From b8b9f40530e90580741eda2a21e99f304e99f4e0 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 07 2023 09:23:50 +0000 Subject: import pesign-0.109-11.el7_9 --- diff --git a/SOURCES/0001-Use-the-right-signing-method-on-the-RHEL-signing-mac.patch b/SOURCES/0001-Use-the-right-signing-method-on-the-RHEL-signing-mac.patch index c679215..e43d43e 100644 --- a/SOURCES/0001-Use-the-right-signing-method-on-the-RHEL-signing-mac.patch +++ b/SOURCES/0001-Use-the-right-signing-method-on-the-RHEL-signing-mac.patch @@ -1,7 +1,7 @@ -From c889e85273814fe0290d1fdd280e93214133d7c0 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 24 Oct 2013 15:22:13 -0400 -Subject: [PATCH 01/15] Use the right signing method on the RHEL signing macro. +Subject: [PATCH] Use the right signing method on the RHEL signing macro. Signed-off-by: Peter Jones --- @@ -21,6 +21,3 @@ index 7f6e6ef..143ef8e 100644 %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\ --certdir ${nss} -c signer %{-o} \ rm -rf ${sattrs} ${sattrs}.sig ${nss} \ --- -2.5.5 - diff --git a/SOURCES/0002-Fix-error-detected-by-coverity.patch b/SOURCES/0002-Fix-error-detected-by-coverity.patch index 1da2914..2674b98 100644 --- a/SOURCES/0002-Fix-error-detected-by-coverity.patch +++ b/SOURCES/0002-Fix-error-detected-by-coverity.patch @@ -1,7 +1,7 @@ -From cca5baa1797e5cee78a32ba444c0327bd316d7b1 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 25 Oct 2013 10:08:32 -0400 -Subject: [PATCH 02/15] Fix error detected by coverity. +Subject: [PATCH] Fix error detected by coverity. Signed-off-by: Peter Jones --- @@ -21,6 +21,3 @@ index ca097e6..2080b98 100644 memcpy(&sd->SignatureOwner, &owner, sizeof (owner)); memcpy(sd->SignatureData, sig, sl->SignatureSize - sizeof (efi_guid_t)); --- -2.5.5 - diff --git a/SOURCES/0003-One-more-tweak-for-RHEL-signing-rules.patch b/SOURCES/0003-One-more-tweak-for-RHEL-signing-rules.patch index d85423f..92a91a2 100644 --- a/SOURCES/0003-One-more-tweak-for-RHEL-signing-rules.patch +++ b/SOURCES/0003-One-more-tweak-for-RHEL-signing-rules.patch @@ -1,7 +1,7 @@ -From d895607d9575600e6bbc13724caa704982540f8d Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 29 Oct 2013 11:27:31 -0400 -Subject: [PATCH 03/15] One more tweak for RHEL signing rules. +Subject: [PATCH] One more tweak for RHEL signing rules. It never ends. @@ -23,6 +23,3 @@ index 143ef8e..7faa4a1 100644 nss=$(mktemp -p $PWD -d) \ echo > ${nss}/pwfile \ certutil -N -d ${nss} -f ${nss}/pwfile \ --- -2.5.5 - diff --git a/SOURCES/0004-Changes-to-make-sure-we-inherit-CFLAGS-properly-from.patch b/SOURCES/0004-Changes-to-make-sure-we-inherit-CFLAGS-properly-from.patch index 4dcf54a..d70c7c4 100644 --- a/SOURCES/0004-Changes-to-make-sure-we-inherit-CFLAGS-properly-from.patch +++ b/SOURCES/0004-Changes-to-make-sure-we-inherit-CFLAGS-properly-from.patch @@ -1,7 +1,7 @@ -From b328f6ede664d5c37ecbd957355a991862191ff9 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 18 Mar 2014 11:41:18 -0400 -Subject: [PATCH 04/15] Changes to make sure we inherit CFLAGS properly from +Subject: [PATCH] Changes to make sure we inherit CFLAGS properly from rpmbuild. This makes sure we build with -fstack-protector-strong when invoked @@ -9,15 +9,40 @@ correctly with it in CFLAGS="" from make. Signed-off-by: Peter Jones --- + libdpe/pe_allocspace.c | 1 + + src/efikeygen.c | 2 +- Make.defaults | 7 ++++--- Make.efirules | 6 +++--- Make.rules | 10 +++++----- - libdpe/pe_allocspace.c | 1 + src/Makefile | 2 +- - src/efikeygen.c | 2 +- util/Makefile | 2 +- 7 files changed, 16 insertions(+), 14 deletions(-) +diff --git a/libdpe/pe_allocspace.c b/libdpe/pe_allocspace.c +index 716373c..1f0f44a 100644 +--- a/libdpe/pe_allocspace.c ++++ b/libdpe/pe_allocspace.c +@@ -19,6 +19,7 @@ + + #include "libdpe.h" + ++#include + #include + #include + #include +diff --git a/src/efikeygen.c b/src/efikeygen.c +index ac27acc..45ee5c5 100644 +--- a/src/efikeygen.c ++++ b/src/efikeygen.c +@@ -333,7 +333,7 @@ populate_extensions(cms_context *cms, CERTCertificate *cert, + + oid = SECOID_FindOIDByTag(SEC_OID_PKCS9_EXTENSION_REQUEST); + +- for (int i; crq->attributes[i]; i++) { ++ for (int i = 0 ; crq->attributes[i]; i++) { + attr = crq->attributes[i]; + if (attr->attrType.len != oid->oid.len) + continue; diff --git a/Make.defaults b/Make.defaults index e2c967b..0995e5b 100644 --- a/Make.defaults @@ -96,18 +121,6 @@ index 999d717..2749521 100644 + $(CC) $(INCDIR) $(BUILDFLAGS) $(CPPFLAGS) -E $< -o $@ %.c : %.h -diff --git a/libdpe/pe_allocspace.c b/libdpe/pe_allocspace.c -index 716373c..1f0f44a 100644 ---- a/libdpe/pe_allocspace.c -+++ b/libdpe/pe_allocspace.c -@@ -19,6 +19,7 @@ - - #include "libdpe.h" - -+#include - #include - #include - #include diff --git a/src/Makefile b/src/Makefile index f478aa6..e45d2a3 100644 --- a/src/Makefile @@ -121,19 +134,6 @@ index f478aa6..e45d2a3 100644 TARGETS = pesign authvar client efisiglist efikeygen peverify -diff --git a/src/efikeygen.c b/src/efikeygen.c -index ac27acc..45ee5c5 100644 ---- a/src/efikeygen.c -+++ b/src/efikeygen.c -@@ -333,7 +333,7 @@ populate_extensions(cms_context *cms, CERTCertificate *cert, - - oid = SECOID_FindOIDByTag(SEC_OID_PKCS9_EXTENSION_REQUEST); - -- for (int i; crq->attributes[i]; i++) { -+ for (int i = 0 ; crq->attributes[i]; i++) { - attr = crq->attributes[i]; - if (attr->attrType.len != oid->oid.len) - continue; diff --git a/util/Makefile b/util/Makefile index 1cf782c..ff11cb8 100644 --- a/util/Makefile @@ -147,6 +147,3 @@ index 1cf782c..ff11cb8 100644 TARGETS = setupsb.efi dumpsb.efi clearpk.efi --- -2.5.5 - diff --git a/SOURCES/0005-Allow-aarch64-in-the-rhel-build-macros.patch b/SOURCES/0005-Allow-aarch64-in-the-rhel-build-macros.patch index 07a09bb..0580939 100644 --- a/SOURCES/0005-Allow-aarch64-in-the-rhel-build-macros.patch +++ b/SOURCES/0005-Allow-aarch64-in-the-rhel-build-macros.patch @@ -1,7 +1,7 @@ -From abc2125fad51b2a3889248412ecc654c38d2efbb Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: "d.marlin" Date: Wed, 27 Aug 2014 16:26:45 -0400 -Subject: [PATCH 05/15] Allow aarch64 in the rhel build macros. +Subject: [PATCH] Allow aarch64 in the rhel build macros. Signed-off-by: Peter Jones --- @@ -23,6 +23,3 @@ index 7faa4a1..39374ce 100644 if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \ nss=$(mktemp -p $PWD -d) \ echo > ${nss}/pwfile \ --- -2.5.5 - diff --git a/SOURCES/0006-Build-as-PIE-RELRO-binaries.patch b/SOURCES/0006-Build-as-PIE-RELRO-binaries.patch index 7e7bec8..86bf970 100644 --- a/SOURCES/0006-Build-as-PIE-RELRO-binaries.patch +++ b/SOURCES/0006-Build-as-PIE-RELRO-binaries.patch @@ -1,7 +1,7 @@ -From 1d2859fa0e9cad7e0f36fef6ff17b91e10902777 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 2 Sep 2014 11:08:23 -0400 -Subject: [PATCH 06/15] Build as PIE+RELRO binaries. +Subject: [PATCH] Build as PIE+RELRO binaries. Resolves: rhbz#1092542 @@ -54,6 +54,3 @@ index e45d2a3..766ffe8 100644 TARGETS = pesign authvar client efisiglist efikeygen peverify --- -2.5.5 - diff --git a/SOURCES/0007-Fix-some-man-page-errors.patch b/SOURCES/0007-Fix-some-man-page-errors.patch index 69d5c74..0e4b968 100644 --- a/SOURCES/0007-Fix-some-man-page-errors.patch +++ b/SOURCES/0007-Fix-some-man-page-errors.patch @@ -1,7 +1,7 @@ -From 054279b3c15f28513e2d5eefb2035392ec811ca5 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 2 Sep 2014 11:27:58 -0400 -Subject: [PATCH 07/15] Fix some man page errors. +Subject: [PATCH] Fix some man page errors. Resolves: rhbz#948850 @@ -79,17 +79,14 @@ index 0a62e36..03603ca 100644 .TP \fB-\-show-signature\fR -@@ -62,6 +69,10 @@ Show information about the signature of the input binary. +@@ -61,6 +68,10 @@ Show information about the signature of the input binary. + \fB-\-remove-signature\fR Remove the signature section from the binary. - .TP ++.TP +\fB-\-signature-number\fR=\fIsignum\fR +Specify which signature to operate on. This field is zero-indexed. + -+.TP + .TP \fB-\-export-pubkey\fR=\fIoutkey\fR Export the public key specified by --certificate to \fIoutkey\fR - --- -2.5.5 - diff --git a/SOURCES/0008-A-more-plugable-way-of-setting-ACLs-for-pesign.patch b/SOURCES/0008-A-more-plugable-way-of-setting-ACLs-for-pesign.patch index 09e2170..2feaa04 100644 --- a/SOURCES/0008-A-more-plugable-way-of-setting-ACLs-for-pesign.patch +++ b/SOURCES/0008-A-more-plugable-way-of-setting-ACLs-for-pesign.patch @@ -1,7 +1,7 @@ -From f1212565b3783564a50f98a652588091a6680908 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Pat Riehecky Date: Fri, 12 Sep 2014 09:37:07 -0500 -Subject: [PATCH 08/15] A more plugable way of setting ACLs for pesign +Subject: [PATCH] A more plugable way of setting ACLs for pesign The sysvinit script provided with pesign sets ACLS for the pesign/socket file for kojibuilder:kojibuilder. The systemd unit, however, does not. @@ -93,6 +93,3 @@ index ea37c58..6f20560 100644 } stop(){ --- -2.5.5 - diff --git a/SOURCES/0009-Add-install-targets-for-3c2374b-and-make-the-filenam.patch b/SOURCES/0009-Add-install-targets-for-3c2374b-and-make-the-filenam.patch index 1a3fd99..41fbda9 100644 --- a/SOURCES/0009-Add-install-targets-for-3c2374b-and-make-the-filenam.patch +++ b/SOURCES/0009-Add-install-targets-for-3c2374b-and-make-the-filenam.patch @@ -1,8 +1,8 @@ -From fc08bd9a51b4bf576f7d6c1df6fb3f3d8dba26c1 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 9 Jun 2015 16:00:00 -0400 -Subject: [PATCH 09/15] Add "install" targets for 3c2374b and make the - filenames a little nicer. +Subject: [PATCH] Add "install" targets for 3c2374b and make the filenames a + little nicer. Related: rhbz#1141263 @@ -61,6 +61,3 @@ index 1993570..e500204 100644 setfacl -m u:${username}:rx /var/run/pesign setfacl -m u:${username}:rw /var/run/pesign/socket done --- -2.5.5 - diff --git a/SOURCES/0010-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch b/SOURCES/0010-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch index 5ea0513..9dd5b83 100644 --- a/SOURCES/0010-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch +++ b/SOURCES/0010-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch @@ -1,8 +1,8 @@ -From 82cf315182deacdc488b465cb50d8c0d692f4dcc Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 19 Nov 2015 11:36:59 -0500 -Subject: [PATCH 10/15] setfacl the nss DBs to our authorized users, not just - the socket. +Subject: [PATCH] setfacl the nss DBs to our authorized users, not just the + socket. Signed-off-by: Peter Jones (cherry picked from commit 1a9a8eefe8f9a9b21996151a5afd956df22921ea) @@ -35,6 +35,3 @@ index e500204..9c38a25 100644 + setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db done fi --- -2.5.5 - diff --git a/SOURCES/0011-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch b/SOURCES/0011-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch index b0b0ef9..55393dd 100644 --- a/SOURCES/0011-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch +++ b/SOURCES/0011-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch @@ -1,7 +1,7 @@ -From 4bf644cdc1908aaa04de304174d985665de5947d Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 20 Nov 2015 19:19:49 -0500 -Subject: [PATCH 11/15] Don't setfacl when the socket or dir aren't there. +Subject: [PATCH] Don't setfacl when the socket or dir aren't there. Signed-off-by: Peter Jones (cherry picked from commit 4c70ae807156099bf027b57a94b7eae0a810b947) @@ -50,6 +50,3 @@ index 9c38a25..22bddec 100644 + fi done fi --- -2.5.5 - diff --git a/SOURCES/0012-setfacl-the-db-as-well.patch b/SOURCES/0012-setfacl-the-db-as-well.patch index f5e4c7d..8d59e50 100644 --- a/SOURCES/0012-setfacl-the-db-as-well.patch +++ b/SOURCES/0012-setfacl-the-db-as-well.patch @@ -1,7 +1,7 @@ -From cdca8c5dfeee969267dacc5846d8c11e84c2fcfe Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 20 Nov 2015 19:21:39 -0500 -Subject: [PATCH 12/15] setfacl the db as well +Subject: [PATCH] setfacl the db as well And also get all our "-m [ug]:${name}:$perm" arguments right. @@ -47,6 +47,3 @@ index 22bddec..a43ce44 100644 + fi done fi --- -2.5.5 - diff --git a/SOURCES/0013-Improve-our-setfacl-scripts-for-database-and-socket-.patch b/SOURCES/0013-Improve-our-setfacl-scripts-for-database-and-socket-.patch index c1fb088..6d1a2de 100644 --- a/SOURCES/0013-Improve-our-setfacl-scripts-for-database-and-socket-.patch +++ b/SOURCES/0013-Improve-our-setfacl-scripts-for-database-and-socket-.patch @@ -1,7 +1,7 @@ -From 9cd3272fc54f7941f347c4ec9e15176c2ed7da36 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 20 Apr 2016 11:44:08 -0400 -Subject: [PATCH 13/15] Improve our setfacl scripts for database and socket +Subject: [PATCH] Improve our setfacl scripts for database and socket ownership. Signed-off-by: Peter Jones @@ -87,6 +87,3 @@ index a43ce44..8b9a885 100644 + done done fi --- -2.5.5 - diff --git a/SOURCES/0014-Make-pesign-authorize-users-groups-not-be-in-sbin.patch b/SOURCES/0014-Make-pesign-authorize-users-groups-not-be-in-sbin.patch index d6043f7..ee6825d 100644 --- a/SOURCES/0014-Make-pesign-authorize-users-groups-not-be-in-sbin.patch +++ b/SOURCES/0014-Make-pesign-authorize-users-groups-not-be-in-sbin.patch @@ -1,7 +1,7 @@ -From 0c973c36bf25a863db868d518265b5e7ee722764 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 10 Jun 2015 14:56:38 -0400 -Subject: [PATCH 14/15] Make pesign-authorize-{users,groups} not be in sbin. +Subject: [PATCH] Make pesign-authorize-{users,groups} not be in sbin. If it's in sbin, it needs a man page. On fedora/rhel it should go in libexec, on debian probably /usr/share someplace. This change puts it @@ -119,6 +119,3 @@ index 6f20560..d8fffca 100644 } stop(){ --- -2.5.5 - diff --git a/SOURCES/0015-Actually-setfacl-each-directory-of-our-key-storage.patch b/SOURCES/0015-Actually-setfacl-each-directory-of-our-key-storage.patch index ba46426..0c499a7 100644 --- a/SOURCES/0015-Actually-setfacl-each-directory-of-our-key-storage.patch +++ b/SOURCES/0015-Actually-setfacl-each-directory-of-our-key-storage.patch @@ -1,7 +1,7 @@ -From 0df758bbb282f9d4a81818b6f7816eb0eb663519 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 16 May 2016 15:25:53 -0400 -Subject: [PATCH 15/15] Actually setfacl /each/ directory of our key storage. +Subject: [PATCH] Actually setfacl /each/ directory of our key storage. Signed-off-by: Peter Jones (cherry picked from commit f0c285fe74f00402acb72cb4ae91891006e9cfa4) @@ -46,6 +46,3 @@ index 8b9a885..940138e 100644 setfacl -m g:${username}:rw ${y} done fi --- -2.5.5 - diff --git a/SOURCES/0016-Backport-newer-deprecated-pesign-authorize.patch b/SOURCES/0016-Backport-newer-deprecated-pesign-authorize.patch new file mode 100644 index 0000000..e712f88 --- /dev/null +++ b/SOURCES/0016-Backport-newer-deprecated-pesign-authorize.patch @@ -0,0 +1,149 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Wed, 18 Jan 2023 15:14:55 -0500 +Subject: [PATCH] Backport newer, deprecated pesign-authorize + +Resolves: CVE-2022-3560 +Signed-off-by: Robbie Harwood +--- + src/Makefile | 3 +-- + src/pesign-authorize | 13 +++++++++++++ + src/pesign-authorize-groups | 30 ------------------------------ + src/pesign-authorize-users | 30 ------------------------------ + src/pesign.service.in | 3 +-- + src/pesign.sysvinit.in | 3 +-- + 6 files changed, 16 insertions(+), 66 deletions(-) + create mode 100644 src/pesign-authorize + delete mode 100644 src/pesign-authorize-groups + delete mode 100644 src/pesign-authorize-users + +diff --git a/src/Makefile b/src/Makefile +index 41a622f..4900905 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -77,8 +77,7 @@ install_systemd: pesign.service + $(INSTALL) -d -m 755 $(INSTALLROOT)/usr/lib/systemd/system/ + $(INSTALL) -m 644 pesign.service $(INSTALLROOT)/usr/lib/systemd/system/ + $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/ +- $(INSTALL) -m 755 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/pesign-authorize-users +- $(INSTALL) -m 755 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/pesign-authorize-groups ++ $(INSTALL) -m 755 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/pesign-authorize + $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign + $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users + $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups +diff --git a/src/pesign-authorize b/src/pesign-authorize +new file mode 100644 +index 0000000..aa8b110 +--- /dev/null ++++ b/src/pesign-authorize +@@ -0,0 +1,13 @@ ++#!