quagga: CVE-2021-44038 unsafe chown/chmod operations may lead to privileges escalation

Upstream-Status: Backport from https://build.opensuse.org/package/view_file/network/quagga/remove-chown-chmod.service.patch

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2 files changed, 118 insertions, 1 deletions

diff --git a/meta-networking/recipes-protocols/quagga/files/CVE-2021-44038.patch b/meta-networking/recipes-protocols/quagga/files/CVE-2021-44038.patch
new file mode 100644
index 0000000000..bdb48a3993
--- /dev/null
+++ b/meta-networking/recipes-protocols/quagga/files/CVE-2021-44038.patch
@@ -0,0 +1,117 @@
+From b2484f4df6414a6b3dd68b4069b79279c746cc27 Mon Sep 17 00:00:00 2001
+From: Marius Tomaschewski <mt@suse.com>
+Date: Fri Nov 11 09:07:22 UTC 2022
+Subject: [PATCH] quagga: unsafe chown/chmod operations may lead to privileges escalation
+
+Reference: https://bugzilla.suse.com/show_bug.cgi?id=1191890
+
+Patch taken from https://build.opensuse.org/package/view_file/network/quagga/remove-chown-chmod.service.patch
+
+CVE: CVE-2021-44038
+Signed-off-by: Marius Tomaschewski <mt@suse.com>
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ redhat/bgpd.service   | 2 --
+ redhat/isisd.service  | 2 --
+ redhat/ospf6d.service | 2 --
+ redhat/ospfd.service  | 2 --
+ redhat/ripd.service   | 2 --
+ redhat/ripngd.service | 2 --
+ redhat/zebra.service  | 3 ---
+ 7 files changed, 15 deletions(-)
+
+diff --git a/redhat/bgpd.service b/redhat/bgpd.service
+index a50bfff..6f46a97 100644
+--- a/redhat/bgpd.service
++++ b/redhat/bgpd.service
+@@ -10,8 +10,6 @@ Documentation=man:bgpd
+ [Service]
+ Type=forking
+ EnvironmentFile=/etc/sysconfig/quagga
+-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/bgpd.conf
+-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/bgpd.conf
+ ExecStart=/usr/sbin/bgpd -d $BGPD_OPTS -f /etc/quagga/bgpd.conf
+ Restart=on-abort
+ 
+diff --git a/redhat/isisd.service b/redhat/isisd.service
+index 93663aa..c1464c0 100644
+--- a/redhat/isisd.service
++++ b/redhat/isisd.service
+@@ -10,8 +10,6 @@ Documentation=man:isisd
+ [Service]
+ Type=forking
+ EnvironmentFile=/etc/sysconfig/quagga
+-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/isisd.conf
+-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/isisd.conf
+ ExecStart=/usr/sbin/isisd -d $ISISD_OPTS -f /etc/quagga/isisd.conf
+ Restart=on-abort
+ 
+diff --git a/redhat/ospf6d.service b/redhat/ospf6d.service
+index 3c1c978..d493429 100644
+--- a/redhat/ospf6d.service
++++ b/redhat/ospf6d.service
+@@ -10,8 +10,6 @@ Documentation=man:ospf6d
+ [Service]
+ Type=forking
+ EnvironmentFile=/etc/sysconfig/quagga
+-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospf6d.conf
+-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospf6d.conf
+ ExecStart=/usr/sbin/ospf6d -d $OSPF6D_OPTS -f /etc/quagga/ospf6d.conf
+ Restart=on-abort
+ 
+diff --git a/redhat/ospfd.service b/redhat/ospfd.service
+index 0084b6c..6c84580 100644
+--- a/redhat/ospfd.service
++++ b/redhat/ospfd.service
+@@ -10,8 +10,6 @@ Documentation=man:ospfd
+ [Service]
+ Type=forking
+ EnvironmentFile=/etc/sysconfig/quagga
+-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospfd.conf
+-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospfd.conf
+ ExecStart=/usr/sbin/ospfd -d $OSPFD_OPTS -f /etc/quagga/ospfd.conf
+ Restart=on-abort
+ 
+diff --git a/redhat/ripd.service b/redhat/ripd.service
+index 103b5a9..be0f75c 100644
+--- a/redhat/ripd.service
++++ b/redhat/ripd.service
+@@ -10,8 +10,6 @@ Documentation=man:ripd
+ [Service]
+ Type=forking
+ EnvironmentFile=/etc/sysconfig/quagga
+-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripd.conf
+-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripd.conf
+ ExecStart=/usr/sbin/ripd -d $RIPD_OPTS -f /etc/quagga/ripd.conf
+ Restart=on-abort
+ 
+diff --git a/redhat/ripngd.service b/redhat/ripngd.service
+index 6fe6ba8..23447da 100644
+--- a/redhat/ripngd.service
++++ b/redhat/ripngd.service
+@@ -10,8 +10,6 @@ Documentation=man:ripngd
+ [Service]
+ Type=forking
+ EnvironmentFile=/etc/sysconfig/quagga
+-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripngd.conf
+-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripngd.conf
+ ExecStart=/usr/sbin/ripngd -d $RIPNGD_OPTS -f /etc/quagga/ripngd.conf
+ Restart=on-abort
+ 
+diff --git a/redhat/zebra.service b/redhat/zebra.service
+index fa5a004..e3cf0ab 100644
+--- a/redhat/zebra.service
++++ b/redhat/zebra.service
+@@ -10,9 +10,6 @@ Documentation=man:zebra
+ Type=forking
+ EnvironmentFile=-/etc/sysconfig/quagga
+ ExecStartPre=/sbin/ip route flush proto zebra
+-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/vtysh.conf /etc/quagga/zebra.conf
+-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /run/quagga /etc/quagga/zebra.conf
+-ExecStartPre=-/bin/chown -f ${QUAGGA_USER}${VTY_GROUP:+":$VTY_GROUP"} quaggavty /etc/quagga/vtysh.conf
+ ExecStart=/usr/sbin/zebra -d $ZEBRA_OPTS -f /etc/quagga/zebra.conf
+ Restart=on-abort
+ 
+-- 
+2.25.1
+
diff --git a/meta-networking/recipes-protocols/quagga/quagga.inc b/meta-networking/recipes-protocols/quagga/quagga.inc
index 134a33d478..5ef3843b15 100644
--- a/meta-networking/recipes-protocols/quagga/quagga.inc
+++ b/meta-networking/recipes-protocols/quagga/quagga.inc
@@ -34,8 +34,8 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/quagga/quagga-${PV}.tar.gz; \
            file://ripd.service \
            file://ripngd.service \
            file://zebra.service \
+           file://CVE-2021-44038.patch \
           "
-
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
 PACKAGECONFIG[cap] = "--enable-capabilities,--disable-capabilities,libcap"
 PACKAGECONFIG[pam] = "--with-libpam, --without-libpam, libpam"