[gridengine] Set _hardened_build Add two more upstream security patches Renumber patches

Orion Poplawski orion at fedoraproject.org
Tue Apr 17 16:35:15 UTC 2012


commit 36488a816cb0435b14bd3ab3f8c993ebb1e08768
Author: Orion Poplawski <orion at cora.nwra.com>
Date:   Tue Apr 17 10:35:13 2012 -0600

    Set _hardened_build
    Add two more upstream security patches
    Renumber patches

 buffer-overflow.patch |   66 +++++++++++++++++++++++++++++++++++++++++++
 gridengine.spec       |   34 ++++++++++++++--------
 symlink.patch         |   75 +++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 163 insertions(+), 12 deletions(-)
---
diff --git a/buffer-overflow.patch b/buffer-overflow.patch
new file mode 100644
index 0000000..a2fbaba
--- /dev/null
+++ b/buffer-overflow.patch
@@ -0,0 +1,66 @@
+Index: source/utilbin/sge_passwd.c
+===================================================================
+--- source/utilbin/sge_passwd.c	(revision 115)
++++ source/utilbin/sge_passwd.c	(working copy)
+@@ -1049,7 +1049,7 @@
+ static void
+ sge_passwd_add_change(const char *username, const char *domain, uid_t uid) 
+ {
+-   char user[128] = "";
++   char user[128+128] = ""; /* actually (128-1) + (1) + (128-1) + (1) */
+    char **users = NULL;
+    char **encryped_pwd = NULL;
+    char err_str[MAX_STRING_SIZE];
+@@ -1319,9 +1319,13 @@
+          DEXIT;
+          exit(1);
+       } 
+-      if (!strcmp(argv[1],"-D")) {
++      if (!strcmp(argv[1],"-D"))
++      {
+          argc--; argv++;
+-         if (argc != 1 && sscanf(argv[1], "%s", domain) == 1) {
++
++         if (argc != 1 && strncpy(domain, argv[1], sizeof(domain)))
++         {
++            domain[sizeof(domain)-1] = '\0';
+             argc--; argv++;
+             continue;
+          } else {
+@@ -1330,7 +1334,8 @@
+             exit(1);
+          }
+       }
+-      if (!strcmp(argv[1],"-d")) {
++      if (!strcmp(argv[1],"-d"))
++      {
+          uid_t uid = getuid();
+ 
+          if (uid != 0) {
+@@ -1340,7 +1345,11 @@
+          }
+ 
+          argc--; argv++;
+-         if (argc != 1 && sscanf(argv[1], "%s", username) == 1) {
++
++         if (argc != 1 && strncpy(username, argv[1], sizeof(username)))
++         {
++            username[sizeof(username)-1] = '\0';
++
+             argc--; argv++;
+             do_delete = true;
+             continue;
+@@ -1349,8 +1358,11 @@
+             DEXIT;
+             exit(1);
+          }
+-      } 
+-      if (argv[1][0] != '-' && sscanf(argv[1], "%s", username) == 1) {
++      }
++
++
++      if (argv[1][0] != '-' && strncpy(username, argv[1], sizeof(username)))
++      {
+          uid_t uid = getuid();
+ 
+          if (uid != 0) {
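Review bot: The positional-username branch, `if (argv[1][0] != '-' && strncpy(username, argv[1], sizeof(username)))`, has no `username[sizeof(username)-1] = '\0';` in the lines shown, unlike the -D and -d branches, so an argument of sizeof(username) bytes or more leaves the buffer unterminated unless that is handled past the end of this hunk (the block continues outside it). At all three sites strncpy() returns its destination, so the second half of each condition is always true: the empty-argument rejection that the old `sscanf(...) == 1` gave is gone, and an over-long name is silently truncated to a different name instead of being refused. Checking the length before copying, e.g. `if (strlen(argv[1]) == 0 || strlen(argv[1]) >= sizeof(username)) { /* usage + exit(1) */ }`, keeps both properties. This assumes username and domain are arrays rather than pointers, which the hunk does not show.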
diff --git a/gridengine.spec b/gridengine.spec
index cc2e0b9..3ccb764 100644
--- a/gridengine.spec
+++ b/gridengine.spec
@@ -3,10 +3,11 @@
 %define username sgeadmin
 %define homedir %{_datadir}/gridengine
 %define gecos Grid Engine
+%define _hardened_build 1
 
 Name:    gridengine
 Version: 2011.11
-Release: 2.svn131%{?dist}
+Release: 3.svn131%{?dist}
 Summary: Grid Engine - Distributed Computing Management software
 
 Group:   Applications/System
@@ -37,19 +38,21 @@ Source10: http://gridengine.sunsource.net/nonav/issues/showattachment.cgi/165/li
 Source11: README
 Source12: maketarball
 Patch0: gridengine-svn131.patch
-# Upstream security patch
+# Upstream security patches
 Patch1: env-code-injection-GE2011.11p1.patch
+Patch2: buffer-overflow.patch
+Patch3: symlink.patch
 # Don't need to make rc files in inst_common.sh
 # Partially http://gridengine.sunsource.net/issues/show_bug.cgi?id=2780
-Patch3: gridengine-rctemplates.patch
+Patch10: gridengine-rctemplates.patch
 # Fixup sge_ca to use system openssl and java paths
-Patch4: gridengine-6.2u2_1-sge_ca.patch
+Patch11: gridengine-6.2u2_1-sge_ca.patch
 # Fixup jni paths
-Patch5: gridengine-6.2-jni.patch
+Patch12: gridengine-6.2-jni.patch
 # Don't use rpaths
-Patch22: gridengine-rpath.patch
+Patch13: gridengine-rpath.patch
 # Fix issue with hostnames and localhost
-Patch28: gridengine-6.2u5-gethostname.patch
+Patch14: gridengine-6.2u5-gethostname.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 ExcludeArch: ppc64
@@ -175,11 +178,13 @@ cp %SOURCE8 %SOURCE11 .
 sed -i -e '/^#! *\/bin\/sh/d' source/dist/util/install_modules/*.sh
 %patch0 -p1 -b .svn
 %patch1 -p0 -b .env-code-injection
-%patch3 -p1 -b .rctemplates
-%patch4 -p1 -b .sge_ca
-%patch5 -p1 -b .jni
-%patch22 -p1 -b .rpath
-%patch28 -p1 -b .gethostname
+%patch2 -p0 -b .buffer-overflow
+%patch3 -p0 -b .symlink
+%patch10 -p1 -b .rctemplates
+%patch11 -p1 -b .sge_ca
+%patch12 -p1 -b .jni
+%patch13 -p1 -b .rpath
+%patch14 -p1 -b .gethostname
 sed -i.arch -e 's,/\$DSTARCH,,g' source/scripts/distinst
 #Don't ship rctemplates
 rm -rf source/dist/util/rctemplates
@@ -628,6 +633,11 @@ fi
 
 
 %changelog
+* Tue Apr 17 2012 Orion Poplawski <orion at cora.nwra.com> 2011.11-3.svn131
+- Set _hardened_build
+- Add two more upstream security patches
+- Renumber patches
+
 * Tue Apr 17 2012 Orion Poplawski <orion at cora.nwra.com> 2011.11-2.svn131
 - Update to svn 131
 - Add upstream env-code-injection security patch
diff --git a/symlink.patch b/symlink.patch
new file mode 100644
index 0000000..1c28346
--- /dev/null
+++ b/symlink.patch
@@ -0,0 +1,75 @@
+Index: source/libs/uti/sge_log.c
+===================================================================
+--- source/libs/uti/sge_log.c	(revision 121)
++++ source/libs/uti/sge_log.c	(working copy)
+@@ -38,6 +38,8 @@
+ #include <pthread.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
++#include <unistd.h>
++#include <errno.h>
+ 
+ #include "sge.h"
+ #include "sge_time.h"
+@@ -643,10 +645,20 @@
+ static void sge_do_log(u_long32 me, const char* progname, const char* unqualified_hostname,
+                        int aLevel, const char *aMessage) 
+ {
+-   int fd;
++   if (me == QMASTER || me == EXECD || me == SCHEDD || me == SHADOWD)
++   {
++      int fd, open_flags = O_WRONLY | O_APPEND | O_CREAT;
++      const char *logfile = log_state_get_log_file();
+ 
+-   if (me == QMASTER || me == EXECD || me == SCHEDD || me == SHADOWD) {
+-      if ((fd = SGE_OPEN3(log_state_get_log_file(), O_WRONLY | O_APPEND | O_CREAT, 0666)) >= 0) {
++      #if   defined(O_NOFOLLOW)
++        open_flags |= O_NOFOLLOW;
++      #elif defined(O_EXCL)
++        open_flags |= O_EXCL;
++      #endif
++
++ again:
++      if ((fd = SGE_OPEN3(logfile, open_flags, 0666)) >= 0)
++      {
+          char msg2log[4*MAX_STRING_SIZE];
+          dstring msg;
+          
+@@ -654,15 +666,32 @@
+ 
+          append_time((time_t)sge_get_gmt(), &msg, false); 
+ 
+-         sge_dstring_sprintf_append(&msg, "|%6.6s|%s|%c|%s\n",
+-                 progname,
+-                 unqualified_hostname,
+-                 aLevel,
+-                 aMessage);
++         sge_dstring_sprintf_append(&msg, "|%6.6s|%s|%c|%s\n", progname, unqualified_hostname, aLevel, aMessage);
+ 
+          write(fd, msg2log, strlen(msg2log));
+          close(fd);
+       }
++    #if   defined(O_NOFOLLOW)
++      else if (errno == ELOOP)
++      {
++         if (unlink(logfile) == 0)
++         {
++            goto again;
++         }
++      }
++    #elif defined(O_EXCL)
++      else if (errno == EEXIST)
++      {
++         struct stat buf;
++
++         if (lstat(logfile, &buf) == 0 && buf.st_uid == getuid())  /* our file?? */
++         {
++             open_flags = O_WRONLY | O_APPEND | O_CREAT;
++
++             goto again;
++         }
++      }
++    #endif
+    }   
+ 
+    return;
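Review bot: Both recovery paths in sge_do_log jump back to `again:` with no retry bound, and the O_EXCL fallback re-opens the path without O_EXCL after an lstat() check, which leaves a window between the check and the open. In the O_NOFOLLOW branch, if a link reappears after `unlink(logfile)` the loop repeats indefinitely; a counter such as `if (retries++ < 1 && unlink(logfile) == 0) goto again;` bounds it. In the fallback, the lstat() test only compares `st_uid` with getuid(); adding `S_ISREG(buf.st_mode)` and confirming with fstat() on the opened descriptor that st_dev/st_ino still match would narrow the gap. Since newly created files take the effective UID, geteuid() is probably the comparison that matches. The function's closing lines are outside the hunk.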

