diff options
| author | Leonardo Arena <rnalrd@alpinelinux.org> | 2014-06-18 08:49:51 +0000 |
|---|---|---|
| committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2014-06-18 08:49:51 +0000 |
| commit | 09667d2fb33c78602017b0cb73c895e27459f76b (patch) | |
| tree | 6f1a4d73bf37b3c27da47f531447aa282af778d1 | |
| parent | 883b411c85593d30f2296a157a733aa799c32828 (diff) | |
| download | aports-09667d2fb33c78602017b0cb73c895e27459f76b.tar.bz2 aports-09667d2fb33c78602017b0cb73c895e27459f76b.tar.xz | |
Security fix (CVE-2013-3215). Fixes #3029
| -rw-r--r-- | main/libcap-ng/APKBUILD | 11 | ||||
| -rw-r--r-- | main/libcap-ng/CVE-2014-3215.patch | 77 |
2 files changed, 86 insertions, 2 deletions
diff --git a/main/libcap-ng/APKBUILD b/main/libcap-ng/APKBUILD index 8f6fd85ed8..35b5844ecf 100644 --- a/main/libcap-ng/APKBUILD +++ b/main/libcap-ng/APKBUILD @@ -10,7 +10,9 @@ depends= makedepends="python" install= subpackages="$pkgname-dev $pkgname-doc $pkgname-utils" -source="http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-$pkgver.tar.gz" +source="http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-$pkgver.tar.gz + CVE-2014-3215.patch + " _builddir="$srcdir"/$pkgname-$pkgver @@ -40,4 +42,9 @@ utils() { mv "$pkgdir"/usr/bin/* "$subpkgdir"/usr/bin/ } -md5sums="610afb774f80a8032b711281df126283 libcap-ng-0.7.3.tar.gz" +md5sums="610afb774f80a8032b711281df126283 libcap-ng-0.7.3.tar.gz +ae4866fe611b3d7656233c03244871de CVE-2014-3215.patch" +sha256sums="5ca441c8d3a1e4cfe8a8151907977662679457311ccaa7eaac91447c33a35bb1 libcap-ng-0.7.3.tar.gz +c43d8705e5f79e69e9f7914b7b282f2a2cda4e28c70464e82583b568083d9d5f CVE-2014-3215.patch" +sha512sums="f03a35c54b5998ef2e712540caa1f4ade37f9abe60992a1e727142b26815a4b8a7ce86ea94466fe692e4798c7297e5e1bbd338e5afe05689905ee9e0c0f16ef2 libcap-ng-0.7.3.tar.gz +adb564a66b6fb160671e1e169b67fa34f93478fb3c3d0358f82993e3eeb4cb8b772e3177d2ddfc29ecaa38ee5e1e9dbb84a000e3e63b6820dcf99dd46c8316b8 CVE-2014-3215.patch" diff --git a/main/libcap-ng/CVE-2014-3215.patch b/main/libcap-ng/CVE-2014-3215.patch new file mode 100644 index 0000000000..e1e8afe45d --- /dev/null +++ b/main/libcap-ng/CVE-2014-3215.patch @@ -0,0 +1,77 @@ +Index: docs/capng_lock.3 +=================================================================== +--- a/docs/capng_lock.3 (revision 55) ++++ b/docs/capng_lock.3 (working copy) +@@ -8,12 +8,13 @@ + + .SH "DESCRIPTION" + +-capng_lock will take steps to prevent children of the current process to regain full privileges if the uid is 0. This should be called while possessing the CAP_SETPCAP capability in the kernel. This function will do the following if permitted by the kernel: Set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS. ++capng_lock will take steps to prevent children of the current process from gaining privileges by executing setuid programs. This should be called while possessing the CAP_SETPCAP capability in the kernel. + ++This function will do the following if permitted by the kernel: If the kernel supports PR_SET_NO_NEW_PRIVS, it will use it. Otherwise it will set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS. If both fail, it will return an error. + + .SH "RETURN VALUE" + +-This returns 0 on success and a negative number on failure. -1 means a failure setting any of the PR_SET_SECUREBITS options. ++This returns 0 on success and a negative number on failure. -1 means a failure to use PR_SET_NO_NEW_PRIVS and a failure setting any of the PR_SET_SECUREBITS options. + + .SH "SEE ALSO" + +Index: src/cap-ng.c +=================================================================== +--- a/src/cap-ng.c (revision 55) ++++ b/src/cap-ng.c (working copy) +@@ -49,6 +49,7 @@ + * 2.6.24 kernel XATTR_NAME_CAPS + * 2.6.25 kernel PR_CAPBSET_DROP, CAPABILITY_VERSION_2 + * 2.6.26 kernel PR_SET_SECUREBITS, SECURE_*_LOCKED, VERSION_3 ++ * 3.5 kernel PR_SET_NO_NEW_PRIVS + */ + + /* External syscall prototypes */ +@@ -126,6 +127,14 @@ + #define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */ + #endif + ++/* prctl values that we use */ ++#ifndef PR_SET_SECUREBITS ++#define PR_SET_SECUREBITS 28 ++#endif ++#ifndef PR_SET_NO_NEW_PRIVS ++#define PR_SET_NO_NEW_PRIVS 38 ++#endif ++ + // States: new, allocated, initted, updated, applied + typedef enum { CAPNG_NEW, CAPNG_ERROR, CAPNG_ALLOCATED, CAPNG_INIT, + CAPNG_UPDATED, CAPNG_APPLIED } capng_states_t; +@@ -703,15 +712,22 @@ + + int capng_lock(void) + { +-#ifdef PR_SET_SECUREBITS +- int rc = prctl(PR_SET_SECUREBITS, +- 1 << SECURE_NOROOT | +- 1 << SECURE_NOROOT_LOCKED | +- 1 << SECURE_NO_SETUID_FIXUP | +- 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0); ++ int rc; ++ ++ // On Linux 3.5 and up, we can directly prevent ourselves and ++ // our descendents from gaining privileges. ++ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0) ++ return 0; ++ ++ // This kernel is too old or otherwise doesn't support ++ // PR_SET_NO_NEW_PRIVS. Fall back to using securebits. ++ rc = prctl(PR_SET_SECUREBITS, ++ 1 << SECURE_NOROOT | ++ 1 << SECURE_NOROOT_LOCKED | ++ 1 << SECURE_NO_SETUID_FIXUP | ++ 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0); + if (rc) + return -1; +-#endif + + return 0; + } |