diff --git a/0001-db-Force-anchored-patterns-when-matching-regex.patch b/0001-db-Force-anchored-patterns-when-matching-regex.patch new file mode 100644 index 0000000000000000000000000000000000000000..e880efde1522057a4927d75587ebcfdc9d3693dc --- /dev/null +++ b/0001-db-Force-anchored-patterns-when-matching-regex.patch @@ -0,0 +1,34 @@ +From e6168463f4fc659b9827b5c8694dc1c6d7d5239a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Fri, 7 Sep 2018 15:53:20 +0200 +Subject: [PATCH] db: Force anchored patterns when matching regex +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Without forcing anchored patterns some matches may be completely wrong +as "(J_)?CENN?A_X64FREV" (volume-id for Windows 10) that could be taken +as a match for "HRM_CENNA_X64FREV" (volume-id of a Windows 8 ISO). + +Signed-off-by: Fabiano Fidêncio +Reviewed-by: Cole Robinson +--- + osinfo/osinfo_db.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/osinfo/osinfo_db.c b/osinfo/osinfo_db.c +index fa14c6d..f4b3a8c 100644 +--- a/osinfo/osinfo_db.c ++++ b/osinfo/osinfo_db.c +@@ -37,7 +37,7 @@ G_DEFINE_TYPE(OsinfoDb, osinfo_db, G_TYPE_OBJECT); + #define match_regex(pattern, str) \ + (((pattern) == NULL) || \ + (((str) != NULL) && \ +- g_regex_match_simple((pattern), (str), 0, 0))) ++ g_regex_match_simple((pattern), (str), 0, G_REGEX_MATCH_ANCHORED))) + + static gchar *get_raw_lang(const char *volume_id, const gchar *regex_str) + { +-- +1.8.3.1 + diff --git a/CVE-2019-13313-1.patch b/CVE-2019-13313-1.patch new file mode 100644 index 0000000000000000000000000000000000000000..16811f156786393b8040517166f73c2d96dc9b6c --- /dev/null +++ b/CVE-2019-13313-1.patch 
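Review bot: `G_REGEX_MATCH_ANCHORED` pins the match only to the start of the subject, so the patched `match_regex` macro still accepts a volume-id that merely begins with the pattern — `CENNA_X64FREV` would match `CENNA_X64FREV_FOO` — while rejecting the `HRM_CENNA_X64FREV` case the commit message describes. If an exact match is the intent, the db patterns need a trailing `$` (or the macro needs an end-of-subject check), and that expectation should be stated above the macro, e.g. `/* Patterns are anchored at the start only; a db pattern needs a trailing $ for an exact match. */`. The macro also evaluates `pattern` and `str` twice, which is harmless only while every caller passes side-effect-free arguments; the callers are outside this hunk.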
@@ -0,0 +1,170 @@ +From 08fb8316b4ac42fe74c1fa5ca0ac593222cdf81a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Wed, 3 Jul 2019 14:55:24 +0200 +Subject: [PATCH 1/2] tools,install-script: Add --config-file (-f) option +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Let's add a new option so users can set their config from a file, +instead of directly passing the values via command-line. + +CVE-2019-13313 +Libosinfo: osinfo-install-script option leaks password via command line +argument. 'osinfo-install-script' is used to generate a script for +automated guest installations. It accepts user and admin passwords via +command line arguments, thus leaking them via process listing. + +Signed-off-by: Fabiano Fidêncio +Reviewed-by: Daniel P. Berrangé +--- + tools/osinfo-install-script.c | 103 +++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 102 insertions(+), 1 deletion(-) + +diff --git a/tools/osinfo-install-script.c b/tools/osinfo-install-script.c +index 15af48d..af58440 100644 +--- a/tools/osinfo-install-script.c ++++ b/tools/osinfo-install-script.c +@@ -37,6 +37,34 @@ static gboolean list_profile = FALSE; + static gboolean list_inj_method = FALSE; + static gboolean quiet = FALSE; + ++static const gchar *configs[] = { ++ OSINFO_INSTALL_CONFIG_PROP_HARDWARE_ARCH, ++ OSINFO_INSTALL_CONFIG_PROP_L10N_TIMEZONE, ++ OSINFO_INSTALL_CONFIG_PROP_L10N_LANGUAGE, ++ OSINFO_INSTALL_CONFIG_PROP_L10N_KEYBOARD, ++ OSINFO_INSTALL_CONFIG_PROP_ADMIN_PASSWORD, ++ OSINFO_INSTALL_CONFIG_PROP_USER_PASSWORD, ++ OSINFO_INSTALL_CONFIG_PROP_USER_LOGIN, ++ OSINFO_INSTALL_CONFIG_PROP_USER_REALNAME, ++ OSINFO_INSTALL_CONFIG_PROP_USER_AUTOLOGIN, ++ OSINFO_INSTALL_CONFIG_PROP_USER_ADMIN, ++ OSINFO_INSTALL_CONFIG_PROP_REG_LOGIN, ++ OSINFO_INSTALL_CONFIG_PROP_REG_PASSWORD, ++ OSINFO_INSTALL_CONFIG_PROP_REG_PRODUCTKEY, ++ OSINFO_INSTALL_CONFIG_PROP_HOSTNAME, ++ OSINFO_INSTALL_CONFIG_PROP_TARGET_DISK, ++ 
OSINFO_INSTALL_CONFIG_PROP_SCRIPT_DISK, ++ OSINFO_INSTALL_CONFIG_PROP_AVATAR_LOCATION, ++ OSINFO_INSTALL_CONFIG_PROP_AVATAR_DISK, ++ OSINFO_INSTALL_CONFIG_PROP_PRE_INSTALL_DRIVERS_DISK, ++ OSINFO_INSTALL_CONFIG_PROP_PRE_INSTALL_DRIVERS_LOCATION, ++ OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_DISK, ++ OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_LOCATION, ++ OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING, ++ OSINFO_INSTALL_CONFIG_PROP_INSTALLATION_URL, ++ NULL ++}; ++ + static OsinfoInstallConfig *config; + + static gboolean handle_config(const gchar *option_name G_GNUC_UNUSED, +@@ -65,6 +93,47 @@ static gboolean handle_config(const gchar *option_name G_GNUC_UNUSED, + } + + ++static gboolean handle_config_file(const gchar *option_name G_GNUC_UNUSED, ++ const gchar *value, ++ gpointer data G_GNUC_UNUSED, ++ GError **error) ++{ ++ GKeyFile *key_file = NULL; ++ gchar *val = NULL; ++ gsize i; ++ gboolean ret = FALSE; ++ ++ key_file = g_key_file_new(); ++ if (!g_key_file_load_from_file(key_file, value, G_KEY_FILE_NONE, error)) ++ goto error; ++ ++ for (i = 0; configs[i] != NULL; i++) { ++ val = g_key_file_get_string(key_file, "install-script", configs[i], error); ++ if (val == NULL) { ++ if (g_error_matches(*error, G_KEY_FILE_ERROR, ++ G_KEY_FILE_ERROR_KEY_NOT_FOUND)) { ++ g_clear_error(error); ++ continue; ++ } ++ ++ goto error; ++ } ++ ++ osinfo_entity_set_param(OSINFO_ENTITY(config), ++ configs[i], ++ val); ++ g_free(val); ++ } ++ ++ ret = TRUE; ++ ++error: ++ g_key_file_unref(key_file); ++ ++ return ret; ++} ++ ++ + static GOptionEntry entries[] = + { + { "profile", 'p', 0, G_OPTION_ARG_STRING, (void*)&profile, +@@ -78,6 +147,9 @@ static GOptionEntry entries[] = + { "config", 'c', 0, G_OPTION_ARG_CALLBACK, + handle_config, + N_("Set configuration parameter"), "key=value" }, ++ { "config-file", 'f', 0, G_OPTION_ARG_CALLBACK, ++ handle_config_file, ++ N_("Set configuration parameters"), "file:///path/to/config/file" }, + { "list-config", '\0', 0, G_OPTION_ARG_NONE, 
(void*)&list_config, + N_("List configuration parameters"), NULL }, + { "list-profiles", '\0', 0, G_OPTION_ARG_NONE, (void*)&list_profile, +@@ -448,6 +520,15 @@ script. Defaults to C, but can also be C. + + Set the configuration parameter C to C. + ++=item B<--config-file=config-file> ++ ++Set the configurations parameters according to the config-file passed. ++ ++Note that use of --config-file is strongly recommended if the user or ++admin passwords need to be set. Providing passwords directly using ++B<--config=> is insecure as the password is visible to all processes ++and users on the same host. ++ + =back + + =head1 CONFIGURATION KEYS +@@ -510,9 +591,29 @@ The software registration user password + + =back + ++=head1 CONFIGURATION FILE FORMAT ++ ++The configuration file must consist in a file which contains a ++`install-script` group and, under this group, C=C ++pairs, as shown below: ++ ++[install-script] ++l10n-timezone=GMT ++l10n-keyboard=uk ++l10n-language=en_GB ++admin-password=123456 ++user-login=berrange ++user-password=123456 ++user-realname="Daniel P Berrange" ++ + =head1 EXAMPLE USAGE + +-The following usage generates a Fedora 16 kickstart script ++The following usages generates a Fedora 16 kickstart script ++ ++ # osinfo-install-script \ ++ --profile jeos \ ++ --config-file /path/to/config/file \ ++ fedora16 + + # osinfo-install-script \ + --profile jeos \ +-- +1.8.3.1 + diff --git a/CVE-2019-13313-2.patch b/CVE-2019-13313-2.patch new file mode 100644 index 0000000000000000000000000000000000000000..a14536ad6ef59b5c3e5f79e4736f4a360bc4d038 --- /dev/null +++ b/CVE-2019-13313-2.patch 
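Review bot: The argument description `"file:///path/to/config/file"` on the new `--config-file` entry is misleading: handle_config_file hands the value straight to g_key_file_load_from_file(), which takes a filesystem path, so a user who follows the help text and passes a `file://` URI gets a load failure; change it to `"/path/to/config/file"`, which is what the man page example already uses. Since this file is now the recommended place for the admin and user passwords, the new CONFIGURATION FILE FORMAT section should also say how to protect it, e.g. `The file may contain passwords, so it should be readable only by the invoking user (for example mode 0600).`; a runtime warning when the file is world-readable would be a reasonable addition, though I can't see whether the tool has a convention for such checks. Keys in the file that are not listed in `configs[]` are silently skipped by the loop in handle_config_file, so a misspelled key such as `admin-passwd` is dropped without any message. One more doc nit: GKeyFile does not strip surrounding quotes as far as I can tell, so the example `user-realname="Daniel P Berrange"` would set the real name with the quotes included.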
@@ -0,0 +1,59 @@ +From 3654abee6ead9f11f8bb9ba8fc71efd6fa4dabbc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Wed, 3 Jul 2019 14:59:07 +0200 +Subject: [PATCH 2/2] tools,install-script: Deprecate --config + {user,admin}-password +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Let's deprecate user-password and admin-password options of --config and +also warn out whenever they're passed to osinfo-install-script. + +CVE-2019-13313 +Libosinfo: osinfo-install-script option leaks password via command line +argument. 'osinfo-install-script' is used to generate a script for +automated guest installations. It accepts user and admin passwords via +command line arguments, thus leaking them via process listing. + +Signed-off-by: Fabiano Fidêncio +Reviewed-by: Daniel P. Berrangé +--- + tools/osinfo-install-script.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/tools/osinfo-install-script.c b/tools/osinfo-install-script.c +index af58440..c0528e7 100644 +--- a/tools/osinfo-install-script.c ++++ b/tools/osinfo-install-script.c +@@ -85,6 +85,12 @@ static gboolean handle_config(const gchar *option_name G_GNUC_UNUSED, + val++; + key = g_strndup(value, len); + ++ if (g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_USER_PASSWORD) || ++ g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_ADMIN_PASSWORD)) { ++ g_warning("When setting user or admin password, use --config-file " ++ "instead.\n"); ++ } ++ + osinfo_entity_set_param(OSINFO_ENTITY(config), + key, + val); +@@ -556,10 +562,14 @@ The local language + =item C + + The administrator password ++This option has been deprecated, use B<--config-file> ++for setting the admin password. + + =item C + + The user password ++This option has been deprecated, use B<--config-file> ++for setting the user password. + + =item C + +-- +1.8.3.1 + 
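Review bot: The new warning in handle_config tells the user what to use instead but not why, and the value is still accepted, so someone who ignores it keeps leaking the password through the process list that CVE-2019-13313 is about; make the consequence explicit, `g_warning("Passing %s via --config exposes the password to other users in the process list; use --config-file instead.", key);`. The trailing `\n` in the message is redundant because g_warning terminates the line itself. In the man page hunk the deprecation sentence follows "The administrator password" / "The user password" directly with no punctuation or blank line, so POD will render each pair as one run-on paragraph; end the preceding line with a period or insert a blank line. handle_config's body begins and ends outside this hunk.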
diff --git a/bugfix-do-not-raise-error-on-unknown-osinfo-db-directory.patch b/bugfix-do-not-raise-error-on-unknown-osinfo-db-directory.patch new file mode 100644 index 0000000000000000000000000000000000000000..a3f3254e69b4cb765e67a0373284b80b1d3505c2 --- /dev/null +++ b/bugfix-do-not-raise-error-on-unknown-osinfo-db-directory.patch @@ -0,0 +1,44 @@ +From 3e61b6ccfc2dcb88cc155b7ca33cbe34f20a25b9 Mon Sep 17 00:00:00 2001 +From: huangkaibin +Date: Fri, 20 Jul 2018 15:54:54 +0800 +Subject: [PATCH] libosinfo: Do not raise error on unknown osinfo db directory. + +When an osinfo directory can not be acccessed by the running user, +g_file_query_info will return a type of G_FILE_TYPE_UNKNOWN, and +osinfo_loader_find_files will raise an error and abort the application. +This patch fix this problem by just ignoring this unknown osinfo directory. +--- + osinfo/osinfo_loader.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/osinfo/osinfo_loader.c b/osinfo/osinfo_loader.c +index 46bc633..4c30e6c 100644 +--- a/osinfo/osinfo_loader.c ++++ b/osinfo/osinfo_loader.c +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + #include "ignore-value.h" + #include "osinfo_install_script_private.h" + #include "osinfo_device_driver_private.h" +@@ -2061,8 +2062,14 @@ + } + g_object_unref(ents); + g_list_free(children); ++ } else if (type == G_FILE_TYPE_UNKNOWN) { ++ g_warning("File type unknown. path: %s, errno:%d.", g_file_get_path(file), errno); + } else { +- OSINFO_ERROR(&error, "Unexpected file type"); ++ char *error_msg; ++ error_msg = g_strdup_printf("Unexpected file type. type: %d, path: %s, errno:%d.", ++ type, g_file_get_path(file), errno); ++ OSINFO_ERROR(&error, error_msg); ++ free(error_msg); + g_propagate_error(err, error); + } + } +-- +1.8.3.1 + 
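Review bot: Both new branches leak the string returned by g_file_get_path(), which hands back a newly allocated path the caller must free; the unknown-type branch calls it inside g_warning and the error branch inside g_strdup_printf, and neither frees it. The error branch also releases a g_strdup_printf() result with free() rather than g_free(); the two happen to match on glibc, but the GLib pair is the convention in this code base. The errno printed in both messages is presumably whatever an earlier libc call left behind, since GIO reports failures through GError rather than errno (the g_file_query_info call the commit message refers to is above the hunk), so it is more likely to mislead than help and I have dropped it below. If OSINFO_ERROR expands to a printf-style g_set_error rather than g_set_error_literal, passing a path-derived string as its message argument would additionally be a format-string bug — worth confirming against the macro definition, which is not in this hunk; the enclosing function also continues past the hunk.
```c
    } else if (type == G_FILE_TYPE_UNKNOWN) {
        gchar *path = g_file_get_path(file);
        g_warning("File type unknown. path: %s.", path);
        g_free(path);
    } else {
        gchar *path = g_file_get_path(file);
        gchar *error_msg = g_strdup_printf("Unexpected file type. type: %d, path: %s.",
                                           type, path);
        OSINFO_ERROR(&error, error_msg);
        g_free(error_msg);
        g_free(path);
        g_propagate_error(err, error);
    }
```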
diff --git a/fix-build-error-for-CVE-2019-13313.patch b/fix-build-error-for-CVE-2019-13313.patch new file mode 100644 index 0000000000000000000000000000000000000000..2f151f4b1e860b2927ffc6fb2d7dd419d6c7be7e --- /dev/null +++ b/fix-build-error-for-CVE-2019-13313.patch @@ -0,0 +1,24 @@ +From 1698257717d7a6be38ce81b4da2fbcd1e775dd6d Mon Sep 17 00:00:00 2001 +From: openEuler Buildteam +Date: Tue, 31 Dec 2019 23:34:18 +0800 +Subject: [PATCH] fix build error for CVE-2019-13313 + +--- + tools/osinfo-install-script.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/tools/osinfo-install-script.c b/tools/osinfo-install-script.c +index 67df0a0..c2f2bc1 100644 +--- a/tools/osinfo-install-script.c ++++ b/tools/osinfo-install-script.c +@@ -61,7 +61,6 @@ static const gchar *configs[] = { + OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_DISK, + OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_LOCATION, + OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING, +- OSINFO_INSTALL_CONFIG_PROP_INSTALLATION_URL, + NULL + }; + +-- +1.8.3.1 + diff --git a/libosinfo-1.2.0.tar.gz b/libosinfo-1.2.0.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..0406d0f2bffc440f014382797c70c3ad294b00eb Binary files /dev/null and b/libosinfo-1.2.0.tar.gz differ diff --git a/libosinfo.spec b/libosinfo.spec new file mode 100644 index 0000000000000000000000000000000000000000..f9220611f15147e8f10fd7bf13a02431eb5a7c28 --- /dev/null +++ b/libosinfo.spec 
@@ -0,0 +1,136 @@ +Name: libosinfo +Version: 1.2.0 +Release: 9 +Summary: A library for managing OS information for virtualization +License: LGPLv2+ +URL: https://libosinfo.org/ +Source: https://releases.pagure.io/%{name}/%{name}-%{version}.tar.gz + +BuildRequires: hwdata gobject-introspection-devel osinfo-db +BuildRequires: libcurl-devel intltool glib2-devel +BuildRequires: perl-podlators vala vala-tools +BuildRequires: libxml2-devel >= 2.6.0 +BuildRequires: libxslt-devel >= 1.0.0 +Requires: hwdata osinfo-db-tools +Requires: osinfo-db >= 20180920-1 + +Patch0001: 0001-db-Force-anchored-patterns-when-matching-regex.patch +Patch6000: CVE-2019-13313-1.patch +Patch6001: CVE-2019-13313-2.patch +Patch6002: fix-build-error-for-CVE-2019-13313.patch + +Patch9000: bugfix-do-not-raise-error-on-unknown-osinfo-db-directory.patch + +Provides: %{name}-vala +Obsoletes: %{name}-vala + +%description +Libosinfo is designed to provide a single place containing all the +information about an operating system that is required in order to +provision and manage it in a virtualized environment. + +%package devel +Summary: Development package for libosinfo +Requires: %{name} = %{version}-%{release} +Requires: glib2-devel pkgconfig + +%description devel +The development package for libosinfo. + +%package help +Summary: Help files for libosinfo + +%description help +The Help files for libosindo. + +%package lang +Summary: Language support for libosinfo + +%description lang +Language support for libosindo. + +%prep +%autosetup -n %{name}-%{version} -p1 + +%build +%configure \ + --enable-introspection=yes \ + --enable-vala=yes +%make_build V=1 +chmod a-x examples/*.js examples/*.py + +%install +rm -rf %{buildroot} +%make_install +%find_lang %{name} + +%check +if ! 
make check +then + cat tests/test-suite.log || true + exit 1 +fi + +%ldconfig_scriptlets + +%files +%{_bindir}/osinfo-detect +%{_bindir}/osinfo-query +%{_bindir}/osinfo-install-script +%{_libdir}/%{name}-1.0.so.* +%{_libdir}/girepository-1.0/Libosinfo-1.0.typelib +%{_datadir}/vala/vapi/libosinfo-1.0.vapi +%doc AUTHORS ChangeLog COPYING.LIB NEWS README +%exclude %{_libdir}/*.la + +%files devel +%dir %{_includedir}/%{name}-1.0/ +%dir %{_includedir}/%{name}-1.0/osinfo/ +%{_includedir}/%{name}-1.0/osinfo/*.h +%{_libdir}/%{name}-1.0.so +%{_libdir}/pkgconfig/%{name}-1.0.pc +%{_datadir}/gir-1.0/Libosinfo-1.0.gir +%{_datadir}/gtk-doc/html/Libosinfo +%doc examples/demo.js +%doc examples/demo.py + +%files help +%{_mandir}/man1/osinfo-detect.1* +%{_mandir}/man1/osinfo-query.1* +%{_mandir}/man1/osinfo-install-script.1* + +%files lang -f %{name}.lang + +%changelog +* Wed Aug 21 2019 fangyufa - 1.2.0-9 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC: modify info of patch + +* Fri Aug 02 2019 liujing - 1.2.0-8 +- Type:cves +- ID:CVE-2019-13313 +- SUG:restart +- DESC:fix CVE-2019-13313 + +* Wed Jul 31 2019 zhuguodong - 1.2.0-7 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC: openEuler Debranding + +* Sat Apr 6 2019 luochunsheng - 1.2.0-6 +- Type:enhancement +- ID:NA +- SUG:NA +- DESC:remove sensitive information + +* Thu Jan 24 2019 wangxiao - 1.2.0-5 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:sync patch + +* Fri Sep 6 2018 openEuler Buildteam - 1.2.0-4 +- Package init