[Medium] Patch netplan for CVE-2022-4968 (#12470)

kevin-b-lockwood · jslobodzian · jslobodzian · commit 5591826e2ff4 · 2025-02-27T11:17:40.000-05:00
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/netplan/CVE-2022-4968.patch b/SPECS/netplan/CVE-2022-4968.patch
@@ -0,0 +1,340 @@
+From d9355a0deafcb0b25b43b0a1de8fa6d83ed844a9 Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood <v-klockwood@microsoft.com>
+Date: Fri, 14 Feb 2025 09:25:29 -0800
+Subject: [PATCH] [Medium] Patch netplan for CVE-2022-4968
+
+Link: https://github.com/canonical/netplan/commit/4c39b75b5c6ae7d976bda6da68da60d9a7f085ee.patch
+---
+ src/networkd.c                | 28 +++---------
+ src/networkd.h                |  2 +
+ src/nm.c                      |  4 +-
+ src/util.c                    | 47 +++++++++++++++++++
+ src/util.h                    |  2 +
+ tests/generator/test_wifis.py |  2 +-
+ tests/integration/base.py     | 86 ++++++++++++++++++++++++++++++++++-
+ 7 files changed, 146 insertions(+), 25 deletions(-)
+
+diff --git a/src/networkd.c b/src/networkd.c
+index 41c2998..ea29470 100644
+--- a/src/networkd.c
++++ b/src/networkd.c
+@@ -125,7 +125,6 @@ static void
+ write_link_file(net_definition* def, const char* rootdir, const char* path)
+ {
+     GString* s = NULL;
+-    mode_t orig_umask;
+ 
+     /* Don't write .link files for virtual devices; they use .netdev instead */
+     if (def->type >= ND_VIRTUAL)
+@@ -150,9 +149,7 @@ write_link_file(net_definition* def, const char* rootdir, const char* path)
+         g_string_append_printf(s, "MACAddress=%s\n", def->set_mac);
+ 
+ 
+-    orig_umask = umask(022);
+-    g_string_free_to_file(s, rootdir, path, ".link");
+-    umask(orig_umask);
++    _netplan_g_string_free_to_file_with_permissions(s, rootdir, path, ".link", "root", "root", 0640);
+ }
+ 
+ 
+@@ -314,11 +311,7 @@ write_netdev_file(net_definition* def, const char* rootdir, const char* path)
+         // LCOV_EXCL_STOP
+     }
+ 
+-    /* these do not contain secrets and need to be readable by
+-     * systemd-networkd - LP: #1736965 */
+-    orig_umask = umask(022);
+-    g_string_free_to_file(s, rootdir, path, ".netdev");
+-    umask(orig_umask);
++    _netplan_g_string_free_to_file_with_permissions(s, rootdir, path, ".netdev", "root", NETWORKD_GROUP, 0640);
+ }
+ 
+ static void
+@@ -420,7 +413,6 @@ write_network_file(net_definition* def, const char* rootdir, const char* path)
+     GString* network = NULL;
+     GString* link = NULL;
+     GString* s = NULL;
+-    mode_t orig_umask;
+ 
+     /* Prepare the [Link] section of the .network file. */
+     link = g_string_sized_new(200);
+@@ -590,9 +582,9 @@ write_network_file(net_definition* def, const char* rootdir, const char* path)
+ 
+         /* these do not contain secrets and need to be readable by
+          * systemd-networkd - LP: #1736965 */
+-        orig_umask = umask(022);
+-        g_string_free_to_file(s, rootdir, path, ".network");
+-        umask(orig_umask);
++       /* This should allow systemd-networkd access to the file, but still
++         * protect against malicious use */
++        _netplan_g_string_free_to_file_with_permissions(s, rootdir, path, ".network", "root", NETWORKD_GROUP, 0640);
+     }
+ }
+ 
+@@ -601,7 +593,6 @@ write_rules_file(net_definition* def, const char* rootdir)
+ {
+     GString* s = NULL;
+     g_autofree char* path = g_strjoin(NULL, "run/udev/rules.d/99-netplan-", def->id, ".rules", NULL);
+-    mode_t orig_umask;
+ 
+     /* do we need to write a .rules file?
+      * It's only required for reliably setting the name of a physical device
+@@ -635,9 +626,7 @@ write_rules_file(net_definition* def, const char* rootdir)
+ 
+     g_string_append_printf(s, "NAME=\"%s\"\n", def->set_name);
+ 
+-    orig_umask = umask(022);
+-    g_string_free_to_file(s, rootdir, path, NULL);
+-    umask(orig_umask);
++    _netplan_g_string_free_to_file_with_permissions(s, rootdir, path, NULL, "root", "root", 0640);
+ }
+ 
+ static void
+@@ -711,7 +700,6 @@ write_wpa_conf(net_definition* def, const char* rootdir)
+     GHashTableIter iter;
+     GString* s = g_string_new("ctrl_interface=/run/wpa_supplicant\n\n");
+     g_autofree char* path = g_strjoin(NULL, "run/netplan/wpa-", def->id, ".conf", NULL);
+-    mode_t orig_umask;
+ 
+     g_debug("%s: Creating wpa_supplicant configuration file %s", def->id, path);
+     if (def->type == ND_WIFI) {
+@@ -749,9 +737,7 @@ write_wpa_conf(net_definition* def, const char* rootdir)
+     }
+ 
+     /* use tight permissions as this contains secrets */
+-    orig_umask = umask(077);
+-    g_string_free_to_file(s, rootdir, path, NULL);
+-    umask(orig_umask);
++    _netplan_g_string_free_to_file_with_permissions(s, rootdir, path, NULL, "root", "root", 0600);
+ }
+ 
+ /**
+diff --git a/src/networkd.h b/src/networkd.h
+index 6660f9c..9bcfb55 100644
+--- a/src/networkd.h
++++ b/src/networkd.h
+@@ -19,6 +19,8 @@
+ 
+ #include "parse.h"
+ 
++#define NETWORKD_GROUP "systemd-network"
++
+ gboolean write_networkd_conf(net_definition* def, const char* rootdir);
+ void cleanup_networkd_conf(const char* rootdir);
+ void enable_networkd(const char* generator_dir);
+diff --git a/src/nm.c b/src/nm.c
+index d8a6a7c..156b199 100644
+--- a/src/nm.c
++++ b/src/nm.c
+@@ -666,13 +666,13 @@ write_nm_conf_finish(const char* rootdir)
+     len = s->len;
+     g_hash_table_foreach(netdefs, nd_append_non_nm_ids, s);
+     if (s->len > len)
+-        g_string_free_to_file(s, rootdir, "run/NetworkManager/conf.d/netplan.conf", NULL);
++        _netplan_g_string_free_to_file_with_permissions(s, rootdir, "run/NetworkManager/conf.d/netplan.conf", NULL, "root", "root", 0640);
+     else
+         g_string_free(s, TRUE);
+ 
+     /* write generated udev rules */
+     if (udev_rules)
+-        g_string_free_to_file(udev_rules, rootdir, "run/udev/rules.d/90-netplan.rules", NULL);
++        _netplan_g_string_free_to_file_with_permissions(udev_rules, rootdir, "run/udev/rules.d/90-netplan.rules", NULL, "root", "root", 0640);
+ }
+ 
+ /**
+diff --git a/src/util.c b/src/util.c
+index e3441d5..2a5c4bb 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -18,6 +18,9 @@
+ #include <stdlib.h>
+ #include <unistd.h>
+ #include <glob.h>
++#include <sys/types.h>
++#include <pwd.h>
++#include <grp.h>
+ 
+ #include <glib.h>
+ #include <glib/gprintf.h>
+@@ -65,6 +68,50 @@ void g_string_free_to_file(GString* s, const char* rootdir, const char* path, co
+     }
+ }
+ 
++void _netplan_g_string_free_to_file_with_permissions(GString* s, const char* rootdir, const char* path, const char* suffix, const char* owner, const char* group, mode_t mode)
++{
++    g_autofree char* full_path = NULL;
++    g_autofree char* path_suffix = NULL;
++    g_autofree char* contents = g_string_free(s, FALSE);
++    GError* error = NULL;
++    struct passwd* pw = NULL;
++    struct group* gr = NULL;
++    int ret = 0;
++
++    path_suffix = g_strjoin(NULL, path, suffix, NULL);
++    full_path = g_build_path(G_DIR_SEPARATOR_S, rootdir ?: G_DIR_SEPARATOR_S, path_suffix, NULL);
++    safe_mkdir_p_dir(full_path);
++    if (!g_file_set_contents_full(full_path, contents, -1, G_FILE_SET_CONTENTS_CONSISTENT | G_FILE_SET_CONTENTS_ONLY_EXISTING, mode, &error)) {
++        /* the mkdir() just succeeded, there is no sensible
++         * method to test this without root privileges, bind mounts, and
++         * simulating ENOSPC */
++        // LCOV_EXCL_START
++        g_fprintf(stderr, "ERROR: cannot create file %s: %s\n", path, error->message);
++        exit(1);
++        // LCOV_EXCL_STOP
++    }
++
++    /* Here we take the owner and group names and look up for their IDs in the passwd and group files.
