diff --git a/docs/index.md b/docs/index.md index e0f0180..860e831 100644 --- a/docs/index.md +++ b/docs/index.md @@ -41,18 +41,12 @@ Install the package with `rpm -U --nodeps`. The `--nodeps` option is needed to b ### Override packages (currently only for EL9) -- glibc (adds many security-hardening changes originating from Owl and ALT Linux on top of EL package) -- openssh (fewer shared libraries exposed in sshd processes while otherwise fully matching EL package's functionality) +- [glibc](packages/glibc.md) (adds many security-hardening changes originating from Owl and ALT Linux on top of EL package) +- [openssh](packages/openssh.md) (fewer shared libraries exposed in sshd processes while otherwise fully matching EL package's functionality) -The changes are described in more detail in the package changelogs. +The changes are described in more detail on the per-package wiki pages linked above, as well as in the package changelogs. More packages/changes are planned, including override packages also for EL8. -#### Known-effective vulnerability mitigations and fixes - -`glibc-2.34-60.el9_2.security.0.2` (specifically the `.0.2` version!) includes mitigations sufficient to avoid security exposure of [CVE-2023-4911](https://www.openwall.com/lists/oss-security/2023/10/03/2) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. - -The inclusion of additional security fixes will be "reverted" if and when those get included in upstream EL packages that we rebase our changes on. - ## Source code Just like for other Rocky Linux SIGs, the source trees for Security SIG packages are maintained in [per-package git repositories](https://git.rockylinux.org/sig/security/src). Each repository contains branches `r8` and/or `r9` corresponding to target EL version. @@ -71,8 +65,10 @@ We hang out in our [Security Mattermost channel](https://chat.rockylinux.org/roc Some of the people particularly active with setting up this SIG so far: -| Name | Mattermost Name | -|----------------|-----------------| -| Neil Hanlon | @neil | -| Scott Shinn | @atomicturtle | -| Solar Designer | @solardiz | \ No newline at end of file +| Name | Mattermost Name | +|-----------------|-----------------| +| Fredrik Nyström | @nscfreny | +| Louis Abel | @label | +| Neil Hanlon | @neil | +| Scott Shinn | @atomicturtle | +| Solar Designer | @solardiz | diff --git a/docs/packages/glibc.md b/docs/packages/glibc.md new file mode 100644 index 0000000..aabb623 --- /dev/null +++ b/docs/packages/glibc.md @@ -0,0 +1,69 @@ +# Override package: glibc + +## EL9 + +- Version `2.34-60.7.el9_2.security.0.3` +- Based on `2.34-60.el9_2.7` + +### Changes summary + +- Distrust and/or unset many more environment variables used by current and previous glibc versions when running SUID/SGID/setcap (Owl via ALT Linux) +- When `syslog(3)`/`vsyslog(3)` is called by a SUID/SGID/setcap program without a preceding call to `openlog(3)`, don't blindly trust `__progname` for the syslog ident (Owl via ALT Linux) +- In `syslog(3)/vsyslog(3)` use `asctime_r(3)+localtime_r(3)` instead of `strftime_r()` so that month names don't depend on current locale settings (Owl via ALT Linux) +- In `asprintf(3)/vasprintf(3)` reset the pointer to NULL on error, like BSDs do, so that the caller wouldn't access memory over an uninitialized or stale pointer (ALT Linux) +- In `fread(3)/fwrite(3)` check for potential integer overflow (ALT Linux) +- In `tmpfile(3)` use the `TMPDIR` environment variable (when not running SUID/SGID/setcap) (ALT Linux) + +#### Known-effective vulnerability mitigations and fixes + +`2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](https://www.openwall.com/lists/oss-security/2023/10/03/2) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3`, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more). + +In general, inclusion of additional security fixes will be "reverted" if and when those get included in upstream EL packages that we rebase our changes on. + +### Change log + +``` +* Fri Oct 6 2023 Solar Designer - 2.34-60.7.el9.security.0.3 +- Rebase on 2.34-60.7, drop "our" CVE-2023-4527 patch in favor of RH's + +* Mon Sep 25 2023 Florian Weimer - 2.34-60.7 +- Fix memory leak regression in getaddrinfo (RHEL-2425) + +* Tue Sep 19 2023 Carlos O'Donell - 2.34-60.6 +- CVE-2023-4911 glibc: buffer overflow in ld.so leading to privilege escalation (RHEL-2999) + +* Tue Sep 19 2023 Carlos O'Donell - 2.34-60.5 +- Revert: Always call destructors in reverse constructor order (RHEL-3385) + +* Mon Sep 18 2023 Siddhesh Poyarekar - 2.34-60.4 +- CVE-2023-4806 glibc: potential use-after-free in getaddrinfo (RHEL-2425) + +* Fri Sep 15 2023 Siddhesh Poyarekar - 2.34-60.3 +- CVE-2023-4813: potential use-after-free in gaih_inet (RHEL-2437) + +* Fri Sep 15 2023 Carlos O'Donell - 2.34-60.2 +- CVE-2023-4527: Stack read overflow in getaddrinfo in no-aaaa mode (#2234715) + +* Wed Sep 13 2023 Florian Weimer - 2.34-60.1 +- Always call destructors in reverse constructor order (RHEL-3385) + +* Mon Oct 2 2023 Solar Designer - 2.34-60.el9.security.0.2 +- Add glibc-owl-alt-sanitize-env.patch stitched from several ALT Linux commits + as none of their revisions matched this package's set of backports as-is +- Add glibc-upstream-no-aaaa-CVE-2023-4527.patch based on upstream commit + bd77dd7e73e3530203be1c52c8a29d08270cb25d fixing + CVE-2023-4527: Stack read overflow with large TCP responses in no-aaaa mode + +* Tue Sep 26 2023 Solar Designer - 2.34-60.el9.security.0.1 +- Revise the texinfo documentation edit of glibc-2.34-alt-asprintf.patch via + glibc-2.34-rocky-asprintf.patch + +* Sat Sep 23 2023 Solar Designer - 2.34-60.el9.security.0.0 +- Add some of the patches from ALT Linux as of when they were at 2.34: + https://git.altlinux.org/gears/g/glibc.git + git show 5fa32fb0f8509f4b2b1105d71b45966dfbadc099 > glibc-2.34-alt-tmpfile.patch + git show f97e5d60a6a4c9cb64e3b9ee6f5113969cf07d87 > glibc-2.34-alt-asprintf.patch + git show cd45d0f74560325cc48aedb9f56881270ab3dfab > glibc-2.34-alt-libio-bound.patch + git show 436eb1017c04aee3a553c2868d00a4b046e5e394 > glibc-2.34-owl-alt-syslog-ident.patch + git show 03a86c234873723c26b7e387c498c1332c223968 > glibc-2.34-mjt-owl-alt-syslog-timestamp.patch +``` diff --git a/docs/packages/openssh.md b/docs/packages/openssh.md new file mode 100644 index 0000000..33f5c30 --- /dev/null +++ b/docs/packages/openssh.md @@ -0,0 +1,23 @@ +# Override package: openssh + +## EL9 + +- Version `8.7p1-30.el9_2.security.0.2` +- Based on `8.7p1-30.el9_2` + +### Changes summary + +- Instead of linking against `libsystemd`, load it dynamically in a temporary child process to avoid polluting actual `sshd`'s address space with that library and its many dependencies (shortens `ldd sshd` output from 28 to 20 lines) + +### Change log + +``` +* Sat Oct 07 2023 Solar Designer 8.7p1-30.el9.security.0.2 +- Load libsystemd.so.0, not libsystemd.so, as the latter is only provided by + systemd-devel + +* Mon Aug 28 2023 Solar Designer 8.7p1-30.el9.security.0.1 +- Instead of linking against libsystemd, load it dynamically in a temporary + child process to avoid polluting actual sshd's address space with that + library and its many dependencies (shortens "ldd sshd" from 28 to 20 lines) +```