diff --git a/rudder-agent/SOURCES/Makefile b/rudder-agent/SOURCES/Makefile index 6f674dac9..3cbc6ac52 100644 --- a/rudder-agent/SOURCES/Makefile +++ b/rudder-agent/SOURCES/Makefile @@ -22,7 +22,7 @@ RUDDER_VERSION_TO_PACKAGE = RUDDER_MAJOR_VERSION := $(shell echo ${RUDDER_VERSION_TO_PACKAGE} | cut -d'.' -f 1-2) -CFENGINE_RELEASE = 3.10.0 +CFENGINE_RELEASE = 3.10.2 FUSION_RELEASE = 2.3.19 LMDB_RELEASE = 0.9.18 OPENSSL_RELEASE = 1.0.2l diff --git a/rudder-agent/SOURCES/patches/cfengine/31-fix-symlink-traversal.patch b/rudder-agent/SOURCES/patches/cfengine/31-fix-symlink-traversal.patch deleted file mode 100644 index f3307ba3a..000000000 --- a/rudder-agent/SOURCES/patches/cfengine/31-fix-symlink-traversal.patch +++ /dev/null @@ -1,61 +0,0 @@ -diff -upr cfengine-a/libutils/file_lib.c cfengine-b/libutils/file_lib.c ---- cfengine-a/libutils/file_lib.c 2016-11-01 08:47:08.000000000 +0100 -+++ cfengine-b/libutils/file_lib.c 2016-11-25 18:21:44.163553332 +0100 -@@ -387,6 +387,7 @@ int safe_open(const char *pathname, int - bool trunc = false; - const int orig_flags = flags; - char *next_component = path; -+ bool p_uid; - - if (*next_component == '/') - { -@@ -408,6 +409,9 @@ int safe_open(const char *pathname, int - return -1; - } - -+ // current process user id -+ p_uid = geteuid(); -+ - size_t final_size = (size_t) -1; - while (next_component) - { -@@ -558,8 +562,13 @@ int safe_open(const char *pathname, int - close(currentfd); - return -1; - } -- if (stat_before.st_uid != stat_after.st_uid || -- stat_before.st_gid != stat_after.st_gid) -+ // The probable logic behind the user matching test is that some attacks use symlink creation to exploit a race condition -+ // This attack is not useful if the symlink has been created by root -+ // This attack is not useful if the process's user is the owner of the symlink -+ // As everyone use symlink for server administration, we reenable those cases. -+ if ( stat_before.st_uid != 0 && -+ stat_before.st_uid != p_uid && -+ (stat_before.st_uid != stat_after.st_uid || stat_before.st_gid != stat_after.st_gid) ) - { - close(currentfd); - // Return ENOLINK to signal that the link cannot be followed -@@ -736,6 +745,7 @@ static int safe_open_true_parent_dir(con - char *parent_dir = dirname(parent_dir_alloc); - char *leaf = basename(leaf_alloc); - struct stat statbuf; -+ uid_t p_uid = geteuid(); - - if ((dirfd = safe_open(parent_dir, O_RDONLY)) == -1) - { -@@ -747,7 +757,14 @@ static int safe_open_true_parent_dir(con - goto cleanup; - } - -- if (traversed_link && (link_user != statbuf.st_uid || link_group != statbuf.st_gid)) -+ // The probable logic behind the user matching test is that some attacks use symlink creation to exploit a race condition -+ // This attack is not useful if the symlink has been created by root -+ // This attack is not useful if the process's user is the owner of the symlink -+ // As everyone use symlink for server administration, we reenable those cases. -+ if ( traversed_link && -+ link_user != 0 && -+ link_user != p_uid && -+ (link_user != statbuf.st_uid || link_group != statbuf.st_gid) ) - { - errno = ENOLINK; - ret = -1; diff --git a/rudder-agent/SOURCES/patches/cfengine/50-build-with-pcre.patch b/rudder-agent/SOURCES/patches/cfengine/50-build-with-pcre.patch deleted file mode 100644 index dad289281..000000000 --- a/rudder-agent/SOURCES/patches/cfengine/50-build-with-pcre.patch +++ /dev/null @@ -1,32 +0,0 @@ -diff -ruN cfengine-source/cf-key/Makefile.am cfengine-source.new/cf-key/Makefile.am ---- cfengine-source/cf-key/Makefile.am 2016-11-01 08:47:08.000000000 +0100 -+++ cfengine-source.new/cf-key/Makefile.am 2016-12-01 16:24:37.521436465 +0100 -@@ -28,10 +28,12 @@ - -I$(srcdir)/../libutils \ - -I$(srcdir)/../libcfnet \ - -I$(srcdir)/../libpromises \ -+ $(PCRE_CPPFLAGS) \ - $(ENTERPRISE_CPPFLAGS) - - AM_CFLAGS = \ - $(OPENSSL_CFLAGS) \ -+ $(PCRE_CFLAGS) \ - $(ENTERPRISE_CFLAGS) - - libcf_key_la_SOURCES = \ -diff -ruN cfengine-source/cf-key/Makefile.in cfengine-source.new/cf-key/Makefile.in ---- cfengine-source/cf-key/Makefile.in 2016-11-01 08:47:50.000000000 +0100 -+++ cfengine-source.new/cf-key/Makefile.in 2016-12-01 16:25:02.017436542 +0100 -@@ -427,10 +427,12 @@ - -I$(srcdir)/../libutils \ - -I$(srcdir)/../libcfnet \ - -I$(srcdir)/../libpromises \ -+ $(PCRE_CPPFLAGS) \ - $(ENTERPRISE_CPPFLAGS) - - AM_CFLAGS = \ - $(OPENSSL_CFLAGS) \ -+ $(PCRE_CFLAGS) \ - $(ENTERPRISE_CFLAGS) - - libcf_key_la_SOURCES = \