[OE-core][kirkstone][PATCH v2] rpm: fix CVE-2021-35938 races with chown/chmod/capabilities calls during installation

[OE-core][kirkstone][PATCH v2] rpm: fix CVE-2021-35938 races with chown/chmod/capabilities calls during installation

[Vivek Kumbhar]

Set file metadata via fd-based ops for everything but symlinks

Regular file ops are fd-based already, for the rest we need to open them
manually. Files with temporary suffix must never be followed, for
directories (and pre-existing FA_TOUCHed files) use the rpm symlink
"root or target owner allowed" rule wrt following.

This mostly fixes CVE-2021-35938, but as we're not yet using dirfd-based
operatiosn for everything there are corner cases left undone. And then
there's the plugin API which needs updating for all this.

Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
---
 .../rpm/files/CVE-2021-35938.patch            | 36 +++++++++++++++++++
 meta/recipes-devtools/rpm/rpm_4.17.1.bb       |  1 +
 2 files changed, 37 insertions(+)
 create mode 100644 meta/recipes-devtools/rpm/files/CVE-2021-35938.patch

diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-35938.patch b/meta/recipes-devtools/rpm/files/CVE-2021-35938.patch
new file mode 100644
index 0000000000..9b2e7ee91f
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-35938.patch
@@ -0,0 +1,36 @@
+From 25a435e90844ea98fe5eb7bef22c1aecf3a9c033 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Mon, 14 Feb 2022 14:29:33 +0200
+Subject: [PATCH] Set file metadata via fd-based ops for everything but
+ symlinks
+ 
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/25a435e90844ea98fe5eb7bef22c1aecf3a9c033]
+CVE: CVE-2023-25193
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ lib/fsm.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/fsm.c b/lib/fsm.c
+index 935a0a5c6..50c431d2a 100644
+--- a/lib/fsm.c
++++ b/lib/fsm.c
+@@ -1000,6 +1000,15 @@ int rpmPackageFilesInstall(rpmts ts, rpmte te, rpmfiles files,
+                 if (!IS_DEV_LOG(fp->fpath))
+                     rc = RPMERR_UNKNOWN_FILETYPE;
+             }
++            
++            if (!rc && fd == -1 && !S_ISLNK(fp->sb.st_mode)) {
++		/* Only follow safe symlinks, and never on temporary files */
++		fd = fsmOpenat(di.dirfd, fp->fpath,
++				fp->suffix ? AT_SYMLINK_NOFOLLOW : 0);
++		if (fd < 0)
++		    rc = RPMERR_OPEN_FAILED;
++	    }
++
+ 	} else if (firstlink && rpmfiArchiveHasContent(fi)) {
+ 	    /*
+ 	     * Tricksy case: this file is a being skipped, but it's part of
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/rpm/rpm_4.17.1.bb b/meta/recipes-devtools/rpm/rpm_4.17.1.bb
index 9b6446f265..e12d10c1e9 100644
--- a/meta/recipes-devtools/rpm/rpm_4.17.1.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.17.1.bb
@@ -40,6 +40,7 @@ SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.17.x;protoc
            file://0001-docs-do-not-build-manpages-requires-pandoc.patch \
            file://0001-build-pack.c-do-not-insert-payloadflags-into-.rpm-me.patch \
            file://0001-configure.ac-add-linux-gnux32-variant-to-triplet-han.patch \
+           file://CVE-2021-35938.patch \
            "
 
 PE = "1"
-- 
2.25.1

Re: [OE-core][kirkstone][PATCH v2] rpm: fix CVE-2021-35938 races with chown/chmod/capabilities calls during installation

[Steve Sakoman]

On Wed, Mar 1, 2023 at 9:48 PM vkumbhar <vkumbhar@mvista.com> wrote:
>
> Set file metadata via fd-based ops for everything but symlinks
>
> Regular file ops are fd-based already, for the rest we need to open them
> manually. Files with temporary suffix must never be followed, for
> directories (and pre-existing FA_TOUCHed files) use the rpm symlink
> "root or target owner allowed" rule wrt following.
>
> This mostly fixes CVE-2021-35938, but as we're not yet using dirfd-based
> operatiosn for everything there are corner cases left undone. And then
> there's the plugin API which needs updating for all this.

