This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated
       via  5bfdb4e5398d697bc7dfafd4c91ef38c4b610d68 (commit)
       via  cad867506d768bb049ee7083bdfdeaf8a9e8cce4 (commit)
       via  cad2ce78dde6d3df70c1bbde011bb677b8df9ae4 (commit)
       via  2506def0a603ea4111bfb0f87794bd5a9c9a48fd (commit)
       via  e0da038fc9d5f970150976715ef9d5d28f48092b (commit)
       via  0db4fbe1b521db9f2f62b5a3229dcd8fb5d974f4 (commit)
       via  423e2e7f92e4baba13dab98160c87f13087960b7 (commit)
       via  1e0314afdfd26566605fb3ca735e239023bc3d31 (commit)
       via  c8d047f562f5aef6769ee44380dec81332cb904e (commit)
       via  95229400b3cdc093e648cd20b9da48d151bdae83 (commit)
       via  f4dca7f1afd184dcf1c23325ac079af0f490816b (commit)
       via  bc82eb79b111eb2dbca250530e8a7171fb86e46c (commit)
      from  24c8e6a6df46745963afd1f9f67fca0350f477c6 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 5bfdb4e5398d697bc7dfafd4c91ef38c4b610d68
Merge: 24c8e6a6d cad867506
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Wed Apr 13 08:11:05 2022 +0000
Merge branch 'next'
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/common/libloc                     |  2 +-
 config/rootfiles/core/167/filelists/files          |  3 +
 .../{oldcore/148 => core/167}/filelists/libloc     |  0
 .../{oldcore/111 => core/167}/filelists/vnstat     |  0
 .../{oldcore/100 => core/167}/filelists/xz         |  0
 config/rootfiles/core/167/update.sh                | 72 ++++++++++++++++-
 lfs/libloc                                         |  8 +-
 lfs/stage2                                         |  3 +-
 lfs/xz                                             |  1 +
 src/initscripts/system/mountfs                     |  6 --
 src/initscripts/system/partresize                  |  6 --
 src/patches/xzgrep-ZDI-CAN-16587.patch             | 94 ++++++++++++++++++++++
 12 files changed, 176 insertions(+), 19 deletions(-)
 copy config/rootfiles/{oldcore/148 => core/167}/filelists/libloc (100%)
 copy config/rootfiles/{oldcore/111 => core/167}/filelists/vnstat (100%)
 copy config/rootfiles/{oldcore/100 => core/167}/filelists/xz (100%)
 create mode 100644 src/patches/xzgrep-ZDI-CAN-16587.patch
Difference in files: diff --git a/config/rootfiles/common/libloc b/config/rootfiles/common/libloc index c7335c7ef..955e91cde 100644 --- a/config/rootfiles/common/libloc +++ b/config/rootfiles/common/libloc @@ -18,7 +18,7 @@ usr/bin/location #usr/lib/libloc.la #usr/lib/libloc.so usr/lib/libloc.so.1 -usr/lib/libloc.so.1.0.1 +usr/lib/libloc.so.1.0.2 usr/lib/perl5/site_perl/5.32.1/xxxMACHINExxx-linux-thread-multi/Location.pm #usr/lib/perl5/site_perl/5.32.1/xxxMACHINExxx-linux-thread-multi/auto/Location #usr/lib/perl5/site_perl/5.32.1/xxxMACHINExxx-linux-thread-multi/auto/Location/.packlist diff --git a/config/rootfiles/core/167/filelists/files b/config/rootfiles/core/167/filelists/files index 7e85b24ac..18f533e93 100644 --- a/config/rootfiles/core/167/filelists/files +++ b/config/rootfiles/core/167/filelists/files @@ -1,7 +1,9 @@ etc/collectd.conf etc/inittab.d etc/rc.d/init.d/firewall +etc/rc.d/init.d/mountfs etc/rc.d/init.d/pakfire +etc/rc.d/init.d/partresize etc/sysctl.conf lib/udev/network-hotplug-bridges srv/web/ipfire/cgi-bin/connections.cgi @@ -10,6 +12,7 @@ srv/web/ipfire/cgi-bin/getrrdimage.cgi srv/web/ipfire/cgi-bin/ids.cgi srv/web/ipfire/cgi-bin/location-block.cgi usr/lib/firewall/rules.pl +usr/lib/perl5/site_perl/5.32.1/Net/IP.pm usr/local/bin/backupiso usr/sbin/unbound-dhcp-leases-bridge var/ipfire/backup/include diff --git a/config/rootfiles/core/167/filelists/libloc b/config/rootfiles/core/167/filelists/libloc new file mode 120000 index 000000000..ff4a92429 --- /dev/null +++ b/config/rootfiles/core/167/filelists/libloc @@ -0,0 +1 @@ +../../../common/libloc \ No newline at end of file diff --git a/config/rootfiles/core/167/filelists/vnstat b/config/rootfiles/core/167/filelists/vnstat new file mode 120000 index 000000000..2e2e6100b --- /dev/null +++ b/config/rootfiles/core/167/filelists/vnstat @@ -0,0 +1 @@ +../../../common/vnstat \ No newline at end of file 
diff --git a/config/rootfiles/core/167/filelists/xz b/config/rootfiles/core/167/filelists/xz new file mode 120000 index 000000000..734e926c7 --- /dev/null +++ b/config/rootfiles/core/167/filelists/xz @@ -0,0 +1 @@ +../../../common/xz \ No newline at end of file diff --git a/config/rootfiles/core/167/update.sh b/config/rootfiles/core/167/update.sh index fdcb843cf..0f98f1757 100644 --- a/config/rootfiles/core/167/update.sh +++ b/config/rootfiles/core/167/update.sh @@ -26,11 +26,61 @@
core=167
+exit_with_error() { + # Set last succesfull installed core. + echo $(($core-1)) > /opt/pakfire/db/core/mine + # force fsck at next boot, this may fix free space on xfs + touch /forcefsck + # don't start pakfire again at error + killall -KILL pak_update + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: $1" + exit $2 +} + # Remove old core updates from pakfire cache to save space... for (( i=1; i<=$core; i++ )); do rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire done
+ +KVER="xxxKVERxxx" + +# Backup uEnv.txt if exist +if [ -e /boot/uEnv.txt ]; then + cp -vf /boot/uEnv.txt /boot/uEnv.txt.org +fi + +# Do some sanity checks. +case $(uname -r) in + *-ipfire*) + # Ok. + ;; + *) + exit_with_error "ERROR cannot update. No IPFire Kernel." 1 + ;; +esac + +# Check diskspace on root +ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + +if [ $ROOTSPACE -lt 100000 ]; then + exit_with_error "ERROR cannot update because not enough free space on root." 2 + exit 2 +fi + +# Remove the old kernel +rm -rf /boot/System.map-* +rm -rf /boot/config-* +rm -rf /boot/ipfirerd-* +rm -rf /boot/initramfs-* +rm -rf /boot/vmlinuz-* +rm -rf /boot/uImage-* +rm -rf /boot/zImage-* +rm -rf /boot/uInit-* +rm -rf /boot/dtb-* +rm -rf /lib/modules + # Remove files rm -rvf \ /bin/setserial \ @@ -272,7 +322,6 @@ rm -rvf \ /usr/lib/libxslt.so \ /usr/lib/pango \ /usr/lib/perl5/site_perl/5.30.0 \ - /usr/lib/perl5/site_perl/5.32.1/Net/IP.pm \ /usr/lib/python3.8/ensurepip/_bundled/pip-19.2.3-py2.py3-none-any.whl \ /usr/lib/python3.8/idlelib/Icons/idle.icns \ /usr/lib/python3.8/lib2to3/Grammar3.8.1.final.0.pickle \ @@ -337,6 +386,13 @@ hardlink -c -vv /lib/firmware # Regenerate all initrds dracut --regenerate-all --force
+# Replace /etc/mtab by symlink as mount no longer writes it +rm -vf /etc/mtab +ln -vs /proc/self/mounts /etc/mtab + +# Export the location database again and reload the firewall engine +/usr/local/bin/update-location-database + # Rebuild IPS rules perl -e "require '/var/ipfire/ids-functions.pl'; &IDS::oinkmaster();" /etc/init.d/suricata reload @@ -362,6 +418,20 @@ if [ -e "/opt/pakfire/db/installed/meta-nano" ] && [ -e "/opt/pakfire/db/meta/me /opt/pakfire/db/rootfiles/nano fi
+# remove lm_sensor config after collectd was started +# to reserch sensors at next boot with updated kernel +rm -f /etc/sysconfig/lm_sensors + +# Upadate Kernel version uEnv.txt +if [ -e /boot/uEnv.txt ]; then + sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt +fi + +# call user update script (needed for some arm boards) +if [ -e /boot/pakfire-kernel-update ]; then + /boot/pakfire-kernel-update ${KVER} +fi + # This update needs a reboot... touch /var/run/need_reboot
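Review bot: in the `@@ -26,11 +26,61 @@` hunk of update.sh the free-space check is not robust: `$ROOTSPACE` is unquoted and the `df | sed | cut | tail` pipeline has no fallback, so if it yields an empty string `[ -lt 100000 ]` is a test error, which evaluates as false, and the update proceeds without the check. Use `if [ "${ROOTSPACE:-0}" -lt 100000 ]; then` instead. The `exit 2` right after `exit_with_error "..." 2` is unreachable because the function exits itself, and the comment `Set last succesfull installed core` should read `successful`. The ordering is otherwise right: both `exit_with_error` calls precede the `rm -rf /boot/vmlinuz-*` / `rm -rf /lib/modules` block, and no failure path after that block may exit without a kernel in place.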
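Review bot: in the `@@ -337,6 +386,13 @@` hunk, `ln -vs /proc/self/mounts /etc/mtab` has no `-f`, and since update.sh does not run under `set -e`, a "File exists" failure here would be logged and ignored, leaving the old regular file behind; `ln -vsf /proc/self/mounts /etc/mtab` is the safe form and also covers systems where the `rm -vf` did not remove anything. The `/usr/local/bin/update-location-database` call depends on the new libloc (libloc.so.1.0.2 and Location.pm per the rootfile change) already being on disk; the file extraction step is not in the visible hunks, so confirm that it runs before this point.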
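Review bot: in the `@@ -362,6 +418,20 @@` hunk the sed expression `s/KVER=.*/KVER=${KVER}/g` is unanchored, so any line of /boot/uEnv.txt that merely contains `KVER=` (for example a differently named variable ending in KVER) would be rewritten; anchor it as `sed -i -e "s/^KVER=.*/KVER=${KVER}/" /boot/uEnv.txt`. The comments also carry typos: `reserch` should be `re-detect` and `Upadate` should be `Update`.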
diff --git a/lfs/libloc b/lfs/libloc index c9b82383a..71939a966 100644 --- a/lfs/libloc +++ b/lfs/libloc @@ -24,8 +24,8 @@
include Config
-VER = 0.9.11 -DB_DATE = 2022-02-16 +VER = 0.9.13 +DB_DATE = 2022-04-12
THISAPP = libloc-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -43,8 +43,8 @@ objects = $(DL_FILE) \ $(DL_FILE) = https://source.ipfire.org/releases/libloc/$(DL_FILE) location-$(DB_DATE).db.xz = https://location.ipfire.org/databases/1/archive/location-$(DB_DATE).db.xz
-$(DL_FILE)_BLAKE2 = 46df0dc058235ede47c103c9be5882f50b688c80613c2bdf6f3bc40a2effff67e3ef77cd28142dc3b3fb832689a345e8840fe466738e7ae151698e98c17a68ed -location-$(DB_DATE).db.xz_BLAKE2 = 9ba0ae5bbabef1a0f692cee11515796d754b2f83aa21c2a2730b4d04249606fe00df856dad08fbdfdad3fad6b06c902b36e3a7717181ce0fac4738b46737b5b4 +$(DL_FILE)_BLAKE2 = 5fccd6f0564899499939c63af8975f20b1f7d5267a8cf6c15e14ab377b9d5c008ae5e154c804ac6a1106471aaeebac97dc4ebe6b70fc1e59f416fe2cc02c52a7 +location-$(DB_DATE).db.xz_BLAKE2 = 8634405ddba8c38d4512ec586722faaeccb295b8bfe7778e52e7bb60dfe804c6a3ae201d04a43d200e1118cf5fed05ef3eada59e2dd6386fe37023274ccb6795
install : $(TARGET)
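Review bot: the libloc bump is consistent across the merge: both BLAKE2 checksums were regenerated together with VER and DB_DATE, config/rootfiles/common/libloc moves from libloc.so.1.0.1 to libloc.so.1.0.2, and core/167 gains a libloc filelist symlink so installed systems actually receive the new library. Nothing to change here; just make sure the core 167 update.sh runs its `update-location-database` call only after these files are extracted.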
diff --git a/lfs/stage2 b/lfs/stage2 index 9f93babe2..39697a848 100644 --- a/lfs/stage2 +++ b/lfs/stage2 @@ -87,7 +87,8 @@ endif cp -rvf $(DIR_SRC)/config/etc/* /etc; [ ! -d "$(DIR_SRC)/config/etc-$(BUILD_ARCH)" ] || cp -rvf $(DIR_SRC)/config/etc-$(BUILD_ARCH)/* /etc cp -rvf $(DIR_SRC)/config/lib/* /lib; - touch /etc/{fs,m}tab + touch /etc/fstab + ln -s /proc/self/mounts /etc/mtab echo "$(NAME) v$(VERSION) - $(SLOGAN)" > /etc/issue echo "===============================" >> /etc/issue echo "\n running on \s \r \m" >> /etc/issue diff --git a/lfs/xz b/lfs/xz index 586fbc90f..9345df954 100644 --- a/lfs/xz +++ b/lfs/xz @@ -75,6 +75,7 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -p1 -i $(DIR_SRC)/src/patches/xzgrep-ZDI-CAN-16587.patch cd $(DIR_APP) && ./configure --prefix=$(PREFIX) cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install diff --git a/src/initscripts/system/mountfs b/src/initscripts/system/mountfs index b1533d6a2..81ed729c1 100644 --- a/src/initscripts/system/mountfs +++ b/src/initscripts/system/mountfs @@ -31,12 +31,6 @@ case "${1}" in # Remove fsck-related file system watermarks. rm -f /fastboot /forcefsck
- boot_mesg "Create /etc/mtab..." - > /etc/mtab - mount -f / || failed=1 - (exit ${failed}) - evaluate_retval - # This will mount all filesystems that do not have _netdev in # their option list. _netdev denotes a network filesystem. boot_mesg "Mounting remaining file systems..." diff --git a/src/initscripts/system/partresize b/src/initscripts/system/partresize index 7605b9e2b..147405e1e 100644 --- a/src/initscripts/system/partresize +++ b/src/initscripts/system/partresize @@ -30,12 +30,6 @@ case "${1}" in mount -o remount,rw / > /dev/null evaluate_retval
- boot_mesg "Create /etc/mtab..." - > /etc/mtab - mount -f / || failed=1 - (exit ${failed}) - evaluate_retval - # check if serial console enabled scon="off"; if [ ! "$(grep "console=ttyS0" /proc/cmdline)" == "" ]; then diff --git a/src/patches/xzgrep-ZDI-CAN-16587.patch b/src/patches/xzgrep-ZDI-CAN-16587.patch new file mode 100644 index 000000000..406ded590 --- /dev/null +++ b/src/patches/xzgrep-ZDI-CAN-16587.patch 
@@ -0,0 +1,94 @@ +From 69d1b3fc29677af8ade8dc15dba83f0589cb63d6 Mon Sep 17 00:00:00 2001 +From: Lasse Collin lasse.collin@tukaani.org +Date: Tue, 29 Mar 2022 19:19:12 +0300 +Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587). + +Malicious filenames can make xzgrep to write to arbitrary files +or (with a GNU sed extension) lead to arbitrary code execution. + +xzgrep from XZ Utils versions up to and including 5.2.5 are +affected. 5.3.1alpha and 5.3.2alpha are affected as well. +This patch works for all of them. + +This bug was inherited from gzip's zgrep. gzip 1.12 includes +a fix for zgrep. + +The issue with the old sed script is that with multiple newlines, +the N-command will read the second line of input, then the +s-commands will be skipped because it's not the end of the +file yet, then a new sed cycle starts and the pattern space +is printed and emptied. So only the last line or two get escaped. + +One way to fix this would be to read all lines into the pattern +space first. However, the included fix is even simpler: All lines +except the last line get a backslash appended at the end. To ensure +that shell command substitution doesn't eat a possible trailing +newline, a colon is appended to the filename before escaping. +The colon is later used to separate the filename from the grep +output so it is fine to add it here instead of a few lines later. + +The old code also wasn't POSIX compliant as it used \n in the +replacement section of the s-command. Using <newline> is the +POSIX compatible method. + +LC_ALL=C was added to the two critical sed commands. POSIX sed +manual recommends it when using sed to manipulate pathnames +because in other locales invalid multibyte sequences might +cause issues with some sed implementations. 
In case of GNU sed, +these particular sed scripts wouldn't have such problems but some +other scripts could have, see: + + info '(sed)Locale Considerations' + +This vulnerability was discovered by: +cleemy desu wayo working with Trend Micro Zero Day Initiative + +Thanks to Jim Meyering and Paul Eggert discussing the different +ways to fix this and for coordinating the patch release schedule +with gzip. +--- + src/scripts/xzgrep.in | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in +index b180936..e5186ba 100644 +--- a/src/scripts/xzgrep.in ++++ b/src/scripts/xzgrep.in +@@ -180,22 +180,26 @@ for i; do + { test $# -eq 1 || test $no_filename -eq 1; }; then + eval "$grep" + else ++ # Append a colon so that the last character will never be a newline ++ # which would otherwise get lost in shell command substitution. ++ i="$i:" ++ ++ # Escape & \ | and newlines only if such characters are present ++ # (speed optimization). + case $i in + (*' + '* | *'&'* | *''* | *'|'*) +- i=$(printf '%s\n' "$i" | +- sed ' +- $!N +- $s/[&|]/\&/g +- $s/\n/\n/g +- ');; ++ i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&|]/\&/g; $!s/$/\/');; + esac +- sed_script="s|^|$i:|" ++ ++ # $i already ends with a colon so don't add it here. ++ sed_script="s|^|$i|" + + # Fail if grep or sed fails. + r=$( + exec 4>&1 +- (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&- ++ (eval "$grep" 4>&-; echo $? >&4) 3>&- | ++ LC_ALL=C sed "$sed_script" >&3 4>&- + ) || r=2 + exit $r + fi >&3 5>&- +-- +2.35.1 +
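Review bot: in the lfs/stage2 hunk, `ln -s /proc/self/mounts /etc/mtab` is not idempotent where the `touch /etc/{fs,m}tab` it replaces was: if /etc/mtab already exists in the build root (for example from a previous run, or if anything under config/etc ships one) the `ln` fails and, as a make recipe line, aborts the stage2 build. `ln -sf /proc/self/mounts /etc/mtab` keeps the recipe re-runnable.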
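Review bot: in the lfs/xz hunk the patch is applied between `tar axf` and `./configure`, so the tarball checksum stays valid and no hash bump is needed. Because xz is a common rootfile rather than a pak, the rebuilt xzgrep reaches installed systems only through the new config/rootfiles/core/167/filelists/xz symlink, which this merge does add; keep that pairing in mind if the patch is ever backported to another core.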
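Review bot: the mountfs and partresize hunks are required rather than cosmetic: with /etc/mtab now a symlink to /proc/self/mounts (lfs/stage2 for new builds, update.sh for updated systems), `> /etc/mtab` would attempt to truncate a read-only proc file and fail, and `mount -f /` would have nothing to record. Both initscripts are listed in config/rootfiles/core/167/filelists/files, so they ship in the same core update as the symlink, which is the right order.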
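Review bot: as rendered in this mail the src/patches/xzgrep-ZDI-CAN-16587.patch hunk has lost its backslashes: the case alternative reads `*''*` (an empty pattern that would match every filename), the old script reads `$s/\n/\n/g` (a no-op replacement), and the new command reads `s/[&|]/\&/g; $!s/$/\/`, which is not a valid sed program as shown because `\/` is an escaped delimiter and the s command is left unterminated. Apply the patch from the repository file or from the upstream commit 69d1b3fc29677af8ade8dc15dba83f0589cb63d6, never from this rendering, and check that the file in src/patches matches the upstream hunk byte for byte.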
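The commit message above explains why the old xzgrep escaping only protects the last line or two of a multi-line filename. The following shell script is an added example, not part of this commit, of XZ Utils or of IPFire: it reimplements the old and the fixed escaping with their backslashes intact, feeds both a constructed malicious filename, and shows that the old variant lets a sed `w` command in the filename write a file while the fixed variant prints the name verbatim. It assumes GNU sed and mktemp(1); the filename and the grep output line are constructed.

```shell
#!/bin/sh
# Added example, not xz's or IPFire's code: reproduce the xzgrep filename
# escaping flaw and the fixed escaping.  Assumes GNU sed and mktemp(1).

# Escaping as in xzgrep from XZ Utils <= 5.2.5: $!N joins only two lines
# and the $-addressed s commands run only once the last line is in the
# pattern space, so with three or more lines the first ones are printed raw.
escape_old() {
	printf '%s\n' "$1" |
		sed '
			$!N
			$s/[&\|]/\\&/g
			$s/\n/\\n/g
		'
}

# Escaping from the fix: & \ | are escaped on every line and every line but
# the last gets a trailing backslash, so the newline survives as a literal
# newline inside the sed replacement.  The appended ":" keeps a trailing
# newline from being eaten by $(...).
escape_new() {
	printf '%s\n' "$1:" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/'
}

# Mimic the tail of xzgrep: prefix each grep output line on stdin with the
# escaped filename.  $1 selects old or new escaping, $2 is the filename.
prefix_lines() {
	case $1 in
		old) i=$(escape_old "$2"); sed_script="s|^|$i:|" ;;
		new) i=$(escape_new "$2"); sed_script="s|^|$i|" ;;
		*) echo "usage: prefix_lines old|new NAME" >&2; return 2 ;;
	esac
	sed "$sed_script"
}

# Constructed attacker-controlled filename: with the old escaping the raw
# "|" on line one closes the s command, so line two is parsed as a sed "w"
# command that writes grep's output to a path of the attacker's choosing.
demo() {
	dir=$(mktemp -d)
	evil="x|
w $dir/pwned
#"
	printf 'match\n' | prefix_lines old "$evil" >/dev/null
	if [ -e "$dir/pwned" ]; then old=written; else old=clean; fi

	rm -f "$dir/pwned"
	out=$(printf 'match\n' | prefix_lines new "$evil")
	if [ -e "$dir/pwned" ]; then new=written; else new=clean; fi
	rm -rf "$dir"

	# With the fix the whole name is one replacement: the last output line
	# is the filename's last line, the colon and the grep output.
	last=$(printf '%s\n' "$out" | tail -n 1)
	printf '%s %s %s\n' "$old" "$new" "$last"
}

demo
```

Run it as `sh xzgrep-escape.sh`; it prints `written clean #:match`, meaning the old escaping created the attacker's file and the fixed escaping did not. Swapping the `w` line for a GNU sed `e` command is what turns the file write into command execution, which is why the fix matters beyond the sed script in the patch.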
hooks/post-receive -- IPFire 2.x development tree