Hello,

On Thursday, 27 September 2018, 18:09:12 CEST, Matthias Gerstner wrote:

the SUSE security team wants to draw your attention to a potential security threat involving the use of `quilt setup ...` on untrusted RPM spec files.
[...]
- The statements in the `%prep` section of the RPM spec file are unconditionally executed in the context of the calling user.
- Arbitrary flags can be passed to `patch` via `%define _default_patch_flags ...` in the spec file. By embedding semicolons into the flags, arbitrary commands can also be injected this way.
- By combining the available vectors, difficult-to-spot malicious code can be hidden in RPM spec files. For example, patch can be caused to follow symlinks, thereby "patching" files in a user's home directory as demonstrated in [1].
I'd like to add that code can also be executed via %define, for example

    %define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)

This %define will also run as part of quilt setup.
A demonstration works like this:
```sh
$ osc co home:mgerstner/surprise
$ cd home:mgerstner/surprise
$ quilt setup surprise.spec
# notice the surprise
$ bash
```
My latest test doesn't show any surprise when starting bash.
Maybe the reason is that I just created an AppArmor profile for quilt? ;-)
I'll paste it below - if you want to use it, save it as
/etc/apparmor.d/usr.bin.quilt, then adjust @{packages_dir} and run
`rcapparmor reload`.
Notes:
- you'll HAVE TO adjust @{packages_dir} to your needs - it has to be set
  to the directory where you run osc co
- write access is restricted to
  - *.diff, *.diff~, *.patch, *.patch~
  - the directory with the extracted tarball
  - tempfiles in /tmp/ and /var/tmp/
  Note that quilt could modify files of another package in @{packages_dir}
  matching the above patterns, so there's no perfect protection.
- I only tested the quilt commands I typically use - setup, push, pop,
  edit, refresh
- all tests were done using the apparmor package (which includes the
  %define quoted above - that's also the reason why the profile allows
  reading a file in /usr/share/apache2/)
- other packages might need other / more permissions - you can update
  the profile with aa-logprof
Questions and feedback welcome - maybe we can even come up with a
profile that is good enough for everybody, and ship that as part of the
quilt rpm ;-)
That all said - here's my AppArmor profile for quilt:
# ---------------------------------------------------------------------
# packages directory
# expected layout is @{packages_dir}/$project/$package/
# so set it to the directory where you run osc co
@{packages_dir} = /home/cb/packages/
#include
good luck,

Usually "good luck" is going together with "as I told you before" :)
[> Greg KH and Johannes Nohl in opensuse-project]
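As an added pre-check (an editor's example, not code from this thread, from quilt or from rpm), the script below scans a spec file for the vectors the thread names before the file is handed to `quilt setup`: `%(...)` shell expansions in `%define`/`%global` values, a `_default_patch_flags` override carrying a shell separator, and the presence of a `%prep` section. The regexes and the sample spec are constructed for this example; the macro value in it mirrors the apxs2 line quoted above.

```python
import re

# Constructed patterns for the vectors discussed in the thread (not rpm's own parser).
PATCH_FLAGS = re.compile(r'^\s*%(?:define|global)\s+_default_patch_flags\b(.*)$')
SHELL_MACRO = re.compile(r'^\s*%(?:define|global)\s+(\S+)\s+(.*%\(.*)$')
PREP = re.compile(r'^\s*%prep\b')
SEPARATORS = (';', '`', '$(', '&&', '|')   # shell tokens that should never appear in patch flags

def audit_spec(spec_text):
    """Return (line_no, severity, reason) for each line that matches a known vector."""
    findings = []
    for no, line in enumerate(spec_text.splitlines(), 1):
        m = PATCH_FLAGS.match(line)
        if m:
            flags = m.group(1)
            if any(sep in flags for sep in SEPARATORS):
                findings.append((no, 'high', 'patch flags carry a shell separator'))
            else:
                findings.append((no, 'info', 'spec overrides the flags passed to patch'))
            continue
        m = SHELL_MACRO.match(line)
        if m:
            findings.append((no, 'high', f'macro {m.group(1)} runs a %(...) shell expansion'))
            continue
        if PREP.match(line):
            findings.append((no, 'info', '%prep statements run as the calling user'))
    return findings

def needs_review(spec_text):
    """True when the spec should be read by a human before running quilt setup on it."""
    return any(sev == 'high' for _, sev, _ in audit_spec(spec_text))

# Constructed sample spec: one %(...) macro and one _default_patch_flags override with a ';'.
SAMPLE_SPEC = """\
Name:           surprise
Version:        1.0
%define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
%define _default_patch_flags -p1 ; echo injected
Patch0:         fix.patch
%prep
%setup -q
%patch0
"""

if __name__ == '__main__':
    for no, sev, reason in audit_spec(SAMPLE_SPEC):
        print(f'line {no}: [{sev}] {reason}')
    print('needs review:', needs_review(SAMPLE_SPEC))
```

The check is textual and only covers the vectors quoted in this thread; a spec that passes it still runs its `%prep` section as your user, so the AppArmor confinement above remains the actual safety net.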