From b2484f4df6414a6b3dd68b4069b79279c746cc27 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski
Date: Fri Nov 11 09:07:22 UTC 2022
Subject: [PATCH] quagga: unsafe chown/chmod operations may lead to privileges escalation

Reference: https://bugzilla.suse.com/show_bug.cgi?id=1191890
Patch taken from https://build.opensuse.org/package/view_file/network/quagga/remove-chown-chmod.service.patch
CVE: CVE-2021-44038
Signed-off-by: Marius Tomaschewski
Signed-off-by: Hitendra Prajapati
---
 redhat/bgpd.service | 2 --
 redhat/isisd.service | 2 --
 redhat/ospf6d.service | 2 --
 redhat/ospfd.service | 2 --
 redhat/ripd.service | 2 --
 redhat/ripngd.service | 2 --
 redhat/zebra.service | 3 ---
 7 files changed, 15 deletions(-)

diff --git a/redhat/bgpd.service b/redhat/bgpd.service
index a50bfff..6f46a97 100644
--- a/redhat/bgpd.service
+++ b/redhat/bgpd.service
@@ -10,8 +10,6 @@ Documentation=man:bgpd
 [Service]
 Type=forking
 EnvironmentFile=/etc/sysconfig/quagga
-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/bgpd.conf
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/bgpd.conf
 ExecStart=/usr/sbin/bgpd -d $BGPD_OPTS -f /etc/quagga/bgpd.conf
 Restart=on-abort
 
diff --git a/redhat/isisd.service b/redhat/isisd.service
index 93663aa..c1464c0 100644
--- a/redhat/isisd.service
+++ b/redhat/isisd.service
@@ -10,8 +10,6 @@ Documentation=man:isisd
 [Service]
 Type=forking
 EnvironmentFile=/etc/sysconfig/quagga
-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/isisd.conf
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/isisd.conf
 ExecStart=/usr/sbin/isisd -d $ISISD_OPTS -f /etc/quagga/isisd.conf
 Restart=on-abort
 
diff --git a/redhat/ospf6d.service b/redhat/ospf6d.service
index 3c1c978..d493429 100644
--- a/redhat/ospf6d.service
+++ b/redhat/ospf6d.service
@@ -10,8 +10,6 @@ Documentation=man:ospf6d
 [Service]
 Type=forking
 EnvironmentFile=/etc/sysconfig/quagga
-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospf6d.conf
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospf6d.conf
 ExecStart=/usr/sbin/ospf6d -d $OSPF6D_OPTS -f /etc/quagga/ospf6d.conf
 Restart=on-abort
 
diff --git a/redhat/ospfd.service b/redhat/ospfd.service
index 0084b6c..6c84580 100644
--- a/redhat/ospfd.service
+++ b/redhat/ospfd.service
@@ -10,8 +10,6 @@ Documentation=man:ospfd
 [Service]
 Type=forking
 EnvironmentFile=/etc/sysconfig/quagga
-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospfd.conf
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospfd.conf
 ExecStart=/usr/sbin/ospfd -d $OSPFD_OPTS -f /etc/quagga/ospfd.conf
 Restart=on-abort
 
diff --git a/redhat/ripd.service b/redhat/ripd.service
index 103b5a9..be0f75c 100644
--- a/redhat/ripd.service
+++ b/redhat/ripd.service
@@ -10,8 +10,6 @@ Documentation=man:ripd
 [Service]
 Type=forking
 EnvironmentFile=/etc/sysconfig/quagga
-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripd.conf
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripd.conf
 ExecStart=/usr/sbin/ripd -d $RIPD_OPTS -f /etc/quagga/ripd.conf
 Restart=on-abort
 
diff --git a/redhat/ripngd.service b/redhat/ripngd.service
index 6fe6ba8..23447da 100644
--- a/redhat/ripngd.service
+++ b/redhat/ripngd.service
@@ -10,8 +10,6 @@ Documentation=man:ripngd
 [Service]
 Type=forking
 EnvironmentFile=/etc/sysconfig/quagga
-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripngd.conf
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripngd.conf
 ExecStart=/usr/sbin/ripngd -d $RIPNGD_OPTS -f /etc/quagga/ripngd.conf
 Restart=on-abort
 
diff --git a/redhat/zebra.service b/redhat/zebra.service
index fa5a004..e3cf0ab 100644
--- a/redhat/zebra.service
+++ b/redhat/zebra.service
@@ -10,9 +10,6 @@ Documentation=man:zebra
 Type=forking
 EnvironmentFile=-/etc/sysconfig/quagga
 ExecStartPre=/sbin/ip route flush proto zebra
-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/vtysh.conf /etc/quagga/zebra.conf
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /run/quagga /etc/quagga/zebra.conf
-ExecStartPre=-/bin/chown -f ${QUAGGA_USER}${VTY_GROUP:+":$VTY_GROUP"} quaggavty /etc/quagga/vtysh.conf
 ExecStart=/usr/sbin/zebra -d $ZEBRA_OPTS -f /etc/quagga/zebra.conf
 Restart=on-abort
 
-- 
2.25.1