diff options
Diffstat (limited to 'meta-security/dynamic-layers')
12 files changed, 279 insertions, 37 deletions
diff --git a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb index f2ef335b13..7074f68152 100644 --- a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb @@ -83,11 +83,11 @@ do_install () { install -m 0644 Bastille/AccountSecurity.pm ${D}${libdir}/Bastille install -m 0644 Bastille/Apache.pm ${D}${libdir}/Bastille install -m 0644 Bastille/API.pm ${D}${libdir}/Bastille - install -m 0644 ${WORKDIR}/AccountPermission.pm ${D}${libdir}/Bastille/API - install -m 0644 ${WORKDIR}/FileContent.pm ${D}${libdir}/Bastille/API - install -m 0644 ${WORKDIR}/HPSpecific.pm ${D}${libdir}/Bastille/API - install -m 0644 ${WORKDIR}/ServiceAdmin.pm ${D}${libdir}/Bastille/API - install -m 0644 ${WORKDIR}/Miscellaneous.pm ${D}${libdir}/Bastille/API + install -m 0644 ${UNPACKDIR}/AccountPermission.pm ${D}${libdir}/Bastille/API + install -m 0644 ${UNPACKDIR}/FileContent.pm ${D}${libdir}/Bastille/API + install -m 0644 ${UNPACKDIR}/HPSpecific.pm ${D}${libdir}/Bastille/API + install -m 0644 ${UNPACKDIR}/ServiceAdmin.pm ${D}${libdir}/Bastille/API + install -m 0644 ${UNPACKDIR}/Miscellaneous.pm ${D}${libdir}/Bastille/API install -m 0644 Bastille/BootSecurity.pm ${D}${libdir}/Bastille install -m 0644 Bastille/ConfigureMiscPAM.pm ${D}${libdir}/Bastille install -m 0644 Bastille/DisableUserTools.pm ${D}${libdir}/Bastille @@ -138,7 +138,7 @@ do_install () { install -m 0644 OSMap/OSX.bastille ${D}${datadir}/Bastille/OSMap install -m 0644 OSMap/OSX.system ${D}${datadir}/Bastille/OSMap - install -m 0644 ${WORKDIR}/config ${D}${sysconfdir}/Bastille/config + install -m 0644 ${UNPACKDIR}/config ${D}${sysconfdir}/Bastille/config for file in `cat Modules.txt` ; do install -m 0644 Questions/$file.txt ${D}${datadir}/Bastille/Questions diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb index ba0f974c33..46cdc8e3c9 100644 --- a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb +++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb @@ -7,7 +7,11 @@ SRC_URI[sha256sum] = "6425963d91054cfcc185807141c7314a9c5ad46325911bd24dcb489bd0 PYPI_PACKAGE = "Flask-Script" -inherit pypi setuptools3 +inherit pypi python_setuptools_build_meta + +DEPENDS += " \ + python3-setuptools-scm-native \ +" RDEPENDS:${PN} += "\ python3-flask \ diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb index 638c56fc27..3d7e8975c0 100644 --- a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb +++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb @@ -6,4 +6,8 @@ SRC_URI[sha256sum] = "8951a53662ae9cfd812685facdba693fc950ffc1c1fd1a8a2d3cf4c346 PYPI_PACKAGE = "json2html" -inherit pypi setuptools3 +inherit pypi python_setuptools_build_meta + +DEPENDS += " \ + python3-setuptools-scm-native \ +" diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb index ff1b611bf5..9aaa7c990c 100644 --- a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb +++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb @@ -2,6 +2,19 @@ DESCRIPTION = "Python pyinotify: Linux filesystem events monitoring" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=ab173cade7965b411528464589a08382" +SRC_URI[md5sum] = "8e580fa1ff3971f94a6f81672b76c406" +SRC_URI[sha256sum] = "9c998a5d7606ca835065cdabc013ae6c66eb9ea76a00a1e3bc6e0cfe2b4f71f4" + +SRC_URI += " \ + file://0001-Make-asyncore-support-optional-for-Python-3.patch \ +" + +inherit pypi python_setuptools_build_meta + +DEPENDS += " \ + python3-setuptools-scm-native \ +" + RDEPENDS:${PN} += "\ python3-ctypes \ python3-fcntl \ @@ -11,12 +24,3 @@ RDEPENDS:${PN} += "\ python3-shell \ python3-threading \ " - -SRC_URI[md5sum] = "8e580fa1ff3971f94a6f81672b76c406" -SRC_URI[sha256sum] = "9c998a5d7606ca835065cdabc013ae6c66eb9ea76a00a1e3bc6e0cfe2b4f71f4" - -SRC_URI += " \ - file://0001-Make-asyncore-support-optional-for-Python-3.patch \ -" - -inherit pypi setuptools3 diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-segno_1.5.2.