packages/pesign
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!35 [sync] PR-34: CVE-2022-3560

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia
This commit is contained in:
openeuler-ci-bot 2023-02-15 13:27:40 +00:00 committed by Gitee
commit 6a77d3896d
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 66 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
Fix-CVE-2022-3560.patch Normal file
View File

@ -0,0 +1,61 @@
--- a/src/pesign-authorize 2023-02-14 16:34:30.937317398 +0800
+++ b/src/pesign-authorize 2023-02-14 16:36:55.343001392 +0800
@@ -2,55 +2,11 @@
set -e
set -u
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific users is useful
-#
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
# License: GPLv2
-declare -a fileusers=()
-declare -a dirusers=()
-for user in $(cat /etc/pesign/users); do
- dirusers[${#dirusers[@]}]=-m
- dirusers[${#dirusers[@]}]="u:$user:rwx"
- fileusers[${#fileusers[@]}]=-m
- fileusers[${#fileusers[@]}]="u:$user:rw"
-done
-
-declare -a filegroups=()
-declare -a dirgroups=()
-for group in $(cat /etc/pesign/groups); do
- dirgroups[${#dirgroups[@]}]=-m
- dirgroups[${#dirgroups[@]}]="g:$group:rwx"
- filegroups[${#filegroups[@]}]=-m
- filegroups[${#filegroups[@]}]="g:$group:rw"
-done
-
-update_subdir() {
- subdir=$1 && shift
- setfacl -bk "${subdir}"
- setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
- for x in "${subdir}"* ; do
- if [ -d "${x}" ]; then
- setfacl -bk ${x}
- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
- update_subdir "${x}/"
- elif [ -e "${x}" ]; then
- setfacl -bk ${x}
- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
- else
- :;
- fi
- done
-}
+# This script is deprecated and will be removed in a future release.
for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
- if [ -d "${x}" ]; then
- update_subdir "${x}"
- else
- :;
- fi
+ chown -R pesign:pesign "${x}" || true
+ chmod -R ug+rwX "${x}" || true
done

6
pesign.spec
View File

@ -2,7 +2,7 @@
Name: pesign Name: pesign
Summary: Signing utility for UEFI binaries Summary: Signing utility for UEFI binaries
Version: 0.113 Version: 0.113
Release: 4 Release: 5
License: GPLv2 License: GPLv2
URL: https://github.com/vathpela/pesign URL: https://github.com/vathpela/pesign
Source0: https://github.com/rhboot/pesign/archive/113.tar.gz Source0: https://github.com/rhboot/pesign/archive/113.tar.gz
@ -14,6 +14,7 @@ BuildRequires: nspr nss nss-util popt-devel nss-tools nspr-devel >= 4.9.2-1
BuildRequires: nss-devel >= 3.13.6-1 efivar-devel >= 31-1 libuuid-devel tar xz BuildRequires: nss-devel >= 3.13.6-1 efivar-devel >= 31-1 libuuid-devel tar xz
BuildRequires: python3-rpm-macros python3 systemd python3-devel BuildRequires: python3-rpm-macros python3 systemd python3-devel
Patch0001: Fix-the-build-with-nss-3.44.patch Patch0001: Fix-the-build-with-nss-3.44.patch
Patch0002: Fix-CVE-2022-3560.patch
%description %description
pesign is a command line tool for manipulating signatures and pesign is a command line tool for manipulating signatures and
cryptographic digests of UEFI applications. cryptographic digests of UEFI applications.
@ -79,6 +80,9 @@ exit 0
%{_mandir}/man*/* %{_mandir}/man*/*
%changelog %changelog
* Wed Feb 15 2023 luopihui <luopihui@ncti-gba.cn> - 0.113-5
- Fix CVE-2022-3560
* Sat Oct 10 2020 baizhonggui <baizhonggui@huawei.com> - 0.113-4 * Sat Oct 10 2020 baizhonggui <baizhonggui@huawei.com> - 0.113-4
- Fix the build with nss 3.44 - Fix the build with nss 3.44