rpms / glusterfs

Clone
Source Code
GIT

Blame SOURCES/0104-build-randomize-temp-file-names-in-pretrans-scriptle.patch

c4 c5 c5-plus c6 c6-plus c6-sig-storage-gluster-5 c6-sig-storage-gluster-6 c6-sig-storage-gluster-7 c7 c7-alt c7-atomic c7-beta c7-sig-storage-gluster-5 c7-sig-storage-gluster-6 c7-sig-storage-gluster-7 c7-sig-storage-gluster-8 c7-sig-storage-gluster-9 c8 c8-beta c8-sig-storage-gluster-10 c8-sig-storage-gluster-6 c8-sig-storage-gluster-7 c8-sig-storage-gluster-8 c8-sig-storage-gluster-9 c8s c8s-sig-storage-gluster-10 c8s-sig-storage-gluster-11 c8s-sig-storage-gluster-8 c8s-sig-storage-gluster-9 c9 c9-beta c9s-sig-storage-gluster-10 c9s-sig-storage-gluster-11 c9s-sig-storage-gluster-9
  1.   7c2869f26cdcee2cbe099e4f80fce4d1b8bad4bb
  2.   SOURCES
  3.   0104-build-randomize-temp-file-names-in-pretrans-scriptle.patch
Blob History Raw
3604df 
From 5ca46d69e48211eb829c640b0dd3eda287a9933b Mon Sep 17 00:00:00 2001
3604df 
From: Milind Changire <mchangir@redhat.com>
3604df 
Date: Fri, 14 Oct 2016 12:53:27 +0530
3604df 
Subject: [PATCH 104/141] build: randomize temp file names in pretrans scriptlets
3604df
3604df 
Security issue CVE-2015-1795 mentions about possibility of file name
3604df 
spoof attack for the %pretrans server scriptlet.
3604df 
Since %pretrans scriptlets are executed only for server builds, we can
3604df 
use os.tmpname() to randomize temporary file names for all %pretrans
3604df 
scriptlets using this mechanism.
3604df
3604df 
Label: DOWNSTREAM ONLY
3604df
3604df 
Change-Id: Ic82433897432794b6d311d836355aa4bad886369
3604df 
BUG: 1362044
3604df 
Signed-off-by: Milind Changire <mchangir@redhat.com>
3604df 
Reviewed-on: https://code.engineering.redhat.com/gerrit/86187
3604df 
Reviewed-by: Siddharth Sharma <siddharth@redhat.com>
3604df 
Reviewed-by: Niels de Vos <ndevos@redhat.com>
3604df 
Reviewed-by: Atin Mukherjee <amukherj@redhat.com>
3604df 
---
3604df 
 glusterfs.spec.in |  103 +++++++++++++++++++++++++++++++---------------------
3604df 
 1 files changed, 61 insertions(+), 42 deletions(-)
3604df
3604df 
diff --git a/glusterfs.spec.in b/glusterfs.spec.in
3604df 
index 2bcb1ff..9501c05 100644
3604df 
--- a/glusterfs.spec.in
3604df 
+++ b/glusterfs.spec.in
3604df 
@@ -1461,9 +1461,10 @@ if [ $? -eq 0 ]; then
3604df 
 fi
3604df 
 ]]
3604df
3604df 
--- rpm in RHEL5 does not have os.tmpname()
3604df 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
3604df 
-tmpname = "/tmp/glusterfs_pretrans_" .. os.date("%s")
3604df 
+-- Since we run pretrans scripts only for RPMs built for a server build,
3604df 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
3604df 
+-- platforms which are server platforms.
3604df 
+tmpname = os.tmpname()
3604df 
 tmpfile = io.open(tmpname, "w")
3604df 
 tmpfile:write(script)
3604df 
 tmpfile:close()
3604df 
@@ -1502,9 +1503,10 @@ if [ $? -eq 0 ]; then
3604df 
 fi
3604df 
 ]]
3604df
3604df 
--- rpm in RHEL5 does not have os.tmpname()
3604df 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
3604df 
-tmpname = "/tmp/glusterfs-api_pretrans_" .. os.date("%s")
3604df 
+-- Since we run pretrans scripts only for RPMs built for a server build,
3604df 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
3604df 
+-- platforms which are server platforms.
3604df 
+tmpname = os.tmpname()
3604df 
 tmpfile = io.open(tmpname, "w")
3604df 
 tmpfile:write(script)
3604df 
 tmpfile:close()
3604df 
@@ -1543,9 +1545,10 @@ if [ $? -eq 0 ]; then
3604df 
 fi
3604df 
 ]]
3604df
3604df 
--- rpm in RHEL5 does not have os.tmpname()
3604df 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
3604df 
-tmpname = "/tmp/glusterfs-api-devel_pretrans_" .. os.date("%s")
3604df 
+-- Since we run pretrans scripts only for RPMs built for a server build,
3604df 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
3604df 
+-- platforms which are server platforms.