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-segno_1.5.2.bb index f8a6552ad4..e24f3222f7 100644 --- a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-segno_1.5.2.bb +++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-segno_1.5.2.bb @@ -4,6 +4,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=8e8db3765a57bcb968140e0a353c1a35" SRC_URI[sha256sum] = "983424b296e62189d70fc73460cd946cf56dcbe82b9bda18c066fc1b24371cdc" -#PYPI_PACKAGE = "Flask-Script" +inherit pypi python_setuptools_build_meta -inherit pypi setuptools3 +DEPENDS += " \ + python3-setuptools-scm-native \ +" diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.6.3.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.6.3.bb index 517ed87f3a..811cf36756 100644 --- a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.6.3.bb +++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.6.3.bb @@ -6,4 +6,8 @@ SRC_URI[sha256sum] = "19b030b3fa37d1f0b5c5ad9ada9059884c3bf2c751c5dd8f1eb4ed49cf PYPI_PACKAGE = "xmldiff" -inherit pypi setuptools3 +inherit pypi python_setuptools_build_meta + +DEPENDS += " \ + python3-setuptools-scm-native \ +" diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-yamlpath_3.8.0.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-yamlpath_3.8.0.bb index 5d88951658..8d5f33ec42 100644 --- a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-yamlpath_3.8.0.bb +++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-yamlpath_3.8.0.bb @@ -6,4 +6,8 @@ SRC_URI[sha256sum] = "81d5b8baba60c255b519ccd31a691f9bc064223ff196709d41119bde81 PYPI_PACKAGE = "yamlpath" -inherit pypi setuptools3 +inherit pypi python_setuptools_build_meta + +DEPENDS += " \ + python3-setuptools-scm-native \ +" diff --git a/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb index bf5f87d367..52d35f85c9 100644 --- a/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb +++ b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb @@ -11,12 +11,14 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f" DEPENDS = "python3-native" -SRCREV = "e1d3006b0330e9777705a7baafe3989d442ed120" +SRCREV = "ac62658c10f492911f8a0037a0bcf97c8521cd78" SRC_URI = "git://github.com/fail2ban/fail2ban.git;branch=master;protocol=https \ file://initd \ file://run-ptest \ " +PV = "1.1.0+git" + UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)" inherit update-rc.d ptest setuptools3_legacy @@ -24,23 +26,13 @@ inherit systemd SYSTEMD_SERVICE:${PN} = "fail2ban.service" -S = "${WORKDIR}/git" - -do_compile () { - cd ${S} - - #remove symlink to python3 - # otherwise 2to3 is run against it - rm -f bin/fail2ban-python - - ./fail2ban-2to3 -} +S = "${UNPACKDIR}/git" do_install:append () { rm -f ${D}/${bindir}/fail2ban-python install -d ${D}/${sysconfdir}/fail2ban install -d ${D}/${sysconfdir}/init.d - install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server + install -m 0755 ${UNPACKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then install -d ${D}${systemd_system_unitdir} @@ -66,7 +58,7 @@ INITSCRIPT_PARAMS = "defaults 25" INSANE_SKIP:${PN}:append = "already-stripped" -RDEPENDS:${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} iptables python3-core python3-pyinotify" +RDEPENDS:${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} nftables python3-core python3-pyinotify" RDEPENDS:${PN} += "python3-sqlite3" RDEPENDS:${PN} += " python3-logging python3-fcntl python3-json" RDEPENDS:${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban" diff --git a/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.9.1.bb b/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.9.1.bb index 8268345f7e..36e50e4841 100644 --- a/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.9.1.bb +++ b/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.9.1.bb @@ -8,7 +8,11 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=c0acfa7a8a03b718abee9135bc1a1c55" PYPI_PACKAGE = "privacyIDEA" SRC_URI[sha256sum] = "7c70feb44980a3fd7501457777a1ec30e73541e54d3b31f2b9b5ab6cd73cff4f" -inherit pypi setuptools3 +inherit pypi python_setuptools_build_meta + +DEPENDS += " \ + python3-setuptools-scm-native \ +" do_install:append () { rm -fr ${D}${libdir}/${PYTHON_DIR}/site-packages/tests diff --git a/meta-security/dynamic-layers/meta-python/recipes-security/python/python3-oauth2client_4.1.3.bb b/meta-security/dynamic-layers/meta-python/recipes-security/python/python3-oauth2client_4.1.3.bb