Revision 8d0550e4
Added by Alexis Mousset over 6 years ago
rudder-agent/SOURCES/Makefile | ||
---|---|---|
RUDDER_VERSION_TO_PACKAGE = <put Rudder version or version-snapshot here>
|
||
RUDDER_MAJOR_VERSION := $(shell echo ${RUDDER_VERSION_TO_PACKAGE} | cut -d'.' -f 1-2)
|
||
|
||
CFENGINE_RELEASE = 3.10.0
|
||
CFENGINE_RELEASE = 3.10.2
|
||
FUSION_RELEASE = 2.3.19
|
||
LMDB_RELEASE = 0.9.18
|
||
OPENSSL_RELEASE = 1.0.2l
|
rudder-agent/SOURCES/patches/cfengine/31-fix-symlink-traversal.patch | ||
---|---|---|
diff -upr cfengine-a/libutils/file_lib.c cfengine-b/libutils/file_lib.c
|
||
--- cfengine-a/libutils/file_lib.c 2016-11-01 08:47:08.000000000 +0100
|
||
+++ cfengine-b/libutils/file_lib.c 2016-11-25 18:21:44.163553332 +0100
|
||
@@ -387,6 +387,7 @@ int safe_open(const char *pathname, int
|
||
bool trunc = false;
|
||
const int orig_flags = flags;
|
||
char *next_component = path;
|
||
+ bool p_uid;
|
||
|
||
if (*next_component == '/')
|
||
{
|
||
@@ -408,6 +409,9 @@ int safe_open(const char *pathname, int
|
||
return -1;
|
||
}
|
||
|
||
+ // current process user id
|
||
+ p_uid = geteuid();
|
||
+
|
||
size_t final_size = (size_t) -1;
|
||
while (next_component)
|
||
{
|
||
@@ -558,8 +562,13 @@ int safe_open(const char *pathname, int
|
||
close(currentfd);
|
||
return -1;
|
||
}
|
||
- if (stat_before.st_uid != stat_after.st_uid ||
|
||
- stat_before.st_gid != stat_after.st_gid)
|
||
+ // The probable logic behind the user matching test is that some attacks use symlink creation to exploit a race condition
|
||
+ // This attack is not useful if the symlink has been created by root
|
||
+ // This attack is not useful if the process's user is the owner of the symlink
|
||
+ // As everyone use symlink for server administration, we reenable those cases.
|
||
+ if ( stat_before.st_uid != 0 &&
|
||
+ stat_before.st_uid != p_uid &&
|
||
+ (stat_before.st_uid != stat_after.st_uid || stat_before.st_gid != stat_after.st_gid) )
|
||
{
|
||
close(currentfd);
|
||
// Return ENOLINK to signal that the link cannot be followed
|
||
@@ -736,6 +745,7 @@ static int safe_open_true_parent_dir(con
|
||
char *parent_dir = dirname(parent_dir_alloc);
|
||
char *leaf = basename(leaf_alloc);
|
||
struct stat statbuf;
|
||
+ uid_t p_uid = geteuid();
|
||
|
||
if ((dirfd = safe_open(parent_dir, O_RDONLY)) == -1)
|
||
{
|
||
@@ -747,7 +757,14 @@ static int safe_open_true_parent_dir(con
|
||
goto cleanup;
|
||
}
|
||
|
||
- if (traversed_link && (link_user != statbuf.st_uid || link_group != statbuf.st_gid))
|
||
+ // The probable logic behind the user matching test is that some attacks use symlink creation to exploit a race condition
|
||
+ // This attack is not useful if the symlink has been created by root
|
||
+ // This attack is not useful if the process's user is the owner of the symlink
|
||
+ // As everyone use symlink for server administration, we reenable those cases.
|
||
+ if ( traversed_link &&
|
||
+ link_user != 0 &&
|
||
+ link_user != p_uid &&
|
||
+ (link_user != statbuf.st_uid || link_group != statbuf.st_gid) )
|
||
{
|
||
errno = ENOLINK;
|
||
ret = -1;
|
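Review bot: In the first `safe_open` hunk of this patch, `p_uid` is declared as `bool p_uid;` and then assigned `geteuid()`, so the effective uid collapses to 0 or 1 before the `stat_before.st_uid != p_uid` comparison in the third hunk. When the agent runs as root the result is still 0 and the defect is masked. For any other effective uid, the "link owned by the process's user" exemption matches uid 1 instead of the real user, so the ownership check is skipped for links owned by an unrelated account and still enforced for the process's own links. The declaration should be `uid_t p_uid;`, matching `safe_open_true_parent_dir`, which already uses `uid_t p_uid = geteuid();`. The rendered page does not mark which lines of the patch file this revision changed, and both function bodies continue outside the hunks shown.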
rudder-agent/SOURCES/patches/cfengine/50-build-with-pcre.patch | ||
---|---|---|
diff -ruN cfengine-source/cf-key/Makefile.am cfengine-source.new/cf-key/Makefile.am
|
||
--- cfengine-source/cf-key/Makefile.am 2016-11-01 08:47:08.000000000 +0100
|
||
+++ cfengine-source.new/cf-key/Makefile.am 2016-12-01 16:24:37.521436465 +0100
|
||
@@ -28,10 +28,12 @@
|
||
-I$(srcdir)/../libutils \
|
||
-I$(srcdir)/../libcfnet \
|
||
-I$(srcdir)/../libpromises \
|
||
+ $(PCRE_CPPFLAGS) \
|
||
$(ENTERPRISE_CPPFLAGS)
|
||
|
||
AM_CFLAGS = \
|
||
$(OPENSSL_CFLAGS) \
|
||
+ $(PCRE_CFLAGS) \
|
||
$(ENTERPRISE_CFLAGS)
|
||
|
||
libcf_key_la_SOURCES = \
|
||
diff -ruN cfengine-source/cf-key/Makefile.in cfengine-source.new/cf-key/Makefile.in
|
||
--- cfengine-source/cf-key/Makefile.in 2016-11-01 08:47:50.000000000 +0100
|
||
+++ cfengine-source.new/cf-key/Makefile.in 2016-12-01 16:25:02.017436542 +0100
|
||
@@ -427,10 +427,12 @@
|
||
-I$(srcdir)/../libutils \
|
||
-I$(srcdir)/../libcfnet \
|
||
-I$(srcdir)/../libpromises \
|
||
+ $(PCRE_CPPFLAGS) \
|
||
$(ENTERPRISE_CPPFLAGS)
|
||
|
||
AM_CFLAGS = \
|
||
$(OPENSSL_CFLAGS) \
|
||
+ $(PCRE_CFLAGS) \
|
||
$(ENTERPRISE_CFLAGS)
|
||
|
||
libcf_key_la_SOURCES = \
|
Fixes #11288: Upgrade agent to CFEngine 3.10.2