_t target_integer = 0;
       gboolean permanent = false;
@@ -327,6 +357,113 @@ namespace usbguard
       with_interface_string.c_str());
     return builder;
   }
 +
 +  std::string DBusBridge::formatGError(GError* error)
 +  {
 +    if (error) {
 +      std::stringstream formatGError;
 +      formatGError << error->message << " (code " << error->code << ")";
 +      return formatGError.str();
 +    }
 +    else {
 +      return "unknown error";
 +    }
 +  }
 +
 +  bool DBusBridge::isAuthorizedByPolkit(GDBusMethodInvocation* invocation)
 +  {
 +    GError* error = NULL;
 +    USBGUARD_LOG(Trace) << "Extracting bus name...";
 +    const gchar* const /*no-free!*/ bus_name = g_dbus_method_invocation_get_sender (invocation);
 +
 +    if (! bus_name) {
 +      USBGUARD_LOG(Trace) << "Failed to extract bus name.";
 +      return false;
 +    }
 +
 +    USBGUARD_LOG(Trace) << "Extracted bus name \"" << bus_name << "\".";
 +    USBGUARD_LOG(Trace) << "Extracting interface name...";
 +    const gchar* const /*no-free!*/ interfaceName = g_dbus_method_invocation_get_interface_name(invocation);
 +
 +    if (! interfaceName) {
 +      USBGUARD_LOG(Trace) << "Failed to extract interface name.";
 +      return false;
 +    }
 +
 +    USBGUARD_LOG(Trace) << "Extracted interface name \"" << interfaceName << "\".";
 +    USBGUARD_LOG(Trace) << "Extracting method name...";
 +    const gchar* const /*no-free!*/ methodName = g_dbus_method_invocation_get_method_name(invocation);
 +
 +    if (! methodName) {
 +      USBGUARD_LOG(Trace) << "Failed to extract method name.";
 +      return false;
 +    }
 +
 +    std::stringstream action_id;
 +    action_id << interfaceName << "." << methodName;
 +    USBGUARD_LOG(Trace) << "Extracted method name \"" << methodName << "\".";
 +    USBGUARD_LOG(Trace) << "Creating a system bus Polkit subject...";
 +    PolkitSubject* const subject = polkit_system_bus_name_new(bus_name);
 +
 +    if (! subject) {
 +      USBGUARD_LOG(Trace) << "Failed to create Polkit subject.";
 +      return false;
 +    }
 +
 +    USBGUARD_LOG(Trace) << "Created.";
 +    USBGUARD_LOG(Trace) << "Connecting with Polkit authority...";
 +    PolkitAuthority* const authority = polkit_authority_get_sync(/*cancellable=*/ NULL, &error);
 +
 +    if (! authority || error) {
 +      USBGUARD_LOG(Trace) << "Failed to connect to Polkit authority: " << formatGError(error) << ".";
 +      g_error_free(error);
 +      g_object_unref(authority);
 +      g_object_unref(subject);
 +      return false;
 +    }
 +
 +    USBGUARD_LOG(Trace) << "Connected.";
 +    USBGUARD_LOG(Trace) << "Customizing Polkit authentification dialog...";
 +    PolkitDetails* const details = polkit_details_new();
 +
 +    if (! details) {
 +      USBGUARD_LOG(Trace) << "Failed to customize the Polkit authentification dialog.";
 +      g_object_unref(authority);
 +      g_object_unref(subject);
 +      return false;
 +    }
 +
 +    polkit_details_insert (details, "polkit.message", "This USBGuard action needs authorization");
 +    USBGUARD_LOG(Trace) << "Customized.";
 +    USBGUARD_LOG(Trace) << "Checking authorization of action \"" << action_id.str() << "\" with Polkit ...";
 +    const PolkitCheckAuthorizationFlags flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION;
 +    PolkitAuthorizationResult* const result = polkit_authority_check_authorization_sync
 +      (authority,
 +        subject,
 +	action_id.str().c_str(),
 +	details,
 +	flags,
 +	/*cancellable=*/ NULL,
 +	&error);
 +
 +    if (! result || error) {
 +      USBGUARD_LOG(Trace) << "Failed to check back with Polkit for authoriation: " << formatGError(error) << ".";
 +      g_error_free(error);
 +      g_object_unref(result);
 +      g_object_unref(details);
 +      g_object_unref(authority);
 +      g_object_unref(subject);
 +      return false;
 +    }
 +
 +    gboolean isAuthorized = polkit_authorization_result_get_is_authorized(result);
 +    USBGUARD_LOG(Trace) << (isAuthorized ? "Authorized" : "Not authorized") << ".";
 +    g_object_unref(result);
 +    g_object_unref(details);
 +    g_object_unref(authority);
 +    g_object_unref(subject);
 +    return isAuthorized;
 +  }
 } /* namespace usbguard */
 /* vim: set ts=2 sw=2 et */
 diff --git a/src/DBus/DBusBridge.hpp b/src/DBus/DBusBridge.hpp
 index bb9d96a..838ab34 100644
 --- a/src/DBus/DBusBridge.hpp
 +++ b/src/DBus/DBusBridge.hpp
@@ -71,6 +71,8 @@ namespace usbguard
       bool rule_match,
       uint32_t rule_id);
 +    static std::string formatGError(GError* error);
 +    static bool isAuthorizedByPolkit(GDBusMethodInvocation* invocation);
     GDBusConnection* const p_gdbus_connection;
     void(*p_ipc_callback)(bool);
 -- 
 2.23.0
--- a/usbguard.spec
+++ b/usbguard.spec
@ -2,13 +2,20 @@
 Name:          usbguard
 Version:       0.7.2
-Release:       6
+Release:       7
 Summary:       A tool for computer usb guard
 License:       GPLv2+
 URL:           https://usbguard.github.io/
 Source0:       https://github.com/USBGuard/usbguard/releases/download/usbguard-%{version}/usbguard-%{version}.tar.gz
 Source1:       usbguard-daemon.conf
 Patch0000:     0001-Update-to-latest-PEGTL-API.patch
 Patch0001:     CVE-2019-25058-1.patch
 Patch0002:     CVE-2019-25058-2.patch
 Patch0003:     CVE-2019-25058-3.patch
 Patch0004:     CVE-2019-25058-4.patch
 Patch0005:     CVE-2019-25058-5.patch
 Patch0006:     CVE-2019-25058-6.patch
 Patch0007:     CVE-2019-25058-7.patch
 BuildRequires: libqb-devel libgcrypt-devel libstdc++-devel protobuf-devel protobuf-compiler PEGTL-static
 BuildRequires: catch1-devel autoconf automake libtool bash-completion asciidoctor audit-libs-devel systemd
 BuildRequires: qt5-qtbase-devel qt5-qtsvg-devel qt5-linguist dbus-glib-devel dbus-devel glib2-devel
@ -138,5 +145,8 @@ chmod 644 %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf
 %{_mandir}/*/*
 %changelog
 * Mon Mar 07 2022 houyingchao <houyingchao@huawei.com> - 0.7.2-7
 - Fix CVE-2019-25058
 * Mon Apr 27 2020 lizhenhua <lizhenhua21@huawei.com> - 0.7.2-6
 - Package init