From: Michael Tremer <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, master, updated. 5bfdb4e5398d697bc7dfafd4c91ef38c4b610d68
Date: Wed, 13 Apr 2022 08:11:14 +0000 [thread overview]
Message-ID: <4KdZzl5bF6z2xnj@people01.haj.ipfire.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 15435 bytes --]
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, master has been updated
via 5bfdb4e5398d697bc7dfafd4c91ef38c4b610d68 (commit)
via cad867506d768bb049ee7083bdfdeaf8a9e8cce4 (commit)
via cad2ce78dde6d3df70c1bbde011bb677b8df9ae4 (commit)
via 2506def0a603ea4111bfb0f87794bd5a9c9a48fd (commit)
via e0da038fc9d5f970150976715ef9d5d28f48092b (commit)
via 0db4fbe1b521db9f2f62b5a3229dcd8fb5d974f4 (commit)
via 423e2e7f92e4baba13dab98160c87f13087960b7 (commit)
via 1e0314afdfd26566605fb3ca735e239023bc3d31 (commit)
via c8d047f562f5aef6769ee44380dec81332cb904e (commit)
via 95229400b3cdc093e648cd20b9da48d151bdae83 (commit)
via f4dca7f1afd184dcf1c23325ac079af0f490816b (commit)
via bc82eb79b111eb2dbca250530e8a7171fb86e46c (commit)
from 24c8e6a6df46745963afd1f9f67fca0350f477c6 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 5bfdb4e5398d697bc7dfafd4c91ef38c4b610d68
Merge: 24c8e6a6d cad867506
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Apr 13 08:11:05 2022 +0000
Merge branch 'next'
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/common/libloc | 2 +-
config/rootfiles/core/167/filelists/files | 3 +
.../{oldcore/148 => core/167}/filelists/libloc | 0
.../{oldcore/111 => core/167}/filelists/vnstat | 0
.../{oldcore/100 => core/167}/filelists/xz | 0
config/rootfiles/core/167/update.sh | 72 ++++++++++++++++-
lfs/libloc | 8 +-
lfs/stage2 | 3 +-
lfs/xz | 1 +
src/initscripts/system/mountfs | 6 --
src/initscripts/system/partresize | 6 --
src/patches/xzgrep-ZDI-CAN-16587.patch | 94 ++++++++++++++++++++++
12 files changed, 176 insertions(+), 19 deletions(-)
copy config/rootfiles/{oldcore/148 => core/167}/filelists/libloc (100%)
copy config/rootfiles/{oldcore/111 => core/167}/filelists/vnstat (100%)
copy config/rootfiles/{oldcore/100 => core/167}/filelists/xz (100%)
create mode 100644 src/patches/xzgrep-ZDI-CAN-16587.patch
Difference in files:
diff --git a/config/rootfiles/common/libloc b/config/rootfiles/common/libloc
index c7335c7ef..955e91cde 100644
--- a/config/rootfiles/common/libloc
+++ b/config/rootfiles/common/libloc
@@ -18,7 +18,7 @@ usr/bin/location
#usr/lib/libloc.la
#usr/lib/libloc.so
usr/lib/libloc.so.1
-usr/lib/libloc.so.1.0.1
+usr/lib/libloc.so.1.0.2
usr/lib/perl5/site_perl/5.32.1/xxxMACHINExxx-linux-thread-multi/Location.pm
#usr/lib/perl5/site_perl/5.32.1/xxxMACHINExxx-linux-thread-multi/auto/Location
#usr/lib/perl5/site_perl/5.32.1/xxxMACHINExxx-linux-thread-multi/auto/Location/.packlist
diff --git a/config/rootfiles/core/167/filelists/files b/config/rootfiles/core/167/filelists/files
index 7e85b24ac..18f533e93 100644
--- a/config/rootfiles/core/167/filelists/files
+++ b/config/rootfiles/core/167/filelists/files
@@ -1,7 +1,9 @@
etc/collectd.conf
etc/inittab.d
etc/rc.d/init.d/firewall
+etc/rc.d/init.d/mountfs
etc/rc.d/init.d/pakfire
+etc/rc.d/init.d/partresize
etc/sysctl.conf
lib/udev/network-hotplug-bridges
srv/web/ipfire/cgi-bin/connections.cgi
@@ -10,6 +12,7 @@ srv/web/ipfire/cgi-bin/getrrdimage.cgi
srv/web/ipfire/cgi-bin/ids.cgi
srv/web/ipfire/cgi-bin/location-block.cgi
usr/lib/firewall/rules.pl
+usr/lib/perl5/site_perl/5.32.1/Net/IP.pm
usr/local/bin/backupiso
usr/sbin/unbound-dhcp-leases-bridge
var/ipfire/backup/include
