coreutils: CVE-2017-18018

CVE-2017-18018-1: doc: clarify chown/chgrp --dereference defaults * doc/coreutils.texi: the documentation for the --dereference flag of chown/chgrp states that it is the default mode of operation. Document that this is only the case when operating non-recursively. CVE-2017-18018-2: doc: warn about following symlinks recursively in chown/chgrp In both chown and chgrp (which shares its code with chown), operating on symlinks recursively has a window of vulnerability where the destination user or group can change the target of the operation. Warn about combining the --dereference, --recursive, and -L flags. * doc/coreutils.texi (warnOptDerefWithRec): Add macro. (node chown invocation): Add it to --dereference and -L. (node chgrp invocation): Likewise. Affects coreutils <= 8.29 (From OE-Core rev: a523bc6a2ff7d5b5415a789de02fb055ccd2c077) Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> 2018-08-22 17:11:41 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-29 15:23:51 +0100
commit: a4ce8dbcc6fafc9bbb9f0f281a4643df265f09b9 (patch)
tree: b8c036f151a7f458f0b5ff2a4960ed954bb75ad3 /meta/recipes-core
parent: c035a200286256d4e9dac378279a0f7fa6d3e279 (diff)
download: poky-a4ce8dbcc6fafc9bbb9f0f281a4643df265f09b9.tar.gz
3 files changed, 125 insertions, 0 deletions
diff --git a/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-1.patch b/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-1.patch
new file mode 100644
index 0000000000..6f31eba26d
--- /dev/null
+++ b/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-1.patch
@@ -0,0 +1,40 @@
+From 7597cfa482e42a00a69fb9577ee523762980a9a2 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Thu, 28 Dec 2017 15:52:42 -0500
+Subject: doc: clarify chown/chgrp --dereference defaults
+* doc/coreutils.texi: the documentation for the --dereference
+  flag of chown/chgrp states that it is the default mode of
+  operation. Document that this is only the case when operating
+  non-recursively.
+CVE: CVE-2017-18018
+Upstream-Status: Backport from v8.30
+Signed-off-by: Michael Orlitzky <michael@orlitzky.com>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ doc/coreutils.texi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff -Naurp coreutils-8.27_org/doc/coreutils.texi coreutils-8.27/doc/coreutils.texi
+--- coreutils-8.27_org/doc/coreutils.texi       2018-07-22 21:09:50.128736692 -0700
+++ coreutils-8.27/doc/coreutils.texi   2018-07-22 21:12:59.972219770 -0700
+@@ -10952,7 +10952,7 @@ chown -h -R --from=OLDUSER NEWUSER /
+ @cindex symbolic links, changing owner
+ @findex lchown
+ Do not act on symbolic links themselves but rather on what they point to.
+-This is the default.
+This is the default when not operating recursively.
+ 
+ @item -h
+ @itemx --no-dereference
+@@ -11082,7 +11082,7 @@ changed.
+ @cindex symbolic links, changing owner
+ @findex lchown
+ Do not act on symbolic links themselves but rather on what they point to.
+-This is the default.
+This is the default when not operating recursively.
+ 
+ @item -h
+ @itemx --no-dereference
diff --git a/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-2.patch b/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-2.patch
new file mode 100644
index 0000000000..c8f5f54acf
--- /dev/null
+++ b/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-2.patch
@@ -0,0 +1,83 @@
+From bc2fd9796403e03bb757b064d44c22fab92e6842 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Thu, 4 Jan 2018 11:38:21 -0500
+Subject: doc: warn about following symlinks recursively in chown/chgrp
+In both chown and chgrp (which shares its code with chown), operating
+on symlinks recursively has a window of vulnerability where the
+destination user or group can change the target of the operation.
+Warn about combining the --dereference, --recursive, and -L flags.
+* doc/coreutils.texi (warnOptDerefWithRec): Add macro.
+(node chown invocation): Add it to --dereference and -L.
+(node chgrp invocation): Likewise.
+See also: CVE-2017-18018
+CVE: CVE-2017-18018
+Upstream-Status: Backport from v8.30
+Signed-off-by: Michael Orlitzky <michael@orlitzky.com>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ doc/coreutils.texi | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+diff --git a/doc/coreutils.texi b/doc/coreutils.texi
+index 6bb9f09..9f5f95b 100644
+--- a/doc/coreutils.texi
+++ b/doc/coreutils.texi
+@@ -1428,6 +1428,19 @@ a command line argument is a symbolic link to a directory, traverse it.
+ In a recursive traversal, traverse every symbolic link to a directory
+ that is encountered.
+ @end macro
+
+@c Append the following warning to -L where appropriate (e.g. chown).
