rpms / glusterfs

Clone
Source Code
GIT

Blame SOURCES/0023-build-randomize-temp-file-names-in-pretrans-scriptle.patch

c4 c5 c5-plus c6 c6-plus c6-sig-storage-gluster-5 c6-sig-storage-gluster-6 c6-sig-storage-gluster-7 c7 c7-alt c7-atomic c7-beta c7-sig-storage-gluster-5 c7-sig-storage-gluster-6 c7-sig-storage-gluster-7 c7-sig-storage-gluster-8 c7-sig-storage-gluster-9 c8 c8-beta c8-sig-storage-gluster-10 c8-sig-storage-gluster-6 c8-sig-storage-gluster-7 c8-sig-storage-gluster-8 c8-sig-storage-gluster-9 c8s c8s-sig-storage-gluster-10 c8s-sig-storage-gluster-11 c8s-sig-storage-gluster-8 c8s-sig-storage-gluster-9 c9 c9-beta c9s-sig-storage-gluster-10 c9s-sig-storage-gluster-11 c9s-sig-storage-gluster-9
  1.   e7a34616d8f042f97c5999c00914e42280c54fde
  2.   SOURCES
  3.   0023-build-randomize-temp-file-names-in-pretrans-scriptle.patch
Blob History Raw
e7a346 
From fdf4475ea3598b4287803001932f426f2c58f3b1 Mon Sep 17 00:00:00 2001
e7a346 
From: Milind Changire <mchangir@redhat.com>
e7a346 
Date: Fri, 14 Oct 2016 12:53:27 +0530
e7a346 
Subject: [PATCH 23/74] build: randomize temp file names in pretrans scriptlets
e7a346
e7a346 
Security issue CVE-2015-1795 mentions about possibility of file name
e7a346 
spoof attack for the %pretrans server scriptlet.
e7a346 
Since %pretrans scriptlets are executed only for server builds, we can
e7a346 
use os.tmpname() to randomize temporary file names for all %pretrans
e7a346 
scriptlets using this mechanism.
e7a346
e7a346 
Label: DOWNSTREAM ONLY
e7a346
e7a346 
Change-Id: Ic82433897432794b6d311d836355aa4bad886369
e7a346 
Signed-off-by: Milind Changire <mchangir@redhat.com>
e7a346 
Reviewed-on: https://code.engineering.redhat.com/gerrit/86187
e7a346 
Reviewed-by: Siddharth Sharma <siddharth@redhat.com>
e7a346 
Reviewed-by: Niels de Vos <ndevos@redhat.com>
e7a346 
Reviewed-by: Atin Mukherjee <amukherj@redhat.com>
e7a346 
---
e7a346 
 glusterfs.spec.in | 106 ++++++++++++++++++++++++++++++++----------------------
e7a346 
 1 file changed, 64 insertions(+), 42 deletions(-)
e7a346
e7a346 
diff --git a/glusterfs.spec.in b/glusterfs.spec.in
e7a346 
index 8f30020..ab61688 100644
e7a346 
--- a/glusterfs.spec.in
e7a346 
+++ b/glusterfs.spec.in
e7a346 
@@ -1579,9 +1579,10 @@ if [ $? -eq 0 ]; then
e7a346 
 fi
e7a346 
 ]]
e7a346
e7a346 
--- rpm in RHEL5 does not have os.tmpname()
e7a346 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
e7a346 
-tmpname = "/tmp/glusterfs_pretrans_" .. os.date("%s")
e7a346 
+-- Since we run pretrans scripts only for RPMs built for a server build,
e7a346 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
e7a346 
+-- platforms which are server platforms.
e7a346 
+tmpname = os.tmpname()
e7a346 
 tmpfile = io.open(tmpname, "w")
e7a346 
 tmpfile:write(script)
e7a346 
 tmpfile:close()
e7a346 
@@ -1620,9 +1621,10 @@ if [ $? -eq 0 ]; then
e7a346 
 fi
e7a346 
 ]]
e7a346
e7a346 
--- rpm in RHEL5 does not have os.tmpname()
e7a346 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
e7a346 
-tmpname = "/tmp/glusterfs-api_pretrans_" .. os.date("%s")
e7a346 
+-- Since we run pretrans scripts only for RPMs built for a server build,
e7a346 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
e7a346 
+-- platforms which are server platforms.
e7a346 
+tmpname = os.tmpname()
e7a346 
 tmpfile = io.open(tmpname, "w")
e7a346 
 tmpfile:write(script)
e7a346 
 tmpfile:close()
e7a346 
@@ -1661,9 +1663,10 @@ if [ $? -eq 0 ]; then
e7a346 
 fi
e7a346 
 ]]
e7a346
e7a346 
--- rpm in RHEL5 does not have os.tmpname()
e7a346 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
e7a346 
-tmpname = "/tmp/glusterfs-api-devel_pretrans_" .. os.date("%s")
e7a346 
+-- Since we run pretrans scripts only for RPMs built for a server build,
e7a346 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
e7a346 
+-- platforms which are server platforms.
