quagga: CVE-2021-44038 unsafe chown/chmod operations may lead to privileges escalation

Upstream-Status: Backport from https://build.opensuse.org/package/view_file/network/quagga/remove-chown-chmod.service.patch Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-07-10 11:20:29 +0530
committer: Armin Kuster <akuster808@gmail.com> 2023-07-14 07:08:54 -0400
commit: 2dd0c9db675b2abd546a3661ad65d27b03d61c71 (patch)
tree: 9222ae07008397391f02ef570e8347e52eca4a09
parent: 3e51eb35aea3c957a0ed7cce6228f746bec2931f (diff)
download: meta-openembedded-2dd0c9db675b2abd546a3661ad65d27b03d61c71.tar.gz
2 files changed, 118 insertions, 1 deletions
diff --git a/meta-networking/recipes-protocols/quagga/files/CVE-2021-44038.patch b/meta-networking/recipes-protocols/quagga/files/CVE-2021-44038.patch
new file mode 100644
index 0000000000..bdb48a3993
--- /dev/null
+++ b/meta-networking/recipes-protocols/quagga/files/CVE-2021-44038.patch
@@ -0,0 +1,117 @@
+From b2484f4df6414a6b3dd68b4069b79279c746cc27 Mon Sep 17 00:00:00 2001
+From: Marius Tomaschewski <mt@suse.com>
+Date: Fri Nov 11 09:07:22 UTC 2022
+Subject: [PATCH] quagga: unsafe chown/chmod operations may lead to privileges escalation
+Reference: https://bugzilla.suse.com/show_bug.cgi?id=1191890
+Patch taken from https://build.opensuse.org/package/view_file/network/quagga/remove-chown-chmod.service.patch
+CVE: CVE-2021-44038
+Signed-off-by: Marius Tomaschewski <mt@suse.com>
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ redhat/bgpd.service   | 2 --
+ redhat/isisd.service  | 2 --
+ redhat/ospf6d.service | 2 --
+ redhat/ospfd.service  | 2 --
+ redhat/ripd.service   | 2 --
+ redhat/ripngd.service | 2 --
+ redhat/zebra.service  | 3 ---
+ 7 files changed, 15 deletions(-)
+diff --git a/redhat/bgpd.service b/redhat/bgpd.service
+index a50bfff..6f46a97 100644
+--- a/redhat/bgpd.service
+++ b/redhat/bgpd.service
+@@ -10,8 +10,6 @@ Documentation=man:bgpd
+ [Service]
+ Type=forking
+ EnvironmentFile=/etc/sysconfig/quagga
+-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/bgpd.conf
+-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/bgpd.conf
+ ExecStart=/usr/sbin/bgpd -d $BGPD_OPTS -f /etc/quagga/bgpd.conf
+ Restart=on-abort
+ 
+diff --git a/redhat/isisd.service b/redhat/isisd.service
+index 93663aa..c1464c0 100644
+--- a/redhat/isisd.service
+++ b/redhat/isisd.service
+@@ -10,8 +10,6 @@ Documentation=man:isisd
+ [Service]
+ Type=forking
+ EnvironmentFile=/etc/sysconfig/quagga
+-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/isisd.conf
+-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/isisd.conf
+ ExecStart=/usr/sbin/isisd -d $ISISD_OPTS -f /etc/quagga/isisd.conf
+ Restart=on-abort
+ 
+diff --git a/redhat/ospf6d.service b/redhat/ospf6d.service
+index 3c1c978..d493429 100644
+--- a/redhat/ospf6d.service
+++ b/redhat/ospf6d.service
+@@ -10,8 +10,6 @@ Documentation=man:ospf6d
+ [Service]
+ Type=forking
+ EnvironmentFile=/etc/sysconfig/quagga
+-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospf6d.conf
+-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospf6d.conf
+ ExecStart=/usr/sbin/ospf6d -d $OSPF6D_OPTS -f /etc/quagga/ospf6d.conf
+ Restart=on-abort
+ 
+diff --git a/redhat/ospfd.service b/redhat/ospfd.service
+index 0084b6c..6c84580 100644
+--- a/redhat/ospfd.service
+++ b/redhat/ospfd.service
+@@ -10,8 +10,6 @@ Documentation=man:ospfd
+ [Service]
+ Type=forking
+ EnvironmentFile=/etc/sysconfig/quagga
+-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospfd.conf
+-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospfd.conf
+ ExecStart=/usr/sbin/ospfd -d $OSPFD_OPTS -f /etc/quagga/ospfd.conf
+ Restart=on-abort
+ 
+diff --git a/redhat/ripd.service b/redhat/ripd.service
+index 103b5a9..be0f75c 100644
+--- a/redhat/ripd.service
+++ b/redhat/ripd.service
+@@ -10,8 +10,6 @@ Documentation=man:ripd
+ [Service]
+ Type=forking
+ EnvironmentFile=/etc/sysconfig/quagga
+-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripd.conf
+-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripd.conf
+ ExecStart=/usr/sbin/ripd -d $RIPD_OPTS -f /etc/quagga/ripd.conf
+ Restart=on-abort
+ 
+diff --git a/redhat/ripngd.service b/redhat/ripngd.service
