From 7bac1e57ee8a4cfb49644a0ceabbafd63af9d3e4 Mon Sep 17 00:00:00 2001 From: Raymond Colebaugh Date: May 23 2023 19:07:07 +0000 Subject: [PATCH 1/2] Add custom logging patches --- diff --git a/bash.spec b/bash.spec index 479a928..84f9e35 100644 --- a/bash.spec +++ b/bash.spec @@ -1,12 +1,13 @@ #% define beta_tag rc2 %define patchleveltag .8 %define baseversion 5.1 +%define hyperscale_rel 1 %bcond_without tests Version: %{baseversion}%{patchleveltag} Name: bash Summary: The GNU Bourne Again shell -Release: 6%{?dist} +Release: 6.%{hyperscale_rel}%{?dist} License: GPLv3+ Url: https://www.gnu.org/software/bash Source0: https://ftp.gnu.org/gnu/bash/bash-%{baseversion}.tar.gz @@ -93,6 +94,11 @@ Patch129: bash-5.1-mbrtowc.patch # 2141576 - CVE-2022-3715 bash: a heap-buffer-overflow in valid_parameter_transform Patch130: bash-5.2-check-xform.patch +%if 0%{?facebook} +Patch0: fb-Configure-bash-to-log-the-commands-to-authpriv.patch +Patch12: fb-Add-SSH-session-ID-to-bash-syslog-logging.patch +%endif + BuildRequires: gcc BuildRequires: texinfo bison BuildRequires: ncurses-devel @@ -140,7 +146,11 @@ autoconf # Recycles pids is neccessary. When bash's last fork's pid was X # and new fork's pid is also X, bash has to wait for this same pid. # Without Recycles pids bash will not wait. +%if 0%{?facebook} +MFLAGS="CPPFLAGS=-D_GNU_SOURCE -DRECYCLES_PIDS -DDEFAULT_PATH_VALUE='\"/usr/local/bin:/usr/bin\"' `getconf LFS_CFLAGS` -DSYSLOG_HISTORY" +%else MFLAGS="CPPFLAGS=-D_GNU_SOURCE -DRECYCLES_PIDS -DDEFAULT_PATH_VALUE='\"/usr/local/bin:/usr/bin\"' `getconf LFS_CFLAGS` -DSYSLOG_HISTORY -DSYSLOG_SHOPT=0" +%endif # work around missing deps in Makefiles make "$MFLAGS" version.h @@ -324,6 +334,10 @@ end %{_libdir}/pkgconfig/%{name}.pc %changelog +* Mon May 23 2023 Raymond Colebaugh - 5.1.8-6.1 +- Add SSH session ID to bash syslog logging +- Configure bash to log the commands to authpriv + * Tue Nov 22 2022 Siteshwar Vashisht - 5.1.8-6 - Add a null check in parameter_brace_transform() function Resolves: CVE-2022-3715 diff --git a/fb-Add-SSH-session-ID-to-bash-syslog-logging.patch b/fb-Add-SSH-session-ID-to-bash-syslog-logging.patch new file mode 100644 index 0000000..214bee1 --- /dev/null +++ b/fb-Add-SSH-session-ID-to-bash-syslog-logging.patch @@ -0,0 +1,79 @@ +Index: b/bashhist.c +=================================================================== +--- a/bashhist.c ++++ b/bashhist.c +@@ -266,6 +266,44 @@ bash_history_inhibit_expansion (string, i) + } + #endif + ++#if defined (SYSLOG_HISTORY) ++#define SESSION_ID_MAXLEN 100 ++ ++static char *session_id = NULL; ++ ++static void ++bash_initialize_session_id () ++{ ++ const char *env_var = get_string_value ("LOG_SESSION_ID"); ++ if (!env_var) { ++ session_id = ""; ++ return; ++ } ++ const int env_var_len = strlen(env_var); ++ if (env_var_len == 0) { ++ session_id = ""; ++ return; ++ } ++ const int size = env_var_len < SESSION_ID_MAXLEN ? (env_var_len + 1) : SESSION_ID_MAXLEN; ++ char *trunc = (char *)malloc (size); ++ strncpy (trunc, env_var, size - 1); ++ trunc[size - 1] = '\0'; ++ session_id = trunc; ++} ++ ++static const char * ++bash_get_session_id () { ++ if (!session_id) bash_initialize_session_id (); ++ return session_id; ++} ++ ++static void ++bash_cleanup_session_id () { ++ if (session_id && *session_id) free(session_id); ++ session_id = NULL; ++} ++#endif ++ + void + bash_initialize_history () + { +@@ -275,6 +313,9 @@ bash_initialize_history () + history_inhibit_expansion_function = bash_history_inhibit_expansion; + sv_histchars ("histchars"); + #endif ++#if defined (SYSLOG_HISTORY) ++ bash_initialize_session_id (); ++#endif + } + + void +@@ -509,6 +550,9 @@ maybe_save_shell_history () + sv_histsize ("HISTFILESIZE"); + } + } ++#if defined (SYSLOG_HISTORY) ++ bash_cleanup_session_id (); ++#endif + return (result); + } + +@@ -879,7 +879,8 @@ bash_syslog_history (line) + first = 0; + } + +- hdrlen = snprintf (loghdr, sizeof(loghdr), "HISTORY: PID=%d UID=%d", getpid(), current_user.uid); ++ const char *user_name = current_user.user_name ?: ""; ++ hdrlen = snprintf (loghdr, sizeof(loghdr), "HISTORY: PID=%d UID=%d USER=%s LOG_SESSION_ID=%s", getpid(), current_user.uid, user_name, bash_get_session_id()); + msglen = strlen (line); + + if ((msglen + hdrlen + 1) < SYSLOG_MAXLEN) diff --git a/fb-Configure-bash-to-log-the-commands-to-authpriv.patch b/fb-Configure-bash-to-log-the-commands-to-authpriv.patch new file mode 100644 index 0000000..8378a4e --- /dev/null +++ b/fb-Configure-bash-to-log-the-commands-to-authpriv.patch @@ -0,0 +1,16 @@ +Index: b/config-top.h +=================================================================== +--- a/config-top.h ++++ b/config-top.h +@@ -117,9 +117,9 @@ + + /* Define if you want each line saved to the history list in bashhist.c: + bash_add_history() to be sent to syslog(). */ +-/* #define SYSLOG_HISTORY */ ++#define SYSLOG_HISTORY + #if defined (SYSLOG_HISTORY) +-# define SYSLOG_FACILITY LOG_USER ++# define SYSLOG_FACILITY LOG_AUTHPRIV + # define SYSLOG_LEVEL LOG_INFO + # define OPENLOG_OPTS LOG_PID + #endif From 61f98bb21a7d0fc870cf94b470da2de49ffa85b1 Mon Sep 17 00:00:00 2001 From: Raymond Colebaugh Date: May 24 2023 16:37:54 +0000 Subject: [PATCH 2/2] fix and bump changelog date --- diff --git a/bash.spec b/bash.spec index 84f9e35..900b025 100644 --- a/bash.spec +++ b/bash.spec @@ -334,7 +334,7 @@ end %{_libdir}/pkgconfig/%{name}.pc %changelog -* Mon May 23 2023 Raymond Colebaugh - 5.1.8-6.1 +* Wed May 24 2023 Raymond Colebaugh - 5.1.8-6.1 - Add SSH session ID to bash syslog logging - Configure bash to log the commands to authpriv