3604df 
+tmpname = os.tmpname()
3604df 
 tmpfile = io.open(tmpname, "w")
3604df 
 tmpfile:write(script)
3604df 
 tmpfile:close()
3604df 
@@ -1584,9 +1587,10 @@ if [ $? -eq 0 ]; then
3604df 
 fi
3604df 
 ]]
3604df
3604df 
--- rpm in RHEL5 does not have os.tmpname()
3604df 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
3604df 
-tmpname = "/tmp/glusterfs-cli_pretrans_" .. os.date("%s")
3604df 
+-- Since we run pretrans scripts only for RPMs built for a server build,
3604df 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
3604df 
+-- platforms which are server platforms.
3604df 
+tmpname = os.tmpname()
3604df 
 tmpfile = io.open(tmpname, "w")
3604df 
 tmpfile:write(script)
3604df 
 tmpfile:close()
3604df 
@@ -1625,9 +1629,10 @@ if [ $? -eq 0 ]; then
3604df 
 fi
3604df 
 ]]
3604df
3604df 
--- rpm in RHEL5 does not have os.tmpname()
3604df 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
3604df 
-tmpname = "/tmp/glusterfs-client-xlators_pretrans_" .. os.date("%s")
3604df 
+-- Since we run pretrans scripts only for RPMs built for a server build,
3604df 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
3604df 
+-- platforms which are server platforms.
3604df 
+tmpname = os.tmpname()
3604df 
 tmpfile = io.open(tmpname, "w")
3604df 
 tmpfile:write(script)
3604df 
 tmpfile:close()
3604df 
@@ -1666,9 +1671,10 @@ if [ $? -eq 0 ]; then
3604df 
 fi
3604df 
 ]]
3604df
3604df 
--- rpm in RHEL5 does not have os.tmpname()
3604df 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
3604df 
-tmpname = "/tmp/glusterfs-devel_pretrans_" .. os.date("%s")
3604df 
+-- Since we run pretrans scripts only for RPMs built for a server build,
3604df 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
3604df 
+-- platforms which are server platforms.
3604df 
+tmpname = os.tmpname()
3604df 
 tmpfile = io.open(tmpname, "w")
3604df 
 tmpfile:write(script)
3604df 
 tmpfile:close()
3604df 
@@ -1707,9 +1713,10 @@ if [ $? -eq 0 ]; then
3604df 
 fi
3604df 
 ]]
3604df
3604df 
--- rpm in RHEL5 does not have os.tmpname()
3604df 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
3604df 
-tmpname = "/tmp/glusterfs-fuse_pretrans_" .. os.date("%s")
3604df 
+-- Since we run pretrans scripts only for RPMs built for a server build,
3604df 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
3604df 
+-- platforms which are server platforms.
3604df 
+tmpname = os.tmpname()
3604df 
 tmpfile = io.open(tmpname, "w")
3604df 
 tmpfile:write(script)
3604df 
 tmpfile:close()
3604df 
@@ -1748,9 +1755,10 @@ if [ $? -eq 0 ]; then
3604df 
 fi
3604df 
 ]]
3604df
3604df 
--- rpm in RHEL5 does not have os.tmpname()
3604df 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
3604df 
-tmpname = "/tmp/glusterfs-ganesha_pretrans_" .. os.date("%s")
3604df 
+-- Since we run pretrans scripts only for RPMs built for a server build,
3604df 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
3604df 
+-- platforms which are server platforms.
3604df 
+tmpname = os.tmpname()
3604df 
 tmpfile = io.open(tmpname, "w")
3604df 
 tmpfile:write(script)
3604df 
 tmpfile:close()
3604df 
@@ -1790,9 +1798,10 @@ if [ $? -eq 0 ]; then
3604df 
 fi
3604df 
 ]]
3604df
3604df 
--- rpm in RHEL5 does not have os.tmpname()
3604df 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
3604df 
-tmpname = "/tmp/glusterfs-geo-replication_pretrans_" .. os.date("%s")
3604df 
+-- Since we run pretrans scripts only for RPMs built for a server build,
3604df 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
3604df 
+-- platforms which are server platforms.