+@macro warnOptDerefWithRec
+
+Combining this dereferencing option with the @option{--recursive} option
+may create a security risk:
+During the traversal of the directory tree, an attacker may be able to
+introduce a symlink to an arbitrary target; when the tool reaches that,
+the operation will be performed on the target of that symlink,
+possibly allowing the attacker to escalate privileges.
+
+@end macro
+
+ @choptL
+ 
+ @macro choptP
+@@ -10995,6 +11008,7 @@ chown -h -R --from=OLDUSER NEWUSER /
+ @findex lchown
+ Do not act on symbolic links themselves but rather on what they point to.
+ This is the default when not operating recursively.
+@warnOptDerefWithRec
+ 
+ @item -h
+ @itemx --no-dereference
+@@ -11051,6 +11065,7 @@ Recursively change ownership of directories and their contents.
+ @xref{Traversing symlinks}.
+ 
+ @choptL
+@warnOptDerefWithRec
+ @xref{Traversing symlinks}.
+ 
+ @choptP
+@@ -11125,6 +11140,7 @@ changed.
+ @findex lchown
+ Do not act on symbolic links themselves but rather on what they point to.
+ This is the default when not operating recursively.
+@warnOptDerefWithRec
+ 
+ @item -h
+ @itemx --no-dereference
+@@ -11180,6 +11196,7 @@ Recursively change the group ownership of directories and their contents.
+ @xref{Traversing symlinks}.
+ 
+ @choptL
+@warnOptDerefWithRec
+ @xref{Traversing symlinks}.
+ 
+ @choptP
+-- 
+cgit v1.0-41-gc330
diff --git a/meta/recipes-core/coreutils/coreutils_8.29.bb b/meta/recipes-core/coreutils/coreutils_8.29.bb
index 4704f32196..b0572afdc0 100644
--- a/meta/recipes-core/coreutils/coreutils_8.29.bb
+++ b/meta/recipes-core/coreutils/coreutils_8.29.bb
@@ -19,6 +19,8 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
           file://0001-uname-report-processor-and-hardware-correctly.patch \
           file://disable-ls-output-quoting.patch \
           file://0001-local.mk-fix-cross-compiling-problem.patch \
+           file://CVE-2017-18018-1.patch \
+           file://CVE-2017-18018-2.patch \
          "
 SRC_URI[md5sum] = "960cfe75a42c9907c71439f8eb436303"
author	Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>	2018-08-22 17:11:41 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-08-29 15:23:51 +0100
commit	a4ce8dbcc6fafc9bbb9f0f281a4643df265f09b9 (patch)
tree	b8c036f151a7f458f0b5ff2a4960ed954bb75ad3 /meta/recipes-core
parent	c035a200286256d4e9dac378279a0f7fa6d3e279 (diff)
download	poky-a4ce8dbcc6fafc9bbb9f0f281a4643df265f09b9.tar.gz

diff --git a/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-1.patch b/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-1.patch new file mode 100644 index 0000000000..6f31eba26d --- /dev/null +++ b/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-1.patch
@@ -0,0 +1,40 @@
		1	From 7597cfa482e42a00a69fb9577ee523762980a9a2 Mon Sep 17 00:00:00 2001
		2	From: Michael Orlitzky <michael@orlitzky.com>
		3	Date: Thu, 28 Dec 2017 15:52:42 -0500
		4	Subject: doc: clarify chown/chgrp --dereference defaults
		5
		6	* doc/coreutils.texi: the documentation for the --dereference
		7	flag of chown/chgrp states that it is the default mode of
		8	operation. Document that this is only the case when operating
		9	non-recursively.
		10
		11	CVE: CVE-2017-18018
		12	Upstream-Status: Backport from v8.30
		13
		14	Signed-off-by: Michael Orlitzky <michael@orlitzky.com>
		15	Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
		16	---
		17	doc/coreutils.texi \| 4 ++--
		18	1 file changed, 2 insertions(+), 2 deletions(-)
		19
		20	diff -Naurp coreutils-8.27_org/doc/coreutils.texi coreutils-8.27/doc/coreutils.texi
		21	--- coreutils-8.27_org/doc/coreutils.texi 2018-07-22 21:09:50.128736692 -0700
		22	+++ coreutils-8.27/doc/coreutils.texi 2018-07-22 21:12:59.972219770 -0700
		23	@@ -10952,7 +10952,7 @@ chown -h -R --from=OLDUSER NEWUSER /
		24	@cindex symbolic links, changing owner
		25	@findex lchown
		26	Do not act on symbolic links themselves but rather on what they point to.
		27	-This is the default.
		28	+This is the default when not operating recursively.
		29
		30	@item -h
		31	@itemx --no-dereference
		32	@@ -11082,7 +11082,7 @@ changed.
		33	@cindex symbolic links, changing owner
		34	@findex lchown
		35	Do not act on symbolic links themselves but rather on what they point to.
		36	-This is the default.
		37	+This is the default when not operating recursively.
		38
		39	@item -h
		40	@itemx --no-dereference


diff --git a/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-2.patch b/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-2.patch new file mode 100644 index 0000000000..c8f5f54acf --- /dev/null +++ b/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-2.patch
@@ -0,0 +1,83 @@
		1	From bc2fd9796403e03bb757b064d44c22fab92e6842 Mon Sep 17 00:00:00 2001
		2	From: Michael Orlitzky <michael@orlitzky.com>
		3	Date: Thu, 4 Jan 2018 11:38:21 -0500
		4	Subject: doc: warn about following symlinks recursively in chown/chgrp
		5
		6	In both chown and chgrp (which shares its code with chown), operating
		7	on symlinks recursively has a window of vulnerability where the
		8	destination user or group can change the target of the operation.
		9	Warn about combining the --dereference, --recursive, and -L flags.
		10
		11	* doc/coreutils.texi (warnOptDerefWithRec): Add macro.
		12	(node chown invocation): Add it to --dereference and -L.
		13	(node chgrp invocation): Likewise.
		14
		15	See also: CVE-2017-18018
		16	CVE: CVE-2017-18018
		17	Upstream-Status: Backport from v8.30
		18
		19	Signed-off-by: Michael Orlitzky <michael@orlitzky.com>
		20	Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
		21	---
		22	doc/coreutils.texi \| 17 +++++++++++++++++
		23	1 file changed, 17 insertions(+)
		24
		25	diff --git a/doc/coreutils.texi b/doc/coreutils.texi
		26	index 6bb9f09..9f5f95b 100644
		27	--- a/doc/coreutils.texi
		28	+++ b/doc/coreutils.texi
		29	@@ -1428,6 +1428,19 @@ a command line argument is a symbolic link to a directory, traverse it.
		30	In a recursive traversal, traverse every symbolic link to a directory
		31	that is encountered.
		32	@end macro
		33	+
		34	+@c Append the following warning to -L where appropriate (e.g. chown).
		35	+@macro warnOptDerefWithRec
		36	+
		37	+Combining this dereferencing option with the @option{--recursive} option
		38	+may create a security risk:
		39	+During the traversal of the directory tree, an attacker may be able to
		40	+introduce a symlink to an arbitrary target; when the tool reaches that,
		41	+the operation will be performed on the target of that symlink,
		42	+possibly allowing the attacker to escalate privileges.
		43	+
		44	+@end macro
		45	+
		46	@choptL
		47
		48	@macro choptP
		49	@@ -10995,6 +11008,7 @@ chown -h -R --from=OLDUSER NEWUSER /
		50	@findex lchown
		51	Do not act on symbolic links themselves but rather on what they point to.
		52	This is the default when not operating recursively.
		53	+@warnOptDerefWithRec
		54
		55	@item -h
		56	@itemx --no-dereference
		57	@@ -11051,6 +11065,7 @@ Recursively change ownership of directories and their contents.
		58	@xref{Traversing symlinks}.
		59
		60	@choptL
		61	+@warnOptDerefWithRec
		62	@xref{Traversing symlinks}.
		63
		64	@choptP
		65	@@ -11125,6 +11140,7 @@ changed.
		66	@findex lchown
		67	Do not act on symbolic links themselves but rather on what they point to.
		68	This is the default when not operating recursively.
		69	+@warnOptDerefWithRec
		70
		71	@item -h
		72	@itemx --no-dereference
		73	@@ -11180,6 +11196,7 @@ Recursively change the group ownership of directories and their contents.
		74	@xref{Traversing symlinks}.
		75
		76	@choptL
		77	+@warnOptDerefWithRec
		78	@xref{Traversing symlinks}.
		79
		80	@choptP
		81	--
		82	cgit v1.0-41-gc330
		83


diff --git a/meta/recipes-core/coreutils/coreutils_8.29.bb b/meta/recipes-core/coreutils/coreutils_8.29.bb index 4704f32196..b0572afdc0 100644 --- a/meta/recipes-core/coreutils/coreutils_8.29.bb +++ b/meta/recipes-core/coreutils/coreutils_8.29.bb
@@ -19,6 +19,8 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
19	file://0001-uname-report-processor-and-hardware-correctly.patch \	19	file://0001-uname-report-processor-and-hardware-correctly.patch \
20	file://disable-ls-output-quoting.patch \	20	file://disable-ls-output-quoting.patch \
21	file://0001-local.mk-fix-cross-compiling-problem.patch \	21	file://0001-local.mk-fix-cross-compiling-problem.patch \
		22	file://CVE-2017-18018-1.patch \
		23	file://CVE-2017-18018-2.patch \
22	"	24	"
23		25
24	SRC_URI[md5sum] = "960cfe75a42c9907c71439f8eb436303"	26	SRC_URI[md5sum] = "960cfe75a42c9907c71439f8eb436303"