shadow: CVE-2018-7169

newgidmap: enforce setgroups=deny if self-mapping a group This is necessary to match the kernel-side policy of "self-mapping in a user namespace is fine, but you cannot drop groups" -- a policy that was created in order to stop user namespaces from allowing trivial privilege escalation by dropping supplementary groups that were "blacklisted" from certain paths. This is the simplest fix for the underlying issue, and effectively makes it so that unless a user has a valid mapping set in /etc/subgid (which only administrators can modify) -- and they are currently trying to use that mapping -- then /proc/$pid/setgroups will be set to deny. This workaround is only partial, because ideally it should be possible to set an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow administrators to further restrict newgidmap(1). We also don't write anything in the "allow" case because "allow" is the default, and users may have already written "deny" even if they technically are allowed to use setgroups. And we don't write anything if the setgroups policy is already "deny". Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 Fixes: CVE-2018-7169 Affects shadow <= 4.5 (From OE-Core rev: a875522540372a4fa6658885692e564dfd729f54) Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> 2018-08-22 17:11:48 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-29 15:23:51 +0100
commit: f183e88d06881ebc818419e978e2ddb8b588d14d (patch)
tree: 426172069be7670051431684fe2eea8bed80d07f /meta/recipes-extended/shadow/shadow.inc
parent: 8fcd5a31b9563de0f208826cfb3aaf1da886b286 (diff)
download: poky-f183e88d06881ebc818419e978e2ddb8b588d14d.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index 6efe4a9119..9691c3879a 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -20,6 +20,7 @@ SRC_URI = "https://downloads.yoctoproject.org/mirror/sources/${BP}.tar.xz \
           file://0001-shadow-CVE-2017-12424 \
           file://CVE-2017-2616.patch \
           ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
+           file://CVE-2018-7169.patch \
           "
 SRC_URI_append_class-target = " \
author	Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>	2018-08-22 17:11:48 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-08-29 15:23:51 +0100
commit	f183e88d06881ebc818419e978e2ddb8b588d14d (patch)
tree	426172069be7670051431684fe2eea8bed80d07f /meta/recipes-extended/shadow/shadow.inc
parent	8fcd5a31b9563de0f208826cfb3aaf1da886b286 (diff)
download	poky-f183e88d06881ebc818419e978e2ddb8b588d14d.tar.gz

diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index 6efe4a9119..9691c3879a 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc
@@ -20,6 +20,7 @@ SRC_URI = "https://downloads.yoctoproject.org/mirror/sources/${BP}.tar.xz \
20	file://0001-shadow-CVE-2017-12424 \	20	file://0001-shadow-CVE-2017-12424 \
21	file://CVE-2017-2616.patch \	21	file://CVE-2017-2616.patch \
22	${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \	22	${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
		23	file://CVE-2018-7169.patch \
23	"	24	"
24		25
25	SRC_URI_append_class-target = " \	26	SRC_URI_append_class-target = " \