From unknown Wed Sep 10 15:50:32 2025
Subject: [bug#30826] [PATCH] gnu: shadow: Fix CVE-2018-7169.
Resent-From: Leo Famulari
Resent-CC: guix-patches@gnu.org
Resent-Date: Thu, 15 Mar 2018 16:21:02 +0000
To: 30826@debbugs.gnu.org
X-Debbugs-Original-To: guix-patches@gnu.org
From: Leo Famulari
Date: Thu, 15 Mar 2018 12:19:43 -0400
X-Mailer: git-send-email 2.16.2

* gnu/packages/patches/shadow-CVE-2018-7169.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/admin.scm (shadow)[source]: Use it.
---
 gnu/local.mk                                    |   1 +
 gnu/packages/admin.scm                          |   1 +
 gnu/packages/patches/shadow-CVE-2018-7169.patch | 191 ++++++++++++++++++++++++
 3 files changed, 193 insertions(+)
 create mode 100644 gnu/packages/patches/shadow-CVE-2018-7169.patch

diff --git a/gnu/local.mk b/gnu/local.mk index 165b83067..69e4d2b7b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1082,6 +1082,7 @@ dist_patch_DATA = \ %D%/packages/patches/scotch-test-threading.patch \ %D%/packages/patches/sdl-libx11-1.6.patch \ %D%/packages/patches/seq24-rename-mutex.patch \ + %D%/packages/patches/shadow-CVE-2018-7169.patch \ %D%/packages/patches/shepherd-close-fds.patch \ %D%/packages/patches/shepherd-herd-status-sorted.patch \ %D%/packages/patches/shishi-fix-libgcrypt-detection.patch \ diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index ad31bc498..d6f4a5fab 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -360,6 +360,7 @@ hostname.") (uri (string-append "https://github.com/shadow-maint/shadow/releases/" "download/" version "/shadow-" version ".tar.xz")) + (patches (search-patches "shadow-CVE-2018-7169.patch")) (sha256 (base32 "0hdpai78n63l3v3fgr3kkiqzhd0awrpfnnzz4mf7lmxdh61qb37w"))))
diff --git a/gnu/packages/patches/shadow-CVE-2018-7169.patch b/gnu/packages/patches/shadow-CVE-2018-7169.patch new file mode 100644 index 000000000..eeae5b9b7 --- /dev/null +++ b/gnu/packages/patches/shadow-CVE-2018-7169.patch 
@@ -0,0 +1,191 @@ +Fix CVE-2018-7169: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7169 + +Patch copied from upstream source repository: + +https://github.com/shadow-maint/shadow/commit/fb28c99b8a66ff2605c5cb96abc0a4d975f92de0 + +From fb28c99b8a66ff2605c5cb96abc0a4d975f92de0 Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Thu, 15 Feb 2018 23:49:40 +1100 +Subject: [PATCH] newgidmap: enforce setgroups=deny if self-mapping a group + +This is necessary to match the kernel-side policy of "self-mapping in a +user namespace is fine, but you cannot drop groups" -- a policy that was +created in order to stop user namespaces from allowing trivial privilege +escalation by dropping supplementary groups that were "blacklisted" from +certain paths. + +This is the simplest fix for the underlying issue, and effectively makes +it so that unless a user has a valid mapping set in /etc/subgid (which +only administrators can modify) -- and they are currently trying to use +that mapping -- then /proc/$pid/setgroups will be set to deny. This +workaround is only partial, because ideally it should be possible to set +an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow +administrators to further restrict newgidmap(1). + +We also don't write anything in the "allow" case because "allow" is the +default, and users may have already written "deny" even if they +technically are allowed to use setgroups. And we don't write anything if +the setgroups policy is already "deny". 
+ +Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 +Fixes: CVE-2018-7169 +Reported-by: Craig Furman +Signed-off-by: Aleksa Sarai +--- + src/newgidmap.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 80 insertions(+), 9 deletions(-) + +diff --git a/src/newgidmap.c b/src/newgidmap.c +index b1e33513..59a2e75c 100644 +--- a/src/newgidmap.c ++++ b/src/newgidmap.c +@@ -46,32 +46,37 @@ + */ + const char *Prog; + +-static bool verify_range(struct passwd *pw, struct map_range *range) ++ ++static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups) + { + /* An empty range is invalid */ + if (range->count == 0) + return false; + +- /* Test /etc/subgid */ +- if (have_sub_gids(pw->pw_name, range->lower, range->count)) ++ /* Test /etc/subgid. If the mapping is valid then we allow setgroups. */ ++ if (have_sub_gids(pw->pw_name, range->lower, range->count)) { ++ *allow_setgroups = true; + return true; ++ } + +- /* Allow a process to map its own gid */ +- if ((range->count == 1) && (pw->pw_gid == range->lower)) ++ /* Allow a process to map its own gid. */ ++ if ((range->count == 1) && (pw->pw_gid == range->lower)) { ++ /* noop -- if setgroups is enabled already we won't disable it. 
*/ + return true; ++ } + + return false; + } + + static void verify_ranges(struct passwd *pw, int ranges, +- struct map_range *mappings) ++ struct map_range *mappings, bool *allow_setgroups) + { + struct map_range *mapping; + int idx; + + mapping = mappings; + for (idx = 0; idx < ranges; idx++, mapping++) { +- if (!verify_range(pw, mapping)) { ++ if (!verify_range(pw, mapping, allow_setgroups)) { + fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"), + Prog, + mapping->upper, +@@ -89,6 +94,70 @@ static void usage(void) + exit(EXIT_FAILURE); + } + ++void write_setgroups(int proc_dir_fd, bool allow_setgroups) ++{ ++ int setgroups_fd; ++ char *policy, policy_buffer[4096]; ++ ++ /* ++ * Default is "deny", and any "allow" will out-rank a "deny". We don't ++ * forcefully write an "allow" here because the process we are writing ++ * mappings for may have already set themselves to "deny" (and "allow" ++ * is the default anyway). So allow_setgroups == true is a noop. ++ */ ++ policy = "deny\n"; ++ if (allow_setgroups) ++ return; ++ ++ setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC); ++ if (setgroups_fd < 0) { ++ /* ++ * If it's an ENOENT then we are on too old a kernel for the setgroups ++ * code to exist. Emit a warning and bail on this. ++ */ ++ if (ENOENT == errno) { ++ fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog); ++ goto out; ++ } ++ fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"), ++ Prog, ++ strerror(errno)); ++ exit(EXIT_FAILURE); ++ } ++ ++ /* ++ * Check whether the policy is already what we want. /proc/self/setgroups ++ * is write-once, so attempting to write after it's already written to will ++ * fail. 
++ */ ++ if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) { ++ fprintf(stderr, _("%s: failed to read setgroups: %s\n"), ++ Prog, ++ strerror(errno)); ++ exit(EXIT_FAILURE); ++ } ++ if (!strncmp(policy_buffer, policy, strlen(policy))) ++ goto out; ++ ++ /* Write the policy. */ ++ if (lseek(setgroups_fd, 0, SEEK_SET) < 0) { ++ fprintf(stderr, _("%s: failed to seek setgroups: %s\n"), ++ Prog, ++ strerror(errno)); ++ exit(EXIT_FAILURE); ++ } ++ if (dprintf(setgroups_fd, "%s", policy) < 0) { ++ fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"), ++ Prog, ++ policy, ++ strerror(errno)); ++ exit(EXIT_FAILURE); ++ } ++ ++out: ++ close(setgroups_fd); ++} ++ + /* + * newgidmap - Set the gid_map for the specified process + */ +@@ -103,6 +172,7 @@ int main(int argc, char **argv) + struct stat st; + struct passwd *pw; + int written; ++ bool allow_setgroups = false; + + Prog = Basename (argv[0]); + +@@ -145,7 +215,7 @@ int main(int argc, char **argv) + (unsigned long) getuid ())); + return EXIT_FAILURE; + } +- ++ + /* Get the effective uid and effective gid of the target process */ + if (fstat(proc_dir_fd, &st) < 0) { + fprintf(stderr, _("%s: Could not stat directory for target %u\n"), +@@ -177,8 +247,9 @@ int main(int argc, char **argv) + if (!mappings) + usage(); + +- verify_ranges(pw, ranges, mappings); ++ verify_ranges(pw, ranges, mappings, &allow_setgroups); + ++ write_setgroups(proc_dir_fd, allow_setgroups); + write_mapping(proc_dir_fd, ranges, mappings, "gid_map"); + sub_gid_close(); + +-- +2.16.2 + -- 2.16.2 From unknown Wed Sep 10 15:50:32 2025 MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) X-Loop: help-debbugs@gnu.org 
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Leo Famulari
Subject: bug#30826: closed (Re: [bug#30826] [PATCH] gnu: shadow: Fix CVE-2018-7169.)
References: <87d105tgj5.fsf@gnu.org>
Reply-To: 30826@debbugs.gnu.org
Date: Thu, 15 Mar 2018 17:07:02 +0000

