[PATCH] main/doas: upgrade to 6.8.1
---
main/doas/APKBUILD | 12 ++++ --------
main/doas/reset-path.patch | 36 ------------------------------------
2 files changed, 4 insertions(+), 44 deletions(-)
delete mode 100644 main/doas/reset-path.patch
diff --git a/main/doas/APKBUILD b/main/doas/APKBUILD
index 6e863e45d1..3abbc541e0 100644
--- a/main/doas/APKBUILD
+++ b/main/doas/APKBUILD
@@ -1,17 +1,14 @@
# Maintainer: Drew DeVault <sir@cmpwn.com>
pkgname=doas
- pkgver=6.8
- pkgrel=1
+ pkgver=6.8.1
+ pkgrel=0
pkgdesc="OpenBSD's temporary privilege escalation tool"
url="https://github.com/Duncaen/OpenDoas"
arch="all"
license="BSD"
makedepends="bison"
subpackages="$pkgname-doc"
- source="
- $pkgname-$pkgver.tar.gz::https://github.com/Duncaen/OpenDoas/archive/v$pkgver.tar.gz
- reset-path.patch
- "
+ source="$pkgname-$pkgver.tar.gz::https://github.com/Duncaen/OpenDoas/archive/v$pkgver.tar.gz"
builddir="$srcdir/OpenDoas-$pkgver"
options="$options suid"
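Review bot: The commit message does not record why reset-path.patch can be dropped; this hunk removes it from `source=` (and the next hunk drops its sha512sums entry) with only the version bump as explanation. A one-line body such as `reset-path.patch is included upstream in 6.8.1` would let a reader confirm the PATH-reset fix is still applied without diffing the release, and I cannot verify from this page that the 6.8.1 tag actually contains that commit, so it should be checked before merging. Since the thread below describes the fix as addressing a vulnerability, the APKBUILD could also carry a `# secfixes:` block with a `6.8.1-r0:` entry naming the relevant advisory id (not given on this page) so the fix is visible to Alpine's security tracking.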
@@ -44,5 +41,4 @@ package() {
chmod 440 "$pkgdir"/etc/doas.conf
}
- sha512sums="4a57079bba353247e645bc07a5d4e78fd01471d193e83751fd87b72cffa4e152c0f7ea172563f767a7193b14489f57bc066b4fee50842d30b5b7f7ce918434bb doas-6.8.tar.gz
- f261e954e7daf89bb7a8381a0be2942edebe4020b3b304ca1a71a5e5894482f1725e3dc75bc0da0603bde9cb729516010d1fdaeb7cd464b2ad03b131edc614a7 reset-path.patch"
+ sha512sums="d96fe1cdd70e9211de9996ad05bcf7a127facd02af48f7ab2561869d9d16708f1b61722c6e6b9fe15a62e9ef501e09b1ba444b7b43a066f1895e543ebc9402e7 doas-6.8.1.tar.gz"
diff --git a/main/doas/reset-path.patch b/main/doas/reset-path.patch
deleted file mode 100644
index 0cf85f1e13..0000000000
--- a/main/doas/reset-path.patch
@@ -1,36 +0,0 @@
- From bf60b34f014432140b712395da9e792db3f55f06 Mon Sep 17 00:00:00 2001
- From: Duncan Overbruck <mail@duncano.de>
- Date: Thu, 28 Jan 2021 17:58:34 +0100
- Subject: [PATCH] correctly reset path for rules without specific command
-
- This is a fixup for commit 01c658f8c45cb92a343be5f32aa6da70b2032168
- where the behaviour was changed to not inherit the PATH variable
- by default.
- ---
- doas.c | 3 +++
- 1 file changed, 3 insertions(+)
-
- diff --git a/doas.c b/doas.c
- index a184650..d312b24 100644
- --- a/doas.c
- +++ b/doas.c
- @@ -386,6 +386,7 @@ main(int argc, char **argv)
-
- #ifdef HAVE_LOGIN_CAP_H
- if (setusercontext(NULL, targpw, target, LOGIN_SETGROUP |
- + LOGIN_SETPATH |
- LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
- LOGIN_SETUSER) != 0)
- errx(1, "failed to set user context for target");
- @@ -396,6 +397,8 @@ main(int argc, char **argv)
- err(1, "initgroups");
- if (setresuid(target, target, target) != 0)
- err(1, "setresuid");
- + if (setenv("PATH", safepath, 1) == -1)
- + err(1, "failed to set PATH '%s'", safepath);
- #endif
-
- if (getcwd(cwdpath, sizeof(cwdpath)) == NULL)
---
- 2.30.0
-
--
2.30.0
On Thu, Jan 28, 2021 at 05:08:33PM -0500, Drew DeVault wrote:
> ---
> main/doas/APKBUILD | 12 ++++--------
> main/doas/reset-path.patch | 36 ------------------------------------
> 2 files changed, 4 insertions(+), 44 deletions(-)
> delete mode 100644 main/doas/reset-path.patch
>
> diff --git a/main/doas/APKBUILD b/main/doas/APKBUILD
> index 6e863e45d1..3abbc541e0 100644
> --- a/main/doas/APKBUILD
> +++ b/main/doas/APKBUILD
> @@ -1,17 +1,14 @@
> # Maintainer: Drew DeVault <sir@cmpwn.com >
> pkgname=doas
> -pkgver=6.8
> -pkgrel=1
> +pkgver=6.8.1
> +pkgrel=0
> pkgdesc="OpenBSD's temporary privilege escalation tool"
> url="https://github.com/Duncaen/OpenDoas"
> arch="all"
> license="BSD"
> makedepends="bison"
> subpackages="$pkgname-doc"
> -source="
> - $pkgname-$pkgver.tar.gz::https://github.com/Duncaen/OpenDoas/archive/v$pkgver.tar.gz
> - reset-path.patch
> -"
> +source="$pkgname-$pkgver.tar.gz::https://github.com/Duncaen/OpenDoas/archive/v$pkgver.tar.gz"
> builddir="$srcdir/OpenDoas-$pkgver"
> options="$options suid"
>
> @@ -44,5 +41,4 @@ package() {
> chmod 440 "$pkgdir"/etc/doas.conf
> }
>
> -sha512sums="4a57079bba353247e645bc07a5d4e78fd01471d193e83751fd87b72cffa4e152c0f7ea172563f767a7193b14489f57bc066b4fee50842d30b5b7f7ce918434bb doas-6.8.tar.gz
> -f261e954e7daf89bb7a8381a0be2942edebe4020b3b304ca1a71a5e5894482f1725e3dc75bc0da0603bde9cb729516010d1fdaeb7cd464b2ad03b131edc614a7 reset-path.patch"
> +sha512sums="d96fe1cdd70e9211de9996ad05bcf7a127facd02af48f7ab2561869d9d16708f1b61722c6e6b9fe15a62e9ef501e09b1ba444b7b43a066f1895e543ebc9402e7 doas-6.8.1.tar.gz"
> diff --git a/main/doas/reset-path.patch b/main/doas/reset-path.patch
> deleted file mode 100644
> index 0cf85f1e13..0000000000
> --- a/main/doas/reset-path.patch
> +++ /dev/null
> @@ -1,36 +0,0 @@
> -From bf60b34f014432140b712395da9e792db3f55f06 Mon Sep 17 00:00:00 2001
> -From: Duncan Overbruck <mail@duncano.de >
> -Date: Thu, 28 Jan 2021 17:58:34 +0100
> -Subject: [PATCH] correctly reset path for rules without specific command
> -
> -This is a fixup for commit 01c658f8c45cb92a343be5f32aa6da70b2032168
> -where the behaviour was changed to not inherit the PATH variable
> -by default.
> ----
> - doas.c | 3 +++
> - 1 file changed, 3 insertions(+)
> -
> -diff --git a/doas.c b/doas.c
> -index a184650..d312b24 100644
> ---- a/doas.c
> -+++ b/doas.c
> -@@ -386,6 +386,7 @@ main(int argc, char **argv)
> -
> - #ifdef HAVE_LOGIN_CAP_H
> - if (setusercontext(NULL, targpw, target, LOGIN_SETGROUP |
> -+ LOGIN_SETPATH |
> - LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
> - LOGIN_SETUSER) != 0)
> - errx(1, "failed to set user context for target");
> -@@ -396,6 +397,8 @@ main(int argc, char **argv)
> - err(1, "initgroups");
> - if (setresuid(target, target, target) != 0)
> - err(1, "setresuid");
> -+ if (setenv("PATH", safepath, 1) == -1)
> -+ err(1, "failed to set PATH '%s'", safepath);
> - #endif
> -
> - if (getcwd(cwdpath, sizeof(cwdpath)) == NULL)
> ---
> -2.30.0
> -
> --
> 2.30.0
>
Do we want to backport this to 3.13 as well?
On Fri Jan 29, 2021 at 12:20 PM EST, Kevin Daudt wrote:
> Do we want to backport this to 3.13 as well?
A separate fix for the vulnerability was already backported into older
Alpine versions.