packages/utils
Sebastian Kemper 9f5fb8034c mariadb: follow up on CVE-2020-7221
Today CVE-2020-7221 was publicly discussed on oss-sec [1]. MariaDB
upstream had not mentioned this CVE in their last release notes. The CVE
is related to auth-pam and the possibility of a local mariadb to root
user exploit in the mysql_install_db script.

Upstream has made amendments to the script, but according to the oss-sec
posts the folder permissions were not updated as they should have been.

In OpenWrt the script mysql_install_db is actually patched to never run
the commands in question. This has been this way since MariaDB 10.4 was
made available.

Still, the directory permissions set by the postinstall script are too
lax. To quote the discoverer of the issue, Matthias Gerstner from SUSE,
they exhibit "the dangerous situation of a setuid-root binary residing
in a directory owned by an unprivileged user".

This commit fixes this by changing the permissions to the following:

root:mariadb  0750 /usr/lib/mariadb/plugin/auth_pam_tool_dir

This way the setuid-root binary is only available to root and the
mariadb user, while at the same time the mariadb user has no ownership
of the directory.

[1] https://seclists.org/oss-sec/2020/q1/55

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2020-02-04 20:14:09 +01:00
acl acl: Switch to tarballs 2018-07-21 19:52:36 -07:00
acpica-unix treewide: Use default PKG_BUILD_DIR when possible 2019-10-13 02:01:34 +08:00
acpid acpid: Update to 2.0.32 2019-10-30 10:17:08 -07:00
ap51-flash ap51-flash: Update to 2019.0.1 2019-10-30 10:26:11 -07:00
at treewide: Change .*GPL.*+ licenses to SPDX compatible identifier 2019-09-10 07:45:15 +02:00
attendedsysupgrade-common treewide: add missing PKGARCH:=all to non-binary packages 2019-03-30 17:11:50 +08:00
attr attr: Backport upstream patch fixing compilation without bzero 2019-08-13 12:43:30 -07:00
auc auc: send revision in update check 2019-03-08 00:32:48 +01:00
avrdude avrdude: Fix GPIO path building 2019-07-02 10:07:53 -07:00
bandwidthd treewide: Use default PKG_BUILD_DIR when possible 2019-10-13 02:01:34 +08:00
banhosts add list of domains serving advertising 2015-07-03 12:21:03 +02:00
bash treewide: add PKG_CPE_ID for better cvescanner coverage 2019-09-17 12:40:26 +02:00
bc treewide: run "make check FIXUP=1" 2017-08-29 21:41:14 -07:00
beep Update Makefile 2017-01-16 03:10:38 -06:00
bigclown bigclown-mqtt2influxdb: update to version 1.2.0 2019-09-16 14:03:29 +02:00
bluelog treewide: Replace MD5SUM with HASH 2019-10-31 15:54:36 +08:00
bluez bluez: Update to version 5.51 2019-10-16 08:49:23 +01:00
bmx7-dnsupdate treewide: add missing PKGARCH:=all to non-binary packages 2019-03-30 17:11:50 +08:00
bonnie++ treewide: Remove self from PKG_MAINTAINER 2019-12-21 12:52:41 -08:00
btrfs-progs btrfs-progs: update to version 5.4.1 2020-01-11 23:11:09 +01:00
byobu byobu: Update to 5.130 2019-12-02 21:15:41 +08:00
cache-domains cache-domains: Changed to hotplug script 2019-12-02 19:16:42 +10:00
canutils canutils: fix canutils makefile dependency 2020-01-15 00:36:10 +00:00
ccid ccid: update to version 1.4.31 2020-01-07 01:27:16 +02:00
ccrypt treewide: Change .*GPL.*+ licenses to SPDX compatible identifier 2019-09-10 07:45:15 +02:00
