import rear-2.6-11.el8_9

c8 imports/c8/rear-2.6-11.el8_9
MSVSphere Packaging Team 11 months ago
parent 74b2705559
commit e3a9147173

@ -0,0 +1,32 @@
From 89b61793d80bc2cb2abe47a7d0549466fb087d16 Mon Sep 17 00:00:00 2001
From: Johannes Meixner <jsmeix@suse.com>
Date: Fri, 12 Jan 2024 08:04:40 +0100
Subject: [PATCH] Make initrd accessible only by root (#3123)
In pack/GNU/Linux/900_create_initramfs.sh call
chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
to let only 'root' access the ReaR initrd because
the ReaR recovery system in the initrd can contain secrets
(not by default but when certain things are explicitly
configured by the user like SSH keys without passphrase)
see https://github.com/rear/rear/issues/3122
and https://bugzilla.opensuse.org/show_bug.cgi?id=1218728
---
usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
index 1e0c11039..12be718ed 100644
--- a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
+++ b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
@@ -125,4 +125,10 @@ case "$REAR_INITRD_COMPRESSION" in
fi
;;
esac
+
+# Only root should be allowed to access the initrd
+# because the ReaR recovery system can contain secrets
+# cf. https://github.com/rear/rear/issues/3122
+test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
+
popd >/dev/null
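Review bot: The `chmod 0600` on the added line is applied only after the initrd has already been written into `$TMP_DIR`, so from creation until this line the file carries whatever mode the process umask grants (commonly 0644), and a local user could read it during that window unless `$TMP_DIR` itself is not world-accessible — the hunk does not show how `$TMP_DIR` is created, so that cannot be confirmed here. Writing the initrd under a restrictive umask (a `umask 077` around the step that produces `$TMP_DIR/$REAR_INITRD_FILENAME`, which sits earlier in 900_create_initramfs.sh outside this hunk) would close the window rather than narrow it. The `test -s … && chmod …` form also discards chmod's exit status, so a failed chmod leaves the initrd with its wider mode while the script carries on; `chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME" || Error "Could not restrict access to $REAR_INITRD_FILENAME"` (using ReaR's error helper, assuming it is in scope in this script) would make that failure fatal instead. The surrounding script (the `case "$REAR_INITRD_COMPRESSION"` block before and the `popd` after) lies outside the patched lines.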

@ -3,7 +3,7 @@
Summary: Relax-and-Recover is a Linux disaster recovery and system migration tool
Name: rear
Version: 2.6
Release: 10%{?dist}
Release: 11%{?dist}
License: GPLv3
Group: Applications/File
URL: http://relax-and-recover.org/
@ -40,6 +40,10 @@ Patch60: rear-luks-key-bz2228779.patch
Patch61: rear-uefi-usb-secureboot-bz2196445.patch
Patch62: rear-vg-command-not-found-bz2121476.patch
# make initrd accessible only by root
# https://github.com/rear/rear/commit/89b61793d80bc2cb2abe47a7d0549466fb087d16
Patch111: rear-CVE-2024-23301.patch
### Dependencies on all distributions
BuildRequires: asciidoc
Requires: binutils
@ -171,6 +175,7 @@ fi
%patch60 -p1
%patch61 -p1
%patch62 -p1
%patch111 -p1
echo "30 1 * * * root test -f /var/lib/rear/layout/disklayout.conf && /usr/sbin/rear checklayout || /usr/sbin/rear mkrescue" >rear.cron
@ -204,6 +209,9 @@ TZ=UTC %{__make} -C doc
%{_sbindir}/rear
%changelog
* Wed Feb 21 2024 Pavel Cahyna <pcahyna@redhat.com> - 2.6-11
- make initrd accessible only by root (CVE-2024-23301), PR 3123
* Tue Aug 22 2023 Pavel Cahyna <pcahyna@redhat.com> - 2.6-10
- Apply PR 3027 to ensure correct creation of the rescue environment
when a file is shrinking while being read
