packages/cifs-utils
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix_capng_apply_for_libcap-ng-0.8.1

Browse Source 
(cherry picked from commit 4f1a54450022f0b9a03d4abe477a164c122055a1)
This commit is contained in:
konglidong 2021-11-23 14:02:22 +08:00 committed by openeuler-sync-bot
parent 40a8127454
commit b96453fd95
3 changed files with 108 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
1001-cifs.upcall-update-the-cap-bounding-set-only-when-CA.patch Normal file
View File

@ -0,0 +1,50 @@
From 4205fdc411701ffc323769d41508e0875b9d63d4 Mon Sep 17 00:00:00 2001
From: Jonas Witschel <diabonas@archlinux.org>
Date: Sat, 21 Nov 2020 12:11:45 +0100
Subject: [PATCH] cifs.upcall: update the cap bounding set only when
CAP_SETPCAP is given
libcap-ng 0.8.1 tightened the error checking on capng_apply, returning an error
of -4 when trying to update the capability bounding set without having the
CAP_SETPCAP capability to be able to do so. Previous versions of libcap-ng
silently skipped updating the bounding set and only updated the normal
CAPNG_SELECT_CAPS capabilities instead.
Check beforehand whether we have CAP_SETPCAP, in which case we can use
CAPNG_SELECT_BOTH to update both the normal capabilities and the bounding set.
Otherwise, we can at least update the normal capabilities, but refrain from
trying to update the bounding set to avoid getting an error.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
---
cifs.upcall.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/cifs.upcall.c b/cifs.upcall.c
index 1559434..af1a0b0 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -88,6 +88,8 @@ typedef enum _sectype {
static int
trim_capabilities(bool need_environ)
{
+ capng_select_t set = CAPNG_SELECT_CAPS;
+
capng_clear(CAPNG_SELECT_BOTH);
/* SETUID and SETGID to change uid, gid, and grouplist */
@@ -105,7 +107,10 @@ trim_capabilities(bool need_environ)
return 1;
}
- if (capng_apply(CAPNG_SELECT_BOTH)) {
+ if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
+ set = CAPNG_SELECT_BOTH;
+ }
+ if (capng_apply(set)) {
syslog(LOG_ERR, "%s: Unable to apply capability set: %m\n", __func__);
return 1;
}
--
2.27.0

50
1002-mount.cifs-update-the-cap-bounding-set-only-when-CAP.patch Normal file
View File

@ -0,0 +1,50 @@
From e406fb13e5b08b440100ec6215973060b7fdcff3 Mon Sep 17 00:00:00 2001
From: Jonas Witschel <diabonas@archlinux.org>
Date: Sat, 21 Nov 2020 12:11:44 +0100
Subject: [PATCH] mount.cifs: update the cap bounding set only when CAP_SETPCAP
is given
libcap-ng 0.8.1 tightened the error checking on capng_apply, returning an error
of -4 when trying to update the capability bounding set without having the
CAP_SETPCAP capability to be able to do so. Previous versions of libcap-ng
silently skipped updating the bounding set and only updated the normal
CAPNG_SELECT_CAPS capabilities instead.
Check beforehand whether we have CAP_SETPCAP, in which case we can use
CAPNG_SELECT_BOTH to update both the normal capabilities and the bounding set.
Otherwise, we can at least update the normal capabilities, but refrain from
trying to update the bounding set to avoid getting an error.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
---
mount.cifs.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/mount.cifs.c b/mount.cifs.c
index 81bdbc8..2474e98 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -347,6 +347,8 @@ static int set_password(struct parsed_mount_info *parsed_info, const char *src)
static int
drop_capabilities(int parent)
{
+ capng_select_t set = CAPNG_SELECT_CAPS;
+
capng_setpid(getpid());
capng_clear(CAPNG_SELECT_BOTH);
if (parent) {
@@ -364,7 +366,10 @@ drop_capabilities(int parent)
return EX_SYSERR;
}
}
- if (capng_apply(CAPNG_SELECT_BOTH)) {
+ if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
+ set = CAPNG_SELECT_BOTH;
+ }
+ if (capng_apply(set)) {
fprintf(stderr, "Unable to apply new capability set.\n");
return EX_SYSERR;
}
--
2.27.0

10
cifs-utils.spec
View File

@ -1,13 +1,16 @@
Name: cifs-utils
Version: 6.10
Release: 3
Release: 4
Summary: Utilities for doing and managing mounts of the Linux CIFS filesystem
License: GPLv3+
URL: http://linux-cifs.samba.org/cifs-utils/
Source0: https://download.samba.org/pub/linux-cifs/cifs-utils/%{name}-%{version}.tar.bz2
Patch0: 0001-CVE-2020-14342-mount.cifs-fix-shell-command-injectio.patch
Patch1: 0002-CVE-2021-20208.patch
Patch1: 0002-CVE-2021-20208.patch
Patch2: 1001-cifs.upcall-update-the-cap-bounding-set-only-when-CA.patch
Patch3: 1002-mount.cifs-update-the-cap-bounding-set-only-when-CAP.patch
BuildRequires: python3-docutils libcap-ng-devel libtalloc-devel krb5-devel keyutils-libs-devel autoconf
BuildRequires: automake libwbclient-devel pam-devel python3-samba pkg-config fdupes gcc
@ -80,6 +83,9 @@ install -m 644 contrib/request-key.d/cifs.spnego.conf %{buildroot}%{_sysconfdir}
%{_mandir}/man8/*
%changelog
* Tue Nov 23 2021 konglidong <konglidong@uniontech.com> - 6.10-4
- sync patch from Upstream for fix capng apply for libcap-ng-0.8.1
* Tue Aug 17 2021 haowenchao <haowenchao@huawei.com> - 6.10-3
- DESC: delete -Sgit from %autosetup, and delete BuildRequires git