diff --git a/config/rootfiles/core/167/filelists/libloc b/config/rootfiles/core/167/filelists/libloc
new file mode 120000
index 000000000..ff4a92429
--- /dev/null
+++ b/config/rootfiles/core/167/filelists/libloc
@@ -0,0 +1 @@
+../../../common/libloc
\ No newline at end of file
diff --git a/config/rootfiles/core/167/filelists/vnstat b/config/rootfiles/core/167/filelists/vnstat
new file mode 120000
index 000000000..2e2e6100b
--- /dev/null
+++ b/config/rootfiles/core/167/filelists/vnstat
@@ -0,0 +1 @@
+../../../common/vnstat
\ No newline at end of file
diff --git a/config/rootfiles/core/167/filelists/xz b/config/rootfiles/core/167/filelists/xz
new file mode 120000
index 000000000..734e926c7
--- /dev/null
+++ b/config/rootfiles/core/167/filelists/xz
@@ -0,0 +1 @@
+../../../common/xz
\ No newline at end of file
diff --git a/config/rootfiles/core/167/update.sh b/config/rootfiles/core/167/update.sh
index fdcb843cf..0f98f1757 100644
--- a/config/rootfiles/core/167/update.sh
+++ b/config/rootfiles/core/167/update.sh
@@ -26,11 +26,61 @@
core=167
+exit_with_error() {
+ # Set last succesfull installed core.
+ echo $(($core-1)) > /opt/pakfire/db/core/mine
+ # force fsck at next boot, this may fix free space on xfs
+ touch /forcefsck
+ # don't start pakfire again at error
+ killall -KILL pak_update
+ /usr/bin/logger -p syslog.emerg -t ipfire \
+ "core-update-${core}: $1"
+ exit $2
+}
+
# Remove old core updates from pakfire cache to save space...
for (( i=1; i<=$core; i++ )); do
rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
done
+
+KVER="xxxKVERxxx"
+
+# Backup uEnv.txt if exist
+if [ -e /boot/uEnv.txt ]; then
+ cp -vf /boot/uEnv.txt /boot/uEnv.txt.org
+fi
+
+# Do some sanity checks.
+case $(uname -r) in
+ *-ipfire*)
+ # Ok.
+ ;;
+ *)
+ exit_with_error "ERROR cannot update. No IPFire Kernel." 1
+ ;;
+esac
+
+# Check diskspace on root
+ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+
+if [ $ROOTSPACE -lt 100000 ]; then
+ exit_with_error "ERROR cannot update because not enough free space on root." 2
+ exit 2
+fi
+
+# Remove the old kernel
+rm -rf /boot/System.map-*
+rm -rf /boot/config-*
+rm -rf /boot/ipfirerd-*
+rm -rf /boot/initramfs-*
+rm -rf /boot/vmlinuz-*
+rm -rf /boot/uImage-*
+rm -rf /boot/zImage-*
+rm -rf /boot/uInit-*
+rm -rf /boot/dtb-*
+rm -rf /lib/modules
+
# Remove files
rm -rvf \
/bin/setserial \
@@ -272,7 +322,6 @@ rm -rvf \
/usr/lib/libxslt.so \
/usr/lib/pango \
/usr/lib/perl5/site_perl/5.30.0 \
- /usr/lib/perl5/site_perl/5.32.1/Net/IP.pm \
/usr/lib/python3.8/ensurepip/_bundled/pip-19.2.3-py2.py3-none-any.whl \
/usr/lib/python3.8/idlelib/Icons/idle.icns \
/usr/lib/python3.8/lib2to3/Grammar3.8.1.final.0.pickle \
@@ -337,6 +386,13 @@ hardlink -c -vv /lib/firmware
# Regenerate all initrds
dracut --regenerate-all --force
+# Replace /etc/mtab by symlink as mount no longer writes it
+rm -vf /etc/mtab
+ln -vs /proc/self/mounts /etc/mtab
+
+# Export the location database again and reload the firewall engine
+/usr/local/bin/update-location-database
+
# Rebuild IPS rules
perl -e "require '/var/ipfire/ids-functions.pl'; &IDS::oinkmaster();"
/etc/init.d/suricata reload
@@ -362,6 +418,20 @@ if [ -e "/opt/pakfire/db/installed/meta-nano" ] && [ -e "/opt/pakfire/db/meta/me
/opt/pakfire/db/rootfiles/nano
fi
+# remove lm_sensor config after collectd was started
+# to reserch sensors at next boot with updated kernel
+rm -f /etc/sysconfig/lm_sensors
+
+# Upadate Kernel version uEnv.txt
+if [ -e /boot/uEnv.txt ]; then
+ sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt
+fi
+
+# call user update script (needed for some arm boards)