index 3a074614a5..62157e0859 100644 --- a/meta-security/dynamic-layers/meta-python/recipes-security/python/python3-oauth2client_4.1.3.bb +++ b/meta-security/dynamic-layers/meta-python/recipes-security/python/python3-oauth2client_4.1.3.bb @@ -6,6 +6,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=038e1390e94fe637991fa5569daa62bc" PYPI_PACKAGE = "oauth2client" SRC_URI[sha256sum] = "d486741e451287f69568a4d26d70d9acd73a2bbfa275746c535b4209891cccc6" -inherit pypi setuptools3 +inherit pypi python_setuptools_build_meta + +DEPENDS += " \ + python3-setuptools-scm-native \ +" RDEPENDS:${PN} = "python3-six python3-rsa python3-httplib2 python3-pyasn1 python3-pyasn1-modules" diff --git a/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch new file mode 100644 index 0000000000..1e9fca5425 --- /dev/null +++ b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch @@ -0,0 +1,219 @@ +From f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726 Mon Sep 17 00:00:00 2001 +From: Sumit Bose <sbose@redhat.com> +Date: Wed, 8 Nov 2023 14:50:24 +0100 +Subject: [PATCH] ad-gpo: use hash to store intermediate results + +Currently after the evaluation of a single GPO file the intermediate +results are stored in the cache and this cache entry is updated until +all applicable GPO files are evaluated. Finally the data in the cache is +used to make the decision of access is granted or rejected. + +If there are two or more access-control request running in parallel one +request might overwrite the cache object with intermediate data while +another request reads the cached data for the access decision and as a +result will do this decision based on intermediate data. + +To avoid this the intermediate results are not stored in the cache +anymore but in hash tables which are specific to the request. Only the +final result is written to the cache to have it available for offline +authentication. + +Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> +Reviewed-by: Tomáš Halman <thalman@redhat.com> +(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a) + +Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726] +CVE: CVE-2023-3758 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + +--- + src/providers/ad/ad_gpo.c | 116 +++++++++++++++++++++++++++++++++----- + 1 file changed, 102 insertions(+), 14 deletions(-) + +diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c +index 44e9cbb..cec0cb4 100644 +--- a/src/providers/ad/ad_gpo.c ++++ b/src/providers/ad/ad_gpo.c +@@ -1317,6 +1317,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx, + return ret; + } + ++static errno_t ++add_result_to_hash(hash_table_t *hash, const char *key, char *value) ++{ ++ int hret; ++ hash_key_t k; ++ hash_value_t v; ++ ++ if (hash == NULL || key == NULL || value == NULL) { ++ return EINVAL; ++ } ++ ++ k.type = HASH_KEY_CONST_STRING; ++ k.c_str = key; ++ ++ v.type = HASH_VALUE_PTR; ++ v.ptr = value; ++ ++ hret = hash_enter(hash, &k, &v); ++ if (hret != HASH_SUCCESS) { ++ DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n", ++ key, value, hash_error_string(hret)); ++ return EIO; ++ } ++ ++ return EOK; ++} ++ + /* + * This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename, + * and stores the allow_key and deny_key of all of the gpo_map_types present +@@ -1324,6 +1351,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx, + */ + static errno_t + ad_gpo_store_policy_settings(struct sss_domain_info *domain, ++ hash_table_t *allow_maps, hash_table_t *deny_maps, + const char *filename) + { + struct ini_cfgfile *file_ctx = NULL; +@@ -1457,14 +1485,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain, + goto done; + } else if (ret != ENOENT) { + const char *value = allow_value ? allow_value : empty_val; +- ret = sysdb_gpo_store_gpo_result_setting(domain, +- allow_key, +- value); ++ ret = add_result_to_hash(allow_maps, allow_key, ++ talloc_strdup(allow_maps, value)); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "sysdb_gpo_store_gpo_result_setting failed for key:" +- "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value, +- ret, sss_strerror(ret)); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] " ++ "value: [%s] to allow maps " ++ "[%d][%s].