No commits in common. 'c9' and 'i10c-beta' have entirely different histories.
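--- a/PATH-NOT-ON-PAGE-1
+++ b/PATH-NOT-ON-PAGE-1
@@ -1,2 +1,2 @@
 SOURCES/certs.tar.xz
-SOURCES/pesign-115.tar.bz2
+SOURCES/pesign-116.tar.bz2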
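--- a/PATH-NOT-ON-PAGE-2
+++ b/PATH-NOT-ON-PAGE-2
@@ -1,2 +1,2 @@
 b6777cc78ca2d2f250f3142e97e17dd855bc9b88 SOURCES/certs.tar.xz
-849099b74a8c54f3fe5090605d2a71c0511acd1a SOURCES/pesign-115.tar.bz2
+f11d00d08b55d0e6ca209c81adabad799832cd00 SOURCES/pesign-116.tar.bz2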
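--- a/0001-cms_common-Fixed-Segmentation-fault.patch
+++ b/0001-cms_common-Fixed-Segmentation-fault.patch
@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nicolas Frayer <nfrayer@redhat.com>
+Date: Mon, 20 Feb 2023 15:26:20 +0100
+Subject: [PATCH] cms_common: Fixed Segmentation fault
+
+When running efikeygen, the binary crashes with a segfault due
+to dereferencing a **ptr instead of a *ptr.
+
+Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
+(cherry picked from commit 227435af461f38fc4abeafe02884675ad4b1feb4)
+---
+src/cms_common.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 24576f2..89d946a 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -956,7 +956,7 @@ find_certificate_by_issuer_and_sn(cms_context *cms,
+if (!ias)
+cnreterr(-1, cms, "invalid issuer and serial number");
+
+- return find_certificate_by_callback(cms, match_issuer_and_serial, &ias, cert);
++ return find_certificate_by_callback(cms, match_issuer_and_serial, ias, cert);
+}
+
+int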
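Review bot: The corrected call now hands `ias` itself to `find_certificate_by_callback`, but because that argument travels through a `void *` the compiler cannot catch a return of the `&ias` form, so the contract the fix depends on should be written down at the call site, e.g. `/* callback receives this as its void *arg and uses it as the item itself, not its address */`. The `if (!ias)` guard above still handles the NULL case before the call. The enclosing `find_certificate_by_issuer_and_sn` starts before this hunk, so the declared type of `ias` and the argument type `match_issuer_and_serial` expects cannot be checked from here; that is presumably where the `**ptr`/`*ptr` mismatch described in the commit text lived.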
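--- a/0001-daemon-remove-always-true-comparison.patch
+++ b/0001-daemon-remove-always-true-comparison.patch
@@ -1,24 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Tue, 8 Mar 2022 12:59:34 -0500
-Subject: [PATCH] daemon: remove always-true comparison
-
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
----
-src/daemon.c | 3 +--
-1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/src/daemon.c b/src/daemon.c
-index 0a66deb..ff88210 100644
---- a/src/daemon.c
-+++ b/src/daemon.c
-@@ -221,8 +221,7 @@ malformed:
-if (!ctx->cms->tokenname)
-goto oom;
-
-- if (!tp->value)
-- pin = strndup((char *)tp->value, tp->size);
-+ pin = strndup((char *)tp->value, tp->size);
-if (!pin)
-goto oom;
-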
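--- a/0002-Disable-pragmas-for-warnings-that-are-too-old.patch
+++ b/0002-Disable-pragmas-for-warnings-that-are-too-old.patch
@@ -1,33 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Wed, 9 Feb 2022 14:42:24 -0500
-Subject: [PATCH] Disable pragmas for warnings that are too old
-
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
----
-src/daemon.c | 5 -----
-1 file changed, 5 deletions(-)
-
-diff --git a/src/daemon.c b/src/daemon.c
-index ff88210..d66dd50 100644
---- a/src/daemon.c
-+++ b/src/daemon.c
-@@ -917,10 +917,6 @@ do_shutdown(context *ctx, int nsockets, struct pollfd *pollfds)
-free(pollfds);
-}
-
--/* GCC -fanalyzer has trouble with realloc
-- * https://bugzilla.redhat.com/show_bug.cgi?id=2047926 */
--#pragma GCC diagnostic push
--#pragma GCC diagnostic ignored "-Wanalyzer-use-of-uninitialized-value"
-static int
-handle_events(context *ctx)
-{
-@@ -999,7 +995,6 @@ shutdown:
-}
-return 0;
-}
--#pragma GCC diagnostic pop
-
-static int
-get_uid_and_gid(context *ctx, char **homedir)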
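--- a/0002-Fix-reversed-calloc-arguments.patch
+++ b/0002-Fix-reversed-calloc-arguments.patch
@@ -0,0 +1,41 @@
+From 1f9e2fa0b4d872fdd01ca3ba81b04dfb1211a187 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Fri, 2 Feb 2024 09:32:48 -0500
+Subject: [PATCH] Fix reversed calloc() arguments
+
+The prototype is "void *calloc(size_t nelem, size_t elsize);"
+
+These two instances had them reversed, almost certainly leading to
+buffer overflow issues. This was detected by
+-Werror=calloc-transposed-args on gcc.
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+src/pesigcheck.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/pesigcheck.c b/src/pesigcheck.c
+index 6dc67f76a81..8119cf10a7b 100644
+--- a/src/pesigcheck.c
++++ b/src/pesigcheck.c
+@@ -240,7 +240,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
+
+cert_iter iter;
+
+- reasonps = calloc(sizeof(struct reason), 512);
++ reasonps = calloc(512, sizeof(struct reason));
+if (!reasonps)
+err(1, "check_signature");
+
+@@ -281,7 +281,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
+
+num_reasons += 16;
+
+- new_reasons = calloc(sizeof(struct reason), num_reasons);
++ new_reasons = calloc(num_reasons, sizeof(struct reason));
+if (!new_reasons)
+err(1, "check_signature");
+reasonps = new_reasons;
+--
+2.41.0
+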
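Review bot: The second hunk's growth path assigns `reasonps = new_reasons;` with neither a copy of the reasons already collected nor a `free()` of the previous block visible in the hunk; if that bookkeeping is not done on the lines just outside it, earlier entries are dropped and the old block leaks, and the usual shape would be a `realloc(reasonps, num_reasons * sizeof(struct reason))` through a temporary rather than a fresh `calloc`. The argument-order fix itself is correct and matches the prototype quoted in the commit text, but the text's "buffer overflow" claim is overstated: `calloc` multiplies its two arguments, so the transposed form allocated the same number of bytes, and the real gain is conformance plus the `-Wcalloc-transposed-args` check. The enclosing `check_signature` begins before the first hunk, so whether `num_reasons` starts at the 512 used by the initial allocation cannot be confirmed here.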
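--- a/0003-Add-D_GLIBCXX_ASSERTIONS-to-CPPFLAGS.patch
+++ b/0003-Add-D_GLIBCXX_ASSERTIONS-to-CPPFLAGS.patch
@@ -1,23 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Fri, 25 Mar 2022 15:01:54 -0400
-Subject: [PATCH] Add -D_GLIBCXX_ASSERTIONS to CPPFLAGS
-
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
----
-Make.defaults | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Make.defaults b/Make.defaults
-index 130c1ee..4b0e77c 100644
---- a/Make.defaults
-+++ b/Make.defaults
-@@ -79,7 +79,7 @@ ccldflags = $(cflags) $(CCLDFLAGS) $(LDFLAGS) \
-$(call pkg-config-ccldflags)
-efi_cflags = $(cflags)
-ASFLAGS ?= $(ARCH3264)
--CPPFLAGS ?= -D_FORTIFY_SOURCE=2
-+CPPFLAGS ?= -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS
-RANLIBFLAGS ?= $(if $(filter $(CC),gcc),-D)
-ARFLAGS ?= $(if $(filter $(CC),gcc),-Dcvqs)$(if $(filter $(CC),clang),-cqvs)
-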
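--- a/0004-macros.pesign-handle-centos-like-rhel-with-rhelver.patch
+++ b/0004-macros.pesign-handle-centos-like-rhel-with-rhelver.patch
@@ -1,26 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Tue, 10 Aug 2021 12:39:08 -0400
-Subject: [PATCH] macros.pesign: handle centos like rhel with --rhelver
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
-(cherry picked from commit a1bc65c8b0fc20dbe9c9714ee3a31937184ba7f6)
-(cherry picked from commit 83190f50505a0744dfb70d3b549914ae713e6713)
----
-src/macros.pesign | 3 ++-
-1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/macros.pesign b/src/macros.pesign
-index 34af57c..b7d6af1 100644
---- a/src/macros.pesign
-+++ b/src/macros.pesign
-@@ -34,7 +34,8 @@
-%{?__pesign_cert:--cert %{__pesign_cert}} \\\
-%{?_buildhost:--hostname "%{_buildhost}"} \\\
-%{?vendor:--vendor "%{vendor}"} \\\
-- %{?_rhel:--rhelver "%{_rhel}"} \\\
-+ %{?rhel:--rhelver "%{rhel}"} \\\
-+ %{?centos:--rhelver "%{centos}"} \\\
-%{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}} \\\
-%{?-a:--rhelcafile "%{-a*}"} \\\
-%{?-c:--rhelcertfile "%{-c*}"} \\\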
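--- a/0005-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch
+++ b/0005-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch
@@ -1,27 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Mon, 4 Apr 2022 14:45:29 -0400
-Subject: [PATCH] Detect the presence of rpm-sign when checking for "rhel"-ness
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
-[rharwood: manually reapply to main]
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
-(cherry picked from commit 17e5878cb087e0a766722d3c487f87c41b318f9a)
-(cherry picked from commit a1cfd0b6ddb423571d430f3df46af7761c0797e3)
----
-src/pesign-rpmbuild-helper.in | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
-index 0a845d2..239605a 100644
---- a/src/pesign-rpmbuild-helper.in
-+++ b/src/pesign-rpmbuild-helper.in
-@@ -192,7 +192,7 @@ main() {
-fi
-fi
-
-- if [[ "${rhelver}" -ge 7 ]] ; then
-+ if [[ "${rhelver}" -ge 7 ]] && which rpm-sign >&/dev/null ; then
-nssdir="$(mktemp -p "${PWD}" -d)"
-echo > "${nssdir}/pwfile"
-certutil -N -d "${nssdir}" -f "${nssdir}/pwfile"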
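--- a/0006-Use-normal-file-permissions-instead-of-ACLs.patch
+++ b/0006-Use-normal-file-permissions-instead-of-ACLs.patch
@@ -1,80 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Wed, 18 Jan 2023 14:00:22 -0500
-Subject: [PATCH] Use normal file permissions instead of ACLs
-
-Fixes a symlink attack that can't be mitigated using getfacl/setfacl.
-
-pesign-authorize is now deprecated and will be removed in a future
-release.
-
-Resolves: CVE-2022-3560
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
----
-src/pesign-authorize.in | 50 +++----------------------------------------------
-1 file changed, 3 insertions(+), 47 deletions(-)
-
-diff --git a/src/pesign-authorize.in b/src/pesign-authorize.in
-index 69797d5..b4e89e0 100644
---- a/src/pesign-authorize.in
-+++ b/src/pesign-authorize.in
-@@ -2,56 +2,12 @@
-set -e
-set -u
-
--#
--# With /run/pesign/socket on tmpfs, a simple way of restoring the
--# acls for specific users is useful
--#
--# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
--#
--
-# License: GPLv2
--declare -a fileusers=()
--declare -a dirusers=()
--while read -r user ; do
-- dirusers[${#dirusers[@]}]=-m
-- dirusers[${#dirusers[@]}]="u:$user:rwx"
-- fileusers[${#fileusers[@]}]=-m
-- fileusers[${#fileusers[@]}]="u:$user:rw"
--done </etc/pesign/users
-
--declare -a filegroups=()
--declare -a dirgroups=()
--while read -r group ; do
-- dirgroups[${#dirgroups[@]}]=-m
-- dirgroups[${#dirgroups[@]}]="g:$group:rwx"
-- filegroups[${#filegroups[@]}]=-m
-- filegroups[${#filegroups[@]}]="g:$group:rw"
--done </etc/pesign/groups
--
--update_subdir() {
-- subdir=$1 && shift
--
-- setfacl -bk "${subdir}"
-- setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
-- for x in "${subdir}"* ; do
-- if [ -d "${x}" ]; then
-- setfacl -bk "${x}"
-- setfacl "${dirusers[@]}" "${dirgroups[@]}" "${x}"
-- update_subdir "${x}/"
-- elif [ -e "${x}" ]; then
-- setfacl -bk "${x}"
-- setfacl "${fileusers[@]}" "${filegroups[@]}" "${x}"
-- else
-- :;
-- fi
-- done
--}
-+# This script is deprecated and will be removed in a future release.
-
-sleep 3
-for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do
-- if [ -d "${x}" ]; then
-- update_subdir "${x}"
-- else
-- :;
-- fi
-+ chown -R pesign:pesign "${x}" || true
-+ chmod -R ug+rwX "${x}" || true
-done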
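--- a/PATH-NOT-ON-PAGE-3
+++ b/PATH-NOT-ON-PAGE-3
@@ -1,6 +1,2 @@
-Patch0001: 0001-daemon-remove-always-true-comparison.patch
-Patch0002: 0002-Disable-pragmas-for-warnings-that-are-too-old.patch
-Patch0003: 0003-Add-D_GLIBCXX_ASSERTIONS-to-CPPFLAGS.patch
-Patch0004: 0004-macros.pesign-handle-centos-like-rhel-with-rhelver.patch
-Patch0005: 0005-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch
-Patch0006: 0006-Use-normal-file-permissions-instead-of-ACLs.patch
+Patch0001: 0001-cms_common-Fixed-Segmentation-fault.patch
+Patch0002: 0002-Fix-reversed-calloc-arguments.patch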
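Review bot: The new Patch list drops Patch0003 through Patch0006 without replacement, and one of them, `0006-Use-normal-file-permissions-instead-of-ACLs.patch`, is shown earlier on this page as the fix for CVE-2022-3560 (the symlink attack in pesign-authorize). Presumably those changes are carried inside the pesign-116 tarball that the SOURCES entries now reference, but nothing on this page demonstrates that, so before merge the 116 source should be checked for the permission-based `pesign-authorize`, the rpm-sign detection and the centos `--rhelver` macro, or the patches re-added. A one-line comment in the spec recording the reason, e.g. `# 0003-0006 dropped: merged upstream in pesign-116 (confirm)`, would keep the CVE coverage auditable from the packaging alone.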