From 7e22b671a36cfffc2d0961aedeb33c51033c530b Mon Sep 17 00:00:00 2001
From: yu_boyun <1215979730@qq.com>
Date: Sat, 19 Sep 2020 16:12:59 +0800
Subject: [PATCH] fix CVE-2020-14367

---
 ...create-new-file-when-writing-pidfile.patch | 207 ++++++++++++++++++
 chrony.spec                                   |   7 +-
 2 files changed, 213 insertions(+), 1 deletion(-)
 create mode 100644 0001-main-create-new-file-when-writing-pidfile.patch

diff --git a/0001-main-create-new-file-when-writing-pidfile.patch b/0001-main-create-new-file-when-writing-pidfile.patch
new file mode 100644
index 0000000..316d26c
--- /dev/null
+++ b/0001-main-create-new-file-when-writing-pidfile.patch
@@ -0,0 +1,207 @@
+From f00fed20092b6a42283f29c6ee1f58244d74b545 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Thu, 6 Aug 2020 09:31:11 +0200
+Subject: [PATCH] main: create new file when writing pidfile
+
+When writing the pidfile, open the file with the O_CREAT|O_EXCL flags
+to avoid following a symlink and writing the PID to an unexpected file,
+when chronyd still has the root privileges.
+
+The Linux open(2) man page warns about O_EXCL not working as expected on
+NFS versions before 3 and Linux versions before 2.6. Saving pidfiles on
+a distributed filesystem like NFS is not generally expected, but if
+there is a reason to do that, these old kernel and NFS versions are not
+considered to be supported for saving files by chronyd.
+
+This is a minimal backport specific to this issue of the following
+commits:
+- commit 2fc8edacb810 ("use PATH_MAX")
+- commit f4c6a00b2a11 ("logging: call exit() in LOG_Message()")
+- commit 7a4c396bba8f ("util: add functions for common file operations")
+- commit e18903a6b563 ("switch to new util file functions")
+
+Reported-by: Matthias Gerstner <mgerstner@suse.de>
+---
+ logging.c |  1 +
+ main.c    | 10 ++-----
+ sysincl.h |  1 +
+ util.c    | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ util.h    | 11 ++++++++
+ 5 files changed, 111 insertions(+), 7 deletions(-)
+
+diff --git a/logging.c b/logging.c
+index d2296e0..fd7f900 100644
+--- a/logging.c
++++ b/logging.c
+@@ -171,6 +171,7 @@ void LOG_Message(LOG_Severity severity,
+         system_log = 0;
+         log_message(1, severity, buf);
+       }
++      exit(1);
+       break;
+     default:
+       assert(0);
+diff --git a/main.c b/main.c
+index 6ccf32e..8edb2e1 100644
+--- a/main.c
++++ b/main.c
+@@ -281,13 +281,9 @@ write_pidfile(void)
+   if (!pidfile[0])
+     return;
+ 
+-  out = fopen(pidfile, "w");
+-  if (!out) {
+-    LOG_FATAL("Could not open %s : %s", pidfile, strerror(errno));
+-  } else {
+-    fprintf(out, "%d\n", (int)getpid());
+-    fclose(out);
+-  }
++  out = UTI_OpenFile(NULL, pidfile, NULL, 'W', 0644);
++  fprintf(out, "%d\n", (int)getpid());
++  fclose(out);
+ }
+ 
+ /* ================================================== */
+diff --git a/sysincl.h b/sysincl.h
+index 296c5e6..873a3bd 100644
+--- a/sysincl.h
++++ b/sysincl.h
+@@ -37,6 +37,7 @@
+ #include <glob.h>
+ #include <grp.h>
+ #include <inttypes.h>
++#include <limits.h>
+ #include <math.h>
+ #include <netinet/in.h>
+ #include <pwd.h>
+diff --git a/util.c b/util.c
+index e7e3442..83b3b20 100644
+--- a/util.c
++++ b/util.c
+@@ -1179,6 +1179,101 @@ UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid)
+ 
+ /* ================================================== */
+ 
++static int
++join_path(const char *basedir, const char *name, const char *suffix,
++          char *buffer, size_t length, LOG_Severity severity)
++{
++  const char *sep;
++
++  if (!basedir) {
++    basedir = "";
++    sep = "";
++  } else {
++    sep = "/";
++  }
++
++  if (!suffix)
++    suffix = "";
++
++  if (snprintf(buffer, length, "%s%s%s%s", basedir, sep, name, suffix) >= length) {
++    LOG(severity, "File path %s%s%s%s too long", basedir, sep, name, suffix);
++    return 0;
++  }
++
++  return 1;
++}
++
++/* ================================================== */
++
++FILE *
++UTI_OpenFile(const char *basedir, const char *name, const char *suffix,
++             char mode, mode_t perm)
++{
++  const char *file_mode;
++  char path[PATH_MAX];
++  LOG_Severity severity;
++  int fd, flags;
++  FILE *file;
++
++  severity = mode >= 'A' && mode <= 'Z' ? LOGS_FATAL : LOGS_ERR;
++
++  if (!join_path(basedir, name, suffix, path, sizeof (path), severity))
++    return NULL;
++
++  switch (mode) {
++    case 'r':
++    case 'R':
++      flags = O_RDONLY;
++      file_mode = "r";
++      if (severity != LOGS_FATAL)
++        severity = LOGS_DEBUG;
++      break;
++    case 'w':
++    case 'W':
++      flags = O_WRONLY | O_CREAT | O_EXCL;
++      file_mode = "w";
++      break;
++    case 'a':
++    case 'A':
++      flags = O_WRONLY | O_CREAT | O_APPEND;
++      file_mode = "a";
++      break;
++    default:
++      assert(0);
++      return NULL;
++  }
++
++try_again:
++  fd = open(path, flags, perm);
++  if (fd < 0) {
++    if (errno == EEXIST) {
++      if (unlink(path) < 0) {
++        LOG(severity, "Could not remove %s : %s", path, strerror(errno));
++        return NULL;
++      }
++      DEBUG_LOG("Removed %s", path);
++      goto try_again;
++    }
++    LOG(severity, "Could not open %s : %s", path, strerror(errno));
++    return NULL;
++  }
++
++  UTI_FdSetCloexec(fd);
++
++  file = fdopen(fd, file_mode);
++  if (!file) {
++    LOG(severity, "Could not open %s : %s", path, strerror(errno));
++    close(fd);
++    return NULL;
++  }
++
++  DEBUG_LOG("Opened %s fd=%d mode=%c", path, fd, mode);
++
++  return file;
++}
++
++/* ================================================== */
++
+ void
+ UTI_DropRoot(uid_t uid, gid_t gid)
+ {
+diff --git a/util.h b/util.h
+index e3d6767..a2481cc 100644
+--- a/util.h
++++ b/util.h
+@@ -176,6 +176,17 @@ extern int UTI_CreateDirAndParents(const char *path, mode_t mode, uid_t uid, gid
+    permissions and its uid/gid must match the specified values. */
+ extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid);
+ 
++/* Open a file.  The full path of the file is constructed from the basedir
++   (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL).
++   Created files have specified permissions (umasked).  Returns NULL on error.
++   The following modes are supported (if the mode is an uppercase character,
++   errors are fatal):
++   r/R - open an existing file for reading
++   w/W - open a new file for writing (remove existing file)
++   a/A - open an existing file for appending (create if does not exist) */
++extern FILE *UTI_OpenFile(const char *basedir, const char *name, const char *suffix,
++                          char mode, mode_t perm);
++
+ /* Set process user/group IDs and drop supplementary groups */
+ extern void UTI_DropRoot(uid_t uid, gid_t gid);
+ 
+-- 
+1.8.3.1
+
diff --git a/chrony.spec b/chrony.spec
index 394f3e6..dec2ee5 100644
--- a/chrony.spec
+++ b/chrony.spec
@@ -2,7 +2,7 @@
 