++     * It's OK to fail to set the owners and mode as this code will be called from unit tests.
++     * The autopkgtests will check if the owner/group and mode are correctly set.
++     */
++    pw = getpwnam(owner);
++    if (!pw) {
++        g_debug("Failed to determine the UID of user %s: %s", owner, strerror(errno)); // LCOV_EXCL_LINE
++    }
++    gr = getgrnam(group);
++    if (!gr) {
++        g_debug("Failed to determine the GID of group %s: %s", group, strerror(errno)); // LCOV_EXCL_LINE
++    }
++    if (pw && gr) {
++        ret = chown(full_path, pw->pw_uid, gr->gr_gid);
++        if (ret != 0) {
++            g_debug("Failed to set owner and group for file %s: %s", full_path, strerror(errno));
++        }
++    }
++}
++
++
+ /**
+  * Remove all files matching given glob.
+  */
+diff --git a/src/util.h b/src/util.h
+index 4e85a98..bcdfb45 100644
+--- a/src/util.h
++++ b/src/util.h
+@@ -19,4 +19,6 @@
+ 
+ void safe_mkdir_p_dir(const char* file_path);
+ void g_string_free_to_file(GString* s, const char* rootdir, const char* path, const char* suffix);
++void _netplan_g_string_free_to_file_with_permissions(GString* s, const char* rootdir, const char* path, const char* suffix, const char* owner, const char* group, mode_t mode);
++
+ void unlink_glob(const char* rootdir, const char* _glob);
+diff --git a/tests/generator/test_wifis.py b/tests/generator/test_wifis.py
+index 6bebe57..becfeae 100644
+--- a/tests/generator/test_wifis.py
++++ b/tests/generator/test_wifis.py
+@@ -65,7 +65,7 @@ network={
+   key_mgmt=NONE
+ }
+ ''')
+-            self.assertEqual(stat.S_IMODE(os.fstat(f.fileno()).st_mode), 0o600)
++            self.assertEqual(stat.S_IMODE(os.fstat(f.fileno()).st_mode), 0o640)
+         self.assertTrue(os.path.islink(os.path.join(
+             self.workdir.name, 'run/systemd/system/multi-user.target.wants/netplan-wpa@wl0.service')))
+ 
+diff --git a/tests/integration/base.py b/tests/integration/base.py
+index 1c9de58..e7c89aa 100644
+--- a/tests/integration/base.py
++++ b/tests/integration/base.py
+@@ -28,6 +28,8 @@ import subprocess
+ import tempfile
+ import unittest
+ import shutil
++import pwd
++import grp
+ 
+ test_backends = "networkd NetworkManager" if "NETPLAN_TEST_BACKENDS" not in os.environ else os.environ["NETPLAN_TEST_BACKENDS"]
+ 
+@@ -354,7 +356,89 @@ class IntegrationTestsBase(unittest.TestCase):
+                 self.fail('timed out waiting for networkd to settle down:\n%s\n%s\n%s' % (st, st_e, st_e2))
+ 
+         if subprocess.call(['nm-online', '--quiet', '--timeout=120', '--wait-for-startup']) != 0:
+-            self.fail('timed out waiting for NetworkManager to settle down')
++        # Assert file permissions
++        self.assert_file_permissions()
++
++    def assert_file_permissions(self):
++        """ Check if the generated files have the expected permissions """
++
++        nd_expected_mode = 0o100640
++        nd_expected_owner = 'root'
++        nd_expected_group = 'systemd-network'
++
++        sd_expected_mode = 0o100640
++        sd_expected_owner = 'root'
++        sd_expected_group = 'root'
++
++        udev_expected_mode = 0o100640
++        udev_expected_owner = 'root'
++        udev_expected_group = 'root'
++
++        nm_expected_mode = 0o100600
++        nm_expected_owner = 'root'
++        nm_expected_group = 'root'
++
++        wpa_expected_mode = 0o100600
++        wpa_expected_owner = 'root'
++        wpa_expected_group = 'root'
++
++        # Check systemd-networkd files
++        base_path = '/run/systemd/network'
++        files = glob.glob(f'{base_path}/*.network') + glob.glob(f'{base_path}/*.netdev')
++        for file in files:
++            res = os.stat(file)
++            user = pwd.getpwuid(res.st_uid)
