openSUSE Security Update: Security update for permissions
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:1520-1
Rating:             moderate
References:         #1028975 #1029961 #1093414 #1133678 #1148788 
                    #1150345 #1150366 #1151190 #1157498 #1160285 
                    #1160764 #1161335 #1161779 #1163588 #1167163 
                    #1169614 #1171164 #1171173 #1171569 #1171580 
                    #1171686 #1171879 #1171882 #1173221 #1174504 
                    #1175720 #1175867 #1178475 #1178476 #1183669 
                    
Cross-References:   CVE-2019-3687 CVE-2019-3688 CVE-2020-8013
                   
CVSS scores:
                    CVE-2019-3687 (NVD) : 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2019-3687 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2019-3688 (NVD) : 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
                    CVE-2019-3688 (SUSE): 5.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
                    CVE-2020-8013 (NVD) : 2.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
                    CVE-2020-8013 (SUSE): 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Affected Products:
                    openSUSE Leap 15.3
______________________________________________________________________________

   An update that solves three vulnerabilities and has 27
   fixes is now available.

Description:

   This update for permissions fixes the following issues:

   Update to version 20200127:

   * Makefile: Leap 15.3 still uses /etc, so adjust the installation setup

   Update to version 20181225:

   * mgetty: faxq-helper now finally resides in /usr/libexec
   * libksysguard5: Updated path for ksgrd_network_helper
   * kdesu: Updated path for kdesud
   * sbin_dirs cleanup: these binaries have already been moved to /usr/sbin
   * mariadb: revert auth_pam_tool to /usr/lib{,64} again
   * cleanup: revert virtualbox back to plain /usr/lib
   * cleanup: remove deprecated /etc/ssh/sshd_config
   * hawk_invoke is not part of newer hawk2 packages anymore
   * cleanup: texlive-filesystem: public now resides in libexec
   * cleanup: authbind: helper now resides in libexec
   * cleanup: polkit: the agent now also resides in libexec
   * libexec cleanup: 'inn' news binaries now reside in libexec
   * whitelist please (boo#1183669)
   * Fix enlightenment paths
   * usbauth: drop compatibility variable for libexec
   * usbauth: Updated path for usbauth-npriv
   * profiles: finish usage of variable for polkit-agent-helper-1
   * Makefile: fix custom flags support when using make command line variables
   * added information about known limitations of this approach
   * Makefile: compile with LFO support to fix 32-bit emulation on 64-bit
     hosts (boo#1178476)
   * Makefile: support CXXFLAGS and LDFLAGS override / extension via make/env
     variables (boo#1178475)
   * profiles: prepare /usr/sbin versions of profile entries (boo#1029961)
   * profiles: use new variables feature to remove redundant entries
   * profiles: remove now superfluous squid pinger paths (boo#1171569)
   * tests: implement basic tests for the new variable feature
   * tests: avoid redundant specification of test names by using class names
   * regtests: split up base types and actual test implementation
   * man pages: add documentation about variables, update copyrights
   * chkstat: implement support for variables in profile paths
   * chkstat: prepare reuse of config file locations
   * chkstat: fix some typos and whitespace
   * etc/permissions: remove unnecessary, duplicate, outdated entries
   * etc/permissions: remove trailing whitespace
   * ksgrd_network_helper: remove obviously wrong path
   * adjust squid pinger path (boo#1171569)
   * mgetty: remove long dead (or never existing) locks directory
     (boo#1171882)
   * squid: remove basic_pam_auth which doesn't need special perms
     (boo#1171569)
   * cleanup now useless /usr/lib entries after move to /usr/libexec
     (boo#1171164)
   * drop (f)ping capabilities in favor of ICMP_PROTO sockets (boo#1174504)
   * whitelist Xorg setuid-root wrapper (boo#1175867)
   * screen: remove /run/uscreens covered by systemd-tmpfiles (boo#1171879)
   * Add /usr/libexec for cockpit-session as new path
   * physlock: whitelist with tight restrictions (boo#1175720)
   * mtr-packet: stop requiring dialout group
   * etc/permissions: fix mtr permission
   * list_permissions: improve output format
   * list_permissions: support globbing in --path argument
   * list_permissions: implement simplifications suggested in PR#92
   * list_permissions: new tool for better path configuration overview
   * regtest: support new getcap output format in libcap-2.42
   * regtest: print individual test case errors to stderr
   * etc/permissions: remove static /var/spool/* dirs
   * etc/permissions: remove outdated entries
   * etc/permissions: remove unnecessary static dirs and devices
   * screen: remove now unused /var/run/uscreens
   * Revert "etc/permissions: remove entries for bind-chrootenv"
   * rework permissions.local text (boo#1173221)
   * dbus-1: adjust to new libexec dir location (boo#1171164)
   * permission profiles: reinstate kdesud for kde5
   * etc/permissions: remove entries for bind-chrootenv
   * etc/permissions: remove traceroute entry
   * VirtualBox: remove outdated entry which is only a symlink any more
   * /bin/su: remove path referring to symlink
   * etc/permissions: remove legacy RPM directory entries
   * /etc/permissions: remove outdated sudo directories
   * singularity: remove outdated setuid-binary entries
   * chromium: remove now unneeded chrome_sandbox entry (boo#1163588)