3604df 
+tmpname = os.tmpname()
3604df 
 tmpfile = io.open(tmpname, "w")
3604df 
 tmpfile:write(script)
3604df 
 tmpfile:close()
3604df 
@@ -1832,9 +1841,10 @@ if [ $? -eq 0 ]; then
3604df 
 fi
3604df 
 ]]
3604df
3604df 
--- rpm in RHEL5 does not have os.tmpname()
3604df 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
3604df 
-tmpname = "/tmp/glusterfs-libs_pretrans_" .. os.date("%s")
3604df 
+-- Since we run pretrans scripts only for RPMs built for a server build,
3604df 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
3604df 
+-- platforms which are server platforms.
3604df 
+tmpname = os.tmpname()
3604df 
 tmpfile = io.open(tmpname, "w")
3604df 
 tmpfile:write(script)
3604df 
 tmpfile:close()
3604df 
@@ -1873,9 +1883,10 @@ if [ $? -eq 0 ]; then
3604df 
 fi
3604df 
 ]]
3604df
3604df 
--- rpm in RHEL5 does not have os.tmpname()
3604df 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
3604df 
-tmpname = "/tmp/python-gluster_pretrans_" .. os.date("%s")
3604df 
+-- Since we run pretrans scripts only for RPMs built for a server build,
3604df 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
3604df 
+-- platforms which are server platforms.
3604df 
+tmpname = os.tmpname()
3604df 
 tmpfile = io.open(tmpname, "w")
3604df 
 tmpfile:write(script)
3604df 
 tmpfile:close()
3604df 
@@ -1915,9 +1926,10 @@ if [ $? -eq 0 ]; then
3604df 
 fi
3604df 
 ]]
3604df
3604df 
--- rpm in RHEL5 does not have os.tmpname()
3604df 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
3604df 
-tmpname = "/tmp/glusterfs-rdma_pretrans_" .. os.date("%s")
3604df 
+-- Since we run pretrans scripts only for RPMs built for a server build,
3604df 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
3604df 
+-- platforms which are server platforms.
3604df 
+tmpname = os.tmpname()
3604df 
 tmpfile = io.open(tmpname, "w")
3604df 
 tmpfile:write(script)
3604df 
 tmpfile:close()
3604df 
@@ -1958,9 +1970,10 @@ if [ $? -eq 0 ]; then
3604df 
 fi
3604df 
 ]]
3604df
3604df 
--- rpm in RHEL5 does not have os.tmpname()
3604df 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
3604df 
-tmpname = "/tmp/glusterfs-resource-agents_pretrans_" .. os.date("%s")
3604df 
+-- Since we run pretrans scripts only for RPMs built for a server build,
3604df 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
3604df 
+-- platforms which are server platforms.
3604df 
+tmpname = os.tmpname()
3604df 
 tmpfile = io.open(tmpname, "w")
3604df 
 tmpfile:write(script)
3604df 
 tmpfile:close()
3604df 
@@ -2000,9 +2013,10 @@ if [ $? -eq 0 ]; then
3604df 
 fi
3604df 
 ]]
3604df
3604df 
--- rpm in RHEL5 does not have os.tmpname()
3604df 
--- io.tmpfile() can not be resolved to a filename to pass to bash :-/
3604df 
-tmpname = "/tmp/glusterfs-server_pretrans_" .. os.date("%s")
3604df 
+-- Since we run pretrans scripts only for RPMs built for a server build,
3604df 
+-- we can now use os.tmpname() since it is available on RHEL6 and later
3604df 
+-- platforms which are server platforms.
3604df 
+tmpname = os.tmpname()
3604df 
 tmpfile = io.open(tmpname, "w")
3604df 
 tmpfile:write(script)
3604df 
 tmpfile:close()
3604df 
@@ -2014,6 +2028,10 @@ end
3604df 
 %endif
3604df
3604df 
 %changelog
3604df 
+* Fri Oct 14 2016 Milind Changire <mchangir@redhat.com>
3604df 
+- Changed pretrans scripts to use os.tmpname() for enhanced security
3604df 
+  for server builds only (#1362044)
3604df 
+
3604df 
 * Tue Sep 27 2016 Milind Changire <mchangir@redhat.com>
3604df 
 - Added systemd requirement to glusterfs-server and glusterfs-events packages
3604df
3604df 
@@ -2120,6 +2138,7 @@ end
3604df
3604df 
 * Mon May 18 2015 Milind Changire <mchangir@redhat.com>
3604df 
 - Move file peer_add_secret_pub to the server RPM to support glusterfind (#1221544)
3604df 
+
3604df 
 * Sun May 17 2015 Niels de Vos <ndevos@redhat.com>
3604df 
 - Fix building on RHEL-5 based distributions (#1222317)
3604df
3604df 
--
3604df 
1.7.1
3604df

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation