From 8ed9862012642a9737480290e467431eeb3d1987 Mon Sep 17 00:00:00 2001
From: Wenchao Hao
Date: Mon, 25 Jan 2021 19:55:27 +0800
Subject: [PATCH] fix CVE-2020-14019
Signed-off-by: Wenchao Hao
---
...opy-temp-configfile-with-permissions.patch | 53 +++++++++++++++++++
...n-the-temp-configfile-with-modes-set.patch | 46 ++++++++++++++++
0003-save_to_file-fix-fd-open-mode.patch | 29 ++++++++++
python-rtslib.spec | 9 +++-
4 files changed, 136 insertions(+), 1 deletion(-)
create mode 100644 0001-saveconfig-copy-temp-configfile-with-permissions.patch
create mode 100644 0002-saveconfig-open-the-temp-configfile-with-modes-set.patch
create mode 100644 0003-save_to_file-fix-fd-open-mode.patch
diff --git a/0001-saveconfig-copy-temp-configfile-with-permissions.patch b/0001-saveconfig-copy-temp-configfile-with-permissions.patch
new file mode 100644
index 0000000..e8b7cd2
--- /dev/null
+++ b/0001-saveconfig-copy-temp-configfile-with-permissions.patch
@@ -0,0 +1,53 @@
+From b23d061ee0fa7924d2cdce6194c313b9ee06c468 Mon Sep 17 00:00:00 2001
+From: Prasanna Kumar Kalever
+Date: Thu, 28 May 2020 20:42:16 +0530
+Subject: [PATCH] saveconfig: copy temp configfile with permissions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+shutil.copyfile() will not copy permissions, so all the perms that we
+set on tempfile will go for a toss, and will be reset to default
+
+┌──────────────────┬────────┬───────────┬───────┬────────────────┐
+│ Function │ Copies │ Copies │Can use│ Destination │
+│ │metadata│permissions│buffer │may be directory│
+├──────────────────┼────────┼───────────┼───────┼────────────────┤
+│shutil.copy │ No │ Yes │ No │ Yes │
+│shutil.copyfile │ No │ No │ No │ No │
+│shutil.copy2 │ Yes │ Yes │ No │ Yes │
+│shutil.copyfileobj│ No │ No │ Yes │ No │
+└──────────────────┴────────┴───────────┴───────┴────────────────┘
+
+Without this fix:
+----------------
+$ ls /etc/target/saveconfig.json -l
+-rw-r--r-- 1 root root 5078 May 28 20:01 /etc/target/saveconfig.json
+
+With this fix:
+--------------
+$ ls /etc/target/saveconfig.json -l
+-rw------- 1 root root 5078 May 28 20:15 /etc/target/saveconfig.json
+
+Signed-off-by: Prasanna Kumar Kalever
+---
+ rtslib/root.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/rtslib/root.py b/rtslib/root.py
+index a101edd..7364154 100644
+--- a/rtslib/root.py
++++ b/rtslib/root.py
+@@ -486,7 +486,8 @@ class RTSRoot(CFSNode):
+ os.fsync(f.fileno())
+ f.close()
+
+- shutil.copyfile(tmp_file, save_file)
++ # copy along with permissions
++ shutil.copy(tmp_file, save_file)
+ os.remove(tmp_file)
+
+ def restore_from_file(self, restore_file=None, clear_existing=True,
+--
+1.8.3.1
+
diff --git a/0002-saveconfig-open-the-temp-configfile-with-modes-set.patch b/0002-saveconfig-open-the-temp-configfile-with-modes-set.patch
new file mode 100644
index 0000000..f2dbbcd
--- /dev/null
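Review bot: `shutil.copy(tmp_file, save_file)` in the embedded root.py hunk still truncates and rewrites the existing save_file before copymode() tightens its bits, so when the previous saveconfig.json is 0644 (the "Without this fix" listing above) the new contents sit world-readable until the chmod runs, and the copy is not atomic. Since the temp file lives next to the target (`tmp_file = save_file + ".temp"` in the 0002 patch), `os.replace(tmp_file, save_file)` would move the 0600 file into place in one step and make the following `os.remove(tmp_file)` unnecessary. If the backport must stay byte-for-byte with upstream b23d061, a comment such as `# copy() chmods only after writing: the old mode applies while the new data lands` would at least record the remaining window. The enclosing method (save_to_file, per the 0003 subject) starts before and ends after this hunk.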
+++ b/0002-saveconfig-open-the-temp-configfile-with-modes-set.patch
@@ -0,0 +1,46 @@
+From dffcf83bead64e959505d64ad587768647caab3a Mon Sep 17 00:00:00 2001
+From: Prasanna Kumar Kalever
+Date: Thu, 28 May 2020 19:53:04 +0530
+Subject: [PATCH] saveconfig: open the temp configfile with modes set
+
+Fixes: #161
+Signed-off-by: Prasanna Kumar Kalever
+---
+ rtslib/root.py | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/rtslib/root.py b/rtslib/root.py
+index afe1a53..a101edd 100644
+--- a/rtslib/root.py
++++ b/rtslib/root.py
+@@ -461,8 +461,25 @@ class RTSRoot(CFSNode):
+
+ tmp_file = save_file + ".temp"
+
+- with open(tmp_file, "w+") as f:
+- os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IWUSR)
++ mode = stat.S_IRUSR | stat.S_IWUSR # 0o600
++ umask = 0o777 ^ mode # Prevents always downgrading umask to 0
++
++ # For security, remove file with potentially elevated mode
++ try:
++ os.remove(tmp_file)
++ except OSError:
++ pass
++
++ umask_original = os.umask(umask)
++ # Even though the old file is first deleted, a race condition is still
++ # possible. Including os.O_EXCL with os.O_CREAT in the flags will
++ # prevent the file from being created if it exists due to a race
++ try:
++ fdesc = os.open(tmp_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
++ finally:
++ os.umask(umask_original)
++
++ with os.fdopen(fdesc, 'w+') as f:
+ f.write(json.dumps(saveconf, sort_keys=True, indent=2))
+ f.write("\n")
+ f.flush()
+--
+1.8.3.1
+
diff --git a/0003-save_to_file-fix-fd-open-mode.patch b/0003-save_to_file-fix-fd-open-mode.patch
new file mode 100644
index 0000000..b8c0a18
--- /dev/null
+++ b/0003-save_to_file-fix-fd-open-mode.patch
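Review bot: The `os.umask(umask)` / `os.umask(umask_original)` pair around the `os.open` call is process-wide, so files created by any other thread while the temp file is being opened inherit the 0o177 mask, and it adds nothing to the permission ceiling: `os.open(..., mode)` with `mode = 0o600` already limits the new file to owner read/write, because a umask can only clear bits. Unless the intent is to force exactly 0o600 even under a stricter caller umask, the two umask calls and their try/finally could be dropped, leaving `fdesc = os.open(tmp_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)`; if that intent stands, a comment such as `# umask 0o177 yields exactly 0o600 regardless of the caller's umask` would make it explicit. The `except OSError: pass` around `os.remove(tmp_file)` is acceptable as best effort, since a path that could not be removed makes the O_EXCL open fail rather than reuse it. The enclosing method starts before this hunk.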
@@ -0,0 +1,29 @@
+From fc7c15f882d800cc7bce03936dfec7c5b7cd13bf Mon Sep 17 00:00:00 2001
+From: Prasanna Kumar Kalever
+Date: Tue, 9 Jun 2020 11:47:42 +0530
+Subject: [PATCH 10/15] save_to_file: fix fd open mode
+
+since we used O_WRONLY with os.open(), lets stick to
+same mode with os.fdopen() too
+
+Signed-off-by: Prasanna Kumar Kalever
+---
+ rtslib/root.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rtslib/root.py b/rtslib/root.py
+index 3135467..2c5cf43 100644
+--- a/rtslib/root.py
++++ b/rtslib/root.py
+@@ -479,7 +479,7 @@ class RTSRoot(CFSNode):
+ finally:
+ os.umask(umask_original)
+
+- with os.fdopen(fdesc, 'w+') as f:
++ with os.fdopen(fdesc, 'w') as f:
+ f.write(json.dumps(saveconf, sort_keys=True, indent=2))
+ f.write("\n")
+ f.flush()
+--
+2.27.0
+
diff --git a/python-rtslib.spec b/python-rtslib.spec
index fbdf84f..7f371a0 100644
--- a/python-rtslib.spec
+++ b/python-rtslib.spec
@@ -2,13 +2,17 @@ Name: python-rtslib
Version: 2.1.70
-Release: 4
+Release: 5
Summary: Python object API for Linux kernel LIO SCSI target
License: ASL 2.0
URL: https://github.com/open-iscsi/%{oname}
Source0: %{url}/archive/v%{version}/%{oname}-%{version}.tar.gz
+Patch1: 0001-saveconfig-copy-temp-configfile-with-permissions.patch
+Patch2: 0002-saveconfig-open-the-temp-configfile-with-modes-set.patch
+Patch3: 0003-save_to_file-fix-fd-open-mode.patch
+
BuildArch: noarch
BuildRequires: systemd
Requires(post): systemd
@@ -91,6 +95,9 @@ install -m 644 doc/saveconfig.json.5 %{buildroot}%{_mandir}/man5/
%{_mandir}/man5/saveconfig.json.5*
%changelog
+* Mon Jan 25 2020 Wenchao Hao - 2.1.70-5
+- fix CVE-2020-14019
+
* Thu Jan 07 2021 Lixiaokeng - 2.1.70-4 - python2-kmod is removed and required by python2-rtslib. Remove python2-rtslib.
--
Gitee
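Review bot: Patch1 and Patch2 are declared in the reverse of the upstream order they were taken from: the `index afe1a53..a101edd` line inside 0002 shows it produced the tree that 0001 (`index a101edd..7364154`) was generated against, and 0003 (`index 3135467..2c5cf43`, subject `[PATCH 10/15]`) was cut from yet another base. The three hunks touch disjoint lines of save_to_file, so they presumably still apply with an offset, but numbering them in upstream order (mode-set, then copy-with-permissions, then the fdopen fix) or a short comment next to the Patch lines would keep the backport traceable. `%prep` is outside this hunk, so it is not visible whether the patches are applied via `%autosetup -p1` or explicit `%patch` lines; worth confirming, since a declared but unapplied Patch would leave the CVE open while the Release bump and changelog claim the fix.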
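Review bot: The new %changelog entry is dated `Mon Jan 25 2020`, a year earlier than the `Thu Jan 07 2021` entry below it and than this commit's own Date header (25 Jan 2021); 25 Jan 2020 was a Saturday, so rpmbuild and rpmlint will likely flag the entry (weekday does not match the date, entries not in descending order). The line should read `* Mon Jan 25 2021 Wenchao Hao - 2.1.70-5`. The bullet could also say what changed, e.g. `- fix CVE-2020-14019: create the saveconfig temp file 0600 and preserve its mode when copying`, so the entry explains the three patches without opening them.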