cgroupfs-mount cgroups-mount,docker-ce,lxc: rework kernel feature dependency 2019-09-12 10:31:16 +08:00
cmdpad cmdpad: Fix compilation with musl 2019-07-06 16:47:37 -07:00
collectd collectd: add vmem uci config 2019-12-11 00:22:47 +01:00
containerd containerd: enable build for aarch64 and arm 2019-11-06 22:11:12 +08:00
coreutils treewide: add PKG_CPE_ID for better cvescanner coverage 2019-09-17 12:40:26 +02:00
crconf crconf: Pass CFLAGS properly 2019-08-28 13:56:10 -07:00
crelay crelay: Update to 0.13 2018-08-29 13:33:46 -07:00
cryptsetup cryptsetup: update to version 2.2.2 2020-01-07 01:27:16 +02:00
dbus treewide: add PKG_CPE_ID for better cvescanner coverage 2019-09-17 12:40:26 +02:00
device-observatory treewide: Change .*GPL.*+ licenses to SPDX compatible identifier 2019-09-10 07:45:15 +02:00
dfu-programmer dfu-programmer: Change PKG_SOURCE_URL to use @SF macro. 2018-02-20 13:40:27 -08:00
dfu-util treewide: Change .*GPL.*+ licenses to SPDX compatible identifier 2019-09-10 07:45:15 +02:00
digitemp treewide: Change .*GPL.*+ licenses to SPDX compatible identifier 2019-09-10 07:45:15 +02:00
dmidecode dmidecode: Update to 3.2 2018-10-28 10:08:22 -07:00
docker-ce docker-ce: bump to version 19.03.5 2019-11-16 20:19:59 +08:00
domoticz domoticz: Fix compilation with uClibc-ng 2019-12-24 17:21:38 -08:00
dosfstools treewide: add PKG_CPE_ID for better cvescanner coverage 2019-09-17 12:40:26 +02:00
dump1090 dump1090: update to 3.7.2 2019-09-27 18:40:10 +08:00
dvtm treewide: run "make check FIXUP=1" 2017-08-29 21:41:14 -07:00
ecdsautils ecdsautils: Cleanup Makefile to modern standards 2019-07-31 15:13:16 -07:00
evtest evtest: Fix compilation with musl 2019-11-27 23:40:40 -08:00
fft-eval fft-eval: new maintainer 2020-01-21 19:34:47 +05:00
findutils findutils: Update and switch to xz tarball 2019-10-24 00:24:02 +08:00
fio fio: Update to 3.16 2019-10-18 14:46:32 -07:00
fish fish: Fix compilation with libcxx 2019-12-18 12:01:21 -08:00
flashrom treewide: Use default PKG_BUILD_DIR when possible 2019-10-13 02:01:34 +08:00
flent-tools flent-tools: Update to 1.2.2 2019-05-12 00:32:38 -07:00
fontconfig treewide: add PKG_CPE_ID for better cvescanner coverage 2019-09-17 12:40:26 +02:00
gammu gammu: Remove python dependency, fix lib symlinks 2019-10-13 03:45:54 +08:00
gawk gawk: Update to 5.0.1 2019-10-31 18:09:18 -07:00
gddrescue gddrescue: Remove uClibc++ patch 2019-10-12 17:52:27 -07:00
gkermit gkermit: Fix compilation with -Wimplicit-function-declaration 2019-07-06 16:45:53 -07:00
gnupg gnupg: Remove myself as maintainer 2018-07-04 23:54:49 -04:00
gpsd gpsd: Update to 3.20, add/refresh patches 2020-01-17 04:42:46 +08:00
gptfdisk gptfdisk: Switch to using uClibc++ 2019-10-12 15:05:13 -07:00
grep treewide: add PKG_CPE_ID for better cvescanner coverage 2019-09-17 12:40:26 +02:00
gzip treewide: add PKG_CPE_ID for better cvescanner coverage 2019-09-17 12:40:26 +02:00
hamlib hamlib: Update to 3.3 2018-09-29 11:50:29 +08:00
haserl treewide: run "make check FIXUP=1" 2017-08-29 21:41:14 -07:00
hashdeep Hashdeep: add package 2019-04-19 10:33:20 +02:00
haveged haveged: convert to procd 2019-10-01 23:11:45 +03:00
hd-idle hd-idle: Update init script 2019-02-11 22:25:14 +08:00
hdparm hdparm: Fix LDFLAGS 2019-01-21 21:38:57 -08:00
hfsprogs treewide: Remove self from PKG_MAINTAINER 2019-12-21 12:52:41 -08:00
hplip sane-backends: run (xinetd) saned as non-root 2019-12-21 20:44:56 -03:00
hub-ctrl treewide: Change .*GPL.*+ licenses to SPDX compatible identifier 2019-09-10 07:45:15 +02:00
i2c-tools treewide: avoid deref symlinks when installing .so 2019-06-21 09:52:32 +08:00
idevicerestore idevicerestore: Add package 2019-12-16 12:24:01 -08:00
infozip zip: rename package to infozip to avoid name collision with tools 2020-02-01 10:23:16 +02:00
inotify-tools inotify-tools: update to 3.20.1 2018-05-07 20:18:59 +02:00
io io: Add TARGET_LDFLAGS to fix PIE 2019-11-13 23:25:03 +01:00
irqbalance irqbalance: add support for uci config 2019-06-02 12:43:08 +03:00
joe treewide: add PKG_CPE_ID for better cvescanner coverage 2019-09-17 12:40:26 +02:00
jq jq: compile with _GNU_SOURCE (fixes #7785) 2019-02-11 06:58:21 -05:00
jupp jupp: new package 2018-12-03 16:16:44 +00:00
klish klish: Remove unused libstdcpp dependency 2019-10-17 12:22:22 -07:00
kmod treewide: Change .*GPL.*+ licenses to SPDX compatible identifier 2019-09-10 07:45:15 +02:00
lcd4linux lcd4linux: Add limits header for PATH_MAX 2019-11-27 23:36:07 -08:00
lcdproc lcdproc: add serdisplib dependency 2020-01-20 17:13:04 -08:00
less treewide: Use default PKG_BUILD_DIR when possible 2019-10-13 02:01:34 +08:00
libnetwork libnetwork: enable build for aarch64 and arm 2019-11-06 22:11:12 +08:00
lm-sensors lm-sensors: update to 3.6.0 2019-10-20 22:40:31 +08:00
logrotate treewide: add PKG_CPE_ID for better cvescanner coverage 2019-09-17 12:40:26 +02:00
lrzsz treewide: Change .*GPL.*+ licenses to SPDX compatible identifier 2019-09-10 07:45:15 +02:00
lsof lsof: Fix dead URL + cosmetic fixes 2018-08-15 18:53:58 -07:00
lvm2 lvm2: update to version 2.03.05 2020-01-07 01:27:16 +02:00
lxc lxc: Fix pkgconfig file 2019-11-27 23:28:24 -08:00
macchanger treewide: Change .*GPL.*+ licenses to SPDX compatible identifier 2019-09-10 07:45:15 +02:00
mariadb mariadb: follow up on CVE-2020-7221 2020-02-04 20:14:09 +01:00
mariadb-common mariadb: move mariadb-common into its own package 2019-11-17 15:54:17 +01:00
mbtools mbtools: fix PKG_MIRROR_HASH 2017-09-22 21:53:40 -07:00
mc treewide: add PKG_CPE_ID for better cvescanner coverage 2019-09-17 12:40:26 +02:00
mg mg: update to 6.6 2019-10-28 12:39:26 +09:00
micrond micrond: use procd for service start 2019-04-22 19:32:40 +02:00
minicom treewide: add PKG_CPE_ID for better cvescanner coverage 2019-09-17 12:40:26 +02:00
mksh mksh: update to R56c 2018-03-09 02:45:09 +00:00
mktorrent mktorrent: Update to version 1.1 + use GitHub properly 2018-02-21 20:09:13 -08:00
mmc-utils mmc-utils: update to latest git head 2019-10-15 21:35:34 +02:00
moreutils moreutils: Update to 0.63 2019-02-02 11:19:50 -08:00
mpack treewide: run "make check FIXUP=1" 2017-08-29 21:41:14 -07:00
mt-st pciutils: Fix pkgconfig file 2019-11-27 23:30:09 -08:00
nano nano: update to 4.7 2019-12-29 15:18:27 +02:00
ncdu ncdu: Update to 1.14.1 2019-10-18 15:20:31 -07:00
netwhere netwhere: fix memory corruption problem 2017-12-26 12:13:02 -08:00
nnn nnn: Update to version 2.8.1 2019-12-06 21:47:32 +01:00
ntfs-3g treewide: add PKG_CPE_ID for better cvescanner coverage 2019-09-17 12:40:26 +02:00