+index 6fe6ba8..23447da 100644
+--- a/redhat/ripngd.service
+++ b/redhat/ripngd.service
+@@ -10,8 +10,6 @@ Documentation=man:ripngd
+ [Service]
+ Type=forking
+ EnvironmentFile=/etc/sysconfig/quagga
+-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripngd.conf
+-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripngd.conf
+ ExecStart=/usr/sbin/ripngd -d $RIPNGD_OPTS -f /etc/quagga/ripngd.conf
+ Restart=on-abort
+ 
+diff --git a/redhat/zebra.service b/redhat/zebra.service
+index fa5a004..e3cf0ab 100644
+--- a/redhat/zebra.service
+++ b/redhat/zebra.service
+@@ -10,9 +10,6 @@ Documentation=man:zebra
+ Type=forking
+ EnvironmentFile=-/etc/sysconfig/quagga
+ ExecStartPre=/sbin/ip route flush proto zebra
+-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/vtysh.conf /etc/quagga/zebra.conf
+-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /run/quagga /etc/quagga/zebra.conf
+-ExecStartPre=-/bin/chown -f ${QUAGGA_USER}${VTY_GROUP:+":$VTY_GROUP"} quaggavty /etc/quagga/vtysh.conf
+ ExecStart=/usr/sbin/zebra -d $ZEBRA_OPTS -f /etc/quagga/zebra.conf
+ Restart=on-abort
+ 
+-- 
+2.25.1
diff --git a/meta-networking/recipes-protocols/quagga/quagga.inc b/meta-networking/recipes-protocols/quagga/quagga.inc
index 134a33d478..5ef3843b15 100644
--- a/meta-networking/recipes-protocols/quagga/quagga.inc
+++ b/meta-networking/recipes-protocols/quagga/quagga.inc
@@ -34,8 +34,8 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/quagga/quagga-${PV}.tar.gz; \
           file://ripd.service \
           file://ripngd.service \
           file://zebra.service \
+           file://CVE-2021-44038.patch \
          "
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
 PACKAGECONFIG[cap] = "--enable-capabilities,--disable-capabilities,libcap"
 PACKAGECONFIG[pam] = "--with-libpam, --without-libpam, libpam"
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-07-10 11:20:29 +0530
committer	Armin Kuster <akuster808@gmail.com>	2023-07-14 07:08:54 -0400
commit	2dd0c9db675b2abd546a3661ad65d27b03d61c71 (patch)
tree	9222ae07008397391f02ef570e8347e52eca4a09
parent	3e51eb35aea3c957a0ed7cce6228f746bec2931f (diff)
download	meta-openembedded-2dd0c9db675b2abd546a3661ad65d27b03d61c71.tar.gz

diff --git a/meta-networking/recipes-protocols/quagga/files/CVE-2021-44038.patch b/meta-networking/recipes-protocols/quagga/files/CVE-2021-44038.patch new file mode 100644 index 0000000000..bdb48a3993 --- /dev/null +++ b/meta-networking/recipes-protocols/quagga/files/CVE-2021-44038.patch
@@ -0,0 +1,117 @@
		1	From b2484f4df6414a6b3dd68b4069b79279c746cc27 Mon Sep 17 00:00:00 2001
		2	From: Marius Tomaschewski <mt@suse.com>
		3	Date: Fri Nov 11 09:07:22 UTC 2022
		4	Subject: [PATCH] quagga: unsafe chown/chmod operations may lead to privileges escalation
		5
		6	Reference: https://bugzilla.suse.com/show_bug.cgi?id=1191890
		7
		8	Patch taken from https://build.opensuse.org/package/view_file/network/quagga/remove-chown-chmod.service.patch
		9
		10	CVE: CVE-2021-44038
		11	Signed-off-by: Marius Tomaschewski <mt@suse.com>
		12	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		13	---
		14	redhat/bgpd.service \| 2 --
		15	redhat/isisd.service \| 2 --
		16	redhat/ospf6d.service \| 2 --
		17	redhat/ospfd.service \| 2 --
		18	redhat/ripd.service \| 2 --
		19	redhat/ripngd.service \| 2 --
		20	redhat/zebra.service \| 3 ---
		21	7 files changed, 15 deletions(-)
		22
		23	diff --git a/redhat/bgpd.service b/redhat/bgpd.service
		24	index a50bfff..6f46a97 100644
		25	--- a/redhat/bgpd.service
		26	+++ b/redhat/bgpd.service
		27	@@ -10,8 +10,6 @@ Documentation=man:bgpd
		28	[Service]
		29	Type=forking
		30	EnvironmentFile=/etc/sysconfig/quagga
		31	-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/bgpd.conf
		32	-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/bgpd.conf
		33	ExecStart=/usr/sbin/bgpd -d $BGPD_OPTS -f /etc/quagga/bgpd.conf
		34	Restart=on-abort
		35
		36	diff --git a/redhat/isisd.service b/redhat/isisd.service
		37	index 93663aa..c1464c0 100644
		38	--- a/redhat/isisd.service
		39	+++ b/redhat/isisd.service
		40	@@ -10,8 +10,6 @@ Documentation=man:isisd
		41	[Service]
