microsoft · 0xba1a · May 20, 2025 · May 16, 2025
@@ -0,0 +1,125 @@
+From 4c593d659aff212cdcf9d3ca40cd24a8277f6638 Mon Sep 17 00:00:00 2001
+From: jykanase <v-jykanase@microsoft.com>
+Date: Fri, 16 May 2025 06:48:14 +0000
+Subject: [PATCH] CVE-2024-2905
+https://github.com/coreos/rpm-ostree/pull/4911
+---
+ Makefile-daemon.am                            |  1 +
+ packaging/rpm-ostree.spec.in                  |  5 +++++
+ rust/src/passwd.rs                            | 14 ++++++++++++++
+ src/daemon/rpm-ostree-fix-shadow-mode.service | 19 +++++++++++++++++++
+ tests/compose/libbasic-test.sh                |  5 +++++
+ 5 files changed, 44 insertions(+)
+ create mode 100644 src/daemon/rpm-ostree-fix-shadow-mode.service
+
+diff --git a/Makefile-daemon.am b/Makefile-daemon.am
+index 4233d90..f96f49a 100644
+--- a/Makefile-daemon.am
++++ b/Makefile-daemon.am
+@@ -60,6 +60,7 @@ systemdunit_service_file_names = \
+ 	rpm-ostreed-automatic.service \
+ 	rpm-ostree-bootstatus.service \
+ 	rpm-ostree-countme.service \
++	rpm-ostree-fix-shadow-mode.service \
+ 	$(NULL)
+
+ systemdunit_service_files = $(addprefix $(srcdir)/src/daemon/,$(systemdunit_service_file_names))
+diff --git a/packaging/rpm-ostree.spec.in b/packaging/rpm-ostree.spec.in
+index 8aa9afa..f734f67 100644
+--- a/packaging/rpm-ostree.spec.in
++++ b/packaging/rpm-ostree.spec.in
+@@ -237,6 +237,11 @@ $PYTHON autofiles.py > files.devel \
+ # Setup rpm-ostree-countme.timer according to presets
+ %post
+ %systemd_post rpm-ostree-countme.timer
++# Only enable on rpm-ostree based systems and manually force unit enablement to
++# explicitly ignore presets for this security fix
++if [ -e /run/ostree-booted ]; then
++    ln -snf /usr/lib/systemd/system/rpm-ostree-fix-shadow-mode.service  /usr/lib/systemd/system/multi-user.target.wants/
++fi
+
+ %preun
+ %systemd_preun rpm-ostree-countme.timer
+diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs
+index 79ee488..8f0e584 100644
+--- a/rust/src/passwd.rs
++++ b/rust/src/passwd.rs
+@@ -421,6 +421,12 @@ fn write_data_from_treefile(
+     let db = rootfs.open(target_passwd_path).map(BufReader::new)?;
+     let shadow_name = target.shadow_file();
+     let target_shadow_path = format!("{}{}", dest_path, shadow_name);
++    // Ideally these permissions come from `setup`, which is the package
++    // that owns these files:
++    // https://src.fedoraproject.org/rpms/setup/blob/c6f58b338bd3/f/setup.spec#_96
++    // But at this point of the compose, the rootfs is completely empty; we
++    // haven't started unpacking things yet. So we need to hardcode it here.
++    let shadow_perms = cap_std::fs::Permissions::from_mode(0);
+
+     match target {
+         PasswdKind::User => {
+@@ -430,6 +436,10 @@ fn write_data_from_treefile(
+                     for user in entries {
+                         writeln!(target_shadow, "{}:*::0:99999:7:::", user.name)?;
+                     }
++                    target_shadow
++                        .get_mut()
++                        .as_file_mut()
++                        .set_permissions(shadow_perms)?;
+                     Ok(())
+                 })
+                 .with_context(|| format!("Writing {target_shadow_path}"))?;
+@@ -441,6 +451,10 @@ fn write_data_from_treefile(
+                     for group in entries {
+                         writeln!(target_shadow, "{}:::", group.name)?;
+                     }
++                    target_shadow
++                        .get_mut()
++                        .as_file_mut()
++                        .set_permissions(shadow_perms)?;
+                     Ok(())
+                 })
+                 .with_context(|| format!("Writing {target_shadow_path}"))?;
+diff --git a/src/daemon/rpm-ostree-fix-shadow-mode.service b/src/daemon/rpm-ostree-fix-shadow-mode.service
+new file mode 100644
+index 0000000..4aea746
+--- /dev/null
++++ b/src/daemon/rpm-ostree-fix-shadow-mode.service
+@@ -0,0 +1,19 @@
++[Unit]
++# rpm-ostree v2023.6 introduced a permission issue on `/etc/[g]shadow[-]`.
++# This makes sure to fix permissions on systems that were deployed with the wrong permissions.
++Description=Update permissions for /etc/shadow
++Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6
++ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed.stamp
++ConditionPathExists=/run/ostree-booted
++# Make sure this is started before any unprivileged (interactive) user has access to the system.
++Before=systemd-user-sessions.service
++
++[Service]
++Type=oneshot
++ExecStart=chmod --verbose 0000 /etc/shadow /etc/gshadow
++ExecStart=-chmod --verbose 0000 /etc/shadow- /etc/gshadow-
++ExecStart=touch /etc/.rpm-ostree-shadow-mode-fixed.stamp
++RemainAfterExit=yes
++
++[Install]
++WantedBy=multi-user.target
+diff --git a/tests/compose/libbasic-test.sh b/tests/compose/libbasic-test.sh
+index 0a75176..3f7c6d8 100644
+--- a/tests/compose/libbasic-test.sh
++++ b/tests/compose/libbasic-test.sh
+@@ -22,6 +22,11 @@ validate_passwd group
+ ostree --repo=${repo} ls ${treeref} /usr/etc/passwd > passwd.txt
+ assert_file_has_content_literal passwd.txt '00644 '
+
++ostree --repo=${repo} ls ${treeref} /usr/etc/shadow > shadow.txt
++assert_file_has_content_literal shadow.txt '00000 '
++ostree --repo=${repo} ls ${treeref} /usr/etc/gshadow > gshadow.txt
++assert_file_has_content_literal gshadow.txt '00000 '
++
+ ostree --repo=${repo} cat ${treeref} /usr/etc/default/useradd > useradd.txt
+ assert_file_has_content_literal useradd.txt HOME=/var/home
+
+-- 
+2.45.2
+
@@ -1,14 +1,15 @@
 Summary:        Commit RPMs to an OSTree repository
 Name:           rpm-ostree
 Version:        2024.4
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 URL:            https://github.com/coreos/rpm-ostree
 Source0:        %{url}/releases/download/v%{version}/%{name}-%{version}.tar.xz
 Patch0:         0001-Revert-compose-Inject-our-static-tmpfiles.d-dropins-.patch
 Patch1:         rpm-ostree-libdnf-build.patch
+Patch2:         CVE-2024-2905.patch
 
 BuildRequires:  attr-devel
 BuildRequires:  autoconf
@@ -177,6 +178,9 @@ make check
 %{_datadir}/gir-1.0/*-1.0.gir
 
 %changelog
+* Fri May 16 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 2024.4-3
+- Patch CVE-2024-2905
+
 * Mon Apr 21 2025 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 2024.4-2
 - Pin rust version