oath-toolkit treewide: Change .*GPL.*+ licenses to SPDX compatible identifier 2019-09-10 07:45:15 +02:00
open-plc-utils open-plc-utils: take maintainership 2019-12-21 23:31:50 +01:00
open-vm-tools open-vm-tools: bump to version 11.0.5 2020-01-22 14:48:18 +00:00
open2300 open2300: Switch to GitHub fork 2019-07-08 13:16:22 -07:00
openobex treewide: Change .*GPL.*+ licenses to SPDX compatible identifier 2019-09-10 07:45:15 +02:00
openocd openocd: update to current master, allow building without USB 2020-01-10 14:28:42 +03:00
opensc opensc: update to version 0.20.0 2020-01-07 01:29:45 +02:00
openzwave treewide: Use default PKG_BUILD_DIR when possible 2019-10-13 02:01:34 +08:00
owfs treewide: add PKG_CPE_ID for better cvescanner coverage 2019-09-17 12:40:26 +02:00
pciutils pciutils: update to 3.6.4 2020-01-27 22:19:46 +02:00
pcmciautils treewide: run "make check FIXUP=1" 2017-08-29 21:41:14 -07:00
pcsc-lite pcsc-lite: update to version 1.8.26 2020-01-07 01:27:16 +02:00
pcsc-tools pcsc-tools: update to version 1.5.4 2019-05-10 23:36:49 +02:00
picocom treewide: Change .*GPL.*+ licenses to SPDX compatible identifier 2019-09-10 07:45:15 +02:00
pigz pigz: something change 2019-06-10 10:46:42 +08:00
powertop powertop: Do not use fstack-protector on ARC 2019-06-04 11:51:26 -07:00
pps-tools pps-tools: use INSTALL_DATA instead of CP 2019-11-08 10:58:57 +01:00
procps-ng procps-ng: Remove DEFAULT line 2019-11-26 22:51:31 -08:00
progress progress: Update to 0.14 2018-11-05 21:32:13 -08:00
prometheus prometheus: Fix build for mips64/mips64el 2019-07-23 04:07:56 +08:00
prometheus-node-exporter-lua prometheus-node-exporter-lua: add hostapd exporter 2020-02-03 15:42:35 +01:00
prometheus-statsd-exporter prometheus-statsd-exporter: bump version 2019-01-09 09:26:31 +01:00
pservice pservice: shorten code 2019-08-12 08:23:03 +00:00
pv pv: Update to 1.6.6 2018-12-15 21:35:30 -08:00
qemu qemu: bump to version 4.2.0 2019-12-16 02:50:15 +00:00
relayctl treewide: run "make check FIXUP=1" 2017-08-29 21:41:14 -07:00
restic restic: add package 2019-12-19 19:27:33 +01:00
rng-tools rng-tools: Update to 6.7 2019-07-14 16:14:27 -07:00
rpcd-mod-lxc rpcd-mod-lxc: bump PKG_RELEASE to indicate recent changes 2017-12-06 13:27:49 +01:00
rrdtool1 treewide: Capitalize submenus 2019-07-25 09:35:40 +08:00
rtklib rtklib: Update to 2.4.3_b32 2019-07-29 07:58:40 +02:00
rtl-ais rtl-ais: Add missing header 2019-07-05 11:56:00 +02:00
rtl-sdr rtl-sdr: Update to 0.6.0 2018-11-19 14:14:35 -08:00
rtl_433 rtl_433: Update to 18.12 2019-05-03 13:06:27 -07:00
rtty rtty: update to 7.0.1 2020-01-31 16:31:09 +08:00
runc runc: enable build for aarch64 and arm 2019-11-06 22:11:12 +08:00
sane-backends sane-backends: update to 1.0.29 2020-02-03 02:24:08 -03:00
screen screen: Update to 4.7.0 2019-10-18 15:13:59 -07:00
serialconsole treewide: run "make check FIXUP=1" 2017-08-29 21:41:14 -07:00
setserial setserial: Add missing headers 2019-07-03 20:55:38 -07:00
shadow shadow: update to 4.8.1 2020-02-02 13:07:52 -08:00
shinit shinit: Add package 2019-10-06 06:01:47 +08:00
sispmctl sispmctl: Reduce ipk size 2019-10-18 15:28:43 -07:00
slide-switch slide-switch: Update to 0.9.5 2019-08-02 15:53:10 +08:00
