libcap-ng: CVE-2014-3215

seunshare in policycoreutils 2.2.5 is owned by root with 4755 permissions, and executes programs in a way that changes the relationship between the setuid system call and the getresuid saved set-user-ID value, which makes it easier for local users to gain privileges by leveraging a program that mistakenly expected that it could permanently drop privileges. Pick a patch from below link to address the CVE-2014-3215. https://bugzilla.redhat.com/attachment.cgi?id=829864 Signed-off-by: Shan Hai <shan.hai@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
author: Shan Hai <shan.hai@windriver.com> 2014-07-23 02:56:36 -0400
committer: Xin Ouyang <xin.ouyang@windriver.com> 2014-08-28 18:16:46 +0800
commit: 15df2a84d263960bf44e5af1f24738795f7265fc (patch)
tree: 5cc60a0db33ddbca4566d26571b2b84486d4de27 /recipes-security/libcap-ng
parent: 5166fda6e8dda98fa97ed849250f87e616dca874 (diff)
download: meta-selinux-15df2a84d263960bf44e5af1f24738795f7265fc.tar.gz
2 files changed, 82 insertions, 1 deletions
diff --git a/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch b/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch
new file mode 100644
index 0000000..d7a868d
--- /dev/null
+++ b/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch
@@ -0,0 +1,79 @@
+Upstream-Status: Pending
+diff --git a/docs/capng_lock.3 b/docs/capng_lock.3
+index 7683119..a070c1e 100644
+--- a/docs/capng_lock.3
+++ b/docs/capng_lock.3
+@@ -8,12 +8,13 @@ int capng_lock(void);
+ 
+ .SH "DESCRIPTION"
+ 
+-capng_lock will take steps to prevent children of the current process to regain full privileges if the uid is 0. This should be called while possessing the CAP_SETPCAP capability in the kernel. This function will do the following if permitted by the kernel: Set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS.
+capng_lock will take steps to prevent children of the current process from gaining privileges by executing setuid programs.  This should be called while possessing the CAP_SETPCAP capability in the kernel.
+ 
+This function will do the following if permitted by the kernel:  If the kernel supports PR_SET_NO_NEW_PRIVS, it will use it.  Otherwise it will set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS.  If both fail, it will return an error.
+ 
+ .SH "RETURN VALUE"
+ 
+-This returns 0 on success and a negative number on failure. -1 means a failure setting any of the PR_SET_SECUREBITS options.
+This returns 0 on success and a negative number on failure. -1 means a failure to use PR_SET_NO_NEW_PRIVS and a failure setting any of the PR_SET_SECUREBITS options.
+ 
+ .SH "SEE ALSO"
+ 
+diff --git a/src/cap-ng.c b/src/cap-ng.c
+index bd105ba..422f2bc 100644
+--- a/src/cap-ng.c
+++ b/src/cap-ng.c
+@@ -45,6 +45,7 @@
+  * 2.6.24 kernel       XATTR_NAME_CAPS
+  * 2.6.25 kernel       PR_CAPBSET_DROP, CAPABILITY_VERSION_2
+  * 2.6.26 kernel       PR_SET_SECUREBITS, SECURE_*_LOCKED, VERSION_3
+ * 3.5    kernel       PR_SET_NO_NEW_PRIVS
+  */
+ 
+ /* External syscall prototypes */
+@@ -122,6 +123,14 @@ extern int capget(cap_user_header_t header, const cap_user_data_t data);
+ #define SECURE_NO_SETUID_FIXUP_LOCKED   3  /* make bit-2 immutable */
+ #endif
+ 
+/* prctl values that we use */
+#ifndef PR_SET_SECUREBITS
+#define PR_SET_SECUREBITS              28
+#endif
+#ifndef PR_SET_NO_NEW_PRIVS
+#define PR_SET_NO_NEW_PRIVS            38
+#endif
+
+ // States: new, allocated, initted, updated, applied
+ typedef enum { CAPNG_NEW, CAPNG_ERROR, CAPNG_ALLOCATED, CAPNG_INIT,
+        CAPNG_UPDATED, CAPNG_APPLIED } capng_states_t;
+@@ -663,15 +672,22 @@ int capng_change_id(int uid, int gid, capng_flags_t flag)
+ 
+ int capng_lock(void)
+ {
+-#ifdef PR_SET_SECUREBITS
+-       int rc = prctl(PR_SET_SECUREBITS,
+-                       1 << SECURE_NOROOT |
+-                       1 << SECURE_NOROOT_LOCKED |
+-                       1 << SECURE_NO_SETUID_FIXUP |
+-                       1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
+       int rc;
+
+       // On Linux 3.5 and up, we can directly prevent ourselves and
+       // our descendents from gaining privileges.
