shadow: CVE-2018-7169

newgidmap: enforce setgroups=deny if self-mapping a group This is necessary to match the kernel-side policy of "self-mapping in a user namespace is fine, but you cannot drop groups" -- a policy that was created in order to stop user namespaces from allowing trivial privilege escalation by dropping supplementary groups that were "blacklisted" from certain paths. This is the simplest fix for the underlying issue, and effectively makes it so that unless a user has a valid mapping set in /etc/subgid (which only administrators can modify) -- and they are currently trying to use that mapping -- then /proc/$pid/setgroups will be set to deny. This workaround is only partial, because ideally it should be possible to set an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow administrators to further restrict newgidmap(1). We also don't write anything in the "allow" case because "allow" is the default, and users may have already written "deny" even if they technically are allowed to use setgroups. And we don't write anything if the setgroups policy is already "deny". Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 Fixes: CVE-2018-7169 Affects shadow <= 4.5 (From OE-Core rev: a875522540372a4fa6658885692e564dfd729f54) (From OE-Core rev: cfc8931d53cf9959995a4068a7e397e100922358) Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> 2018-08-22 17:11:48 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-10-10 13:27:02 +0100
commit: 9833879d81547b6558c079cc2e71951452e70655 (patch)
tree: af938c24757adf16bc96a7a41f3aa231b521830f /meta/recipes-extended/shadow/shadow.inc
parent: 2f89032e5fcaa248400d3b84287f4ce8c4954547 (diff)
download: poky-9833879d81547b6558c079cc2e71951452e70655.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index 5a493856a3..d7fbca7c77 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -21,6 +21,7 @@ SRC_URI = "https://downloads.yoctoproject.org/mirror/sources/${BP}.tar.xz \
           file://0001-shadow-CVE-2017-12424 \
           file://CVE-2017-2616.patch \
           ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
+           file://CVE-2018-7169.patch \
           "
 SRC_URI_append_class-target = " \
author	Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>	2018-08-22 17:11:48 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-10-10 13:27:02 +0100
commit	9833879d81547b6558c079cc2e71951452e70655 (patch)
tree	af938c24757adf16bc96a7a41f3aa231b521830f /meta/recipes-extended/shadow/shadow.inc
parent	2f89032e5fcaa248400d3b84287f4ce8c4954547 (diff)
download	poky-9833879d81547b6558c079cc2e71951452e70655.tar.gz

diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index 5a493856a3..d7fbca7c77 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc
@@ -21,6 +21,7 @@ SRC_URI = "https://downloads.yoctoproject.org/mirror/sources/${BP}.tar.xz \
21	file://0001-shadow-CVE-2017-12424 \	21	file://0001-shadow-CVE-2017-12424 \
22	file://CVE-2017-2616.patch \	22	file://CVE-2017-2616.patch \
23	${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \	23	${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
		24	file://CVE-2018-7169.patch \
24	"	25	"
25		26
26	SRC_URI_append_class-target = " \	27	SRC_URI_append_class-target = " \