smartmontools smartmontools: fix dependency declaration by f5f49e4 2020-01-06 12:39:45 +02:00
smstools3 smstools3: Run in foreground 2019-12-31 21:37:23 -08:00
sockread sockread: add support for reading data from a pipe 2015-01-20 13:43:59 +01:00
spi-tools spi-tools: Disable PIE 2020-01-10 18:13:05 -08:00
squashfs-tools treewide: add PKG_CPE_ID for better cvescanner coverage 2019-09-17 12:40:26 +02:00
ssdeep ssdeep: add new package 2019-01-30 23:28:42 +01:00
stm32flash treewide: Change .*GPL.*+ licenses to SPDX compatible identifier 2019-09-10 07:45:15 +02:00
stoken treewide: Remove self from PKG_MAINTAINER 2019-12-21 12:52:41 -08:00
stress treewide: run "make check FIXUP=1" 2017-08-29 21:41:14 -07:00
sumo sumo: Update to 1.3.1 2019-10-07 22:44:35 -07:00
swig swig: update to 4.0.1 2019-08-26 09:41:29 +09:00
syncthing syncthing: add package 2019-08-21 15:21:36 -10:00
sysstat treewide: add PKG_CPE_ID for better cvescanner coverage 2019-09-17 12:40:26 +02:00
tang tang: do not build manpages 2019-08-14 17:41:24 -03:00
tar tar: Add zstd capability 2019-07-22 19:46:20 -07:00
taskwarrior taskwarrior: Update to 2.5.1 2019-02-09 09:54:58 -08:00
tcsh tcsh: Update to 6.22.02 2020-01-05 17:11:46 -08:00
telldus-core telldus-core: Doxygen in-file was not found. 2019-10-29 11:19:54 +01:00
temperusb temperusb: package upgrade 2019-05-02 21:46:30 +02:00
tessdata tessdata: reorganize menu 2019-07-24 08:47:01 -03:00
tesseract tesseract: add package 2019-07-18 11:38:04 +02:00
tini tini: Added tini init utility 2019-07-20 19:43:35 +08:00
tio treewide: Change .*GPL.*+ licenses to SPDX compatible identifier 2019-09-10 07:45:15 +02:00
tmux tmux: update to 3.0a 2019-12-09 17:51:14 +02:00
tracertools treewide: run "make check FIXUP=1" 2017-08-29 21:41:14 -07:00
tree tree: Update to 1.8.0 2018-11-18 13:18:24 -08:00
triggerhappy triggerhappy: update to upstream version 0.5.0 2017-07-07 23:30:14 +02:00
ttyd ttyd: add reload trigger 2019-12-03 09:17:12 +08:00
uledd uledd: bump to latest version 1.0.1 2019-12-11 22:46:56 +01:00
unrar unrar: Update to 5.8.4 2019-12-04 10:14:29 -08:00
unzip unzip: fix PKG_CPE_ID 2019-01-17 21:58:54 +08:00
usbmuxd usbmuxd: Update to latest master 2019-12-16 12:36:23 -08:00
uvcdynctrl uvcdynctrl: Fix compilation with uClibc-ng 2019-06-20 16:46:06 -07:00
vim vim: install vimdiff symlink for vim-fuller 2020-01-27 18:23:48 -08:00
watchcat watchcat: make compatible with updated busybox ash array handling 2019-10-01 19:41:56 +02:00
wifitoggle treewide: Change .*GPL.*+ licenses to SPDX compatible identifier 2019-09-10 07:45:15 +02:00
wipe wipe: add new package 2019-09-14 14:52:51 +02:00
xz treewide: Change .*GPL.*+ licenses to SPDX compatible identifier 2019-09-10 07:45:15 +02:00
yara yara: Update to 3.11.0 2019-10-31 18:37:12 -07:00
ykclient treewide: Use default PKG_BUILD_DIR when possible 2019-10-13 02:01:34 +08:00
ykpers ykpers: Update to 1.20.0 2019-07-15 12:51:43 -07:00
yunbridge yunbridge: fix PKG_BUILD_DIR 2018-08-30 07:57:55 -03:00
zile treewide: Change .*GPL.*+ licenses to SPDX compatible identifier 2019-09-10 07:45:15 +02:00
zoneinfo zoneinfo: Updated to the latest release. 2019-09-16 18:23:13 +03:00
zsh zsh: Update to 5.7.1 2020-01-08 16:01:18 -08:00
zstd zstd: Fix compilation with uClibc-ng 2019-12-01 20:52:04 -08:00