RPM Package Manager, CVS Repository
  http://rpm5.org/cvs/
  ____________________________________________________________________________

  Server: rpm5.org                         Name:   Ralf S. Engelschall
  Root:   /v/rpm/cvs                       Email:  [EMAIL PROTECTED]
  Module: rpm                              Date:   02-Jan-2008 20:10:14
  Branch: HEAD                             Handle: 2008010219101301

  Modified files:
    rpm                     VENDOR
    rpm/lib                 poptALL.c
    rpm/rpmio               librpmio.vers macro.c rpmmacro.h

  Log:
    Add one small additional OpenPKG-scoped extra functionality in order to
    not open a security hole when using flexible "rpmpopt" and "rpmmacros"
    file loading.
    
    In OpenPKG we want to use "local" ".openpkg/{rpmpopt,rpmmacros}"
    files in order to support flexible and path-independent build
    environments for package development. For this we build RPM with
    --with-path-rpmpopt="$RPMPOPT" and --with-path-macros="$RPMMACROS" and
    calculate the paths as follows:
    
        RPMPOPT="%{l_prefix}/lib/openpkg/rpmpopt"
        RPMPOPT="$RPMPOPT:%{l_prefix}/etc/openpkg/rpmpopt"
        RPMPOPT="$RPMPOPT:%{l_prefix}/etc/openpkg/rpmpopt.d/*"
        RPMPOPT="$RPMPOPT:~/.openpkg/rpmpopt"
        RPMPOPT="$RPMPOPT:@../../.openpkg/rpmpopt"
        RPMPOPT="$RPMPOPT:@../.openpkg/rpmpopt"
        RPMPOPT="$RPMPOPT:@./.openpkg/rpmpopt"
    
        RPMMACROS="%{l_prefix}/lib/openpkg/macros"
        RPMMACROS="$RPMMACROS:%{l_prefix}/etc/openpkg/rpmmacros"
        RPMMACROS="$RPMMACROS:%{l_prefix}/etc/openpkg/rpmmacros.d/*"
        RPMMACROS="$RPMMACROS:~/.openpkg/rpmmacros"
        RPMMACROS="$RPMMACROS:@../../.openpkg/rpmmacros"
        RPMMACROS="$RPMMACROS:@../.openpkg/rpmmacros"
        RPMMACROS="$RPMMACROS:@./.openpkg/rpmmacros"
    
    This means that the files from relative paths (which we do not control)
    should be only loaded if they pass an explicitly requested (via prefix
    "@" for "attention") security check.

  Summary:
    Revision    Changes     Path
    2.27        +30 -0      rpm/VENDOR
    2.72        +10 -0      rpm/lib/poptALL.c
    2.32        +1  -0      rpm/rpmio/librpmio.vers
    2.167       +29 -0      rpm/rpmio/macro.c
    2.46        +8  -0      rpm/rpmio/rpmmacro.h
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: rpm/VENDOR
  ============================================================================
  $ cvs diff -u -r2.26 -r2.27 VENDOR
  --- rpm/VENDOR        2 Jan 2008 16:57:36 -0000       2.26
  +++ rpm/VENDOR        2 Jan 2008 19:10:13 -0000       2.27
  @@ -375,6 +375,36 @@
        Reason:         [see scripts/integrity.txt for detailed documentation]
        ________________________________________________________________________
   
  +     Change:         security-sanity-check-rpmpopt-and-rpmmacros
  +     Purpose:        Support secure loading of "rpmpopt" and "rpmmacros"
  +                     from relative paths.
  +     Reason:         In OpenPKG we want to use "local"
  +                     ".openpkg/{rpmpopt,rpmmacros} files in order
  +                     to support flexible and path-independent build
  +                     environments for package development. For this we
  +                     build RPM with --with-path-rpmpopt="$RPMPOPT" and
  +                     --with-path-macros="$RPMMACROS" and calculate the
  +                     paths as following:
  +                       RPMPOPT="%{l_prefix}/lib/openpkg/rpmpopt"
  +                       RPMPOPT="$RPMPOPT:%{l_prefix}/etc/openpkg/rpmpopt"
  +                       RPMPOPT="$RPMPOPT:%{l_prefix}/etc/openpkg/rpmpopt.d/*"
  +                       RPMPOPT="$RPMPOPT:~/.openpkg/rpmpopt"
  +                       RPMPOPT="$RPMPOPT:@../../.openpkg/rpmpopt"
  +                       RPMPOPT="$RPMPOPT:@../.openpkg/rpmpopt"
  +                       RPMPOPT="$RPMPOPT:@./.openpkg/rpmpopt"
  +                       RPMMACROS="%{l_prefix}/lib/openpkg/macros"
  +                       
RPMMACROS="$RPMMACROS:%{l_prefix}/etc/openpkg/rpmmacros"
  +                       
RPMMACROS="$RPMMACROS:%{l_prefix}/etc/openpkg/rpmmacros.d/*"
  +                       RPMMACROS="$RPMMACROS:~/.openpkg/rpmmacros"
  +                       RPMMACROS="$RPMMACROS:@../../.openpkg/rpmmacros"
  +                       RPMMACROS="$RPMMACROS:@../.openpkg/rpmmacros"
  +                       RPMMACROS="$RPMMACROS:@./.openpkg/rpmmacros"
  +                     This means that the files from relative paths
  +                     (which we do not control) should be only loaded if
  +                     they pass an explicitly requested (via prefix "@"
  +                     for "attention") security check.
  +     ________________________________________________________________________
  +
     o  Name:           RPM4DARWIN
        Vendor:         RPM for Darwin (Mac OS X) 
<http://rpm4darwin.sourceforge.net/>
        Representative: Anders F. Bjorklund <[EMAIL PROTECTED]> <[EMAIL 
PROTECTED]>
  @@ .
  patch -p0 <<'@@ .'
  Index: rpm/lib/poptALL.c
  ============================================================================
  $ cvs diff -u -r2.71 -r2.72 poptALL.c
  --- rpm/lib/poptALL.c 30 Dec 2007 16:47:41 -0000      2.71
  +++ rpm/lib/poptALL.c 2 Jan 2008 19:10:13 -0000       2.72
  @@ -663,6 +663,16 @@
           else
               path_next = path + strlen(path);
   
  +#if defined(RPM_VENDOR_OPENPKG) /* 
security-sanity-check-rpmpopt-and-rpmmacros */
  +        if (path[0] == '@' /* attention */) {
  +            path++;
  +            if (!rpmSecuritySaneFile(path)) {
  +                rpmlog(RPMLOG_WARNING, "existing POPT configuration file 
\"%s\" considered INSECURE -- not loaded\n", path);
  +                continue;
  +            }
  +        }
  +#endif
  +
           /* glob-expand the path element */
           ac = 0;
           av = NULL;
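Review bot: The sanity check runs on the raw path element before the glob expansion that follows it, so it vouches only for the literal string and not for the files that are actually loaded. For an `@` element containing a glob pattern, `stat()` inside rpmSecuritySaneFile would presumably fail with ENOENT, which that function reports as sane (see the rpm/rpmio/macro.c hunk), and whatever the glob then matches is loaded unchecked. Consider only stripping the `@` and remembering it here, then calling `rpmSecuritySaneFile()` on each entry of `av` after expansion; the enclosing loop starts and ends outside this hunk. The same ordering applies to the `m[0] == '@'` block in the second rpm/rpmio/macro.c hunk, which also runs before `~` is expanded to $HOME.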
  @@ .
  patch -p0 <<'@@ .'
  Index: rpm/rpmio/librpmio.vers
  ============================================================================
  $ cvs diff -u -r2.31 -r2.32 librpmio.vers
  --- rpm/rpmio/librpmio.vers   1 Jan 2008 20:27:52 -0000       2.31
  +++ rpm/rpmio/librpmio.vers   2 Jan 2008 19:10:14 -0000       2.32
  @@ -282,6 +282,7 @@
       rpmluavSetValue;
       rpmluavSetValueNum;
       rpmluavValueIsNum;
  +    rpmSecuritySaneFile;
       rpmMacrofiles;
       _rpmmg_debug;
       rpmmgFree;
  @@ .
  patch -p0 <<'@@ .'
  Index: rpm/rpmio/macro.c
  ============================================================================
  $ cvs diff -u -r2.166 -r2.167 macro.c
  --- rpm/rpmio/macro.c 28 Dec 2007 11:26:50 -0000      2.166
  +++ rpm/rpmio/macro.c 2 Jan 2008 19:10:14 -0000       2.167
  @@ -1729,6 +1729,25 @@
       return rc;
   }
   
  +#if defined(RPM_VENDOR_OPENPKG) /* 
security-sanity-check-rpmpopt-and-rpmmacros */
  +int rpmSecuritySaneFile(const char *filename)
  +{
  +    struct stat sb;
  +    uid_t uid;
  +
  +    if (stat(filename, &sb) == -1)
  +        return (errno == ENOENT ? 1 : 0);
  +    uid = getuid();
  +    if (sb.st_uid != uid)
  +        return 0;
  +    if (!S_ISREG(sb.st_mode))
  +        return 0;
  +    if (sb.st_mode & (S_IWGRP|S_IWOTH))
  +        return 0;
  +    return 1;
  +}
  +#endif
  +
   #if !defined(DEBUG_MACROS)
   /* =============================================================== */
   /* XXX dupe'd to avoid change in linkage conventions. */
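Review bot: rpmSecuritySaneFile() checks a name rather than the object that is later read, and it uses `stat()`, so a symlink in the uncontrolled directory is judged by its target. Changing the call to `lstat(filename, &sb)` would let the existing `S_ISREG` test reject symlinks. Because the callers reopen the file by path after this returns, the entry can still be replaced between check and load if the containing directory is writable by another user. A sturdier design would open the file once and `fstat()` the descriptor, or at least apply the same owner and write-bit tests to the parent directory. It is also worth a comment on whether `getuid()` rather than `geteuid()` is intended, since the two differ when rpm runs with elevated privileges.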
  @@ -2205,6 +2224,16 @@
        else
            me = m + strlen(m);
   
  +#if defined(RPM_VENDOR_OPENPKG) /* 
security-sanity-check-rpmpopt-and-rpmmacros */
  +        if (m[0] == '@' /* attention */) {
  +            m++;
  +            if (!rpmSecuritySaneFile(m)) {
  +                rpmlog(RPMLOG_WARNING, "existing macros file \"%s\" 
considered INSECURE -- not loaded\n", m);
  +                continue;
  +            }
  +        }
  +#endif
  +
        /* Glob expand the macro file path element, expanding ~ to $HOME. */
        ac = 0;
        av = NULL;
  @@ .
  patch -p0 <<'@@ .'
  Index: rpm/rpmio/rpmmacro.h
  ============================================================================
  $ cvs diff -u -r2.45 -r2.46 rpmmacro.h
  --- rpm/rpmio/rpmmacro.h      24 Dec 2007 09:00:07 -0000      2.45
  +++ rpm/rpmio/rpmmacro.h      2 Jan 2008 19:10:14 -0000       2.46
  @@ -87,6 +87,14 @@
        /[EMAIL PROTECTED] mire, *avp @*/;
   
   /**
  + * Check whether configuration file is moderately secure to load.
  + * @param filename   filename to check
  + * @return           1 on success, 0 on failure
  + */
  +int rpmSecuritySaneFile(const char *filename)
  +     /[EMAIL PROTECTED] fileSystem, internalState @*/;
  +
  +/**
    * Return URL path(s) from a (URL prefixed) pattern glob.
    * @param patterns   glob pattern
    * @retval *argcPtr  no. of paths
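Review bot: The doc comment on rpmSecuritySaneFile() does not say what "moderately secure" means, although callers use the result as a load gate. I would document the contract as implemented in macro.c: `@return 1 if the file does not exist, or is a regular file owned by the real uid and not group/other-writable; 0 otherwise (including stat errors other than ENOENT)`. The prototype here and the export added to librpmio.vers are unconditional, while the definition in macro.c sits under `#if defined(RPM_VENDOR_OPENPKG)`. Wrapping this declaration in the same guard would keep non-OpenPKG builds from compiling calls that cannot link.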
  @@ .
______________________________________________________________________
RPM Package Manager                                    http://rpm5.org
CVS Sources Repository                                rpm-cvs@rpm5.org