++            group = grp.getgrgid(res.st_gid)
++            self.assertEqual(res.st_mode, nd_expected_mode, f'file {file}')
++            self.assertEqual(user.pw_name, nd_expected_owner, f'file {file}')
++            self.assertEqual(group.gr_name, nd_expected_group, f'file {file}')
++
++        # Check Network Manager files
++        base_path = '/run/NetworkManager/system-connections'
++        files = glob.glob(f'{base_path}/*.nmconnection')
++        for file in files:
++            res = os.stat(file)
++            user = pwd.getpwuid(res.st_uid)
++            group = grp.getgrgid(res.st_gid)
++            self.assertEqual(res.st_mode, nm_expected_mode, f'file {file}')
++            self.assertEqual(user.pw_name, nm_expected_owner, f'file {file}')
++            self.assertEqual(group.gr_name, nm_expected_group, f'file {file}')
++
++        # Check wpa_supplicant configuration files
++        base_path = '/run/netplan'
++        files = glob.glob(f'{base_path}/wpa-*.conf')
++        for file in files:
++            res = os.stat(file)
++            user = pwd.getpwuid(res.st_uid)
++            group = grp.getgrgid(res.st_gid)
++            self.assertEqual(res.st_mode, wpa_expected_mode, f'file {file}')
++            self.assertEqual(user.pw_name, wpa_expected_owner, f'file {file}')
++            self.assertEqual(group.gr_name, wpa_expected_group, f'file {file}')
++
++        # Check systemd service unit files
++        base_path = '/run/systemd/system/'
++        files = glob.glob(f'{base_path}/netplan-*.service')
++        files += glob.glob(f'{base_path}/systemd-networkd-wait-online.service.d/*.conf')
++        for file in files:
++            res = os.stat(file)
++            user = pwd.getpwuid(res.st_uid)
++            group = grp.getgrgid(res.st_gid)
++            self.assertEqual(res.st_mode, sd_expected_mode, f'file {file}')
++            self.assertEqual(user.pw_name, sd_expected_owner, f'file {file}')
++            self.assertEqual(group.gr_name, sd_expected_group, f'file {file}')
++
++        # Check systemd-udevd files
++        udev_path = '/run/udev/rules.d'
++        link_path = '/run/systemd/network'
++        files = glob.glob(f'{udev_path}/*-netplan*.rules') + glob.glob(f'{link_path}/*.link')
++        for file in files:
++            res = os.stat(file)
++            user = pwd.getpwuid(res.st_uid)
++            group = grp.getgrgid(res.st_gid)
++            self.assertEqual(res.st_mode, udev_expected_mode, f'file {file}')
++            self.assertEqual(user.pw_name, udev_expected_owner, f'file {file}')
++            self.assertEqual(group.gr_name, udev_expected_group, f'file {file}')
++   self.fail('timed out waiting for NetworkManager to settle down')
+ 
+     def nm_wait_connected(self, iface, timeout):
+         for t in range(timeout):
+-- 
+2.34.1
+
diff --git a/SPECS/netplan/netplan.spec b/SPECS/netplan/netplan.spec
@@ -13,7 +13,7 @@
 
 Name:           netplan
 Version:        0.95
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Network configuration tool using YAML
 Group:          System Environment/Base
 Vendor:         Microsoft Corporation
@@ -23,6 +23,7 @@ URL:            https://netplan.io/
 # Source0:      https://github.com/canonical/%{name}/archive/%{version}/%{version}.tar.gz
 Source0:        %{name}-%{version}.tar.gz
 Patch1:         force-bringup-interface-no-ipadd.patch
+Patch2:         CVE-2022-4968.patch
 
 BuildRequires:  gcc
 BuildRequires:  make
@@ -105,6 +106,9 @@ make check
 
 
 %changelog
+* Thu Feb 13 2025 Kevin Lockwood <v-klockwood@microsoft.com> - 0.95-3
+- Patch CVE-2022-4968
+
 * Wed Dec 13 2023 Sharath Srikanth Chellappa <sharathsr@microsoft.com> - 0.95-2
 - Add patch for force bringing up devices with no IP addresses
 
