Add per-package pages

2023-10-13 21:37:48 +02:00 · 2023-10-13 21:37:48 +02:00 · 1bf84ab35e
parent 08b655bcef
commit 1bf84ab35e
3 changed files with 102 additions and 14 deletions
--- a/docs/index.md
+++ b/docs/index.md
@ -41,18 +41,12 @@ Install the package with `rpm -U --nodeps`. The `--nodeps` option is needed to b

 ### Override packages (currently only for EL9)

- glibc (adds many security-hardening changes originating from Owl and ALT Linux on top of EL package)
- openssh (fewer shared libraries exposed in sshd processes while otherwise fully matching EL package's functionality)
+- [glibc](packages/glibc.md) (adds many security-hardening changes originating from Owl and ALT Linux on top of EL package)
+- [openssh](packages/openssh.md) (fewer shared libraries exposed in sshd processes while otherwise fully matching EL package's functionality)

-The changes are described in more detail in the package changelogs.
+The changes are described in more detail on the per-package wiki pages linked above, as well as in the package changelogs.
 More packages/changes are planned, including override packages also for EL8.

-#### Known-effective vulnerability mitigations and fixes
-
-`glibc-2.34-60.el9_2.security.0.2` (specifically the `.0.2` version!) includes mitigations sufficient to avoid security exposure of [CVE-2023-4911](https://www.openwall.com/lists/oss-security/2023/10/03/2) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL.
-
-The inclusion of additional security fixes will be "reverted" if and when those get included in upstream EL packages that we rebase our changes on.
-
 ## Source code

 Just like for other Rocky Linux SIGs, the source trees for Security SIG packages are maintained in [per-package git repositories](https://git.rockylinux.org/sig/security/src). Each repository contains branches `r8` and/or `r9` corresponding to target EL version.
@ -71,8 +65,10 @@ We hang out in our [Security Mattermost channel](https://chat.rockylinux.org/roc

 Some of the people particularly active with setting up this SIG so far:

-| Name           | Mattermost Name |
-|----------------|-----------------|
-| Neil Hanlon    | @neil           |
-| Scott Shinn    | @atomicturtle   |
-| Solar Designer | @solardiz       |
+| Name            | Mattermost Name |
+|-----------------|-----------------|
+| Fredrik Nyström | @nscfreny       |
+| Louis Abel      | @label          |
+| Neil Hanlon     | @neil           |
+| Scott Shinn     | @atomicturtle   |
+| Solar Designer  | @solardiz       |
--- a/docs/packages/glibc.md
+++ b/docs/packages/glibc.md
@ -0,0 +1,69 @@
+# Override package: glibc
+
+## EL9
+
+- Version `2.34-60.7.el9_2.security.0.3`
+- Based on `2.34-60.el9_2.7`
+
+### Changes summary
+
+- Distrust and/or unset many more environment variables used by current and previous glibc versions when running SUID/SGID/setcap (Owl via ALT Linux)
+- When `syslog(3)`/`vsyslog(3)` is called by a SUID/SGID/setcap program without a preceding call to `openlog(3)`, don't blindly trust `__progname` for the syslog ident (Owl via ALT Linux)
+- In `syslog(3)/vsyslog(3)` use `asctime_r(3)+localtime_r(3)` instead of `strftime_r()` so that month names don't depend on current locale settings (Owl via ALT Linux)
+- In `asprintf(3)/vasprintf(3)` reset the pointer to NULL on error, like BSDs do, so that the caller wouldn't access memory over an uninitialized or stale pointer (ALT Linux)
+- In `fread(3)/fwrite(3)` check for potential integer overflow (ALT Linux)
+- In `tmpfile(3)` use the `TMPDIR` environment variable (when not running SUID/SGID/setcap) (ALT Linux)
+
+#### Known-effective vulnerability mitigations and fixes
+
+`2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](https://www.openwall.com/lists/oss-security/2023/10/03/2) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3`, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more).
+
+In general, inclusion of additional security fixes will be "reverted" if and when those get included in upstream EL packages that we rebase our changes on.
+
+### Change log
+
+```
+* Fri Oct  6 2023 Solar Designer <solar@openwall.com> - 2.34-60.7.el9.security.0.3
+- Rebase on 2.34-60.7, drop "our" CVE-2023-4527 patch in favor of RH's
+
+* Mon Sep 25 2023 Florian Weimer <fweimer@redhat.com> - 2.34-60.7
+- Fix memory leak regression in getaddrinfo (RHEL-2425)
+
+* Tue Sep 19 2023 Carlos O'Donell <carlos@redhat.com> - 2.34-60.6
+- CVE-2023-4911 glibc: buffer overflow in ld.so leading to privilege escalation (RHEL-2999)
+
+* Tue Sep 19 2023 Carlos O'Donell <carlos@redhat.com> - 2.34-60.5
+- Revert: Always call destructors in reverse constructor order (RHEL-3385)
+
+* Mon Sep 18 2023 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.34-60.4
+- CVE-2023-4806 glibc: potential use-after-free in getaddrinfo (RHEL-2425)
+
+* Fri Sep 15 2023 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.34-60.3
+- CVE-2023-4813: potential use-after-free in gaih_inet (RHEL-2437)
+
+* Fri Sep 15 2023 Carlos O'Donell <carlos@redhat.com> - 2.34-60.2
+- CVE-2023-4527: Stack read overflow in getaddrinfo in no-aaaa mode (#2234715)
+
+* Wed Sep 13 2023 Florian Weimer <fweimer@redhat.com> - 2.34-60.1
+- Always call destructors in reverse constructor order (RHEL-3385)
+
+* Mon Oct  2 2023 Solar Designer <solar@openwall.com> - 2.34-60.el9.security.0.2
+- Add glibc-owl-alt-sanitize-env.patch stitched from several ALT Linux commits
+  as none of their revisions matched this package's set of backports as-is
+- Add glibc-upstream-no-aaaa-CVE-2023-4527.patch based on upstream commit
+  bd77dd7e73e3530203be1c52c8a29d08270cb25d fixing
+  CVE-2023-4527: Stack read overflow with large TCP responses in no-aaaa mode
+
+* Tue Sep 26 2023 Solar Designer <solar@openwall.com> - 2.34-60.el9.security.0.1
+- Revise the texinfo documentation edit of glibc-2.34-alt-asprintf.patch via
+  glibc-2.34-rocky-asprintf.patch
+
+* Sat Sep 23 2023 Solar Designer <solar@openwall.com> - 2.34-60.el9.security.0.0
+- Add some of the patches from ALT Linux as of when they were at 2.34:
+  https://git.altlinux.org/gears/g/glibc.git
+  git show 5fa32fb0f8509f4b2b1105d71b45966dfbadc099 > glibc-2.34-alt-tmpfile.patch
+  git show f97e5d60a6a4c9cb64e3b9ee6f5113969cf07d87 > glibc-2.34-alt-asprintf.patch
+  git show cd45d0f74560325cc48aedb9f56881270ab3dfab > glibc-2.34-alt-libio-bound.patch
+  git show 436eb1017c04aee3a553c2868d00a4b046e5e394 > glibc-2.34-owl-alt-syslog-ident.patch
+  git show 03a86c234873723c26b7e387c498c1332c223968 > glibc-2.34-mjt-owl-alt-syslog-timestamp.patch
+```
--- a/docs/packages/openssh.md
+++ b/docs/packages/openssh.md
@ -0,0 +1,23 @@
+# Override package: openssh
+
+## EL9
+
+- Version `8.7p1-30.el9_2.security.0.2`
+- Based on `8.7p1-30.el9_2`
+
+### Changes summary
+
+- Instead of linking against `libsystemd`, load it dynamically in a temporary child process to avoid polluting actual `sshd`'s address space with that library and its many dependencies (shortens `ldd sshd` output from 28 to 20 lines)
+
+### Change log
+
+```
+* Sat Oct 07 2023 Solar Designer <solar@openwall.com> 8.7p1-30.el9.security.0.2
+- Load libsystemd.so.0, not libsystemd.so, as the latter is only provided by
+  systemd-devel
+
+* Mon Aug 28 2023 Solar Designer <solar@openwall.com> 8.7p1-30.el9.security.0.1
+- Instead of linking against libsystemd, load it dynamically in a temporary
+  child process to avoid polluting actual sshd's address space with that
+  library and its many dependencies (shortens "ldd sshd" from 28 to 20 lines)
+```