 Name:      chrony
 Version:   3.5
-Release:   1
+Release:   2
 Summary:   An NTP client/server
 License:   GPLv2
 URL:       https://chrony.tuxfamily.org
@@ -17,6 +17,7 @@ Source6:   https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknet
 #patch0 form fedora
 Patch0:    chrony-service-helper.patch
 Patch1:	   chrony-packettest.patch  
+Patch2:	   0001-main-create-new-file-when-writing-pidfile.patch
 BuildRequires: gcc gcc-c++ bison systemd libcap-devel libedit-devel nettle-devel pps-tools-devel libseccomp-devel
 
 Requires:      shadow-utils systemd timedatex
@@ -35,6 +36,7 @@ service to other computers in the network.
 %setup -q -n  %{name}-%{version} -a 6
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 mv clknetsim-%{clknetsim_ver}* test/simulation/clknetsim
 
 %build
@@ -135,6 +137,9 @@ fi
 %{_mandir}/man[158]/%{name}*.[158]*
 
 %changelog
+* Sat Sep 19 2020 yuboyun <yuboyun@huawei.com> - 3.5-2
+- fix CVE-2020-14367
+
 * Sat Jun 28 2020 hanzhijun <hanzhijun1@huawei.com> - 3.5-1
 - update to 3.5-1
 
-- 
Gitee