|
|
e3c68b |
From 3d0e09400dc21dbb5f76fd9ca4bfce3edad0d626 Mon Sep 17 00:00:00 2001
|
|
|
e3c68b |
From: Milind Changire <mchangir@redhat.com>
|
|
|
e3c68b |
Date: Fri, 14 Oct 2016 12:53:27 +0530
|
|
|
e3c68b |
Subject: [PATCH 15/52] build: randomize temp file names in pretrans scriptlets
|
|
|
e3c68b |
|
|
|
e3c68b |
Security issue CVE-2015-1795 mentions about possibility of file name
|
|
|
e3c68b |
spoof attack for the %pretrans server scriptlet.
|
|
|
e3c68b |
Since %pretrans scriptlets are executed only for server builds, we can
|
|
|
e3c68b |
use os.tmpname() to randomize temporary file names for all %pretrans
|
|
|
e3c68b |
scriptlets using this mechanism.
|
|
|
e3c68b |
|
|
|
e3c68b |
Label: DOWNSTREAM ONLY
|
|
|
e3c68b |
|
|
|
e3c68b |
Change-Id: Ic82433897432794b6d311d836355aa4bad886369
|
|
|
e3c68b |
Signed-off-by: Milind Changire <mchangir@redhat.com>
|
|
|
e3c68b |
Reviewed-on: https://code.engineering.redhat.com/gerrit/86187
|
|
|
e3c68b |
Reviewed-by: Siddharth Sharma <siddharth@redhat.com>
|
|
|
e3c68b |
Reviewed-by: Niels de Vos <ndevos@redhat.com>
|
|
|
e3c68b |
Reviewed-by: Atin Mukherjee <amukherj@redhat.com>
|
|
|
e3c68b |
---
|
|
|
e3c68b |
glusterfs.spec.in | 84 +++++++++++++++++++++++++++++++------------------------
|
|
|
e3c68b |
1 file changed, 48 insertions(+), 36 deletions(-)
|
|
|
e3c68b |
|
|
|
e3c68b |
diff --git a/glusterfs.spec.in b/glusterfs.spec.in
|
|
|
e3c68b |
index 8c57f57..3a98822 100644
|
|
|
e3c68b |
--- a/glusterfs.spec.in
|
|
|
e3c68b |
+++ b/glusterfs.spec.in
|
|
|
e3c68b |
@@ -1549,9 +1549,10 @@ if [ $? -eq 0 ]; then
|
|
|
e3c68b |
fi
|
|
|
e3c68b |
]]
|
|
|
e3c68b |
|
|
|
e3c68b |
--- rpm in RHEL5 does not have os.tmpname()
|
|
|
e3c68b |
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
|
|
|
e3c68b |
-tmpname = "/tmp/glusterfs_pretrans_" .. os.date("%s")
|
|
|
e3c68b |
+-- Since we run pretrans scripts only for RPMs built for a server build,
|
|
|
e3c68b |
+-- we can now use os.tmpname() since it is available on RHEL6 and later
|
|
|
e3c68b |
+-- platforms which are server platforms.
|
|
|
e3c68b |
+tmpname = os.tmpname()
|
|
|
e3c68b |
tmpfile = io.open(tmpname, "w")
|
|
|
e3c68b |
tmpfile:write(script)
|
|
|
e3c68b |
tmpfile:close()
|
|
|
e3c68b |
@@ -1590,9 +1591,10 @@ if [ $? -eq 0 ]; then
|
|
|
e3c68b |
fi
|
|
|
e3c68b |
]]
|
|
|
e3c68b |
|
|
|
e3c68b |
--- rpm in RHEL5 does not have os.tmpname()
|
|
|
e3c68b |
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
|
|
|
e3c68b |
-tmpname = "/tmp/glusterfs-api_pretrans_" .. os.date("%s")
|
|
|
e3c68b |
+-- Since we run pretrans scripts only for RPMs built for a server build,
|
|
|
e3c68b |
+-- we can now use os.tmpname() since it is available on RHEL6 and later
|
|
|
e3c68b |
+-- platforms which are server platforms.
|
|
|
e3c68b |
+tmpname = os.tmpname()
|
|
|
e3c68b |
tmpfile = io.open(tmpname, "w")
|
|
|
e3c68b |
tmpfile:write(script)
|
|
|
e3c68b |
tmpfile:close()
|
|
|
e3c68b |
@@ -1631,9 +1633,10 @@ if [ $? -eq 0 ]; then
|
|
|
e3c68b |
fi
|
|
|
e3c68b |
]]
|
|
|
e3c68b |
|
|
|
e3c68b |
--- rpm in RHEL5 does not have os.tmpname()
|
|
|
e3c68b |
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
|
|
|
e3c68b |
-tmpname = "/tmp/glusterfs-api-devel_pretrans_" .. os.date("%s")
|
|
|
e3c68b |
+-- Since we run pretrans scripts only for RPMs built for a server build,
|
|
|
e3c68b |
+-- we can now use os.tmpname() since it is available on RHEL6 and later
|
|
|
e3c68b |
+-- platforms which are server platforms.
