import rear-2.6-11.el8_9

i8c changed/i8c/rear-2.6-11.el8_9
MSVSphere Packaging Team 11 months ago
parent 567188da21
commit 125b56b830

@ -0,0 +1,32 @@
From 89b61793d80bc2cb2abe47a7d0549466fb087d16 Mon Sep 17 00:00:00 2001
From: Johannes Meixner <jsmeix@suse.com>
Date: Fri, 12 Jan 2024 08:04:40 +0100
Subject: [PATCH] Make initrd accessible only by root (#3123)
In pack/GNU/Linux/900_create_initramfs.sh call
chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
to let only 'root' access the ReaR initrd because
the ReaR recovery system in the initrd can contain secrets
(not by default but when certain things are explicitly
configured by the user like SSH keys without passphrase)
see https://github.com/rear/rear/issues/3122
and https://bugzilla.opensuse.org/show_bug.cgi?id=1218728
---
usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
index 1e0c11039..12be718ed 100644
--- a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
+++ b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
@@ -125,4 +125,10 @@ case "$REAR_INITRD_COMPRESSION" in
fi
;;
esac
+
+# Only root should be allowed to access the initrd
+# because the ReaR recovery system can contain secrets
+# cf. https://github.com/rear/rear/issues/3122
+test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
+
popd >/dev/null
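Review bot: the `chmod 0600` is applied to the initrd while it still sits in `$TMP_DIR`, so the fix only holds if whatever later copies `$TMP_DIR/$REAR_INITRD_FILENAME` into the output location preserves the mode; a plain `cp` or a umask-driven write would reset it to 0644 and the secrets concern from the commit message would return at the final path. Worth confirming that the copy step preserves permissions (or repeating the chmod on the destination). Separately, the `test -s ... &&` guard silently skips the chmod when the initrd is missing or empty, and since this is the last command in the block its non-zero status is the block's status; an empty initrd here is itself an error worth reporting rather than passing over.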

@ -3,7 +3,7 @@
Summary: Relax-and-Recover is a Linux disaster recovery and system migration tool Summary: Relax-and-Recover is a Linux disaster recovery and system migration tool
Name: rear Name: rear
Version: 2.6 Version: 2.6
Release: 10%{?dist} Release: 11%{?dist}
License: GPLv3 License: GPLv3
Group: Applications/File Group: Applications/File
URL: http://relax-and-recover.org/ URL: http://relax-and-recover.org/
@ -40,6 +40,10 @@ Patch60: rear-luks-key-bz2228779.patch
Patch61: rear-uefi-usb-secureboot-bz2196445.patch Patch61: rear-uefi-usb-secureboot-bz2196445.patch
Patch62: rear-vg-command-not-found-bz2121476.patch Patch62: rear-vg-command-not-found-bz2121476.patch
# make initrd accessible only by root
# https://github.com/rear/rear/commit/89b61793d80bc2cb2abe47a7d0549466fb087d16
Patch111: rear-CVE-2024-23301.patch
### Dependencies on all distributions ### Dependencies on all distributions
BuildRequires: asciidoc BuildRequires: asciidoc
Requires: binutils Requires: binutils
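Review bot: the comment above `Patch111` cites the upstream commit but not the CVE, while the patch file name (`rear-CVE-2024-23301.patch`) and the changelog entry both carry CVE-2024-23301; adding the CVE id to the comment keeps the three references consistent and makes the backport easier to audit. The jump in numbering from `Patch62` to `Patch111` is fine if it follows the distro convention for security backports, but a one-line note saying so would save the next maintainer a question.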
@ -171,6 +175,7 @@ fi
%patch60 -p1 %patch60 -p1
%patch61 -p1 %patch61 -p1
%patch62 -p1 %patch62 -p1
%patch111 -p1
echo "30 1 * * * root test -f /var/lib/rear/layout/disklayout.conf && /usr/sbin/rear checklayout || /usr/sbin/rear mkrescue" >rear.cron echo "30 1 * * * root test -f /var/lib/rear/layout/disklayout.conf && /usr/sbin/rear checklayout || /usr/sbin/rear mkrescue" >rear.cron
@ -204,6 +209,9 @@ TZ=UTC %{__make} -C doc
%{_sbindir}/rear %{_sbindir}/rear
%changelog %changelog
* Wed Feb 21 2024 Pavel Cahyna <pcahyna@redhat.com> - 2.6-11
- make initrd accessible only by root (CVE-2024-23301), PR 3123
* Tue Aug 22 2023 Pavel Cahyna <pcahyna@redhat.com> - 2.6-10 * Tue Aug 22 2023 Pavel Cahyna <pcahyna@redhat.com> - 2.6-10
- Apply PR 3027 to ensure correct creation of the rescue environment - Apply PR 3027 to ensure correct creation of the rescue environment
when a file is shrinking while being read when a file is shrinking while being read
