From: "Enrico Jörns" <ejo@pengutronix.de>
To: rauc@pengutronix.de
Subject: [RAUC] [ANNOUNCE] RAUC v1.5 released (includes fix for CVE-2020-25860)
Date: Mon, 21 Dec 2020 13:09:57 +0100
Message-ID: <2b5c2f5e05fb3306aa208ee3c8d9db7f61c9c2ec.camel@pengutronix.de>
Hi RAUC users,
today a new RAUC release was published that you should pay attention to
(even if it is right before Christmas). Besides some other minor bug
fixes and enhancements its main purpose is to provide a fix for the
vulnerability CVE-2020-25860 that was published today:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25860
Please read the advisory carefully to evaluate whether this affects your
system and upgrade to RAUC v1.5 if necessary:
https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv
Besides the mitigation, the release also introduces the new "verity"
bundle format (the old format is now called "plain"). The verity format
was added to prepare for future use cases (such as network streaming
and encryption), for better parallelization of installation with hash
verification and to detect modification of the bundle during
installation (CVE-2020-25860). The bundle format is detected when
reading a bundle and checked against the set of allowed formats
configured in the system.conf.
As the old plain format does not offer protection against modification
during the installation process, RAUC now takes ownership of the bundle
file, removes write permissions and checks for existing open file
descriptors. This is intended as a mitigation to protect against a
compromised update service running as a non-root user, which would
otherwise be able to modify the bundle between signature check and
actual bundle installation.
You can find a complete list of all (other) changes since v1.4 below.
After the integration, it is important to check that the new bundle
access protection has no false positives with RAUC 1.5 on your system.
Otherwise, after a successful update to 1.5, no further updates would
be installable.
We would appreciate your feedback on the new format and the mitigation
fix. Please let us know if you encounter any problems during upgrading
to v1.5.
That's all from our side; it was a lot of work in the last weeks,
so we now wish you all relaxing holidays and a Happy New Year!
Stay healthy and do not go outside if you can update remotely. ;)
Best wishes from The RAUC Team
---
CHANGES: Release 1.5 (released Dec 14, 2020)
============================================
Note:
This version introduces the new ``verity`` bundle format (the old
format is now called ``plain``).
The ``verity`` format was added to prepare for future use cases (such
as network streaming and encryption), for better parallelization of
installation with hash verification and to detect modification of the
bundle during installation (CVE-2020-25860).
The bundle format is detected when reading a bundle and checked
against the set of allowed formats configured in the system.conf
(see https://rauc.readthedocs.io/en/latest/reference.html#sec-ref-formats).
As the old ``plain`` format does not offer protection against
modification during the installation process, RAUC now takes
ownership of the bundle file, removes write permissions and checks
for existing open file descriptors.
This is intended as a mitigation to protect against a compromised
update service running as a non-root user, which would otherwise be
able to modify the bundle between signature check and actual bundle
installation.
See https://rauc.readthedocs.io/en/latest/integration.html#bundle-format-migration
for more details on how to switch to the ``verity`` format.
Enhancements
------------
* Add support for the ``verity`` bundle format. See
https://rauc.readthedocs.io/en/latest/reference.html#verity-format
for details.
* Support resolving the `root=PARTLABEL=xxx` kernel command line
option. (by Gaël PORTAY)
* Disable the unnecessary SMIMECapabilities information in the bundle
signature, saving ~100 bytes.
* Remove redundant checksum verification for source images during
installation. The RAUC bundle is already verified at this point, so
there is no need to verify the checksum of each file individually.
(by Bastian Krause)
Security
--------
* Take ownership of bundle files if they are not owned by root and
remove write permissions. Then check that no writable file
descriptors are open for the bundle file (using the ``F_SETLEASE``
fcntl). This fixes CVE-2020-25860. See the advisory for more details:
https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv
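Added example, not RAUC's own code: a small C helper that performs the three steps of the plain-bundle mitigation described in the note above and in this Security entry (take ownership when running as root, strip the write bits, then use an F_SETLEASE write lease to detect any other open descriptor). It assumes a Linux kernel and a filesystem that supports file leases; the function and enum names are hypothetical.

```c
#define _GNU_SOURCE             /* exposes F_SETLEASE in <fcntl.h> */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef F_SETLEASE
#define F_SETLEASE 1024         /* Linux value from <linux/fcntl.h>, used if the header hid it */
#endif

/* OK: no other descriptor is open and *out_fd is our read-only fd; BUSY: some
 * process already holds the bundle open; ERROR: open/chown/chmod/lease failed. */
enum bundle_access { BUNDLE_ACCESS_OK = 0, BUNDLE_ACCESS_BUSY = 1, BUNDLE_ACCESS_ERROR = -1 };

/* Hypothetical helper mirroring the three mitigation steps: chown to root
 * (only possible when running as root), strip every write bit, then request a
 * write lease. The kernel grants F_WRLCK only if no other descriptor exists on
 * the file in any process, so EAGAIN means the bundle is already open elsewhere.
 * The lease is dropped again immediately: keeping it would make the kernel send
 * SIGIO on the next open, and a root-owned read-only file cannot be opened for
 * writing by an unprivileged update service anyway. */
enum bundle_access bundle_access_check(const char *path, int *out_fd)
{
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return BUNDLE_ACCESS_ERROR;
    if (fstat(fd, &st) < 0)
        goto fail;
    if (geteuid() == 0 && st.st_uid != 0 && fchown(fd, 0, (gid_t)-1) < 0)
        goto fail;
    if (fchmod(fd, (st.st_mode & 07777) & ~(S_IWUSR | S_IWGRP | S_IWOTH)) < 0)
        goto fail;
    if (fcntl(fd, F_SETLEASE, F_WRLCK) < 0) {
        int busy = (errno == EAGAIN);
        close(fd);
        return busy ? BUNDLE_ACCESS_BUSY : BUNDLE_ACCESS_ERROR;
    }
    if (fcntl(fd, F_SETLEASE, F_UNLCK) < 0)
        goto fail;
    *out_fd = fd;
    return BUNDLE_ACCESS_OK;
fail:
    close(fd);
    return BUNDLE_ACCESS_ERROR;
}

/* Permission bits (0777 mask) of path, or -1, to confirm the write bits are gone. */
int bundle_mode_bits(const char *path) { struct stat st; return stat(path, &st) < 0 ? -1 : (int)(st.st_mode & 0777); }
```

Running the check twice on the same file, once alone and once while another descriptor is open, is a quick way to confirm on a target that the lease check works there and does not produce the false positives the announcement warns about.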
Note:
The https://github.com/rauc/rauc-1.5-integration repository contains
examples to simplify integrating the RAUC update into existing
projects.
You can subscribe to
https://github.com/rauc/rauc-1.5-integration/issues/1 to
receive notifications of important updates to this repository and of
integration into the upstream build systems.
Bug fixes
---------
* Fix install handler selection for *.img files for boot-* slots when
used with casync. (by Martin Schwan)
* Fix checking for unknown keys in the slot configuration.
* Fix some corner cases related to stopping the D-Bus daemon.
* Propagate error if unable to save manifest. (by Stefan Wahren)
* Apply `--handler-args` only during installation (and not during
bundle creation).
Testing
-------
* Ship `test/minimal-test.conf` to fix testing when running as root.
(by Uwe Kleine-König)
* Increase usage of g_autofree/g_autoptr in the test suite.
Code
----
* Remove unused code for signed manifests (outside of a bundle).
* Add G_GNUC_WARN_UNUSED_RESULT to many functions.
Documentation
-------------
* Fix multiple smaller errors. (by Christoph Steiger, Christopher
Obbard and Michael Heimpold)
* Improve documentation related to u-boot scripting and environment
storage.
Contributions from: Bastian Krause, Christoph Steiger, Christopher
Obbard, Enrico Jörns, Gaël PORTAY, Jan Lübbe, Martin Schwan, Michael
Heimpold, Stefan Wahren, Uwe Kleine-König
--
Pengutronix e.K. | Enrico Jörns |
Embedded Linux Consulting & Support | https://www.pengutronix.de/ |
Steuerwalder Str. 21 | Phone: +49-5121-206917-180 |
31137 Hildesheim, Germany | Fax: +49-5121-206917-9 |