Hi RAUC users,

today a new RAUC release was published that you should pay attention to (even if it is right before Christmas). Besides some other minor bug fixes and enhancements its main purpose is to provide a fix for the vulnerability CVE-2020-25860 that was published today:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25860

Please read the advisory carefully to evaluate if this affects your system and upgrade to RAUC v1.5 if necessary:

https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv

Besides the mitigation, the release also introduces the new "verity" bundle format (the old format is now called "plain"). The verity format was added to prepare for future use cases (such as network streaming and encryption), for better parallelization of installation with hash verification and to detect modification of the bundle during installation (CVE-2020-25860).

The bundle format is detected when reading a bundle and checked against the set of allowed formats configured in the system.conf.

As the old plain format does not offer protection against modification during the installation process, RAUC now takes ownership of the bundle file, removes write permissions and checks for existing open file descriptors. This is intended as a mitigation to protect against a compromised update service running as a non-root user, which would otherwise be able to modify the bundle between signature check and actual bundle installation.

You can find a complete list of all (other) changes since v1.4 below.

After the integration, it is important to check that the new bundle access protection has no false positives with RAUC 1.5 on your system. Otherwise, after a successful update to 1.5, no further updates would be installable.

We would appreciate your feedback on the new format and the mitigation fix. Please let us know if you encounter any problems during upgrading to v1.5.

So far from our side, it was a lot of work in the last weeks, thus we now wish you all relaxing Holidays and a Happy New Year!

Stay healthy and do not go outside if you can update remotely. ;)

Best wishes from
The RAUC Team

---

CHANGES:

Release 1.5 (released Dec 14, 2020)
============================================

Note: This version introduces the new ``verity`` bundle format (the old format is now called ``plain``).
The ``verity`` format was added to prepare for future use cases (such as network streaming and encryption), for better parallelization of installation with hash verification and to detect modification of the bundle during installation (CVE-2020-25860).

The bundle format is detected when reading a bundle and checked against the set of allowed formats configured in the system.conf (see https://rauc.readthedocs.io/en/latest/reference.html#sec-ref-formats).

As the old ``plain`` format does not offer protection against modification during the installation process, RAUC now takes ownership of the bundle file, removes write permissions and checks for existing open file descriptors. This is intended as a mitigation to protect against a compromised update service running as a non-root user, which would otherwise be able to modify the bundle between signature check and actual bundle installation.

See https://rauc.readthedocs.io/en/latest/integration.html#bundle-format-migration for more details on how to switch to the ``verity`` format.

Enhancements
------------

* Add support for the ``verity`` bundle format. See the https://rauc.readthedocs.io/en/latest/reference.html#verity-format for details.
* Support resolving the `root=PARTLABEL=xxx` kernel command line option. (by Gaël PORTAY)
* Disable the unnecessary SMIMECapabilities information in the bundle signature, saving ~100 bytes.
* Remove redundant checksum verification for source images during installation. The RAUC bundle is already verified at this point, so there is no need to verify the checksum of each file individually. (by Bastian Krause)

Security
--------

* Take ownership of bundle files if they are not owned by root and remove write permissions. Then check that no writable file descriptors are open for the bundle file (using the ``F_SETLEASE`` fcntl). This fixes CVE-2020-25860.
  See the advisory for more details: https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv

Note: The https://github.com/rauc/rauc-1.5-integration repository contains examples to simplify integrating the RAUC update into existing projects. You can subscribe to https://github.com/rauc/rauc-1.5-integration/issues/1 to receive notifications of important updates to this repository and of integration into the upstream build systems.

Bug fixes
---------

* Fix install handler selection for *.img files for boot-* slots when used with casync. (by Martin Schwan)
* Fix checking for unknown keys in the slot configuration.
* Fix some corner cases related to stopping the D-Bus daemon.
* Propagate error if unable to save manifest. (by Stefan Wahren)
* Apply `--handler-args` only during installation (and not during bundle creation).

Testing
-------

* Ship `test/minimal-test.conf` to fix testing when running as root. (by Uwe Kleine-König)
* Increase usage of g_autofree/g_autoptr in the test suite.

Code
----

* Remove unused code for signed manifests (outside of a bundle).
* Add G_GNUC_WARN_UNUSED_RESULT to many functions.

Documentation
-------------

* Fix multiple smaller errors. (by Christoph Steiger, Christopher Obbard and Michael Heimpold)
* Improve documentation related to u-boot scripting and environment storage.

Contributions from: Bastian Krause, Christoph Steiger, Christopher Obbard, Enrico Jörns, Gaël PORTAY, Jan Lübbe, Martin Schwan, Michael Heimpold, Stefan Wahren, Uwe Kleine-König

-- 
Pengutronix e.K.                           | Enrico Jörns                |
Embedded Linux Consulting & Support        | https://www.pengutronix.de/ |
Steuerwalder Str. 21                       | Phone: +49-5121-206917-180  |
31137 Hildesheim, Germany                  | Fax:   +49-5121-206917-9    |
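
The bundle access protection listed under "Security" above (take ownership, remove write permissions, then probe for writable descriptors with ``F_SETLEASE``), sketched as an added C example. It is not RAUC's code: `protect_bundle_fd`, `demo`, the `BUNDLE_*` return codes and the temporary path are names assumed for illustration.

```c
#define _GNU_SOURCE /* F_SETLEASE is Linux-specific */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { BUNDLE_OK = 0, BUNDLE_HAS_WRITER = 1, BUNDLE_ERROR = -1 };

/* Hypothetical helper, not RAUC's own function: lock down a bundle that is
 * already open read-only on fd, then probe for writable descriptors. */
int protect_bundle_fd(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode))
        return BUNDLE_ERROR;
    /* Take ownership. RAUC does this as root; using geteuid() is this
     * example's assumption so that it also runs unprivileged. */
    if (st.st_uid != geteuid() && fchown(fd, geteuid(), (gid_t)-1) < 0)
        return BUNDLE_ERROR;
    /* Clear all write bits so unprivileged opens for writing now fail. */
    if (fchmod(fd, st.st_mode & 07555) < 0)
        return BUNDLE_ERROR;
    /* Descriptors opened earlier survive chmod. A read lease is refused
     * with EAGAIN while any of them is still open for writing. */
    if (fcntl(fd, F_SETLEASE, F_RDLCK) < 0)
        return errno == EAGAIN ? BUNDLE_HAS_WRITER : BUNDLE_ERROR;
    fcntl(fd, F_SETLEASE, F_UNLCK); /* probe only: release the lease */
    return BUNDLE_OK;
}

/* Constructed scenario: mkstemp() hands back an O_RDWR descriptor, standing
 * in for an update service that kept the bundle open for writing. */
int demo(int *writer_open, int *writer_closed, mode_t *mode)
{
    char path[] = "/tmp/bundle-demo-XXXXXX";
    struct stat st;
    int wfd = mkstemp(path);
    int rfd = wfd < 0 ? -1 : open(path, O_RDONLY);
    if (rfd < 0) { if (wfd >= 0) { close(wfd); unlink(path); } return -1; }
    *writer_open = protect_bundle_fd(rfd);   /* writer still present */
    close(wfd);
    *writer_closed = protect_bundle_fd(rfd); /* writer gone */
    *mode = fstat(rfd, &st) == 0 ? (st.st_mode & 07777) : (mode_t)-1;
    close(rfd);
    unlink(path);
    return 0;
}
```

Per fcntl(2), a lease can only be taken by the file's owner or a process with CAP_LEASE, and not every filesystem supports leases; on such a setup the helper returns `BUNDLE_ERROR`, which is the kind of false positive the announcement asks integrators to check for.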