From c930a1ecda0f9106f60410ed5ef0bcd0e80721f2 Mon Sep 17 00:00:00 2001
From: Orion Poplawski
Date: Tue, 1 Mar 2022 17:23:35 -0700
Subject: [PATCH 1/2] More complete fix for CVE-2021-45083 - enforce permissions in %post
---
 cobbler.spec | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/cobbler.spec b/cobbler.spec
index 86073a8..1cac030 100644
--- a/cobbler.spec
+++ b/cobbler.spec
@@ -5,7 +5,7 @@
 Name: cobbler
 Version: 3.2.2
-Release: 9%{?dist}
+Release: 10%{?dist}
 Summary: Boot server configurator
 URL: https://cobbler.github.io/
 License: GPLv2+
@@ -179,6 +179,20 @@ fi
 %post
 %systemd_post cobblerd.service
+# Fixup permission for world readable settings files
+chmod 640 %{_sysconfdir}/cobbler/settings.yaml
+chmod 600 %{_sysconfdir}/cobbler/mongodb.conf
+chmod 600 %{_sysconfdir}/cobbler/modules.conf
+chmod 640 %{_sysconfdir}/cobbler/users.conf
+chmod 640 %{_sysconfdir}/cobbler/users.digest
+chmod 750 %{_sysconfdir}/cobbler/settings.d
+chmod 640 %{_sysconfdir}/cobbler/settings.d/*
+chgrp apache %{_sysconfdir}/cobbler/settings.yaml
+chgrp apache %{_sysconfdir}/cobbler/users.conf
+chgrp apache %{_sysconfdir}/cobbler/users.digest
+chgrp apache %{_sysconfdir}/cobbler/settings.d
+chgrp apache %{_sysconfdir}/cobbler/settings.d/*
+
 %posttrans
 # Migrate pre-3.2.1 settings to settings.yaml
@@ -281,6 +295,9 @@ sed -i -e "s/SECRET_KEY = ''/SECRET_KEY = \'$RAND_SECRET\'/" %{_datadir}/cobbler
 %changelog
+* Wed Mar 02 2022 Orion Poplawski - 3.2.2-10
+- More complete fix for CVE-2021-45083 - enforce permissions in %%post
+
 * Tue Mar 01 2022 Orion Poplawski - 3.2.2-9
 - Apply fixes for CVE-2021-45082/3
 - Remove BR on python3-coverage
From 5ddaaca42c7d9116d2e2806f25e2d27c995d0d84 Mon Sep 17 00:00:00 2001
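Review bot: The two glob commands in the new `%post` block, `chmod 640 %{_sysconfdir}/cobbler/settings.d/*` and `chgrp apache %{_sysconfdir}/cobbler/settings.d/*`, receive the unexpanded pattern when settings.d is empty and fail, and since the `chgrp` is the last command of the scriptlet its status becomes the scriptlet's exit status. The glob would also match any subdirectory, which would lose its search bit under mode 640. A form that tolerates an empty directory and touches only regular files is `find %{_sysconfdir}/cobbler/settings.d -type f -exec chmod 640 {} + -exec chgrp apache {} +`. The `chgrp apache` lines also assume the group exists when `%post` runs; the dependency that guarantees this is not visible in the hunk and is worth confirming.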
From: Orion Poplawski
Date: Wed, 23 Mar 2022 07:07:43 -0600
Subject: [PATCH 2/2] Add upstream patch for CVE-2022-0860 (bz#2066592)
---
 ...aa990a94752fa5bd5a24051adde099280bfa.patch | 42 +++++++++++++++++++
 cobbler.spec | 7 +++-
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 9044aa990a94752fa5bd5a24051adde099280bfa.patch
diff --git a/9044aa990a94752fa5bd5a24051adde099280bfa.patch b/9044aa990a94752fa5bd5a24051adde099280bfa.patch
new file mode 100644
index 0000000..1dfa700
--- /dev/null
+++ b/9044aa990a94752fa5bd5a24051adde099280bfa.patch
@@ -0,0 +1,42 @@
+From aeb10a6d169da55bab0a5000dce5913e467c9344 Mon Sep 17 00:00:00 2001
+From: Enno Gotthold
+Date: Thu, 10 Mar 2022 16:16:29 +0100
+Subject: [PATCH] Security: Fix CVE-2022-0860
+
+If PAM is correctly configured and a user account is set to expired,
+the expired user-account is still able to successfully log into
+Cobbler in all places (Web UI, CLI & XMLRPC-API).
+
+The same applies to user accounts with passwords set to be expired.
+
+This patch is fixing this and checking that this behavior is now
+correct via a reproducible test.
+---
+ cobbler/modules/authentication/pam.py | 8 ++++++++
+ tests/special_cases/security_test.py | 28 +++++++++++++++++++++++++++
+ 2 files changed, 36 insertions(+)
+
+diff --git a/cobbler/modules/authentication/pam.py b/cobbler/modules/authentication/pam.py
+index 97ecc02ab..893422c5b 100644
+--- a/cobbler/modules/authentication/pam.py
++++ b/cobbler/modules/authentication/pam.py
+@@ -114,6 +114,10 @@ class PamConv(Structure):
+ PAM_AUTHENTICATE.restype = c_int
+ PAM_AUTHENTICATE.argtypes = [PamHandle, c_int]
+
++PAM_ACCT_MGMT = LIBPAM.pam_acct_mgmt
++PAM_ACCT_MGMT.restype = c_int
++PAM_ACCT_MGMT.argtypes = [PamHandle, c_int]
++
+
+ def authenticate(api_handle, username: str, password: str) -> bool:
+ """
+@@ -157,4 +161,8 @@ def my_conv(n_messages, messages, p_response, app_data):
+ return False
+
+ retval = PAM_AUTHENTICATE(handle, 0)
++
++ if retval == 0:
++ retval = PAM_ACCT_MGMT(handle, 0)
++
+ return retval == 0
diff --git a/cobbler.spec b/cobbler.spec
index 1cac030..f5ca371 100644
--- a/cobbler.spec
+++ b/cobbler.spec
@@ -5,7 +5,7 @@
 Name: cobbler
 Version: 3.2.2
-Release: 10%{?dist}
+Release: 11%{?dist}
 Summary: Boot server configurator
 URL: https://cobbler.github.io/
 License: GPLv2+
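Review bot: In the embedded pam.py change the PAM transaction is not visibly closed: after `PAM_AUTHENTICATE` and the new `PAM_ACCT_MGMT` call the function goes straight to `return retval == 0`, which the single trailing context line suggests is the end of the file. If `pam_end` is not called elsewhere, each login attempt against the long-running cobblerd service leaves the handle and any per-transaction module state allocated. Binding `LIBPAM.pam_end` the same way `PAM_ACCT_MGMT` is bound and calling `PAM_END(handle, retval)` just before the return would close it. The start of `authenticate` lies outside the hunk, so where the handle is created should be checked first; as this is an upstream patch, the change belongs in an upstream follow-up rather than in this file.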
@@ -25,6 +25,8 @@ Patch3: cobbler-remove-get-loaders.patch
 Patch4: cobbler-CVE-2021-45082.patch
 # Do not run coverage tests
 Patch5: cobbler-nocov.patch
+# Upstream fix for CVE-2022-0860 (expired accounts)
+Patch6: https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa.patch
 BuildArch: noarch
 BuildRequires: python%{python3_pkgversion}-devel
@@ -295,6 +297,9 @@ sed -i -e "s/SECRET_KEY = ''/SECRET_KEY = \'$RAND_SECRET\'/" %{_datadir}/cobbler
 %changelog
+* Wed Mar 23 2022 Orion Poplawski - 3.2.2-11
+- Add upstream patch for CVE-2022-0860 (bz#2066592)
+
 * Wed Mar 02 2022 Orion Poplawski - 3.2.2-10
 - More complete fix for CVE-2021-45083 - enforce permissions in %%post
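Review bot: The `Patch6:` URL names upstream commit 9044aa990a94752fa5bd5a24051adde099280bfa, but the patch file added in this commit begins with `From aeb10a6d169da55bab0a5000dce5913e467c9344` and carries only the pam.py diff, although its own diffstat lists `tests/special_cases/security_test.py` and 36 insertions. The checked-in file therefore presumably differs from what the URL serves, which makes it harder to verify the patch against upstream by comparison. Recording this in the comment above the line would help, for example `# Upstream fix for CVE-2022-0860 (expired accounts); test changes dropped from the upstream patch`.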