   * dbus-1: remove deprecated alternative paths
   * PolicyKit: remove outdated entries last used in SLE-11
   * pcp: remove no longer needed / conflicting entries
   * gnats: remove entries for package removed from Factory
   * kdelibs4: remove entries for package removed from Factory
   * v4l-base: remove entries for package removed from Factory
   * mailman: remove entries for package deleted from Factory
   * gnome-pty-helper: remove dead entry no longer part of the vte package
   * gnokii: remove entries for package no longer in Factory
   * xawtv (v4l-conf): correct group ownership in easy profile
   * systemd-journal: remove unnecessary profile entries
   * thttps: make makeweb entry usable in the secure profile (boo#1171580)
   * profiles: add entries for enlightenment (boo#1171686)
   * permissions fixed profile: utempter: reinstate libexec compatibility
     entry
   * chkstat: fix sign conversion warnings on non 32-bit architectures
   * chkstat: allow simultaneous use of `--set` and `--system`
   * regtest: adjust TestUnkownOwnership test to new warning output behaviour
   * whitelist texlive public binary (boo#1171686)
   * fixed permissions: adjust to new libexec dir location (boo#1171164)
   * chkstat: don't print warning about unknown user/group by default
   * Makefile: link with --as-needed, move libs to the end of the command line
   * setuid bit for cockpit (boo#1169614)
   * Fix paranoid mode for newgidmap and newuidmap (boo#1171173)
   * chkstat: collectProfilePaths(): use directory_iterator to simplify code
   * chkstat: collectProfilePaths(): prefer /usr over /etc
   * regtest: add relative symlink corner case to TestSymlinkBehaviour
   * Chkstat::parseProfile(): avoid use of raw pointer
   * parseSysconfig(): only emit warning if value is non-empty
   * incorporate a bunch of PR #56 review comments
   * regtest: add test for correct ownership change
   * chkstat: final pass over refactored code
   * chkstat: finish refactoring of safeOpen()
   * chkstat: improve/fix output of mismatches
   * chkstat: support numerical owner/group specification in profiles
   * chkstat: safeOpen: simplify path handling by using a std::string
   * chkstat regtest: support debug build
   * chkstat: start refactoring of safe_open() -> safeOpen()
   * chkstat: processEntries: pull out change logic into applyChanges()
   * chkstat: processEntries: pull out safety check logic
   * chkstat: processEntries: separate printing code and simplify ownership
     flags
   * chkstat: processEntries: also add file_status and *_ok flags to
     EntryContext
   * chkstat: processEntries: also add caps to EntryContext
   * chkstat: also move fd_path into EntryContext
   * chkstat: processEntries(): introduce EntryContext data structure
   * chkstat: introduce class type to deal with capabilities
   * chkstat: overhaul of the main entry processing loop
   * chkstat: smaller cleanup of Chkstat::run()
   * chkstat: remove last global variables `root` and `rootl`
   * chkstat: refactor parsing of permission profiles
   * chkstat: replace global `permlist` by STL map
   * chkstat: remove now obsolete usage() function
   * chkstat: refactor collection of permission files
   * regtest: support --after-test-enter-shell
   * chkstat: change global euid variable into const class member
   * chkstat: replace global level, nlevel by a vector data structure
   * chkstat: refactor check_fscaps_enabled()
   * chkstat: refactor parse_sysconfig as a member function
     Chkstat::parseSysconfig
   * chkstat: introduce separate processArguments() and refactor --files logic
   * chkstat: replace C style checklist by std::set
   * chkstat: refactor command line parsing
   * allow /usr/libexec in addition to /usr/lib (boo#1171164)
   * whitelist s390-tools setgid bit on log directory (boo#1167163)
   * whitelist WMP (boo#1161335)
   * regtest: improve readability of path variables by using literals
   * regtest: adjust test suite to new path locations in
     /usr/share/permissions
   * regtest: only catch explicit FileNotFoundError
   * regtest: provide valid home directory in /root
   * regtest: mount permissions src repository in /usr/src/permissions
   * regtest: move initialization of TestBase paths into the prepare()
     function
   * chkstat: support new --config-root command line option
   * fix spelling of icingacmd group
   * chkstat: fix readline() on platforms with unsigned char
   * remove capability whitelisting for radosgw
   * whitelist ceph log directory (boo#1150366)
   * adjust testsuite to post CVE-2020-8013 link handling
   * testsuite: add option to not mount /proc
   * do not follow symlinks that are the final path element: CVE-2020-8013
   * add a test for symlinked directories
   * fix relative symlink handling
   * include cpp compat headers, not C headers
   * Move permissions and permissions.* except .local to
     /usr/share/permissions
   * regtest: fix the static PATH list which was missing /usr/bin
   * regtest: also unshare the PID namespace to support /proc mounting
   * regtest: bindMount(): explicitly reject read-only recursive mounts
   * Makefile: force remove upon clean target to prevent bogus errors
   * regtest: by default automatically (re)build chkstat before testing
   * regtest: add test for symlink targets
   * regtest: make capability setting tests optional
   * regtest: fix capability assertion helper logic
   * regtests: add another test case that catches set*id or caps in
     world-writable sub-trees
   * regtest: add another test that catches when privilege bits are set for
     special files
   * regtest: add test case for user owned symlinks
   * regtest: employ subuid and subgid feature in user namespace
   * regtest: add another test case that covers unknown user/group config
   * regtest: add another test that checks rejection of insecure mixed-owner
     paths
   * regtest: add test that checks for rejection of world-writable paths
   * regtest: add test for detection of unexpected parent directory ownership
   * regtest: add further helper functions, allow access to main instance
   * regtest: introduce some basic coloring support to improve readability
   * regtest: sort imports, another piece of rationale
   * regtest: add capability test case
   * regtest: improve error flagging of test cases and introduce warnings
   * regtest: support caps
   * regtest: add a couple of command line parameter test cases
   * regtest: add another test that checks whether the default profile works
   * regtests: add tests for correct application of local profiles
   * regtest: add further test cases that test correct profile application
   * regtest: simplify test implementation and readability
   * regtest: add helpers for permissions.d per package profiles
   * regtest: support read-only bind mounts, also bind-mount permissions repo
   * tests: introduce a regression test suite for chkstat
   * Makefile: allow to build test version programmatically
   * README.md: add basic readme file that explains the repository's purpose
   * chkstat: change and harmonize coding style
   * chkstat: switch to C++ compilation unit
   * remove obsolete/broken entries for rcp/rsh/rlogin
   * chkstat: handle symlinks in final path elements correctly
   * Revert "Revert "mariadb: settings for new auth_pam_tool (boo#1160285)""
   * Revert "mariadb: settings for new auth_pam_tool (boo#1160285)"
   * mariadb: settings for new auth_pam_tool (boo#1160285)
   * add read-only fallback when /proc is not mounted (boo#1160764)
   * capability handling fixes (boo#1161779)
   * better error message when refusing to fix dir perms (#32)
   * fix paths of ksysguard whitelisting
   * fix zero-termination of error message for overly long paths
   * fix misleading indentation
   * fix changing of capabilities
   * fix warning text for unlisted files
   * fix error message with insecure sym links
   * remove useless if around realloc()
   * fix invalid free() when permfiles points to argv
   * use path-based operations with /proc/self/fd/X to avoid errors due to
     O_PATH
   * add .gitignore for chkstat binary
   * add/fix compiler warnings, free memory at exit
   * only open regular files/directories without O_PATH, fix stat buffer
     initialization
   * update
   * rewrite while protecting against symlinks and races
   * fix whitespace
   * faxq-helper: correct "secure" permission for trusted group (boo#1157498)
   * whitelist ksysguard network helper (boo#1151190)
   * fix syntax of paranoid profile
   * fix squid permissions (boo#1093414, CVE-2019-3688)
   * setgid bit for nagios directory (boo#1028975, boo#1150345)
   * global: removal of unneeded SuSEconfig file and directory
   * global: restructure repository layout
   * dumpcap: remove 'other' executable bit because of capabilities
     (boo#1148788, CVE-2019-3687)
   * add one more missing slash for icinga2
   * fix more missing slashes for directories
   * cron directory permissions: add slashes
   * iputils: Add capability permissions for clockdiff
   * iputils/ping: Drop effective capability
   * iputils/ping6: Remove definitions
   * singularity: Add starter-suid for version 3.2.0
   * removed entry for /var/cache/man. Conflicts with packaging and man:man
     is the better setting anyway (boo#1133678)
   * fixed error in description of permissions.paranoid. Make it clear that
     this is not a usable profile, but intended as a base for own developments
   * Misleading comment fix
   * removed old entry for wodim
   * removed old entry for netatalk
   * removed old entry for suidperl
   * removed old entry for utempter
   * removed old entry for hostname
   * removed old directory entries
   * removed old entry for qemu-bridge-helper
   * removed old entries for pccardctl
   * removed old entries for isdnctrl
   * removed old entries for unix(2)_chkpwd
   * removed old entries for mount.nfs
   * removed old entries for (u)mount
   * removed old entry for fileshareset
   * removed old entries for KDE
   * removed old entry for heartbeat
   * removed old entry for gnome-control-center
   * removed old entry for pcp
   * removed old entry for lpdfilter
   * removed old entry for scotty
   * removed old entry for ia32el
   * removed old entry for squid
   * removed old qpopper whitelist
   * removed pt_chown entries. Not needed anymore and a bad idea anyway
   * removed old majordomo entry
   * removed stale entries for old ncpfs tools
   * removed old entry for rmtab
   * Fixed type in icinga2 whitelist entry
   * New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale
     entries for VirtualBox
   * Removed whitelist for /usr/bin/su.core. According to comment a temporary
     hack introduced 2012 to help moving su from coreutils to util-linux. I
     couldn't find it anywhere, so we don't need it anymore
   * Remove entry for /usr/bin/yaps. We don't ship it anymore and the group
     that is used doesn't exist anymore starting with Leap 15, so it will
     not work there anyway. Users using this (old) package can do this
     individually
   * removed entry for /etc/ftpaccess. We currently don't have it anywhere
     (and judging from my search this has been the case for quite a while)
   * Ensure consistency of entries, otherwise switching between settings
     becomes problematic
   * Fix spelling of SUSE
   * adjust settings for amanda to current binary layout