Your bug report

#30826: [PATCH] gnu: shadow: Fix CVE-2018-7169.

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 30826@debbugs.gnu.org.

-- 
30826: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=30826
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari
Subject: Re: [bug#30826] [PATCH] gnu: shadow: Fix CVE-2018-7169.
Date: Thu, 15 Mar 2018 18:06:22 +0100
In-Reply-To: (Leo Famulari's message of "Thu, 15 Mar 2018 12:19:43 -0400")
Message-ID: <87d105tgj5.fsf@gnu.org>
Cc: 30826-done@debbugs.gnu.org

Leo Famulari wrote:

> * gnu/packages/patches/shadow-CVE-2018-7169.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/admin.scm (shadow)[source]: Use it.

LGTM, thank you!

Ludo’.
From unknown Wed Sep 10 15:50:32 2025
Subject: [bug#30826] [PATCH] gnu: shadow: Fix CVE-2018-7169.
Resent-From: Leo Famulari
Resent-CC: guix-patches@gnu.org
Resent-Date: Thu, 15 Mar 2018 17:15:01 +0000
Cc: 30826-done@debbugs.gnu.org
Date: Thu, 15 Mar 2018 13:14:07 -0400
From: Leo Famulari
Message-ID: <20180315171407.GA29670@jasmine.lan>
References: <87d105tgj5.fsf@gnu.org>
In-Reply-To: <87d105tgj5.fsf@gnu.org>
User-Agent: Mutt/1.9.3 (2018-01-21)

On Thu, Mar 15, 2018 at 06:06:22PM +0100, Ludovic Courtès wrote:
> Leo Famulari wrote:
> 
> > * gnu/packages/patches/shadow-CVE-2018-7169.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/admin.scm (shadow)[source]: Use it.
> 
> LGTM, thank you!

Thanks!
Pushed as 20ecede9690cb7f75bc8fee60619a4adf82ba4d5