+       if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
+               return 0;
+
+       // This kernel is too old or otherwise doesn't support
+       // PR_SET_NO_NEW_PRIVS.  Fall back to using securebits.
+       rc = prctl(PR_SET_SECUREBITS,
+                  1 << SECURE_NOROOT |
+                  1 << SECURE_NOROOT_LOCKED |
+                  1 << SECURE_NO_SETUID_FIXUP |
+                  1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
+        if (rc)
+                return -1;
+-#endif
+ 
+        return 0;
+ }
diff --git a/recipes-security/libcap-ng/libcap-ng_0.7.3.bb b/recipes-security/libcap-ng/libcap-ng_0.7.3.bb
index 3f225ba..e729518 100644
--- a/recipes-security/libcap-ng/libcap-ng_0.7.3.bb
+++ b/recipes-security/libcap-ng/libcap-ng_0.7.3.bb
@@ -8,7 +8,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
                    file://COPYING.LIB;md5=e3eda01d9815f8d24aae2dbd89b68b06"
 SRC_URI = "http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-${PV}.tar.gz \
-           file://python.patch"
+           file://python.patch \
+           file://CVE-2014-3215.patch \
+          "
 inherit lib_package autotools pythonnative
author	Shan Hai <shan.hai@windriver.com>	2014-07-23 02:56:36 -0400
committer	Xin Ouyang <xin.ouyang@windriver.com>	2014-08-28 18:16:46 +0800
commit	15df2a84d263960bf44e5af1f24738795f7265fc (patch)
tree	5cc60a0db33ddbca4566d26571b2b84486d4de27 /recipes-security/libcap-ng
parent	5166fda6e8dda98fa97ed849250f87e616dca874 (diff)
download	meta-selinux-15df2a84d263960bf44e5af1f24738795f7265fc.tar.gz

diff --git a/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch b/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch new file mode 100644 index 0000000..d7a868d --- /dev/null +++ b/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch
@@ -0,0 +1,79 @@
		1	Upstream-Status: Pending
		2
		3	diff --git a/docs/capng_lock.3 b/docs/capng_lock.3
		4	index 7683119..a070c1e 100644
		5	--- a/docs/capng_lock.3
		6	+++ b/docs/capng_lock.3
		7	@@ -8,12 +8,13 @@ int capng_lock(void);
		8
		9	.SH "DESCRIPTION"
		10
		11	-capng_lock will take steps to prevent children of the current process to regain full privileges if the uid is 0. This should be called while possessing the CAP_SETPCAP capability in the kernel. This function will do the following if permitted by the kernel: Set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS.
		12	+capng_lock will take steps to prevent children of the current process from gaining privileges by executing setuid programs. This should be called while possessing the CAP_SETPCAP capability in the kernel.
		13
		14	+This function will do the following if permitted by the kernel: If the kernel supports PR_SET_NO_NEW_PRIVS, it will use it. Otherwise it will set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS. If both fail, it will return an error.
		15
		16	.SH "RETURN VALUE"
		17
		18	-This returns 0 on success and a negative number on failure. -1 means a failure setting any of the PR_SET_SECUREBITS options.
		19	+This returns 0 on success and a negative number on failure. -1 means a failure to use PR_SET_NO_NEW_PRIVS and a failure setting any of the PR_SET_SECUREBITS options.
		20
		21	.SH "SEE ALSO"
		22
		23	diff --git a/src/cap-ng.c b/src/cap-ng.c
		24	index bd105ba..422f2bc 100644
		25	--- a/src/cap-ng.c
		26	+++ b/src/cap-ng.c
		27	@@ -45,6 +45,7 @@
		28	* 2.6.24 kernel XATTR_NAME_CAPS
		29	* 2.6.25 kernel PR_CAPBSET_DROP, CAPABILITY_VERSION_2
		30	* 2.6.26 kernel PR_SET_SECUREBITS, SECURE_*_LOCKED, VERSION_3
		31	+ * 3.5 kernel PR_SET_NO_NEW_PRIVS
		32	*/
		33
		34	/* External syscall prototypes */
		35	@@ -122,6 +123,14 @@ extern int capget(cap_user_header_t header, const cap_user_data_t data);
		36	#define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */
		37	#endif
		38
		39	+/* prctl values that we use */
		40	+#ifndef PR_SET_SECUREBITS
		41	+#define PR_SET_SECUREBITS 28
		42	+#endif
		43	+#ifndef PR_SET_NO_NEW_PRIVS
		44	+#define PR_SET_NO_NEW_PRIVS 38
		45	+#endif
		46	+
		47	// States: new, allocated, initted, updated, applied
		48	typedef enum { CAPNG_NEW, CAPNG_ERROR, CAPNG_ALLOCATED, CAPNG_INIT,
		49	CAPNG_UPDATED, CAPNG_APPLIED } capng_states_t;
		50	@@ -663,15 +672,22 @@ int capng_change_id(int uid, int gid, capng_flags_t flag)
		51
		52	int capng_lock(void)
		53	{
		54	-#ifdef PR_SET_SECUREBITS
		55	- int rc = prctl(PR_SET_SECUREBITS,
		56	- 1 << SECURE_NOROOT \|
		57	- 1 << SECURE_NOROOT_LOCKED \|
		58	- 1 << SECURE_NO_SETUID_FIXUP \|
		59	- 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
		60	+ int rc;
		61	+
		62	+ // On Linux 3.5 and up, we can directly prevent ourselves and
		63	+ // our descendents from gaining privileges.
		64	+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
		65	+ return 0;
		66	+
		67	+ // This kernel is too old or otherwise doesn't support
		68	+ // PR_SET_NO_NEW_PRIVS. Fall back to using securebits.
		69	+ rc = prctl(PR_SET_SECUREBITS,
		70	+ 1 << SECURE_NOROOT \|
		71	+ 1 << SECURE_NOROOT_LOCKED \|
		72	+ 1 << SECURE_NO_SETUID_FIXUP \|
		73	+ 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
		74	if (rc)
		75	return -1;
		76	-#endif
		77
		78	return 0;
		79	}


diff --git a/recipes-security/libcap-ng/libcap-ng_0.7.3.bb b/recipes-security/libcap-ng/libcap-ng_0.7.3.bb index 3f225ba..e729518 100644 --- a/recipes-security/libcap-ng/libcap-ng_0.7.3.bb +++ b/recipes-security/libcap-ng/libcap-ng_0.7.3.bb
@@ -8,7 +8,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
8	file://COPYING.LIB;md5=e3eda01d9815f8d24aae2dbd89b68b06"	8	file://COPYING.LIB;md5=e3eda01d9815f8d24aae2dbd89b68b06"
9		9
10	SRC_URI = "http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-${PV}.tar.gz \	10	SRC_URI = "http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-${PV}.tar.gz \
11	file://python.patch"	11	file://python.patch \
		12	file://CVE-2014-3215.patch \
		13	"
12		14
13	inherit lib_package autotools pythonnative	15	inherit lib_package autotools pythonnative
14		16