If it only "mostly" fixes the CVE should we be claiming that this
issue is fixed with this patch?

Seems like we would be giving people a false sense of security.

Would appreciate feedback from others on this!

Steve

> Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> ---
>  .../rpm/files/CVE-2021-35938.patch            | 36 +++++++++++++++++++
>  meta/recipes-devtools/rpm/rpm_4.17.1.bb       |  1 +
>  2 files changed, 37 insertions(+)
>  create mode 100644 meta/recipes-devtools/rpm/files/CVE-2021-35938.patch
>
> diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-35938.patch b/meta/recipes-devtools/rpm/files/CVE-2021-35938.patch
> new file mode 100644
> index 0000000000..9b2e7ee91f
> --- /dev/null
> +++ b/meta/recipes-devtools/rpm/files/CVE-2021-35938.patch
> @@ -0,0 +1,36 @@
> +From 25a435e90844ea98fe5eb7bef22c1aecf3a9c033 Mon Sep 17 00:00:00 2001
> +From: Panu Matilainen <pmatilai@redhat.com>
> +Date: Mon, 14 Feb 2022 14:29:33 +0200
> +Subject: [PATCH] Set file metadata via fd-based ops for everything but
> + symlinks
> +
> +Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/25a435e90844ea98fe5eb7bef22c1aecf3a9c033]
> +CVE: CVE-2023-25193
> +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> +---
> + lib/fsm.c | 9 +++++++++
> + 1 file changed, 9 insertions(+)
> +
> +diff --git a/lib/fsm.c b/lib/fsm.c
> +index 935a0a5c6..50c431d2a 100644
> +--- a/lib/fsm.c
> ++++ b/lib/fsm.c
> +@@ -1000,6 +1000,15 @@ int rpmPackageFilesInstall(rpmts ts, rpmte te, rpmfiles files,
> +                 if (!IS_DEV_LOG(fp->fpath))
> +                     rc = RPMERR_UNKNOWN_FILETYPE;
> +             }
> ++
> ++            if (!rc && fd == -1 && !S_ISLNK(fp->sb.st_mode)) {
> ++              /* Only follow safe symlinks, and never on temporary files */
> ++              fd = fsmOpenat(di.dirfd, fp->fpath,
> ++                              fp->suffix ? AT_SYMLINK_NOFOLLOW : 0);
> ++              if (fd < 0)
> ++                  rc = RPMERR_OPEN_FAILED;
> ++          }
> ++
> +       } else if (firstlink && rpmfiArchiveHasContent(fi)) {
> +           /*
> +            * Tricksy case: this file is a being skipped, but it's part of
> +--
> +2.25.1
> +
> diff --git a/meta/recipes-devtools/rpm/rpm_4.17.1.bb b/meta/recipes-devtools/rpm/rpm_4.17.1.bb
> index 9b6446f265..e12d10c1e9 100644
> --- a/meta/recipes-devtools/rpm/rpm_4.17.1.bb
> +++ b/meta/recipes-devtools/rpm/rpm_4.17.1.bb
> @@ -40,6 +40,7 @@ SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.17.x;protoc
>             file://0001-docs-do-not-build-manpages-requires-pandoc.patch \
>             file://0001-build-pack.c-do-not-insert-payloadflags-into-.rpm-me.patch \
>             file://0001-configure.ac-add-linux-gnux32-variant-to-triplet-han.patch \
> +           file://CVE-2021-35938.patch \
>             "
>
>  PE = "1"
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#177957): https://lists.openembedded.org/g/openembedded-core/message/177957
> Mute This Topic: https://lists.openembedded.org/mt/97334710/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Re: [kirkstone][PATCH v2] rpm: fix CVE-2021-35938 races with chown/chmod/capabilities calls during installation

[vkumbhar]

[-- Attachment #1: Type: text/plain, Size: 64 bytes --]

Hi Steve,

Any update on this patch?

Kind Regards,
Vivek

[-- Attachment #2: Type: text/html, Size: 84 bytes --]