|
|
|
e3c68b |
+tmpname = os.tmpname()
|
|
|
e3c68b |
tmpfile = io.open(tmpname, "w")
|
|
|
e3c68b |
tmpfile:write(script)
|
|
|
e3c68b |
tmpfile:close()
|
|
|
e3c68b |
@@ -1672,9 +1675,10 @@ if [ $? -eq 0 ]; then
|
|
|
e3c68b |
fi
|
|
|
e3c68b |
]]
|
|
|
e3c68b |
|
|
|
e3c68b |
--- rpm in RHEL5 does not have os.tmpname()
|
|
|
e3c68b |
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
|
|
|
e3c68b |
-tmpname = "/tmp/glusterfs-cli_pretrans_" .. os.date("%s")
|
|
|
e3c68b |
+-- Since we run pretrans scripts only for RPMs built for a server build,
|
|
|
e3c68b |
+-- we can now use os.tmpname() since it is available on RHEL6 and later
|
|
|
e3c68b |
+-- platforms which are server platforms.
|
|
|
e3c68b |
+tmpname = os.tmpname()
|
|
|
e3c68b |
tmpfile = io.open(tmpname, "w")
|
|
|
e3c68b |
tmpfile:write(script)
|
|
|
e3c68b |
tmpfile:close()
|
|
|
e3c68b |
@@ -1712,9 +1716,10 @@ if [ $? -eq 0 ]; then
|
|
|
e3c68b |
fi
|
|
|
e3c68b |
]]
|
|
|
e3c68b |
|
|
|
e3c68b |
--- rpm in RHEL5 does not have os.tmpname()
|
|
|
e3c68b |
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
|
|
|
e3c68b |
-tmpname = "/tmp/glusterfs-client-xlators_pretrans_" .. os.date("%s")
|
|
|
e3c68b |
+-- Since we run pretrans scripts only for RPMs built for a server build,
|
|
|
e3c68b |
+-- we can now use os.tmpname() since it is available on RHEL6 and later
|
|
|
e3c68b |
+-- platforms which are server platforms.
|
|
|
e3c68b |
+tmpname = os.tmpname()
|
|
|
e3c68b |
tmpfile = io.open(tmpname, "w")
|
|
|
e3c68b |
tmpfile:write(script)
|
|
|
e3c68b |
tmpfile:close()
|
|
|
e3c68b |
@@ -1752,9 +1757,10 @@ if [ $? -eq 0 ]; then
|
|
|
e3c68b |
fi
|
|
|
e3c68b |
]]
|
|
|
e3c68b |
|
|
|
e3c68b |
--- rpm in RHEL5 does not have os.tmpname()
|
|
|
e3c68b |
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
|
|
|
e3c68b |
-tmpname = "/tmp/glusterfs-devel_pretrans_" .. os.date("%s")
|
|
|
e3c68b |
+-- Since we run pretrans scripts only for RPMs built for a server build,
|
|
|
e3c68b |
+-- we can now use os.tmpname() since it is available on RHEL6 and later
|
|
|
e3c68b |
+-- platforms which are server platforms.
|
|
|
e3c68b |
+tmpname = os.tmpname()
|
|
|
e3c68b |
tmpfile = io.open(tmpname, "w")
|
|
|
e3c68b |
tmpfile:write(script)
|
|
|
e3c68b |
tmpfile:close()
|
|
|
e3c68b |
@@ -1793,9 +1799,10 @@ if [ $? -eq 0 ]; then
|
|
|
e3c68b |
fi
|
|
|
e3c68b |
]]
|
|
|
e3c68b |
|
|
|
e3c68b |
--- rpm in RHEL5 does not have os.tmpname()
|
|
|
e3c68b |
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
|
|
|
e3c68b |
-tmpname = "/tmp/glusterfs-fuse_pretrans_" .. os.date("%s")
|
|
|
e3c68b |
+-- Since we run pretrans scripts only for RPMs built for a server build,
|
|
|
e3c68b |
+-- we can now use os.tmpname() since it is available on RHEL6 and later
|
|
|
e3c68b |
+-- platforms which are server platforms.
|
|
|
e3c68b |
+tmpname = os.tmpname()
|
|
|
e3c68b |
tmpfile = io.open(tmpname, "w")
|
|
|
e3c68b |
tmpfile:write(script)
|
|
|
e3c68b |
tmpfile:close()
|
|
|
e3c68b |
@@ -1835,9 +1842,10 @@ if [ $? -eq 0 ]; then
|
|
|
e3c68b |
fi
|
|
|
e3c68b |
]]
|
|
|
e3c68b |
|
|
|
e3c68b |
--- rpm in RHEL5 does not have os.tmpname()
|
|
|
e3c68b |
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
|
|
|
e3c68b |
-tmpname = "/tmp/glusterfs-geo-replication_pretrans_" .. os.date("%s")
|
|
|
e3c68b |
+-- Since we run pretrans scripts only for RPMs built for a server build,
|
|
|
e3c68b |
+-- we can now use os.tmpname() since it is available on RHEL6 and later
|
|
|
e3c68b |
+-- platforms which are server platforms.