e7a346 
+tmpname = os.tmpname()
e7a346 
 tmpfile = io.open(tmpname, "w")
e7a346 
 tmpfile:write(script)
e7a346 
 tmpfile:close()
e7a346 
@@ -1702,9 +1705,10 @@ if [ $? -eq 0 ]; then
e7a346 
 fi
e7a346 
 ]]
e7a346
e7a346 
--- rpm in RHEL5 does not have os.tmpname()
e7a346 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
e7a346 
-tmpname = "/tmp/glusterfs-cli_pretrans_" .. os.date("%s")
e7a346 
+-- Since we run pretrans scripts only for RPMs built for a server build,
e7a346 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
e7a346 
+-- platforms which are server platforms.
e7a346 
+tmpname = os.tmpname()
e7a346 
 tmpfile = io.open(tmpname, "w")
e7a346 
 tmpfile:write(script)
e7a346 
 tmpfile:close()
e7a346 
@@ -1743,9 +1747,10 @@ if [ $? -eq 0 ]; then
e7a346 
 fi
e7a346 
 ]]
e7a346
e7a346 
--- rpm in RHEL5 does not have os.tmpname()
e7a346 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
e7a346 
-tmpname = "/tmp/glusterfs-client-xlators_pretrans_" .. os.date("%s")
e7a346 
+-- Since we run pretrans scripts only for RPMs built for a server build,
e7a346 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
e7a346 
+-- platforms which are server platforms.
e7a346 
+tmpname = os.tmpname()
e7a346 
 tmpfile = io.open(tmpname, "w")
e7a346 
 tmpfile:write(script)
e7a346 
 tmpfile:close()
e7a346 
@@ -1784,9 +1789,10 @@ if [ $? -eq 0 ]; then
e7a346 
 fi
e7a346 
 ]]
e7a346
e7a346 
--- rpm in RHEL5 does not have os.tmpname()
e7a346 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
e7a346 
-tmpname = "/tmp/glusterfs-devel_pretrans_" .. os.date("%s")
e7a346 
+-- Since we run pretrans scripts only for RPMs built for a server build,
e7a346 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
e7a346 
+-- platforms which are server platforms.
e7a346 
+tmpname = os.tmpname()
e7a346 
 tmpfile = io.open(tmpname, "w")
e7a346 
 tmpfile:write(script)
e7a346 
 tmpfile:close()
e7a346 
@@ -1825,9 +1831,10 @@ if [ $? -eq 0 ]; then
e7a346 
 fi
e7a346 
 ]]
e7a346
e7a346 
--- rpm in RHEL5 does not have os.tmpname()
e7a346 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
e7a346 
-tmpname = "/tmp/glusterfs-fuse_pretrans_" .. os.date("%s")
e7a346 
+-- Since we run pretrans scripts only for RPMs built for a server build,
e7a346 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
e7a346 
+-- platforms which are server platforms.
e7a346 
+tmpname = os.tmpname()
e7a346 
 tmpfile = io.open(tmpname, "w")
e7a346 
 tmpfile:write(script)
e7a346 
 tmpfile:close()
e7a346 
@@ -1866,9 +1873,10 @@ if [ $? -eq 0 ]; then
e7a346 
 fi
e7a346 
 ]]
e7a346
e7a346 
--- rpm in RHEL5 does not have os.tmpname()
e7a346 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
e7a346 
-tmpname = "/tmp/glusterfs-ganesha_pretrans_" .. os.date("%s")
e7a346 
+-- Since we run pretrans scripts only for RPMs built for a server build,
e7a346 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
e7a346 
+-- platforms which are server platforms.
e7a346 
+tmpname = os.tmpname()
e7a346 
 tmpfile = io.open(tmpname, "w")
e7a346 
 tmpfile:write(script)
e7a346 
 tmpfile:close()
e7a346 
@@ -1908,9 +1916,10 @@ if [ $? -eq 0 ]; then
e7a346 
 fi
e7a346 
 ]]
e7a346
e7a346 
--- rpm in RHEL5 does not have os.tmpname()
e7a346 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
e7a346 
-tmpname = "/tmp/glusterfs-geo-replication_pretrans_" .. os.date("%s")
e7a346 
+-- Since we run pretrans scripts only for RPMs built for a server build,
e7a346 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
e7a346 
+-- platforms which are server platforms.
e7a346 
+tmpname = os.tmpname()
e7a346 
 tmpfile = io.open(tmpname, "w")
e7a346 
 tmpfile:write(script)
e7a346 
 tmpfile:close()
e7a346 
@@ -1950,9 +1959,10 @@ if [ $? -eq 0 ]; then
e7a346 
 fi
e7a346 
 ]]
e7a346
e7a346 
--- rpm in RHEL5 does not have os.tmpname()
e7a346 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
e7a346 
-tmpname = "/tmp/glusterfs-libs_pretrans_" .. os.date("%s")
e7a346 
+-- Since we run pretrans scripts only for RPMs built for a server build,
e7a346 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
e7a346 
+-- platforms which are server platforms.