/bin/bash ++set -e ++set -u ++ ++# License: GPLv2 ++ ++# This script is deprecated and will be removed in a future release. ++ ++sleep 3 ++for x in /var/run/pesign/ /etc/pki/pesign/ ; do ++ chown -R pesign:pesign "${x}" || true ++ chmod -R ug+rwX "${x}" || true ++done +diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups +deleted file mode 100644 +index cf51fb6..0000000 +--- a/src/pesign-authorize-groups ++++ /dev/null +@@ -1,30 +0,0 @@ +-#!/bin/bash +-set -e +- +-# +-# With /run/pesign/socket on tmpfs, a simple way of restoring the +-# acls for specific groups is useful +-# +-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6 +-# +- +-# License: GPLv2 +- +-if [ -r /etc/pesign/groups ]; then +- for group in $(cat /etc/pesign/groups); do +- if [ -d /var/run/pesign ]; then +- setfacl -m g:${group}:rx /var/run/pesign +- if [ -e /var/run/pesign/socket ]; then +- setfacl -m g:${group}:rw /var/run/pesign/socket +- fi +- fi +- for x in /etc/pki/pesign*/ ; do +- if [ -d ${x} ]; then +- setfacl -m g:${group}:rx ${x} +- for y in ${x}{cert8,key3,secmod}.db ; do +- setfacl -m g:${group}:rw ${y} +- done +- fi +- done +- done +-fi +diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users +deleted file mode 100644 +index 940138e..0000000 +--- a/src/pesign-authorize-users ++++ /dev/null +@@ -1,30 +0,0 @@ +-#!/bin/bash +-set -e +- +-# +-# With /run/pesign/socket on tmpfs, a simple way of restoring the +-# acls for specific users is useful +-# +-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6 +-# +- +-# License: GPLv2 +- +-if [ -r /etc/pesign/users ]; then +- for username in $(cat /etc/pesign/users); do +- if [ -d /var/run/pesign ]; then +- setfacl -m g:${username}:rx /var/run/pesign +- if [ -e /var/run/pesign/socket ]; then +- setfacl -m g:${username}:rw /var/run/pesign/socket +- fi +- fi +- for x in /etc/pki/pesign*/ ; do +- if [ -d ${x} ]; then +- setfacl -m g:${username}:rx ${x} +- for y in ${x}{cert8,key3,secmod}.db ; do +- setfacl -m g:${username}:rw ${y} +- done +- fi +- done +- done +-fi +diff --git a/src/pesign.service.in b/src/pesign.service.in +index aaa408e..c75a000 100644 +--- a/src/pesign.service.in ++++ b/src/pesign.service.in +@@ -6,5 +6,4 @@ PrivateTmp=true + Type=forking + PIDFile=/var/run/pesign.pid + ExecStart=/usr/bin/pesign --daemonize +-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users +-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups ++ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize +diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in +index d8fffca..9ab36d6 100644 +--- a/src/pesign.sysvinit.in ++++ b/src/pesign.sysvinit.in +@@ -24,8 +24,7 @@ start(){ + RETVAL=$? + echo + touch /var/lock/subsys/pesign +- @@LIBEXECDIR@@/pesign/pesign-authorize-users +- @@LIBEXECDIR@@/pesign/pesign-authorize-groups ++ @@LIBEXECDIR@@/pesign/pesign-authorize + } + + stop(){ diff --git a/SOURCES/pesign.patches b/SOURCES/pesign.patches new file mode 100644 index 0000000..f272269 --- /dev/null +++ b/SOURCES/pesign.patches @@ -0,0 +1,16 @@ +Patch0001: 0001-Use-the-right-signing-method-on-the-RHEL-signing-mac.patch +Patch0002: 0002-Fix-error-detected-by-coverity.patch +Patch0003: 0003-One-more-tweak-for-RHEL-signing-rules.patch +Patch0004: 0004-Changes-to-make-sure-we-inherit-CFLAGS-properly-from.patch +Patch0005: 0005-Allow-aarch64-in-the-rhel-build-macros.patch +Patch0006: 0006-Build-as-PIE-RELRO-binaries.patch +Patch0007: 0007-Fix-some-man-page-errors.patch +Patch0008: 0008-A-more-plugable-way-of-setting-ACLs-for-pesign.patch +Patch0009: 0009-Add-install-targets-for-3c2374b-and-make-the-filenam.patch +Patch0010: 0010-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch +Patch0011: 0011-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch +Patch0012: 0012-setfacl-the-db-as-well.patch +Patch0013: 0013-Improve-our-setfacl-scripts-for-database-and-socket-.patch +Patch0014: 0014-Make-pesign-authorize-users-groups-not-be-in-sbin.patch +Patch0015: 0015-Actually-setfacl-each-directory-of-our-key-storage.patch +Patch0016: 0016-Backport-newer-deprecated-pesign-authorize.patch diff --git a/SPECS/pesign.spec b/SPECS/pesign.spec index 0223bb4..19c395b 100644 --- a/SPECS/pesign.spec +++ b/SPECS/pesign.spec @@ -1,7 +1,7 @@ Summary: Signing utility for UEFI binaries Name: pesign Version: 0.109 -Release: 10%{?dist} +Release: 11%{?dist} Group: Development/System License: GPLv2 URL: https://github.com/vathpela/pesign @@ -18,21 +18,9 @@ ExclusiveArch: x86_64 aarch64 # git checkout %%{version} Source0: pesign-%{version}.tar.bz2 Source1: rh-test-certs.tar.bz2 -Patch0001: 0001-Use-the-right-signing-method-on-the-RHEL-signing-mac.patch -Patch0002: 0002-Fix-error-detected-by-coverity.patch -Patch0003: 0003-One-more-tweak-for-RHEL-signing-rules.patch -Patch0004: 0004-Changes-to-make-sure-we-inherit-CFLAGS-properly-from.patch -Patch0005: 0005-Allow-aarch64-in-the-rhel-build-macros.patch -Patch0006: 0006-Build-as-PIE-RELRO-binaries.patch -Patch0007: 0007-Fix-some-man-page-errors.patch -Patch0008: 0008-A-more-plugable-way-of-setting-ACLs-for-pesign.patch -Patch0009: 0009-Add-install-targets-for-3c2374b-and-make-the-filenam.patch -Patch0010: 0010-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch -Patch0011: 0011-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch -Patch0012: 0012-setfacl-the-db-as-well.patch -Patch0013: 0013-Improve-our-setfacl-scripts-for-database-and-socket-.patch -Patch0014: 0014-Make-pesign-authorize-users-groups-not-be-in-sbin.patch -Patch0015: 0015-Actually-setfacl-each-directory-of-our-key-storage.patch +Source3: pesign.patches + +%include %{SOURCE3} %description This package contains the pesign utility for signing UEFI binaries as @@ -100,8 +88,7 @@ exit 0 %{_bindir}/efikeygen %{_sysconfdir}/popt.d/pesign.popt %{_sysconfdir}/rpm/macros.pesign -%{_libexecdir}/pesign/pesign-authorize-users -%{_libexecdir}/pesign/pesign-authorize-groups +%{_libexecdir}/pesign/pesign-authorize %config(noreplace)/%{_sysconfdir}/pesign/users %config(noreplace)/%{_sysconfdir}/pesign/groups %{_mandir}/man*/* @@ -116,6 +103,10 @@ exit 0 %endif %changelog +* Wed Jan 18 2023 Robbie Harwood - 0.109-11 +- Backport newer, deprecated pesign-authorize +- Resolves: CVE-2022-3560 + * Mon May 16 2016 Peter Jones - - 0.109-10 - Add support for /etc/pesign/users and /etc/pesign/groups Resolves: rhbz#1141263