mail archive of the rauc mailing list
From: "Enrico Jörns" <ejo@pengutronix.de>
To: rauc@pengutronix.de
Subject: [RAUC] [ANNOUNCE] RAUC v1.5 released (includes fix for CVE-2020-25860)
Date: Mon, 21 Dec 2020 13:09:57 +0100
Message-ID: <2b5c2f5e05fb3306aa208ee3c8d9db7f61c9c2ec.camel@pengutronix.de>

Hi RAUC users,

today a new RAUC release was published that you should pay attention to
(even if it is right before Christmas). Besides some other minor bug
fixes and enhancements its main purpose is to provide a fix for the
vulnerability CVE-2020-25860 that was published today:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25860

Please read the advisory carefully to evaluate if this affects your
system and upgrade to RAUC v1.5 if necessary:
https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv

Besides the mitigation, the release also introduces the new "verity"
bundle format (the old format is now called "plain"). The verity format
was added to prepare for future use cases (such as network streaming
and encryption), for better parallelization of installation with hash
verification and to detect modification of the bundle during
installation (CVE-2020-25860). The bundle format is detected when
reading a bundle and checked against the set of allowed formats
configured in the system.conf.

As the old plain format does not offer protection against modification
during the installation process, RAUC now takes ownership of the bundle
file, removes write permissions and checks for existing open file
descriptors. This is intended as a mitigation to protect against a
compromised update service running as a non-root user, which would
otherwise be able to modify the bundle between signature check and
actual bundle installation.

You can find a complete list of all (other) changes since v1.4 below.

After the integration, it is important to check that the new bundle
access protection has no false positives with RAUC 1.5 on your system.
Otherwise, after a successful update to 1.5, no further updates would
be installable.

We would appreciate your feedback on the new format and the mitigation
fix. Please let us know if you encounter any problems during upgrading
to v1.5.

So far from our side, it was a lot of work in the last weeks,
thus we now wish you all relaxing Holidays and a Happy New Year!
Stay healthy and do not go outside if you can update remotely. ;)

Best wishes from The RAUC Team

---

CHANGES: Release 1.5 (released Dec 14, 2020)
============================================

Note:

  This version introduces the new ``verity`` bundle format (the old
  format is now called ``plain``).
  The ``verity`` format was added to prepare for future use cases (such
  as network streaming and encryption), for better parallelization of
  installation with hash verification and to detect modification of the
  bundle during installation (CVE-2020-25860).
  The bundle format is detected when reading a bundle and checked 
  against the set of allowed formats configured in the system.conf
  (see https://rauc.readthedocs.io/en/latest/reference.html#sec-ref-formats).

  As the old ``plain`` format does not offer protection against
  modification during the installation process, RAUC now takes   
  ownership of the bundle file, removes write permissions and checks 
  for existing open file descriptors.
  This is intended as a mitigation to protect against a compromised
  update service running as a non-root user, which would otherwise be
  able to modify the bundle between signature check and actual bundle
  installation.

  See https://rauc.readthedocs.io/en/latest/integration.html#bundle-format-migration
  for more details on how to switch to the ``verity`` format.

Enhancements
------------

* Add support for the ``verity`` bundle format. See the    
  https://rauc.readthedocs.io/en/latest/reference.html#verity-format
  for details.
* Support resolving the `root=PARTLABEL=xxx` kernel command line 
  option. (by Gaël PORTAY)
* Disable the unnecessary SMIMECapabilities information in the bundle
  signature, saving ~100 bytes.
* Remove redundant checksum verification for source images during 
  installation. The RAUC bundle is already verified at this point, so 
  there is no need to verify the checksum of each file individually. 
  (by Bastian Krause)

Security
--------

* Take ownership of bundle files if they are not owned by root and 
  remove write permissions. Then check that no writable file 
  descriptors are open for the bundle file (using the ``F_SETLEASE`` 
  fcntl). This fixes CVE-2020-25860. See the advisory for more details:
  https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv

Note:

  The https://github.com/rauc/rauc-1.5-integration repository contains 
  examples to simplify integrating the RAUC update into existing 
  projects.
  You can subscribe to
  https://github.com/rauc/rauc-1.5-integration/issues/1 to
  receive notifications of important updates to this repository and of
  integration into the upstream build systems.

Bug fixes
---------

* Fix install handler selection for *.img files for boot-* slots when 
  used with casync. (by Martin Schwan)
* Fix checking for unknown keys in the slot configuration.
* Fix some corner cases related to stopping the D-Bus daemon.
* Propagate error if unable to save manifest. (by Stefan Wahren)
* Apply `--handler-args` only during installation (and not during 
  bundle creation).

Testing
-------

* Ship `test/minimal-test.conf` to fix testing when running as root. 
  (by Uwe Kleine-König)
* Increase usage of g_autofree/g_autoptr in the test suite.

Code
----

* Remove unused code for signed manifests (outside of a bundle).
* Add G_GNUC_WARN_UNUSED_RESULT to many functions.

Documentation
-------------

* Fix multiple smaller errors. (by Christoph Steiger, Christopher 
  Obbard and Michael Heimpold)
* Improve documentation related to u-boot scripting and environment 
  storage.

Contributions from: Bastian Krause, Christoph Steiger, Christopher
Obbard, Enrico Jörns, Gaël PORTAY, Jan Lübbe, Martin Schwan, Michael
Heimpold, Stefan Wahren, Uwe Kleine-König

-- 
Pengutronix e.K.                           | Enrico Jörns                |
Embedded Linux Consulting & Support        | https://www.pengutronix.de/ |
Steuerwalder Str. 21                       | Phone: +49-5121-206917-180  |
31137 Hildesheim, Germany                  | Fax:   +49-5121-206917-9    |


_______________________________________________
RAUC mailing list
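
The three steps named in the Security entry above (take ownership, remove write permissions, probe for writable descriptors with `F_SETLEASE`), as an added C example that is not part of the announcement and is not RAUC's own code. The helper `bundle_has_writer` and its return convention are hypothetical, and the ownership step only runs when the caller is root.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* exposes F_SETLEASE in <fcntl.h> */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef F_SETLEASE
#define F_SETLEASE 1024         /* Linux value, if feature macros were set earlier */
#endif

/* Hypothetical helper: 0 = no writable descriptor is open on the file,
 * 1 = some process still has it open for writing, -1 = check not possible.
 * Callers must treat anything other than 0 as "do not install". */
int bundle_has_writer(const char *path)
{
    struct stat st;
    int ret = -1;
    int fd = open(path, O_RDONLY | O_CLOEXEC);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode))
        goto out;
    /* Take ownership when running as root (needs CAP_CHOWN). */
    if (geteuid() == 0 && st.st_uid != 0 && fchown(fd, 0, (gid_t)-1) < 0)
        goto out;
    /* Drop all write bits so an unprivileged user cannot reopen for writing. */
    if (fchmod(fd, st.st_mode & 07555) < 0)
        goto out;
    /* A read lease is refused with EAGAIN while any descriptor on this
     * inode is open for writing, including ones opened before the chmod. */
    if (fcntl(fd, F_SETLEASE, F_RDLCK) == 0) {
        fcntl(fd, F_SETLEASE, F_UNLCK);   /* probe only, release at once */
        ret = 0;
    } else if (errno == EAGAIN) {
        ret = 1;
    }
out:
    close(fd);
    return ret;
}

int main(int argc, char **argv)
{
    int r = argc > 1 ? bundle_has_writer(argv[1]) : -1;
    printf("%s\n", r == 0 ? "no writer" : r == 1 ? "writer open" : "check failed");
    return r == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

A result of -1 also covers filesystems or kernels where leases are unavailable, which is the false-positive case the announcement asks integrators to test for.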