\n", ++ allow_key, value, ret, ++ sss_strerror(ret)); + goto done; + } + } +@@ -1484,14 +1512,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain, + goto done; + } else if (ret != ENOENT) { + const char *value = deny_value ? deny_value : empty_val; +- ret = sysdb_gpo_store_gpo_result_setting(domain, +- deny_key, +- value); ++ ret = add_result_to_hash(deny_maps, deny_key, ++ talloc_strdup(deny_maps, value)); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "sysdb_gpo_store_gpo_result_setting failed for key:" +- "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value, +- ret, sss_strerror(ret)); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] " ++ "value: [%s] to deny maps " ++ "[%d][%s].\n", ++ deny_key, value, ret, ++ sss_strerror(ret)); + goto done; + } + } +@@ -1784,6 +1812,8 @@ struct ad_gpo_access_state { + int num_cse_filtered_gpos; + int cse_gpo_index; + const char *ad_domain; ++ hash_table_t *allow_maps; ++ hash_table_t *deny_maps; + }; + + static void ad_gpo_connect_done(struct tevent_req *subreq); +@@ -1906,6 +1936,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx, + goto immediately; + } + ++ ret = sss_hash_create(state, 0, &state->allow_maps); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps " ++ "hash table [%d]: %s\n", ret, sss_strerror(ret)); ++ goto immediately; ++ } ++ ++ ret = sss_hash_create(state, 0, &state->deny_maps); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps " ++ "hash table [%d]: %s\n", ret, sss_strerror(ret)); ++ goto immediately; ++ } + + subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); + if (subreq == NULL) { +@@ -2725,6 +2768,43 @@ ad_gpo_cse_step(struct tevent_req *req) + return EAGAIN; + } + ++static errno_t ++store_hash_maps_in_cache(struct sss_domain_info *domain, ++ hash_table_t *allow_maps, hash_table_t *deny_maps) ++{ ++ int ret; ++ struct hash_iter_context_t *iter; ++ hash_entry_t *entry; ++ size_t c; ++ hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL}; ++ ++ ++ for (c = 0; hash_list[c] != NULL; c++) { ++ iter = new_hash_iter_context(hash_list[c]); ++ if (iter == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n"); ++ return EINVAL; ++ } ++ ++ while ((entry = iter->next(iter)) != NULL) { ++ ret = sysdb_gpo_store_gpo_result_setting(domain, ++ entry->key.c_str, ++ entry->value.ptr); ++ if (ret != EOK) { ++ free(iter); ++ DEBUG(SSSDBG_OP_FAILURE, ++ "sysdb_gpo_store_gpo_result_setting failed for key:" ++ "[%s] value:[%s] [%d][%s]\n", entry->key.c_str, ++ (char *) entry->value.ptr, ret, sss_strerror(ret)); ++ return ret; ++ } ++ } ++ talloc_free(iter); ++ } ++ ++ return EOK; ++} ++ + /* + * This cse-specific function (GP_EXT_GUID_SECURITY) increments the + * cse_gpo_index until the policy settings for all applicable GPOs have been +@@ -2766,6 +2846,7 @@ ad_gpo_cse_done(struct tevent_req *subreq) + * (as part of the GPO Result object in the sysdb cache). + */ + ret = ad_gpo_store_policy_settings(state->host_domain, ++ state->allow_maps, state->deny_maps, + cse_filtered_gpo->policy_filename); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, +@@ -2779,6 +2860,13 @@ ad_gpo_cse_done(struct tevent_req *subreq) + + if (ret == EOK) { + /* ret is EOK only after all GPO policy files have been downloaded */ ++ ret = store_hash_maps_in_cache(state->host_domain, ++ state->allow_maps, state->deny_maps); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps " ++ "[%d][%s].\n", ret, sss_strerror(ret)); ++ goto done; ++ } + ret = ad_gpo_perform_hbac_processing(state, + state->gpo_mode, + state->gpo_map_type, +-- +2.25.1 diff --git a/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb index 0c75d8f45f..f973ee158d 100644 --- a/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb +++ b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb @@ -25,6 +25,7 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/${BP}.tar.gz \ file://fix-ldblibdir.patch \ file://musl_fixup.patch \ file://0001-sssctl-add-error-analyzer.patch \ + file://CVE-2023-3758.patch \ " SRC_URI[sha256sum] = "827bc65d64132410e6dd3df003f04829d60387ec30e72b2d4e22d93bb6f762ba" |