+if [ -e /boot/pakfire-kernel-update ]; then
+ /boot/pakfire-kernel-update ${KVER}
+fi
+
# This update needs a reboot...
touch /var/run/need_reboot
diff --git a/lfs/libloc b/lfs/libloc
index c9b82383a..71939a966 100644
--- a/lfs/libloc
+++ b/lfs/libloc
@@ -24,8 +24,8 @@
include Config
-VER = 0.9.11
-DB_DATE = 2022-02-16
+VER = 0.9.13
+DB_DATE = 2022-04-12
THISAPP = libloc-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -43,8 +43,8 @@ objects = $(DL_FILE) \
$(DL_FILE) = https://source.ipfire.org/releases/libloc/$(DL_FILE)
location-$(DB_DATE).db.xz = https://location.ipfire.org/databases/1/archive/location-$(DB_DATE).db.xz
-$(DL_FILE)_BLAKE2 = 46df0dc058235ede47c103c9be5882f50b688c80613c2bdf6f3bc40a2effff67e3ef77cd28142dc3b3fb832689a345e8840fe466738e7ae151698e98c17a68ed
-location-$(DB_DATE).db.xz_BLAKE2 = 9ba0ae5bbabef1a0f692cee11515796d754b2f83aa21c2a2730b4d04249606fe00df856dad08fbdfdad3fad6b06c902b36e3a7717181ce0fac4738b46737b5b4
+$(DL_FILE)_BLAKE2 = 5fccd6f0564899499939c63af8975f20b1f7d5267a8cf6c15e14ab377b9d5c008ae5e154c804ac6a1106471aaeebac97dc4ebe6b70fc1e59f416fe2cc02c52a7
+location-$(DB_DATE).db.xz_BLAKE2 = 8634405ddba8c38d4512ec586722faaeccb295b8bfe7778e52e7bb60dfe804c6a3ae201d04a43d200e1118cf5fed05ef3eada59e2dd6386fe37023274ccb6795
install : $(TARGET)
diff --git a/lfs/stage2 b/lfs/stage2
index 9f93babe2..39697a848 100644
--- a/lfs/stage2
+++ b/lfs/stage2
@@ -87,7 +87,8 @@ endif
cp -rvf $(DIR_SRC)/config/etc/* /etc;
[ ! -d "$(DIR_SRC)/config/etc-$(BUILD_ARCH)" ] || cp -rvf $(DIR_SRC)/config/etc-$(BUILD_ARCH)/* /etc
cp -rvf $(DIR_SRC)/config/lib/* /lib;
- touch /etc/{fs,m}tab
+ touch /etc/fstab
+ ln -s /proc/self/mounts /etc/mtab
echo "$(NAME) v$(VERSION) - $(SLOGAN)" > /etc/issue
echo "===============================" >> /etc/issue
echo "\n running on \s \r \m" >> /etc/issue
diff --git a/lfs/xz b/lfs/xz
index 586fbc90f..9345df954 100644
--- a/lfs/xz
+++ b/lfs/xz
@@ -75,6 +75,7 @@ $(subst %,%_BLAKE2,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && patch -p1 -i $(DIR_SRC)/src/patches/xzgrep-ZDI-CAN-16587.patch
cd $(DIR_APP) && ./configure --prefix=$(PREFIX)
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
diff --git a/src/initscripts/system/mountfs b/src/initscripts/system/mountfs
index b1533d6a2..81ed729c1 100644
--- a/src/initscripts/system/mountfs
+++ b/src/initscripts/system/mountfs
@@ -31,12 +31,6 @@ case "${1}" in
# Remove fsck-related file system watermarks.
rm -f /fastboot /forcefsck
- boot_mesg "Create /etc/mtab..."
- > /etc/mtab
- mount -f / || failed=1
- (exit ${failed})
- evaluate_retval
-
# This will mount all filesystems that do not have _netdev in
# their option list. _netdev denotes a network filesystem.
boot_mesg "Mounting remaining file systems..."
diff --git a/src/initscripts/system/partresize b/src/initscripts/system/partresize
index 7605b9e2b..147405e1e 100644
--- a/src/initscripts/system/partresize
+++ b/src/initscripts/system/partresize
@@ -30,12 +30,6 @@ case "${1}" in
mount -o remount,rw / > /dev/null
evaluate_retval
- boot_mesg "Create /etc/mtab..."
- > /etc/mtab
- mount -f / || failed=1
- (exit ${failed})
- evaluate_retval
-
# check if serial console enabled
scon="off";
if [ ! "$(grep "console=ttyS0" /proc/cmdline)" == "" ]; then
diff --git a/src/patches/xzgrep-ZDI-CAN-16587.patch b/src/patches/xzgrep-ZDI-CAN-16587.patch
new file mode 100644
index 000000000..406ded590
--- /dev/null
+++ b/src/patches/xzgrep-ZDI-CAN-16587.patch
@@ -0,0 +1,94 @@
+From 69d1b3fc29677af8ade8dc15dba83f0589cb63d6 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin(a)tukaani.org>
+Date: Tue, 29 Mar 2022 19:19:12 +0300
+Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587).
+
+Malicious filenames can make xzgrep to write to arbitrary files
+or (with a GNU sed extension) lead to arbitrary code execution.
+
+xzgrep from XZ Utils versions up to and including 5.2.5 are
+affected. 5.3.1alpha and 5.3.2alpha are affected as well.
+This patch works for all of them.
+
+This bug was inherited from gzip's zgrep. gzip 1.12 includes
+a fix for zgrep.
+
+The issue with the old sed script is that with multiple newlines,
+the N-command will read the second line of input, then the
+s-commands will be skipped because it's not the end of the
+file yet, then a new sed cycle starts and the pattern space
+is printed and emptied. So only the last line or two get escaped.
+
+One way to fix this would be to read all lines into the pattern
+space first. However, the included fix is even simpler: All lines
+except the last line get a backslash appended at the end. To ensure
+that shell command substitution doesn't eat a possible trailing
+newline, a colon is appended to the filename before escaping.
+The colon is later used to separate the filename from the grep
+output so it is fine to add it here instead of a few lines later.
+
+The old code also wasn't POSIX compliant as it used \n in the
+replacement section of the s-command. Using \<newline> is the
+POSIX compatible method.
+
+LC_ALL=C was added to the two critical sed commands. POSIX sed
+manual recommends it when using sed to manipulate pathnames
+because in other locales invalid multibyte sequences might
+cause issues with some sed implementations. In case of GNU sed,
+these particular sed scripts wouldn't have such problems but some
+other scripts could have, see:
+
+ info '(sed)Locale Considerations'
+
+This vulnerability was discovered by:
+cleemy desu wayo working with Trend Micro Zero Day Initiative
+
+Thanks to Jim Meyering and Paul Eggert discussing the different
+ways to fix this and for coordinating the patch release schedule
+with gzip.
+---
+ src/scripts/xzgrep.in | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in
+index b180936..e5186ba 100644
+--- a/src/scripts/xzgrep.in
++++ b/src/scripts/xzgrep.in
+@@ -180,22 +180,26 @@ for i; do
+ { test $# -eq 1 || test $no_filename -eq 1; }; then
+ eval "$grep"
+ else
++ # Append a colon so that the last character will never be a newline
++ # which would otherwise get lost in shell command substitution.
++ i="$i:"
++
++ # Escape & \ | and newlines only if such characters are present
++ # (speed optimization).
+ case $i in
+ (*'
+ '* | *'&'* | *'\'* | *'|'*)
+- i=$(printf '%s\n' "$i" |
+- sed '
+- $!N
+- $s/[&\|]/\\&/g
+- $s/\n/\\n/g
+- ');;
++ i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');;
+ esac
+- sed_script="s|^|$i:|"
++
++ # $i already ends with a colon so don't add it here.
++ sed_script="s|^|$i|"
+
+ # Fail if grep or sed fails.
+ r=$(
+ exec 4>&1
+- (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&-
++ (eval "$grep" 4>&-; echo $? >&4) 3>&- |
++ LC_ALL=C sed "$sed_script" >&3 4>&-
+ ) || r=2
+ exit $r
+ fi >&3 5>&-
+--
+2.35.1
+
hooks/post-receive
--
IPFire 2.x development tree
reply other threads:[~2022-04-13 8:11 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4KdZzl5bF6z2xnj@people01.haj.ipfire.org \
--to=git@ipfire.org \
--cc=ipfire-scm@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox