| author | Patrick Williams <patrick@stwcx.xyz> | 2024-03-01 23:30:19 +0300 |
|---|---|---|
| committer | Patrick Williams <patrick@stwcx.xyz> | 2024-03-02 00:24:34 +0300 |
| commit | 7363086d8a6f87f6c162a314937f1c2e3c063b42 (patch) | |
| tree | f37b4996342d0af75369338b4a1a0fc416c5feeb /poky/meta/recipes-extended/shadow/files/CVE-2023-4641.patch | |
| parent | d4fa64b8fbad9ed7bef03090adec4a99cf9ecd5b (diff) | |
| download | openbmc-7363086d8a6f87f6c162a314937f1c2e3c063b42.tar.xz | |
subtree updates (nanbield)
meta-arm: 79c52afe74..9a4ae38e84:
Emekcan Aras (1):
arm-bsp/optee: Improve PIN counter handling robustness
Harsimran Singh Tungal (2):
corstone1000:arm-bsp/tftf: Fix tftf tests on mps3
arm-bsp/tf-a-tests: fix corstone1000
Ross Burton (2):
arm-bsp/documentation: upgrade Sphinx slightly
CI: use https: to fetch meta-virtualization
meta-openembedded: 2da6e1b0e4..da9063bdfb:
Changqing Li (2):
postgresql: upgrade 15.4 -> 15.5
redis: upgrade 6.2.13 -> 6.2.14
Khem Raj (1):
webkitgtk3: upgrade 2.42.0 -> 2.42.1
Meenali Gupta (1):
nginx: upgrade 1.25.2 -> 1.25.3
Mingli Yu (1):
mariadb: Upgrade to 10.11.6
Wang Mingyu (5):
strongswan: upgrade 5.9.12 -> 5.9.13
webkitgtk3: upgrade 2.42.1 -> 2.42.2
webkitgtk3: upgrade 2.42.2 -> 2.42.3
webkitgtk3: upgrade 2.42.3 -> 2.42.4
libssh: upgrade 0.10.5 -> 0.10.6
Yi Zhao (1):
samba: upgrade 4.18.8 -> 4.18.9
poky: 61a59d00a0..1a5c00f00c:
Alassane Yattara (1):
bitbake: toaster/toastergui: Bug-fix verify given layer path only if import/add local layer
Alexander Kanavin (2):
glibc-y2038-tests: do not run tests using 32 bit time APIs
icon-naming-utils: take tarball from debian
Alexander Sverdlin (1):
linux-firmware: upgrade 20231030 -> 20231211
Anuj Mittal (2):
base-passwd: upgrade 3.6.2 -> 3.6.3
glib-2.0: upgrade 2.78.1 -> 2.78.3
Baruch Siach (1):
contributor-guide: fix lore URL
Benjamin Bara (1):
glibc: stable 2.38 branch updates
Bruce Ashfield (8):
linux-yocto/6.1: update to v6.1.69
linux-yocto/6.1: update to v6.1.70
linux-yocto/6.1: update CVE exclusions
linux-yocto/6.1: update to v6.1.72
linux-yocto/6.1: update CVE exclusions
linux-yocto/6.1: security/cfg: add configs to harden protection
linux-yocto/6.1: update to v6.1.73
linux-yocto/6.1: update CVE exclusions
Chen Qi (2):
sudo: upgrade from 1.9.15p2 to 1.9.15p5
multilib_global.bbclass: fix parsing error with no kernel module split
Clay Chang (1):
devtool: deploy: provide max_process to strip_execs
Enguerrand de Ribaucourt (1):
manuals: document VSCode extension
Ilya A. Kriveshko (1):
dev-manual: update license manifest path
Jason Andryuk (3):
linux-firmware: Package iwlwifi .pnvm files
linux-firmware: Change bnx2 packaging
linux-firmware: Create bnx2x subpackage
Jeremy A. Puhlman (1):
create-spdx-2.2: combine spdx can try to write before dir creation
Joao Marcos Costa (1):
documentation.conf: fix do_menuconfig description
Jonathan GUILLOT (1):
udev-extraconf: fix unmount directories containing octal-escaped chars
Jose Quaresma (2):
go: update 1.20.10 -> 1.20.11
go: update 1.20.11 -> 1.20.12
Joshua Watt (2):
rpcbind: Specify state directory under /run
classes-global/sstate: Fix variable typo
Julien Stephan (1):
externalsrc: fix task dependency for do_populate_lic
Jörg Sommer (1):
documentation: Add UBOOT_BINARY, extend UBOOT_CONFIG
Kai Kang (1):
xserver-xorg: 21.1.9 -> 21.1.11
Khem Raj (2):
tiff: Backport fixes for CVE-2023-6277
tcl: Fix prepending to run-ptest script
Lee Chee Yang (5):
curl: Fix CVE-2023-46219
qemu: 8.1.2 -> 8.1.4
migration-guide: add release notes for 4.3.2
migration-guide: add release notes for 4.0.16
migration-guide: add release notes for 4.3.3
Markus Volk (1):
libadwaita: update 1.4.0 -> 1.4.2
Massimiliano Minella (1):
zstd: fix LICENSE statement
Maxin B. John (1):
ref-manual: classes: remove insserv bbclass
Michael Opdenacker (3):
contributor-guide: use "apt" instead of "aptitude"
release-notes-4.3: fix spacing
migration-guides: fix release notes for 4.3.3
Ming Liu (2):
grub: fs/fat: Don't error when mtime is 0
qemu.bbclass: fix a python TypeError
Mingli Yu (1):
python3-license-expression: Fix the ptest failure
Peter Kjellerstedt (1):
devtool: modify: Handle recipes with a menuconfig task correctly
Peter Marko (4):
dtc: preserve version also from shallow git clones
sqlite3: upgrade 3.43.1 -> 3.43.2
sqlite: drop obsolete CVE ignore
zlib: ignore CVE-2023-6992
Richard Purdie (9):
pseudo: Update to pull in syncfs probe fix
sstate: Fix dir ownership issues in SSTATE_DIR
curl: Disable two intermittently failing tests
lib/prservice: Improve lock handling robustness
oeqa/selftest/prservice: Improve test robustness
curl: Disable test 1091 due to intermittent failures
allarch: Fix allarch corner case
reproducible: Fix race with externalsrc/devtool over lockfile
pseudo: Update to pull in gcc14 fix and missing statvfs64 intercept
Robert Berger (1):
uninative-tarball.xz - reproducibility fix
Robert Joslyn (1):
gtk: Set CVE_PRODUCT
Robert Yang (2):
nfs-utils: Upgrade 2.6.3 -> 2.6.4
nfs-utils: Update Upstream-Status
Rodrigo M. Duarte (1):
linux-firmware: Fix the linux-firmware-bcm4373 FILES variable
Ross Burton (4):
avahi: update URL for new project location
libssh2: backport fix for CVE-2023-48795
cve_check: handle CVE_STATUS being set to the empty string
cve_check: cleanup logging
Saul Wold (1):
package.py: OEHasPackage: Add MLPREFIX to packagename
Simone Weiß (5):
dev-manual: start.rst: Update use of Download page
dev-manual: start.rst: Update use of Download page
glibc: Set status for CVE-2023-5156 & CVE-2023-0687
dev-manual: gen-tapdevs need iptables installed
gcc: Update status of CVE-2023-4039
Soumya Sambu (1):
ncurses: Fix - tty is hung after reset
Steve Sakoman (2):
poky.conf: bump version for 4.3.3 release
build-appliance-image: Update to nanbield head revision
Trevor Gamblin (1):
scripts/runqemu: fix regex escape sequences
Wang Mingyu (9):
xwayland: upgrade 23.2.2 -> 23.2.3
libatomic-ops: upgrade 7.8.0 -> 7.8.2
libva-utils: upgrade 2.20.0 -> 2.20.1
kea: upgrade 2.4.0 -> 2.4.1
gstreamer1.0: upgrade 1.22.7 -> 1.22.8
aspell: upgrade 0.60.8 -> 0.60.8.1
at-spi2-core: upgrade 2.50.0 -> 2.50.1
cpio: upgrade 2.14 -> 2.15
gstreamer: upgrade 1.22.8 -> 1.22.9
William Lyu (1):
elfutils: Update license information
Xiangyu Chen (2):
shadow: Fix for CVE-2023-4641
sudo: upgrade 1.9.14p3 -> 1.9.15p2
Yang Xu (1):
rootfs.py: check depmodwrapper execution result
Yogita Urade (2):
tiff: fix CVE-2023-6228
tiff: fix CVE-2023-52355 and CVE-2023-52356
Zahir Hussain (1):
cmake: Unset CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES
baruch@tkos.co.il (1):
overlayfs: add missing closing parenthesis in selftest
Change-Id: I613697694d0eb51ae9451f7e869b69d6c1ba1fd3
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Diffstat (limited to 'poky/meta/recipes-extended/shadow/files/CVE-2023-4641.patch')
-rw-r--r-- | poky/meta/recipes-extended/shadow/files/CVE-2023-4641.patch | 147 |
1 files changed, 147 insertions, 0 deletions
diff --git a/poky/meta/recipes-extended/shadow/files/CVE-2023-4641.patch b/poky/meta/recipes-extended/shadow/files/CVE-2023-4641.patch new file mode 100644 index 0000000000..1fabfe928e --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/CVE-2023-4641.patch 
@@ -0,0 +1,147 @@ +From 25dbe2ce166a13322b7536ff2f738786ea2e61e7 Mon Sep 17 00:00:00 2001 +From: Alejandro Colomar <alx@kernel.org> +Date: Sat, 10 Jun 2023 16:20:05 +0200 +Subject: [PATCH] gpasswd(1): Fix password leak + +How to trigger this password leak? +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +When gpasswd(1) asks for the new password, it asks twice (as is usual +for confirming the new password). Each of those 2 password prompts +uses agetpass() to get the password. If the second agetpass() fails, +the first password, which has been copied into the 'static' buffer +'pass' via STRFCPY(), wasn't being zeroed. + +agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and +can fail for any of the following reasons: + +- malloc(3) or readpassphrase(3) failure. + + These are going to be difficult to trigger. Maybe getting the system + to the limits of memory utilization at that exact point, so that the + next malloc(3) gets ENOMEM, and possibly even the OOM is triggered. + About readpassphrase(3), ENFILE and EINTR seem the only plausible + ones, and EINTR probably requires privilege or being the same user; + but I wouldn't discard ENFILE so easily, if a process starts opening + files. + +- The password is longer than PASS_MAX. + + The is plausible with physical access. However, at that point, a + keylogger will be a much simpler attack. + +And, the attacker must be able to know when the second password is being +introduced, which is not going to be easy. + +How to read the password after the leak? +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Provoking the leak yourself at the right point by entering a very long +password is easy, and inspecting the process stack at that point should +be doable. Try to find some consistent patterns. + +Then, search for those patterns in free memory, right after the victim +leaks their password. 
+ +Once you get the leak, a program should read all the free memory +searching for patterns that gpasswd(1) leaves nearby the leaked +password. + +On 6/10/23 03:14, Seth Arnold wrote: +> An attacker process wouldn't be able to use malloc(3) for this task. +> There's a handful of tools available for userspace to allocate memory: +> +> - brk / sbrk +> - mmap MAP_ANONYMOUS +> - mmap /dev/zero +> - mmap some other file +> - shm_open +> - shmget +> +> Most of these return only pages of zeros to a process. Using mmap of an +> existing file, you can get some of the contents of the file demand-loaded +> into the memory space on the first use. +> +> The MAP_UNINITIALIZED flag only works if the kernel was compiled with +> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare. +> +> malloc(3) doesn't zero memory, to our collective frustration, but all the +> garbage in the allocations is from previous allocations in the current +> process. It isn't leftover from other processes. +> +> The avenues available for reading the memory: +> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot) +> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA) +> - ptrace (requires ptrace privileges, mediated by YAMA) +> - causing memory to be swapped to disk, and then inspecting the swap +> +> These all require a certain amount of privileges. + +How to fix it? +~~~~~~~~~~~~~~ + +memzero(), which internally calls explicit_bzero(3), or whatever +alternative the system provides with a slightly different name, will +make sure that the buffer is zeroed in memory, and optimizations are not +allowed to impede this zeroing. + +This is not really 100% effective, since compilers may place copies of +the string somewhere hidden in the stack. Those copies won't get zeroed +by explicit_bzero(3). However, that's arguably a compiler bug, since +compilers should make everything possible to avoid optimizing strings +that are later passed to explicit_bzero(3). 
But we all know that +sometimes it's impossible to have perfect knowledge in the compiler, so +this is plausible. Nevertheless, there's nothing we can do against such +issues, except minimizing the time such passwords are stored in plain +text. + +Security concerns +~~~~~~~~~~~~~~~~~ + +We believe this isn't easy to exploit. Nevertheless, and since the fix +is trivial, this fix should probably be applied soon, and backported to +all supported distributions, to prevent someone else having more +imagination than us to find a way. + +Affected versions +~~~~~~~~~~~~~~~~~ + +All. Bug introduced in shadow 19990709. That's the second commit in +the git history. + +Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)") + +CVE: CVE-2023-4641 +Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904] + +Reported-by: Alejandro Colomar <alx@kernel.org> +Cc: Serge Hallyn <serge@hallyn.com> +Cc: Iker Pedrosa <ipedrosa@redhat.com> +Cc: Seth Arnold <seth.arnold@canonical.com> +Cc: Christian Brauner <christian@brauner.io> +Cc: Balint Reczey <rbalint@debian.org> +Cc: Sam James <sam@gentoo.org> +Cc: David Runge <dvzrv@archlinux.org> +Cc: Andreas Jaeger <aj@suse.de> +Cc: <~hallyn/shadow@lists.sr.ht> +Signed-off-by: Alejandro Colomar <alx@kernel.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + src/gpasswd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/gpasswd.c b/src/gpasswd.c +index 5983f787..2d8869ef 100644 +--- a/src/gpasswd.c ++++ b/src/gpasswd.c +@@ -896,6 +896,7 @@ static void change_passwd (struct group *gr) + strzero (cp); + cp = getpass (_("Re-enter new password: ")); + if (NULL == cp) { ++ memzero (pass, sizeof pass); + exit (1); + } + +-- +2.34.1 + |
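Review bot: the hunk context in the carried patch (`cp = getpass (_("Re-enter new password: "));`) shows that the shadow version in this recipe still calls getpass(3), while the commit message above it describes the agetpass() and readpassphrase(3) failure modes of newer upstream code; a short line in the patch header stating that the hunk was adapted to the getpass()-based change_passwd() would spare the next reader a search for a function that does not exist in this tree. In the same header, the `From 25dbe2ce166a13322b7536ff2f738786ea2e61e7` line and the `Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904]` line name different commit ids; say which one is the upstream fix being backported, or how the two relate, so the CVE bookkeeping is unambiguous. The change itself, `memzero (pass, sizeof pass);` immediately before `exit (1)` in the `NULL == cp` branch, matches the leak the message describes: the static `pass` buffer, filled from the first prompt, is now cleared on the failed-re-entry exit path rather than left in memory. Note also that the diffstat is limited to this new file, so the matching SRC_URI entry in the shadow recipe is not visible here; confirm it is part of the same update, otherwise the patch is never applied and `CVE: CVE-2023-4641` is not picked up by cve_check.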