Fix CVE-2022-3560
(cherry picked from commit 083c7c618bc1115a86e77fab98c7f48e6cf66632)
This commit is contained in:
phluo
openeuler-sync-bot
parent
865615ccc3
commit
261093b9f6
61
Fix-CVE-2022-3560.patch
Normal file
61
Fix-CVE-2022-3560.patch
Normal file
@ -0,0 +1,61 @@
|
||||
--- a/src/pesign-authorize 2023-02-14 16:34:30.937317398 +0800
|
||||
+++ b/src/pesign-authorize 2023-02-14 16:36:55.343001392 +0800
|
||||
@@ -2,55 +2,11 @@
|
||||
set -e
|
||||
set -u
|
||||
|
||||
-#
|
||||
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
|
||||
-# acls for specific users is useful
|
||||
-#
|
||||
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
|
||||
-#
|
||||
-
|
||||
# License: GPLv2
|
||||
-declare -a fileusers=()
|
||||
-declare -a dirusers=()
|
||||
-for user in $(cat /etc/pesign/users); do
|
||||
- dirusers[${#dirusers[@]}]=-m
|
||||
- dirusers[${#dirusers[@]}]="u:$user:rwx"
|
||||
- fileusers[${#fileusers[@]}]=-m
|
||||
- fileusers[${#fileusers[@]}]="u:$user:rw"
|
||||
-done
|
||||
-
|
||||
-declare -a filegroups=()
|
||||
-declare -a dirgroups=()
|
||||
-for group in $(cat /etc/pesign/groups); do
|
||||
- dirgroups[${#dirgroups[@]}]=-m
|
||||
- dirgroups[${#dirgroups[@]}]="g:$group:rwx"
|
||||
- filegroups[${#filegroups[@]}]=-m
|
||||
- filegroups[${#filegroups[@]}]="g:$group:rw"
|
||||
-done
|
||||
-
|
||||
-update_subdir() {
|
||||
- subdir=$1 && shift
|
||||
|
||||
- setfacl -bk "${subdir}"
|
||||
- setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
|
||||
- for x in "${subdir}"* ; do
|
||||
- if [ -d "${x}" ]; then
|
||||
- setfacl -bk ${x}
|
||||
- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
|
||||
- update_subdir "${x}/"
|
||||
- elif [ -e "${x}" ]; then
|
||||
- setfacl -bk ${x}
|
||||
- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
|
||||
- else
|
||||
- :;
|
||||
- fi
|
||||
- done
|
||||
-}
|
||||
+# This script is deprecated and will be removed in a future release.
|
||||
|
||||
for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
|
||||
- if [ -d "${x}" ]; then
|
||||
- update_subdir "${x}"
|
||||
- else
|
||||
- :;
|
||||
- fi
|
||||
+ chown -R pesign:pesign "${x}" || true
|
||||
+ chmod -R ug+rwX "${x}" || true
|
||||
done
|
||||
@ -2,7 +2,7 @@
|
||||
Name: pesign
|
||||
Summary: Signing utility for UEFI binaries
|
||||
Version: 0.113
|
||||
Release: 4
|
||||
Release: 5
|
||||
License: GPLv2
|
||||
URL: https://github.com/vathpela/pesign
|
||||
Source0: https://github.com/rhboot/pesign/archive/113.tar.gz
|
||||
@ -14,6 +14,7 @@ BuildRequires: nspr nss nss-util popt-devel nss-tools nspr-devel >= 4.9.2-1
|
||||
BuildRequires: nss-devel >= 3.13.6-1 efivar-devel >= 31-1 libuuid-devel tar xz
|
||||
BuildRequires: python3-rpm-macros python3 systemd python3-devel
|
||||
Patch0001: Fix-the-build-with-nss-3.44.patch
|
||||
Patch0002: Fix-CVE-2022-3560.patch
|
||||
%description
|
||||
pesign is a command line tool for manipulating signatures and
|
||||
cryptographic digests of UEFI applications.
|
||||
@ -79,6 +80,9 @@ exit 0
|
||||
%{_mandir}/man*/*
|
||||
|
||||
%changelog
|
||||
* Wed Feb 15 2023 luopihui <luopihui@ncti-gba.cn> - 0.113-5
|
||||
- Fix CVE-2022-3560
|
||||
|
||||
* Sat Oct 10 2020 baizhonggui <baizhonggui@huawei.com> - 0.113-4
|
||||
- Fix the build with nss 3.44
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user