|
|
|
e3c68b |
+tmpname = os.tmpname()
|
|
|
e3c68b |
tmpfile = io.open(tmpname, "w")
|
|
|
e3c68b |
tmpfile:write(script)
|
|
|
e3c68b |
tmpfile:close()
|
|
|
e3c68b |
@@ -1877,9 +1885,10 @@ if [ $? -eq 0 ]; then
|
|
|
e3c68b |
fi
|
|
|
e3c68b |
]]
|
|
|
e3c68b |
|
|
|
e3c68b |
--- rpm in RHEL5 does not have os.tmpname()
|
|
|
e3c68b |
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
|
|
|
e3c68b |
-tmpname = "/tmp/glusterfs-libs_pretrans_" .. os.date("%s")
|
|
|
e3c68b |
+-- Since we run pretrans scripts only for RPMs built for a server build,
|
|
|
e3c68b |
+-- we can now use os.tmpname() since it is available on RHEL6 and later
|
|
|
e3c68b |
+-- platforms which are server platforms.
|
|
|
e3c68b |
+tmpname = os.tmpname()
|
|
|
e3c68b |
tmpfile = io.open(tmpname, "w")
|
|
|
e3c68b |
tmpfile:write(script)
|
|
|
e3c68b |
tmpfile:close()
|
|
|
e3c68b |
@@ -1919,9 +1928,10 @@ if [ $? -eq 0 ]; then
|
|
|
e3c68b |
fi
|
|
|
e3c68b |
]]
|
|
|
e3c68b |
|
|
|
e3c68b |
--- rpm in RHEL5 does not have os.tmpname()
|
|
|
e3c68b |
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
|
|
|
e3c68b |
-tmpname = "/tmp/glusterfs-rdma_pretrans_" .. os.date("%s")
|
|
|
e3c68b |
+-- Since we run pretrans scripts only for RPMs built for a server build,
|
|
|
e3c68b |
+-- we can now use os.tmpname() since it is available on RHEL6 and later
|
|
|
e3c68b |
+-- platforms which are server platforms.
|
|
|
e3c68b |
+tmpname = os.tmpname()
|
|
|
e3c68b |
tmpfile = io.open(tmpname, "w")
|
|
|
e3c68b |
tmpfile:write(script)
|
|
|
e3c68b |
tmpfile:close()
|
|
|
e3c68b |
@@ -1962,9 +1972,10 @@ if [ $? -eq 0 ]; then
|
|
|
e3c68b |
fi
|
|
|
e3c68b |
]]
|
|
|
e3c68b |
|
|
|
e3c68b |
--- rpm in RHEL5 does not have os.tmpname()
|
|
|
e3c68b |
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
|
|
|
e3c68b |
-tmpname = "/tmp/glusterfs-resource-agents_pretrans_" .. os.date("%s")
|
|
|
e3c68b |
+-- Since we run pretrans scripts only for RPMs built for a server build,
|
|
|
e3c68b |
+-- we can now use os.tmpname() since it is available on RHEL6 and later
|
|
|
e3c68b |
+-- platforms which are server platforms.
|
|
|
e3c68b |
+tmpname = os.tmpname()
|
|
|
e3c68b |
tmpfile = io.open(tmpname, "w")
|
|
|
e3c68b |
tmpfile:write(script)
|
|
|
e3c68b |
tmpfile:close()
|
|
|
e3c68b |
@@ -2004,9 +2015,10 @@ if [ $? -eq 0 ]; then
|
|
|
e3c68b |
fi
|
|
|
e3c68b |
]]
|
|
|
e3c68b |
|
|
|
e3c68b |
--- rpm in RHEL5 does not have os.tmpname()
|
|
|
e3c68b |
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
|
|
|
e3c68b |
-tmpname = "/tmp/glusterfs-server_pretrans_" .. os.date("%s")
|
|
|
e3c68b |
+-- Since we run pretrans scripts only for RPMs built for a server build,
|
|
|
e3c68b |
+-- we can now use os.tmpname() since it is available on RHEL6 and later
|
|
|
e3c68b |
+-- platforms which are server platforms.
|
|
|
e3c68b |
+tmpname = os.tmpname()
|
|
|
e3c68b |
tmpfile = io.open(tmpname, "w")
|
|
|
e3c68b |
tmpfile:write(script)
|
|
|
e3c68b |
tmpfile:close()
|
|
|
e3c68b |
--
|
|
|
e3c68b |
1.8.3.1
|
|
|
e3c68b |
|