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.3:

      zypper in -t patch openSUSE-2021-1520=1



Package List:

   - openSUSE Leap 15.3 (aarch64 i586 ppc64le s390x x86_64):

      permissions-20200127-lp153.24.3.1
      permissions-debuginfo-20200127-lp153.24.3.1
      permissions-debugsource-20200127-lp153.24.3.1

   - openSUSE Leap 15.3 (noarch):

      permissions-zypp-plugin-20200127-lp153.24.3.1


References:

   https://www.suse.com/security/cve/CVE-2019-3687.html
   https://www.suse.com/security/cve/CVE-2019-3688.html
   https://www.suse.com/security/cve/CVE-2020-8013.html
   https://bugzilla.suse.com/1028975
   https://bugzilla.suse.com/1029961
   https://bugzilla.suse.com/1093414
   https://bugzilla.suse.com/1133678
   https://bugzilla.suse.com/1148788
   https://bugzilla.suse.com/1150345
   https://bugzilla.suse.com/1150366
   https://bugzilla.suse.com/1151190
   https://bugzilla.suse.com/1157498
   https://bugzilla.suse.com/1160285
   https://bugzilla.suse.com/1160764
   https://bugzilla.suse.com/1161335
   https://bugzilla.suse.com/1161779
   https://bugzilla.suse.com/1163588
   https://bugzilla.suse.com/1167163
   https://bugzilla.suse.com/1169614
   https://bugzilla.suse.com/1171164
   https://bugzilla.suse.com/1171173
   https://bugzilla.suse.com/1171569
   https://bugzilla.suse.com/1171580
   https://bugzilla.suse.com/1171686
   https://bugzilla.suse.com/1171879
   https://bugzilla.suse.com/1171882
   https://bugzilla.suse.com/1173221
   https://bugzilla.suse.com/1174504
   https://bugzilla.suse.com/1175720
   https://bugzilla.suse.com/1175867
   https://bugzilla.suse.com/1178475
   https://bugzilla.suse.com/1178476
   https://bugzilla.suse.com/1183669