e7a346 
+tmpname = os.tmpname()
e7a346 
 tmpfile = io.open(tmpname, "w")
e7a346 
 tmpfile:write(script)
e7a346 
 tmpfile:close()
e7a346 
@@ -1991,9 +2001,10 @@ if [ $? -eq 0 ]; then
e7a346 
 fi
e7a346 
 ]]
e7a346
e7a346 
--- rpm in RHEL5 does not have os.tmpname()
e7a346 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
e7a346 
-tmpname = "/tmp/python-gluster_pretrans_" .. os.date("%s")
e7a346 
+-- Since we run pretrans scripts only for RPMs built for a server build,
e7a346 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
e7a346 
+-- platforms which are server platforms.
e7a346 
+tmpname = os.tmpname()
e7a346 
 tmpfile = io.open(tmpname, "w")
e7a346 
 tmpfile:write(script)
e7a346 
 tmpfile:close()
e7a346 
@@ -2033,9 +2044,10 @@ if [ $? -eq 0 ]; then
e7a346 
 fi
e7a346 
 ]]
e7a346
e7a346 
--- rpm in RHEL5 does not have os.tmpname()
e7a346 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
e7a346 
-tmpname = "/tmp/glusterfs-rdma_pretrans_" .. os.date("%s")
e7a346 
+-- Since we run pretrans scripts only for RPMs built for a server build,
e7a346 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
e7a346 
+-- platforms which are server platforms.
e7a346 
+tmpname = os.tmpname()
e7a346 
 tmpfile = io.open(tmpname, "w")
e7a346 
 tmpfile:write(script)
e7a346 
 tmpfile:close()
e7a346 
@@ -2076,9 +2088,10 @@ if [ $? -eq 0 ]; then
e7a346 
 fi
e7a346 
 ]]
e7a346
e7a346 
--- rpm in RHEL5 does not have os.tmpname()
e7a346 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
e7a346 
-tmpname = "/tmp/glusterfs-resource-agents_pretrans_" .. os.date("%s")
e7a346 
+-- Since we run pretrans scripts only for RPMs built for a server build,
e7a346 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
e7a346 
+-- platforms which are server platforms.
e7a346 
+tmpname = os.tmpname()
e7a346 
 tmpfile = io.open(tmpname, "w")
e7a346 
 tmpfile:write(script)
e7a346 
 tmpfile:close()
e7a346 
@@ -2118,9 +2131,10 @@ if [ $? -eq 0 ]; then
e7a346 
 fi
e7a346 
 ]]
e7a346
e7a346 
--- rpm in RHEL5 does not have os.tmpname()
e7a346 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
e7a346 
-tmpname = "/tmp/glusterfs-server_pretrans_" .. os.date("%s")
e7a346 
+-- Since we run pretrans scripts only for RPMs built for a server build,
e7a346 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
e7a346 
+-- platforms which are server platforms.
e7a346 
+tmpname = os.tmpname()
e7a346 
 tmpfile = io.open(tmpname, "w")
e7a346 
 tmpfile:write(script)
e7a346 
 tmpfile:close()
e7a346 
@@ -2211,6 +2225,13 @@ end
e7a346 
 * Thu Nov 24 2016 Jiffin Tony Thottan <jhottan@redhat.com>
e7a346 
 - remove S31ganesha-reset.sh from hooks (#1397795)
e7a346
e7a346 
+* Fri Oct 14 2016 Milind Changire <mchangir@redhat.com>
e7a346 
+- Changed pretrans scripts to use os.tmpname() for enhanced security
e7a346 
+  for server builds only (#1362044)
e7a346 
+
e7a346 
+* Tue Sep 27 2016 Milind Changire <mchangir@redhat.com>
e7a346 
+- Added systemd requirement to glusterfs-server and glusterfs-events packages
e7a346 
+
e7a346 
 * Thu Sep 22 2016 Kaleb S. KEITHLEY <kkeithle@redhat.com>
e7a346 
 - python-ctypes no long exists, now in python stdlib (#1378436)
e7a346
e7a346 
@@ -2330,6 +2351,7 @@ end
e7a346
e7a346 
 * Mon May 18 2015 Milind Changire <mchangir@redhat.com>
e7a346 
 - Move file peer_add_secret_pub to the server RPM to support glusterfind (#1221544)
e7a346 
+
e7a346 
 * Sun May 17 2015 Niels de Vos <ndevos@redhat.com>
e7a346 
 - Fix building on RHEL-5 based distributions (#1222317)
e7a346
e7a346 
--
e7a346 
1.8.3.1
e7a346

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation