2 files changed, 105 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/freeradius/files/0001-su-to-radiusd-user-group-when-rotating-logs.patch b/meta-networking/recipes-connectivity/freeradius/files/0001-su-to-radiusd-user-group-when-rotating-logs.patch
new file mode 100644
index 000000000..5859dc7ed
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/0001-su-to-radiusd-user-group-when-rotating-logs.patch
@@ -0,0 +1,104 @@
+From 1f233773962bf1a9c2d228a180eacddb9db2d574 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Tue, 7 May 2019 16:04:29 -0400
+Subject: [PATCH] su to radiusd user/group when rotating logs
+The su directive to logrotate ensures that log rotation happens under the
+owner of the logs. Otherwise, logrotate runs as root:root, potentially
+enabling privilege escalation if a RCE is discovered against the
+FreeRADIUS daemon.
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+Upstream-Status: Backport
+[https://github.com/FreeRADIUS/freeradius-server/commit/1f233773962bf1a9c2d228a180eacddb9db2d574]
+CVE: CVE-2019-10143
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ debian/freeradius.logrotate  | 3 +++
+ redhat/freeradius-logrotate  | 1 +
+ scripts/logrotate/freeradius | 3 +++
+ suse/radiusd-logrotate       | 1 +
+ 4 files changed, 8 insertions(+)
+diff --git a/debian/freeradius.logrotate b/debian/freeradius.logrotate
+index 7d837d5..a8d29b7 100644
+--- a/debian/freeradius.logrotate
+++ b/debian/freeradius.logrotate
+@@ -9,6 +9,7 @@
+        notifempty
+ 
+        copytruncate
+       su freerad freerad
+ }
+ 
+ # (in order)
+@@ -26,6 +27,7 @@
+        notifempty
+ 
+        nocreate
+       su freerad freerad
+ }
+ 
+ # There are different detail-rotating strategies you can use.  One is
+@@ -45,4 +47,5 @@
+        notifempty
+ 
+        nocreate
+       su freerad freerad
+ }
+diff --git a/redhat/freeradius-logrotate b/redhat/freeradius-logrotate
+index 360765d..bb97ca5 100644
+--- a/redhat/freeradius-logrotate
+++ b/redhat/freeradius-logrotate
+@@ -9,6 +9,7 @@ rotate 4
+ missingok
+ compress
+ delaycompress
+su radiusd radiusd
+ 
+ #
+ #  The main server log
+diff --git a/scripts/logrotate/freeradius b/scripts/logrotate/freeradius
+index 3de435e..eecf631 100644
+--- a/scripts/logrotate/freeradius
+++ b/scripts/logrotate/freeradius
+@@ -17,6 +17,7 @@
+        notifempty
+ 
+        copytruncate
+       su radiusd radiusd
+ }
+ 
+ # (in order)
+@@ -34,6 +35,7 @@
+        notifempty
+ 
+        nocreate
+       su radiusd radiusd
+ }
+ 
+ # There are different detail-rotating strategies you can use.  One is
+@@ -53,4 +55,5 @@
+        notifempty
+ 
+        nocreate
+       su radiusd radiusd
+ }
+diff --git a/suse/radiusd-logrotate b/suse/radiusd-logrotate
+index 24d56be..be5a797 100644
+--- a/suse/radiusd-logrotate
+++ b/suse/radiusd-logrotate
+@@ -11,6 +11,7 @@ missingok
+ compress
+ delaycompress
+ notifempty
+su radiusd radiusd
+ 
+ #
+ #  The main server log
+-- 
+2.7.4
diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.19.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.19.bb
index 9da15e07a..8c95bbae3 100644
--- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.19.bb
+++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.19.bb
@@ -26,6 +26,7 @@ SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x; \
    file://freeradius-fix-quoting-for-BUILT_WITH.patch \
    file://freeradius-fix-error-for-expansion-of-macro.patch \
    file://0001-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch \
+    file://0001-su-to-radiusd-user-group-when-rotating-logs.patch \
    file://radiusd.service \
    file://radiusd-volatiles.conf \
 "

diff --git a/meta-networking/recipes-connectivity/freeradius/files/0001-su-to-radiusd-user-group-when-rotating-logs.patch b/meta-networking/recipes-connectivity/freeradius/files/0001-su-to-radiusd-user-group-when-rotating-logs.patch new file mode 100644 index 000000000..5859dc7ed --- /dev/null +++ b/meta-networking/recipes-connectivity/freeradius/files/0001-su-to-radiusd-user-group-when-rotating-logs.patch
@@ -0,0 +1,104 @@
		1	From 1f233773962bf1a9c2d228a180eacddb9db2d574 Mon Sep 17 00:00:00 2001
		2	From: Alexander Scheel <ascheel@redhat.com>
		3	Date: Tue, 7 May 2019 16:04:29 -0400
		4	Subject: [PATCH] su to radiusd user/group when rotating logs
		5
		6	The su directive to logrotate ensures that log rotation happens under the
		7	owner of the logs. Otherwise, logrotate runs as root:root, potentially
		8	enabling privilege escalation if a RCE is discovered against the
		9	FreeRADIUS daemon.
		10
		11	Signed-off-by: Alexander Scheel <ascheel@redhat.com>
		12
		13	Upstream-Status: Backport
		14	[https://github.com/FreeRADIUS/freeradius-server/commit/1f233773962bf1a9c2d228a180eacddb9db2d574]
		15
		16	CVE: CVE-2019-10143
		17
		18	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		19	---
		20	debian/freeradius.logrotate \| 3 +++
		21	redhat/freeradius-logrotate \| 1 +
		22	scripts/logrotate/freeradius \| 3 +++
		23	suse/radiusd-logrotate \| 1 +
		24	4 files changed, 8 insertions(+)
		25
		26	diff --git a/debian/freeradius.logrotate b/debian/freeradius.logrotate
		27	index 7d837d5..a8d29b7 100644
		28	--- a/debian/freeradius.logrotate
		29	+++ b/debian/freeradius.logrotate
		30	@@ -9,6 +9,7 @@
		31	notifempty
		32
		33	copytruncate
		34	+ su freerad freerad
		35	}
		36
		37	# (in order)
		38	@@ -26,6 +27,7 @@
		39	notifempty
		40
		41	nocreate
		42	+ su freerad freerad
		43	}
		44
		45	# There are different detail-rotating strategies you can use. One is
		46	@@ -45,4 +47,5 @@
		47	notifempty
		48
		49	nocreate
		50	+ su freerad freerad
		51	}
		52	diff --git a/redhat/freeradius-logrotate b/redhat/freeradius-logrotate
		53	index 360765d..bb97ca5 100644
		54	--- a/redhat/freeradius-logrotate
		55	+++ b/redhat/freeradius-logrotate
		56	@@ -9,6 +9,7 @@ rotate 4
		57	missingok
		58	compress
		59	delaycompress
		60	+su radiusd radiusd
		61
		62	#
		63	# The main server log
		64	diff --git a/scripts/logrotate/freeradius b/scripts/logrotate/freeradius
		65	index 3de435e..eecf631 100644
		66	--- a/scripts/logrotate/freeradius
		67	+++ b/scripts/logrotate/freeradius
		68	@@ -17,6 +17,7 @@
		69	notifempty
		70
		71	copytruncate
		72	+ su radiusd radiusd
		73	}
		74
		75	# (in order)
		76	@@ -34,6 +35,7 @@
		77	notifempty
		78
		79	nocreate
		80	+ su radiusd radiusd
		81	}
		82
		83	# There are different detail-rotating strategies you can use. One is
		84	@@ -53,4 +55,5 @@
		85	notifempty
		86
		87	nocreate
		88	+ su radiusd radiusd
		89	}
		90	diff --git a/suse/radiusd-logrotate b/suse/radiusd-logrotate
		91	index 24d56be..be5a797 100644
		92	--- a/suse/radiusd-logrotate
		93	+++ b/suse/radiusd-logrotate
		94	@@ -11,6 +11,7 @@ missingok
		95	compress
		96	delaycompress
		97	notifempty
		98	+su radiusd radiusd
		99
		100	#
		101	# The main server log
		102	--
		103	2.7.4
		104


diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.19.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.19.bb index 9da15e07a..8c95bbae3 100644 --- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.19.bb +++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.19.bb
@@ -26,6 +26,7 @@ SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x; \
26	file://freeradius-fix-quoting-for-BUILT_WITH.patch \	26	file://freeradius-fix-quoting-for-BUILT_WITH.patch \
27	file://freeradius-fix-error-for-expansion-of-macro.patch \	27	file://freeradius-fix-error-for-expansion-of-macro.patch \
28	file://0001-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch \	28	file://0001-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch \
		29	file://0001-su-to-radiusd-user-group-when-rotating-logs.patch \
29	file://radiusd.service \	30	file://radiusd.service \
30	file://radiusd-volatiles.conf \	31	file://radiusd-volatiles.conf \
31	"	32	"