Merge remote-tracking branch 'upstream/3' into 3

Updated patch to sync with upstream
Added upstream patch fix for reposync errors
2022-08-25 07:27:46 -05:00 · 2022-08-23 14:12:16 -05:00 · 2022-08-11 14:27:26 -05:00 · 2022-04-22 17:25:10 +02:00 · 2022-03-23 07:07:43 -06:00 · 2022-03-01 17:23:35 -07:00
4 changed files with 1184 additions and 1 deletions
--- a/2965.patch
+++ b/2965.patch
--- a/3227.patch
+++ b/3227.patch
@ -0,0 +1,52 @@
+From 7d5e0bb4a206365ce2cb1de30ba0f49ad43e97d2 Mon Sep 17 00:00:00 2001
+From: Robby Callicotte <rcallicotte@fedoraproject.org>
+Date: Thu, 11 Aug 2022 13:46:23 -0500
+Subject: [PATCH] Added backport fix for reposync
+
+---
+ cobbler/actions/reposync.py | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/cobbler/actions/reposync.py b/cobbler/actions/reposync.py
+index 2900dfd665..651514f36a 100644
+--- a/cobbler/actions/reposync.py
+++ b/cobbler/actions/reposync.py
+@@ -443,6 +443,9 @@ def rhn_sync(self, repo):
+         if repo.arch != "":
+             cmd = "%s -a %s" % (cmd, repo.arch)
+ 
+        if repo.arch == "":
+            cmd = "%s" % (cmd)
+
+         # Now regardless of whether we're doing yumdownloader or reposync or whether the repo was http://, ftp://, or
+         # rhn://, execute all queued commands here. Any failure at any point stops the operation.
+ 
+@@ -537,7 +540,7 @@ def yum_sync(self, repo):
+                     # Counter-intuitive, but we want the newish kernels too
+                     cmd = "%s -a i686" % (cmd)
+                 else:
+-                    cmd = "%s -a %s" % (cmd, repo.arch)
+                    cmd = "%s -a %s -a noarch" % (cmd, repo.arch)
+ 
+         else:
+             # Create the output directory if it doesn't exist
+@@ -570,12 +573,16 @@ def yum_sync(self, repo):
+             proxy = repo.proxy
+         (cert, verify) = self.gen_urlgrab_ssl_opts(repo.yumopts)
+ 
+-        # FIXME: These two variables were deleted
+-        repodata_path = ""
+-        repomd_path = ""
+        repodata_path = os.path.join(temp_path, "repodata")
+        repomd_path = os.path.join(repodata_path, "repomd.xml")
+         if os.path.exists(repodata_path) and not os.path.isfile(repomd_path):
+             shutil.rmtree(repodata_path, ignore_errors=False, onerror=None)
+ 
+        repodata_path = os.path.join(temp_path, "repodata")
+        if os.path.exists(repodata_path):
+            self.logger.info("Deleted old repo metadata for %s" % repodata_path)
+            shutil.rmtree(repodata_path, ignore_errors=False, onerror=None)
+
+         h = librepo.Handle()
+         r = librepo.Result()
+         h.setopt(librepo.LRO_REPOTYPE, librepo.LR_YUMREPO)
--- a/9044aa990a94752fa5bd5a24051adde099280bfa.patch
+++ b/9044aa990a94752fa5bd5a24051adde099280bfa.patch
@ -0,0 +1,42 @@
+From aeb10a6d169da55bab0a5000dce5913e467c9344 Mon Sep 17 00:00:00 2001
+From: Enno Gotthold <egotthold@suse.de>
+Date: Thu, 10 Mar 2022 16:16:29 +0100
+Subject: [PATCH] Security: Fix CVE-2022-0860
+
+If PAM is correctly configured and a user account is set to expired,
+the expired user-account is still able to successfully log into
+Cobbler in all places (Web UI, CLI & XMLRPC-API).
+
+The same applies to user accounts with passwords set to be expired.
+
+This patch is fixing this and checking that this behavior is now
+correct via a reproducible test.
+---
+ cobbler/modules/authentication/pam.py |  8 ++++++++
+ tests/special_cases/security_test.py  | 28 +++++++++++++++++++++++++++
+ 2 files changed, 36 insertions(+)
+
+diff --git a/cobbler/modules/authentication/pam.py b/cobbler/modules/authentication/pam.py
+index 97ecc02ab..893422c5b 100644
+--- a/cobbler/modules/authentication/pam.py
+++ b/cobbler/modules/authentication/pam.py
+@@ -114,6 +114,10 @@ class PamConv(Structure):
+ PAM_AUTHENTICATE.restype = c_int
+ PAM_AUTHENTICATE.argtypes = [PamHandle, c_int]
+ 
+PAM_ACCT_MGMT = LIBPAM.pam_acct_mgmt
+PAM_ACCT_MGMT.restype = c_int
+PAM_ACCT_MGMT.argtypes = [PamHandle, c_int]
+
+ 
+ def authenticate(api_handle, username: str, password: str) -> bool:
+     """
+@@ -157,4 +161,8 @@ def my_conv(n_messages, messages, p_response, app_data):
+         return False
+ 
+     retval = PAM_AUTHENTICATE(handle, 0)
+
+    if retval == 0:
+        retval = PAM_ACCT_MGMT(handle, 0)
+
+     return retval == 0
--- a/cobbler.spec
+++ b/cobbler.spec
@ -5,7 +5,7 @@

