!18 [sync] PR-16: fix CVE-2023-5557

From: @openeuler-sync-bot Reviewed-by: @zhang__3125 Signed-off-by: @zhang__3125
2024-05-23 02:39:03 +00:00 · 2024-05-23 02:39:03 +00:00 · 04c1622d8b
commit 04c1622d8b
parent de725bc475 fbcb908c87
2 changed files with 131 additions and 1 deletions
--- a/CVE-2023-5557.patch
+++ b/CVE-2023-5557.patch
@ -0,0 +1,126 @@
+From 8523cc78c18d13f1b2f278ac86a5031b95bc739e Mon Sep 17 00:00:00 2001
+From: technology208 <technology@208suo.com>
+Date: Mon, 20 May 2024 16:32:52 +0800
+Subject: [PATCH] CreatePatch
+
+---
+ .../tracker-seccomp.c                         | 23 +++++++++++++++++++
+ src/tracker-extract/tracker-extract.c         |  5 ----
+ src/tracker-extract/tracker-main.c            | 19 +++++++++++----
+ 3 files changed, 38 insertions(+), 9 deletions(-)
+
+diff --git a/src/libtracker-miners-common/tracker-seccomp.c b/src/libtracker-miners-common/tracker-seccomp.c
+index 01887e8..a2b7ed9 100644
+--- a/src/libtracker-miners-common/tracker-seccomp.c
+++ b/src/libtracker-miners-common/tracker-seccomp.c
+@@ -100,6 +100,7 @@ tracker_seccomp_init (void)
+ 	ALLOW_RULE (lstat);
+ 	ALLOW_RULE (lstat64);
+ 	ALLOW_RULE (statx);
+        ALLOW_RULE (fstatfs);
+ 	ALLOW_RULE (access);
+ 	ALLOW_RULE (getdents);
+ 	ALLOW_RULE (getdents64);
+@@ -168,6 +169,23 @@ tracker_seccomp_init (void)
+ 	ALLOW_RULE (getpeername);
+ 	ALLOW_RULE (shutdown);
+ 
+       ERROR_RULE (inotify_init1, EINVAL);
+       ERROR_RULE (inotify_init, EINVAL);
+
+       ERROR_RULE (mkdir, EPERM);
+       ERROR_RULE (rename, EPERM);
+       ERROR_RULE (unlink, EPERM);
+       ERROR_RULE (ioctl, EBADF);
+       ERROR_RULE (bind, EACCES);
+       ERROR_RULE (setsockopt, EBADF);
+       ERROR_RULE (sched_getattr, EPERM);
+
+       /* Allow prlimit64, only if no new limits are being set */
+       if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(prlimit64), 1,
+                             SCMP_CMP(2, SCMP_CMP_EQ, 0)) < 0)
+               goto out;
+
+
+ 	/* Special requirements for socket/socketpair, only on AF_UNIX/AF_LOCAL */
+ 	if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
+ 	                      SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX)) < 0)
+@@ -175,6 +193,11 @@ tracker_seccomp_init (void)
+ 	if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
+ 	                      SCMP_CMP(0, SCMP_CMP_EQ, AF_LOCAL)) < 0)
+ 		goto out;
+
+       if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(socket), 1,
+                             SCMP_CMP(0, SCMP_CMP_EQ, AF_NETLINK)) < 0)
+               goto out;
+
+ 	if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair), 1,
+ 	                      SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX)) < 0)
+ 		goto out;
+diff --git a/src/tracker-extract/tracker-extract.c b/src/tracker-extract/tracker-extract.c
+index 3406164..209c76b 100644
+--- a/src/tracker-extract/tracker-extract.c
+++ b/src/tracker-extract/tracker-extract.c
+@@ -30,8 +30,6 @@
+ #include <gio/gunixinputstream.h>
+ #include <gio/gunixfdlist.h>
+ 
+-#include <libtracker-miners-common/tracker-common.h>
+-
+ #include <libtracker-extract/tracker-extract.h>
+ 
+ #include "tracker-extract.h"
+@@ -523,9 +521,6 @@ get_metadata (TrackerExtractTask *task)
+ static gpointer
+ single_thread_get_metadata (GAsyncQueue *queue)
+ {
+-	if (!tracker_seccomp_init ())
+-		g_assert_not_reached ();
+-
+ 	while (TRUE) {
+ 		TrackerExtractTask *task;
+ 
+diff --git a/src/tracker-extract/tracker-main.c b/src/tracker-extract/tracker-main.c
+index 2a646cc..484be22 100644
+--- a/src/tracker-extract/tracker-main.c
+++ b/src/tracker-extract/tracker-main.c
+@@ -292,7 +292,7 @@ get_cache_dir (TrackerDomainOntology *domain_ontology)
+ }
+ 
+ int
+-main (int argc, char *argv[])
+do_main (int argc, char *argv[])
+ {
+ 	GOptionContext *context;
+ 	GError *error = NULL;
+@@ -311,9 +311,6 @@ main (int argc, char *argv[])
+ 	bind_textdomain_codeset (GETTEXT_PACKAGE, "UTF-8");
+ 	textdomain (GETTEXT_PACKAGE);
+ 
+-	/* This makes sure we don't steal all the system's resources */
+-	initialize_priority_and_scheduling ();
+-
+ 	/* Translators: this message will appear immediately after the  */
+ 	/* usage string - Usage: COMMAND [OPTION]... <THIS_MESSAGE>     */
+ 	context = g_option_context_new (_("— Extract file meta data"));
+@@ -487,3 +484,17 @@ main (int argc, char *argv[])
+ 
+ 	return EXIT_SUCCESS;
+ }
+
+int
+main (int argc, char *argv[])
+{
+       /* This function is untouchable! Add things to do_main() */
+
+       /* This makes sure we don't steal all the system's resources */
+       initialize_priority_and_scheduling ();
+
+       if (!tracker_seccomp_init ())
+               g_assert_not_reached ();
+
+       return do_main (argc, argv);
+}
+-- 
+2.33.0
+
--- a/tracker3-miners.spec
+++ b/tracker3-miners.spec
@ -2,7 +2,7 @@

 Name:           tracker3-miners
 Version:        3.0.5
-Release:        4
+Release:        5
 Summary:        One of two parts of tracker mainly contains the indexer daemon and tools. 

 License:        GPLv2+ and LGPLv2+
@ -10,6 +10,7 @@ URL:            https://wiki.gnome.org/Projects/Tracker
 Source0:        https://download.gnome.org/sources/tracker-miners/3.0/tracker-miners-%{version}.tar.xz
 Source1: 	tracker3-miners.conf
 Patch1:         tracker-miners-3.0.5-sw.patch
+Patch2:         CVE-2023-5557.patch

 BuildRequires:  asciidoc libxslt coreutils glib2 glib2-devel gcc giflib-devel meson systemd
 BuildRequires:  pkgconfig(tracker-sparql-3.0) pkgconfig(tracker-testutils-3.0)
@ -90,6 +91,9 @@ sed -i 's/lib64/lib/g' %{buildroot}%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.


 %changelog
+* Mon May 20 2024 technology208 <technology@208suo.com> - 3.0.5-5
+- fix CVE-2023-5557
+
 * Wed Oct 26 2022 wuzx<wuzx1226@qq.com> - 3.0.5-4
 - Add sw64 architecture