From 84ac072b675a2668377805b731e59e097525352c Mon Sep 17 00:00:00 2001 From: Leo Date: Mon, 22 Jul 2019 13:30:43 -0300 Subject: community/libosinfo: fix CVE-2019-13313 --- community/libosinfo/APKBUILD | 15 ++- community/libosinfo/CVE-2019-13313.patch | 200 +++++++++++++++++++++++++++++++ 2 files changed, 211 insertions(+), 4 deletions(-) create mode 100644 community/libosinfo/CVE-2019-13313.patch (limited to 'community/libosinfo') diff --git a/community/libosinfo/APKBUILD b/community/libosinfo/APKBUILD index ba1bf0f80a..14f36ab2e8 100644 --- a/community/libosinfo/APKBUILD +++ b/community/libosinfo/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa pkgname=libosinfo pkgver=1.5.0 -pkgrel=0 +pkgrel=1 pkgdesc="A library for managing OS information for virtualization" url="http://libosinfo.org/" arch="all" @@ -10,9 +10,15 @@ license="LGPL-2.0-or-later" depends="hwdata osinfo-db" makedepends="glib-dev libsoup-dev libxml2-dev libxslt-dev vala intltool gobject-introspection-dev check-dev perl-dev - automake autoconf libtool" + automake autoconf libtool xz" subpackages="$pkgname-dev $pkgname-doc $pkgname-lang" -source="https://releases.pagure.org/$pkgname/$pkgname-$pkgver.tar.gz" +source="https://releases.pagure.org/$pkgname/$pkgname-$pkgver.tar.gz + CVE-2019-13313.patch + " + +# secfixes: +# 1.5.0-r1: +# - CVE-2019-13313 prepare() { default_prepare @@ -43,4 +49,5 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="d5d5749eac1dbba0450fdff732c99c5c66b78b0889679cb9f3fd58e119fea4dd1c730013f4cad887b413abe21399143abb89b9d9554b906f117ba0cfc6685e5e libosinfo-1.5.0.tar.gz" +sha512sums="d5d5749eac1dbba0450fdff732c99c5c66b78b0889679cb9f3fd58e119fea4dd1c730013f4cad887b413abe21399143abb89b9d9554b906f117ba0cfc6685e5e libosinfo-1.5.0.tar.gz +f13e0f79609d210ecb3c9e88f59d4ab423bd5ebae04695c622da9ea21f0231c806625338e05460d6f7e733c2e2809b7fb3b1752b5aa6fe1e50177e40db3ca476 CVE-2019-13313.patch" 
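Review bot: The embedded CVE-2019-13313.patch carries only a description and a Signed-off-by, with no upstream commit ids or URL, so a reader of the APKBUILD cannot check that what ships matches what libosinfo upstream merged; add a header such as `# Upstream: <commit id(s)> (https://gitlab.com/libosinfo/libosinfo/commit/...)` at the top of the patch file, or fetch it from the upstream commit URL with its sha512 in sha512sums as is already done for the tarball. The makedepends hunk also adds `xz`, which neither the subject nor the secfixes block explains; if the patched tree needs it to build or test, say so in the commit message, otherwise it belongs in a separate commit so the security backport stays minimal. The secfixes entry `1.5.0-r1: - CVE-2019-13313` matches the new pkgrel, which is what the scanner tooling keys on.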
diff --git a/community/libosinfo/CVE-2019-13313.patch b/community/libosinfo/CVE-2019-13313.patch
new file mode 100644
index 0000000000..452ec0d581
--- /dev/null
+++ b/community/libosinfo/CVE-2019-13313.patch
@@ -0,0 +1,200 @@
+Let's add a new option so users can set their config from a file,
+instead of directly passing the values via command-line.
+
+Signed-off-by: Fabiano FidĂȘncio
+---
+ tools/osinfo-install-script.c | 100 +++++++++++++++++++++++++++++++++-
+ 1 file changed, 97 insertions(+), 3 deletions(-)
+
+diff --git a/tools/osinfo-install-script.c b/tools/osinfo-install-script.c
+index 15af48d..efa96ee 100644
+--- a/tools/osinfo-install-script.c
++++ b/tools/osinfo-install-script.c
+@@ -37,6 +37,34 @@ static gboolean list_profile = FALSE;
+ static gboolean list_inj_method = FALSE;
+ static gboolean quiet = FALSE;
+
++static const gchar *configs[] = {
++ OSINFO_INSTALL_CONFIG_PROP_HARDWARE_ARCH,
++ OSINFO_INSTALL_CONFIG_PROP_L10N_TIMEZONE,
++ OSINFO_INSTALL_CONFIG_PROP_L10N_LANGUAGE,
++ OSINFO_INSTALL_CONFIG_PROP_L10N_KEYBOARD,
++ OSINFO_INSTALL_CONFIG_PROP_ADMIN_PASSWORD,
++ OSINFO_INSTALL_CONFIG_PROP_USER_PASSWORD,
++ OSINFO_INSTALL_CONFIG_PROP_USER_LOGIN,
++ OSINFO_INSTALL_CONFIG_PROP_USER_REALNAME,
++ OSINFO_INSTALL_CONFIG_PROP_USER_AUTOLOGIN,
++ OSINFO_INSTALL_CONFIG_PROP_USER_ADMIN,
++ OSINFO_INSTALL_CONFIG_PROP_REG_LOGIN,
++ OSINFO_INSTALL_CONFIG_PROP_REG_PASSWORD,
++ OSINFO_INSTALL_CONFIG_PROP_REG_PRODUCTKEY,
++ OSINFO_INSTALL_CONFIG_PROP_HOSTNAME,
++ OSINFO_INSTALL_CONFIG_PROP_TARGET_DISK,
++ OSINFO_INSTALL_CONFIG_PROP_SCRIPT_DISK,
++ OSINFO_INSTALL_CONFIG_PROP_AVATAR_LOCATION,
++ OSINFO_INSTALL_CONFIG_PROP_AVATAR_DISK,
++ OSINFO_INSTALL_CONFIG_PROP_PRE_INSTALL_DRIVERS_DISK,
++ OSINFO_INSTALL_CONFIG_PROP_PRE_INSTALL_DRIVERS_LOCATION,
++ OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_DISK,
++ OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_LOCATION,
++ OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING,
++ OSINFO_INSTALL_CONFIG_PROP_INSTALLATION_URL,
++ NULL
++};
++
+ static OsinfoInstallConfig *config;
+
+ static gboolean handle_config(const gchar *option_name G_GNUC_UNUSED,
+@@ -65,6 +93,47 @@ static gboolean handle_config(const gchar *option_name
G_GNUC_UNUSED,
+ }
+
+
++static gboolean handle_config_file(const gchar *option_name G_GNUC_UNUSED,
++ const gchar *value,
++ gpointer data G_GNUC_UNUSED,
++ GError **error)
++{
++ GKeyFile *key_file = NULL;
++ gchar *val = NULL;
++ gsize i;
++ gboolean ret = FALSE;
++
++ key_file = g_key_file_new();
++ if (!g_key_file_load_from_file(key_file, value, G_KEY_FILE_NONE, error))
++ goto error;
++
++ for (i = 0; configs[i] != NULL; i++) {
++ val = g_key_file_get_string(key_file, "install-script", configs[i], error);
++ if (val == NULL) {
++ if (g_error_matches(*error, G_KEY_FILE_ERROR,
++ G_KEY_FILE_ERROR_KEY_NOT_FOUND)) {
++ g_clear_error(error);
++ continue;
++ }
++
++ goto error;
++ }
++
++ osinfo_entity_set_param(OSINFO_ENTITY(config),
++ configs[i],
++ val);
++ g_free(val);
++ }
++
++ ret = TRUE;
++
++error:
++ g_key_file_unref(key_file);
++
++ return ret;
++}
++
++
+ static GOptionEntry entries[] =
+ {
+ { "profile", 'p', 0, G_OPTION_ARG_STRING, (void*)&profile,
+@@ -78,6 +147,9 @@ static GOptionEntry entries[] =
+ { "config", 'c', 0, G_OPTION_ARG_CALLBACK,
+ handle_config,
+ N_("Set configuration parameter"), "key=value" },
++ { "config-file", 'f', 0, G_OPTION_ARG_CALLBACK,
++ handle_config_file,
++ N_("Set configuration parameters"), "file:///path/to/config/file" },
+ { "list-config", '\0', 0, G_OPTION_ARG_NONE, (void*)&list_config,
+ N_("List configuration parameters"), NULL },
+ { "list-profiles", '\0', 0, G_OPTION_ARG_NONE, (void*)&list_profile,
+@@ -448,6 +520,10 @@ script. Defaults to C, but can also be C.
+
+ Set the configuration parameter C to C.
+
++=item B<--config-file=config-file>
++
++Set the configurations parameters according to the config-file passed.
++
+
+ =back
+
+ =head1 CONFIGURATION KEYS
+@@ -510,18 +586,36 @@ The software registration user password
+
+ =back
+
++=head1 CONFIGURATION FILE FORMAT
++
++The configuration file must consist in a file which contains a
++`install-script` group and, under this group, C=C
++pairs, as shown below:
++
++[install-script]
++l10n-timezone=GMT
++l10n-keyboard=uk
++l10n-language=en_GB
++admin-password=123456
++user-login=berrange
++user-password=123456
++user-realname="Daniel P Berrange"
++
+ =head1 EXAMPLE USAGE
+
+-The following usage generates a Fedora 16 kickstart script
++The following usages generates a Fedora 16 kickstart script
++
++ # osinfo-install-script \
++ --profile jeos \
++ --config-file /path/to/the/config/file \
++ fedora16
+
+ # osinfo-install-script \
+ --profile jeos \
+ --config l10n-timezone=GMT \
+ --config l10n-keyboard=uk \
+ --config l10n-language=en_GB \
+- --config admin-password=123456 \
+ --config user-login=berrange \
+- --config user-password=123456 \
+ --config user-realname="Daniel P Berrange" \
+ fedora16
+
+--
+2.21.0
+
+As passing user & admin password via command line is a low impact CVE,
+let's error out when it's done and advertise the users to use
+--config-file instead.
+
+ Signed-off-by: Fabiano FidĂȘncio
+ ---
+ tools/osinfo-install-script.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+ diff --git a/tools/osinfo-install-script.c b/tools/osinfo-install-script.c
+index efa96ee..3da4a69 100644
+--- a/tools/osinfo-install-script.c
++++ b/tools/osinfo-install-script.c
+@@ -85,6 +85,15 @@ static gboolean handle_config(const gchar *option_name G_GNUC_UNUSED,
+ val++;
+ key = g_strndup(value, len);
+
++ if (g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_USER_PASSWORD) ||
++ g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_ADMIN_PASSWORD)) {
++ g_set_error(error, OSINFO_ERROR, 0,
++ _("When setting user or admin password, use "
++ "--config-file instead.\n"));
++ g_free(key);
++ return FALSE;
++ }
++
+ osinfo_entity_set_param(OSINFO_ENTITY(config),
+ key,
+ val);
+@@ -520,6 +529,8 @@ script. Defaults to C, but can also be C.
+
+ Set the configuration parameter C to C.
+
++Note: this option has been deprecated, use B<--config-file=> instead.
++
+ =item B<--config-file=config-file>
+
+ Set the configurations parameters according to the config-file passed.
+--
+2.21.0
+
-- cgit v1.2.3
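Review bot: The guard added to handle_config() in the second nested patch rejects only OSINFO_INSTALL_CONFIG_PROP_USER_PASSWORD and OSINFO_INSTALL_CONFIG_PROP_ADMIN_PASSWORD, yet the configs[] table in the first nested patch also lists OSINFO_INSTALL_CONFIG_PROP_REG_PASSWORD and OSINFO_INSTALL_CONFIG_PROP_REG_PRODUCTKEY, which `--config` still accepts and which therefore remain readable in the process argument list that this CVE is about; extend the condition with `|| g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_REG_PASSWORD) || g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_REG_PRODUCTKEY)` and broaden the error text to "password or product key". The `--config-file` entry describes its argument as `"file:///path/to/config/file"`, but handle_config_file() passes the value unchanged to g_key_file_load_from_file(), which takes a filesystem path, so a user copying the help text gets a load error while the POD example correctly uses `/path/to/the/config/file`. Moving secrets into a key file only removes the exposure if that file is not readable by other local users, so the CONFIGURATION FILE FORMAT section should carry a one-line caveat (create it with mode 0600 and delete it after use), and a g_stat() check that refuses or warns on a group/world-readable file could be considered. The POD example `user-realname="Daniel P Berrange"` is likely misleading, since as far as I recall GKeyFile does not strip double quotes, so they would end up inside the value; drop them. The body of handle_config() begins before the second nested hunk's context at `val++;`, so the key/value split that precedes the new check is not visible here.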