		42	Type=forking
		43	EnvironmentFile=/etc/sysconfig/quagga
		44	-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/isisd.conf
		45	-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/isisd.conf
		46	ExecStart=/usr/sbin/isisd -d $ISISD_OPTS -f /etc/quagga/isisd.conf
		47	Restart=on-abort
		48
		49	diff --git a/redhat/ospf6d.service b/redhat/ospf6d.service
		50	index 3c1c978..d493429 100644
		51	--- a/redhat/ospf6d.service
		52	+++ b/redhat/ospf6d.service
		53	@@ -10,8 +10,6 @@ Documentation=man:ospf6d
		54	[Service]
		55	Type=forking
		56	EnvironmentFile=/etc/sysconfig/quagga
		57	-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospf6d.conf
		58	-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospf6d.conf
		59	ExecStart=/usr/sbin/ospf6d -d $OSPF6D_OPTS -f /etc/quagga/ospf6d.conf
		60	Restart=on-abort
		61
		62	diff --git a/redhat/ospfd.service b/redhat/ospfd.service
		63	index 0084b6c..6c84580 100644
		64	--- a/redhat/ospfd.service
		65	+++ b/redhat/ospfd.service
		66	@@ -10,8 +10,6 @@ Documentation=man:ospfd
		67	[Service]
		68	Type=forking
		69	EnvironmentFile=/etc/sysconfig/quagga
		70	-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospfd.conf
		71	-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospfd.conf
		72	ExecStart=/usr/sbin/ospfd -d $OSPFD_OPTS -f /etc/quagga/ospfd.conf
		73	Restart=on-abort
		74
		75	diff --git a/redhat/ripd.service b/redhat/ripd.service
		76	index 103b5a9..be0f75c 100644
		77	--- a/redhat/ripd.service
		78	+++ b/redhat/ripd.service
		79	@@ -10,8 +10,6 @@ Documentation=man:ripd
		80	[Service]
		81	Type=forking
		82	EnvironmentFile=/etc/sysconfig/quagga
		83	-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripd.conf
		84	-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripd.conf
		85	ExecStart=/usr/sbin/ripd -d $RIPD_OPTS -f /etc/quagga/ripd.conf
		86	Restart=on-abort
		87
		88	diff --git a/redhat/ripngd.service b/redhat/ripngd.service
		89	index 6fe6ba8..23447da 100644
		90	--- a/redhat/ripngd.service
		91	+++ b/redhat/ripngd.service
		92	@@ -10,8 +10,6 @@ Documentation=man:ripngd
		93	[Service]
		94	Type=forking
		95	EnvironmentFile=/etc/sysconfig/quagga
		96	-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripngd.conf
		97	-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripngd.conf
		98	ExecStart=/usr/sbin/ripngd -d $RIPNGD_OPTS -f /etc/quagga/ripngd.conf
		99	Restart=on-abort
		100
		101	diff --git a/redhat/zebra.service b/redhat/zebra.service
		102	index fa5a004..e3cf0ab 100644
		103	--- a/redhat/zebra.service
		104	+++ b/redhat/zebra.service
		105	@@ -10,9 +10,6 @@ Documentation=man:zebra
		106	Type=forking
		107	EnvironmentFile=-/etc/sysconfig/quagga
		108	ExecStartPre=/sbin/ip route flush proto zebra
		109	-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/vtysh.conf /etc/quagga/zebra.conf
		110	-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /run/quagga /etc/quagga/zebra.conf
		111	-ExecStartPre=-/bin/chown -f ${QUAGGA_USER}${VTY_GROUP:+":$VTY_GROUP"} quaggavty /etc/quagga/vtysh.conf
		112	ExecStart=/usr/sbin/zebra -d $ZEBRA_OPTS -f /etc/quagga/zebra.conf
		113	Restart=on-abort
		114
		115	--
		116	2.25.1
		117


diff --git a/meta-networking/recipes-protocols/quagga/quagga.inc b/meta-networking/recipes-protocols/quagga/quagga.inc index 134a33d478..5ef3843b15 100644 --- a/meta-networking/recipes-protocols/quagga/quagga.inc +++ b/meta-networking/recipes-protocols/quagga/quagga.inc
@@ -34,8 +34,8 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/quagga/quagga-${PV}.tar.gz; \
34	file://ripd.service \	34	file://ripd.service \
35	file://ripngd.service \	35	file://ripngd.service \
36	file://zebra.service \	36	file://zebra.service \
		37	file://CVE-2021-44038.patch \
37	"	38	"
38
39	PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"	39	PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
40	PACKAGECONFIG[cap] = "--enable-capabilities,--disable-capabilities,libcap"	40	PACKAGECONFIG[cap] = "--enable-capabilities,--disable-capabilities,libcap"
41	PACKAGECONFIG[pam] = "--with-libpam, --without-libpam, libpam"	41	PACKAGECONFIG[pam] = "--with-libpam, --without-libpam, libpam"