Community maintained packages for difos.
Sebastian Kemper 9f5fb8034c mariadb: follow up on CVE-2020-7221
Today CVE-2020-7221 was publicly discussed on oss-sec [1]. MariaDB
upstream had not mentioned this CVE in their last release notes. The CVE
is related to auth-pam and the possibility of a local mariadb to root
user exploit in the mysql_install_db script.

Upstream has made amendments to the script, but according to the oss-sec
posts the folder permissions were not updated as they should have been.

In OpenWrt the script mysql_install_db is actually patched to never run
the commands in question. This has been this way since MariaDB 10.4 was
made available.

Still, the directory permissions set by the postinstall script are too
lax. To quote the discoverer of the issue, Matthias Gerstner from Suse,
they exhibit "the dangerous situation of a setuid-root binary residing
in a directory owned by an unprivileged user".

This commit fixes this by changing the permissions to the following:

root:mariadb  0750 /usr/lib/mariadb/plugin/auth_pam_tool_dir

This way the setuid-root binary is only available to root and the
mariadb user, while at the same time the mariadb user has no ownership
of the directory.

[1] https://seclists.org/oss-sec/2020/q1/55

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2020-02-04 20:14:09 +01:00
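
The commit message above names the intended layout (root:mariadb 0750 on auth_pam_tool_dir). The following check for that layout is an added example, not code from the commit or from the OpenWrt packages feed. The function names `check_dir_meta` and `audit_dir` are hypothetical, the sample metadata is constructed, and a `stat` that supports `-c` is assumed.

```sh
#!/bin/sh
# Added example, not part of the OpenWrt packages feed.
# Assumes a stat(1) that supports -c '%U %G %a' (GNU coreutils or BusyBox).

# check_dir_meta OWNER GROUP MODE [WANT_GROUP]
# Compare directory metadata with the layout from the commit message
# (root:mariadb 0750). Prints one FAIL line per problem and returns 1
# if any problem was found, 0 otherwise.
check_dir_meta() {
    owner=$1; group=$2; want_group=${4:-mariadb}
    mode=$((0$3))    # leading 0 makes the shell read the mode as octal
    rc=0
    if [ "$owner" != root ]; then
        echo "FAIL: owner is '$owner'; the owner controls the directory's entries and mode"
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is '$group', expected '$want_group'"
        rc=1
    fi
    if [ $((mode & 0022)) -ne 0 ]; then
        echo "FAIL: directory is group- or world-writable"
        rc=1
    fi
    if [ $((mode & 0007)) -ne 0 ]; then
        echo "FAIL: directory is accessible to users outside '$want_group'"
        rc=1
    fi
    return $rc
}

# audit_dir DIR [WANT_GROUP]
# Read the real metadata of DIR and check it. Returns 2 if DIR is absent.
audit_dir() {
    dir=$1; want=${2:-mariadb}
    [ -d "$dir" ] || { echo "SKIP: $dir not present"; return 2; }
    meta=$(stat -c '%U %G %a' "$dir") || return 2
    set -- $meta
    check_dir_meta "$1" "$2" "$3" "$want"
}

# Constructed metadata, not captured from a real system:
# a directory owned by the unprivileged user, then the commit's layout.
check_dir_meta mariadb mariadb 755 || true
check_dir_meta root mariadb 750 && echo "OK: root:mariadb 0750"
```

On an installed system the check is run as `audit_dir /usr/lib/mariadb/plugin/auth_pam_tool_dir`.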
.circleci circleci: Revert switch to CDN due to breakage 2019-11-22 23:19:56 +01:00
.github repo: Add more information to the issue template 2019-04-07 20:18:55 +00:00
.keys build: move gpg keys into .keys directory 2018-04-30 13:14:25 -07:00
admin backuppc: replace samba36 dependency 2020-01-14 23:16:58 -08:00
devel scons: Switch to standalone version, update to 3.1.2 2020-01-16 20:25:48 +08:00
fonts/dejavu-fonts-ttf [dejavu-fonts] add license info and myself as maintainer 2017-02-22 18:39:54 +01:00
ipv6/tayga treewide: run "make check FIXUP=1" 2017-08-29 21:41:14 -07:00
kernel smbd: update to 3.1.1, rename to "ksmbd", "ksmbd-tools" 2020-01-26 16:32:53 +01:00
lang golang: Improve build isolation from user environment 2020-02-04 04:05:29 +08:00
libs sqlite3: update to version 3.31.1 2020-02-03 11:08:52 +01:00
mail msmtp: Update to 1.8.7 2020-01-02 18:29:04 -08:00
multimedia minidlna: Added support RMVB 2020-02-01 13:04:19 +08:00
net Merge pull request #11233 from neheb/hhg 2020-02-04 03:01:52 -08:00
sound mpd: fix ffmpeg AIFF and AMR support 2020-02-03 21:40:16 -08:00
utils mariadb: follow up on CVE-2020-7221 2020-02-04 20:14:09 +01:00
.travis.yml travis: Use Ubuntu (Bionic Beaver) 18.04 LTS 2019-10-23 15:30:35 +02:00
.travis_do.sh travis: Download SDK from OpenWrt instead of LEDE 2019-10-23 15:30:35 +02:00
CONTRIBUTING.md CONTRIBUTING.md: update Identifier for Licenses 2019-04-18 12:07:48 +02:00
LICENSE Add GPLv2 pro-forma license 2014-06-16 08:14:04 +02:00
README.md README.md - update links to current docs pages 2018-08-31 15:08:17 -04:00

OpenWrt packages feed

Description

This is the OpenWrt "packages"-feed containing community-maintained build scripts, options and patches for applications, modules and libraries used within OpenWrt.

Installation of pre-built packages is handled directly by the opkg utility within your running OpenWrt system or by using the OpenWrt SDK on a build system.

Usage

This repository is intended to be layered on top of an OpenWrt buildroot. If you do not have an OpenWrt buildroot installed, see the documentation at: OpenWrt Buildroot Installation on the OpenWrt support site.

This feed is enabled by default. To install all its package definitions, run:

./scripts/feeds update packages
./scripts/feeds install -a -p packages

License

See LICENSE file.

Package Guidelines

See CONTRIBUTING.md file.