 Name:           cobbler
 Version:        3.2.2
-Release:        9%{?dist}
+Release:        13%{?dist}
 Summary:        Boot server configurator
 URL:            https://cobbler.github.io/
 License:        GPLv2+
@ -25,6 +25,12 @@ Patch3:         cobbler-remove-get-loaders.patch
 Patch4:         cobbler-CVE-2021-45082.patch
 # Do not run coverage tests
 Patch5:         cobbler-nocov.patch
+# Upstream fix for CVE-2022-0860 (expired accounts)
+Patch6:         https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa.patch
+# Based on https://github.com/cobbler/cobbler/pull/2965
+Patch7:         2965.patch
+# Upstream fix for reposync_librepo
+Patch8:         https://patch-diff.githubusercontent.com/raw/cobbler/cobbler/pull/3227.patch
 BuildArch:      noarch

 BuildRequires: python%{python3_pkgversion}-devel
@ -179,6 +185,20 @@ fi

 %post
 %systemd_post cobblerd.service
+# Fixup permission for world readable settings files
+chmod 640 %{_sysconfdir}/cobbler/settings.yaml
+chmod 600 %{_sysconfdir}/cobbler/mongodb.conf
+chmod 600 %{_sysconfdir}/cobbler/modules.conf
+chmod 640 %{_sysconfdir}/cobbler/users.conf
+chmod 640 %{_sysconfdir}/cobbler/users.digest
+chmod 750 %{_sysconfdir}/cobbler/settings.d
+chmod 640 %{_sysconfdir}/cobbler/settings.d/*
+chgrp apache %{_sysconfdir}/cobbler/settings.yaml
+chgrp apache %{_sysconfdir}/cobbler/users.conf
+chgrp apache %{_sysconfdir}/cobbler/users.digest
+chgrp apache %{_sysconfdir}/cobbler/settings.d
+chgrp apache %{_sysconfdir}/cobbler/settings.d/*
+

 %posttrans
 # Migrate pre-3.2.1 settings to settings.yaml
@ -281,6 +301,21 @@ sed -i -e "s/SECRET_KEY = ''/SECRET_KEY = \'$RAND_SECRET\'/" %{_datadir}/cobbler


 %changelog
+* Wed Aug 10 2022 Robby Callicotte <rcallicotte@fedoraproject.org> - 3.2.2-13
+- Add upstream patch for reposync errors (bz#2117750)
+
+* Fri Apr 22 2022 Xavier Bachelot <xavier@bachelot.org> - 3.2.2-12
+- Add patch7:
+  - fix ldap anonymous bind
+  - sync distro signatures
+  - support older anaconda boot line options
+
+* Wed Mar 23 2022 Orion Poplawski <orion@nwra.com> - 3.2.2-11
+- Add upstream patch for CVE-2022-0860 (bz#2066592)
+
+* Wed Mar 02 2022 Orion Poplawski <orion@nwra.com> - 3.2.2-10
+- More complete fix for CVE-2021-45083 - enforce permissions in %%post
+
 * Tue Mar 01 2022 Orion Poplawski <orion@nwra.com> - 3.2.2-9
 - Apply fixes for CVE-2021-45082/3
 - Remove BR on python3-coverage
Author	SHA1	Message	Date
Robby Callicotte	75085bbe88	Merge remote-tracking branch 'upstream/3' into 3	2022-08-25 07:27:46 -05:00
Robby Callicotte	802b141f1b	Updated patch to sync with upstream	2022-08-23 14:12:16 -05:00
Robby Callicotte	98d0179877	Added upstream patch fix for reposync errors	2022-08-11 14:27:26 -05:00
Xavier Bachelot	0ff1d9cb43	Fix anonbind/Sync distro sigs/Support old anaconda	2022-04-22 17:25:10 +02:00
Orion Poplawski	5ddaaca42c	Add upstream patch for CVE-2022-0860 (bz#2066592)	2022-03-23 07:07:43 -06:00
Orion Poplawski	c930a1ecda	More complete fix for CVE-2021-45083 - enforce permissions in %post	2022-03-01 17:23:35 -07:00