Fix CVE-2024-23301 and only x86 require syslinux

2024-01-15 15:17:18 +08:00 · 2024-01-15 15:17:18 +08:00 · fcc4042ef9
commit fcc4042ef9
parent ef1279a664
2 changed files with 48 additions and 4 deletions
--- a/CVE-2024-23301.patch
+++ b/CVE-2024-23301.patch
@ -0,0 +1,34 @@
+From 89b61793d80bc2cb2abe47a7d0549466fb087d16 Mon Sep 17 00:00:00 2001
+From: Johannes Meixner <jsmeix@suse.com>
+Date: Fri, 12 Jan 2024 08:04:40 +0100
+Subject: [PATCH] Make initrd accessible only by root (#3123)
+
+Origin: https://github.com/rear/rear/commit/89b61793d80bc2cb2abe47a7d0549466fb087d16
+
+In pack/GNU/Linux/900_create_initramfs.sh call
+chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
+to let only 'root' access the ReaR initrd because
+the ReaR recovery system in the initrd can contain secrets
+(not by default but when certain things are explicitly
+configured by the user like SSH keys without passphrase)
+see https://github.com/rear/rear/issues/3122
+and https://bugzilla.opensuse.org/show_bug.cgi?id=1218728
+---
+ usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
+index 1e0c11039..12be718ed 100644
+--- a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
+++ b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
+@@ -125,4 +125,10 @@ case "$REAR_INITRD_COMPRESSION" in
+         fi
+         ;;
+ esac
+
+# Only root should be allowed to access the initrd
+# because the ReaR recovery system can contain secrets
+# cf. https://github.com/rear/rear/issues/3122
+test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
+
+ popd >/dev/null
--- a/rear.spec
+++ b/rear.spec
@ -2,14 +2,18 @@

 Name:           rear
 Version:        2.4
-Release:        3
+Release:        5
 License:        GPLv3
 Summary:        Relax-and-Recover is a setup-and-forget Linux bare metal disaster recovery solution
 URL:            http://relax-and-recover.org/
 Source0:        https://sourceforge.net/projects/rear/files/rear/%{version}/rear-%{version}.tar.gz
-ExclusiveArch:  x86_64
+Patch0:         CVE-2024-23301.patch
+ExclusiveArch:  x86_64 loongarch64
 Requires:       binutils ethtool gzip iputils parted tar openssl gawk attr bc crontabs iproute
-Requires:       genisoimage util-linux syslinux
+Requires:       genisoimage util-linux
+%ifarch x86_64 i686
+Requires:       syslinux
+%endif
 BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

 %description
@ -29,7 +33,7 @@ if [ $1 -gt 1 ] ; then
 fi

 %prep
-%autosetup
+%autosetup -p1

 %build

@ -55,5 +59,11 @@ rm -rf %{buildroot}
 %doc %{_mandir}/man8/rear.8*

 %changelog
+* Mon Jan 15 2024 wangkai <13474090681@163.com> - 2.4-5
+- Fix CVE-2024-23301 and only x86 require syslinux
+
+* Tue Nov 15 2022 huajingyun <huajingyun@loongson.cn> - 2.4-4
+- Add loongarch64 support
+
 * Wed Feb 26 2020 Ling Yang <lingyang2@huawei.com> - 2.4-3
 - Package Init