packages/keepalived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-44225

Browse Source
This commit is contained in:
kwb0523 2022-03-29 19:26:48 +08:00
parent fc9e8ae150
commit b5261efeda
2 changed files with 48 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
CVE-2021-44225.patch Normal file
View File

@ -0,0 +1,39 @@
From 7977fec0be89ae6fe87405b3f8da2f0b5e415e3d Mon Sep 17 00:00:00 2001
From: Vincent Bernat <vincent@bernat.ch>
Date: Tue, 23 Nov 2021 06:50:59 +0100
Subject: [PATCH] dbus: fix policy to not be overly broad
The DBus policy did not restrict the message destination, allowing any
user to inspect and manipulate any property.
CVE-2021-44225
https://nvd.nist.gov/vuln/detail/CVE-2021-44225
Reference:https://github.com/acassen/keepalived/commit/7977fec0be89ae6fe87405b3f8da2f0b5e415e3d.patch
Conflict:NA
Signed-off-by: Vincent Bernat <vincent@bernat.ch>
---
keepalived/dbus/org.keepalived.Vrrp1.conf | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/keepalived/dbus/org.keepalived.Vrrp1.conf b/keepalived/dbus/org.keepalived.Vrrp1.conf
index 2b78a575c..b5ced6085 100644
--- a/keepalived/dbus/org.keepalived.Vrrp1.conf
+++ b/keepalived/dbus/org.keepalived.Vrrp1.conf
@@ -3,12 +3,15 @@
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy user="root">
- <allow own="org.keepalived.Vrrp1"/>
- <allow send_destination="org.keepalived.Vrrp1"/>
+ <allow own="org.keepalived.Vrrp1" />
+ <allow send_destination="org.keepalived.Vrrp1" />
</policy>
<policy context="default">
- <allow send_interface="org.freedesktop.DBus.Introspectable" />
- <allow send_interface="org.freedesktop.DBus.Peer" />
- <allow send_interface="org.freedesktop.DBus.Properties" />
+ <allow send_destination="org.keepalived.Vrrp1"
+ send_interface="org.freedesktop.DBus.Introspectable" />
+ <allow send_destination="org.keepalived.Vrrp1"
+ send_interface="org.freedesktop.DBus.Peer" />
+ <allow send_destination="org.keepalived.Vrrp1"
+ send_interface="org.freedesktop.DBus.Properties" />
</policy>
</busconfig>

10
keepalived.spec
View File

@ -9,13 +9,15 @@
Name: keepalived Name: keepalived
Version: 2.2.4 Version: 2.2.4
Release: 1 Release: 2
Summary: High Availability monitor built upon LVS, VRRP and service pollers Summary: High Availability monitor built upon LVS, VRRP and service pollers
License: GPLv2+ License: GPLv2+
URL: http://www.keepalived.org/ URL: http://www.keepalived.org/
Source0: http://www.keepalived.org/software/keepalived-%{version}.tar.gz Source0: http://www.keepalived.org/software/keepalived-%{version}.tar.gz
Source1: keepalived.service Source1: keepalived.service
Patch0001: CVE-2021-44225.patch
BuildRequires: net-snmp-devel gcc systemd-units openssl-devel libnl3-devel BuildRequires: net-snmp-devel gcc systemd-units openssl-devel libnl3-devel
BuildRequires: ipset-devel iptables-devel libnfnetlink-devel libnftnl-devel BuildRequires: ipset-devel iptables-devel libnfnetlink-devel libnftnl-devel
BuildRequires: file-devel libmnl-devel BuildRequires: file-devel libmnl-devel
@ -90,6 +92,12 @@ install -Dd -m 0755 %{buildroot}%{_libexecdir}/keepalived
%{_mandir}/man* %{_mandir}/man*
%changelog %changelog
* Tue Mar 29 2022 kwb0523 <kwb0523@163.com> - 2.2.4-2
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix CVE-2021-44225
* Tue Dec 21 2021 kwb0523 <kwb0523@163.com> - 2.2.4-1 * Tue Dec 21 2021 kwb0523 <kwb0523@163.com> - 2.2.4-1
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA