RAUC v1.5 Released
This release fixes a vulnerability in RAUC that can be exploited under certain circumstances to achieve a local privilege escalation. It provides both a mitigation for the vulnerability when using the existing bundle format as well as a new bundle format that uses dm-verity to continuously authenticate the update data while it is installed.
In summary, the vulnerability is that the during installation, the RAUC bundle signature is checked first and then the payload data is used for the installation. If an attacker is able to change or replace the bundle file between the signature check and the actual installation, he can inject his own data.
To protect against attempts to modify or replace the bundle during installation, RAUC 1.5 takes ownership of bundle files if they are not owned by root and removes write permissions. RAUC then checks that no writable file descriptors are open for the bundle file (using the F_SETLEASE fcntl) and performs all further installation steps using the single file descriptor. This protects against file replacement and concurrent writes to the open bundle.
New Bundle Format
This version introduces the new verity bundle format (the old format is now called plain). The verity format was added to prepare for future use cases (such as network streaming and encryption), for better parallelization of installation with hash verification and to detect modification of the bundle during installation (CVE-2020-25860). The bundle format is detected when reading a bundle and checked against the set of allowed formats configured in the system.conf (see here).
See here for more details on how to switch to the verity format.
- Support resolving the root=PARTLABEL=xxx kernel command line option. (by Gaël PORTAY)
- Disable the unnecessary SMIMECapabilities information in the bundle signature, saving ~100 bytes.
- Remove redundant checksum verification for source images during installation. The RAUC bundle is already verified at this point, so there is no need to verify the checksum of each file individually. (by Bastian Krause)
- Fix install handler selection for *.img files for boot-* slots when used with casync. (by Martin Schwan)
- Fix checking for unknown keys in the slot configuration.
- Fix some corner cases related to stopping the D-Bus daemon.
- Propagate error if unable to save manifest. (by Stefan Wahren)
- Apply --handler-args only during installation (and not during bundle creation).
- Remove unused code for signed manifests (outside of a bundle).
- Add G_GNUC_WARN_UNUSED_RESULT to many functions to let the compiler verify that the caller uses the functions return value (and thus checks for errors).
Again, thanks to all contributors since v1.4: Bastian Krause, Christoph Steiger, Christopher Obbard, Enrico Jörns, Gaël PORTAY, Jan Lübbe, Martin Schwan, Michael Heimpold, Stefan Wahren, Uwe Kleine-König
"Getting things off the ground" could be the motto for the v1.9 release of RAUC. The support for custom metadata in the manifest got a step further, a new, more flexible, D-Bus API for bundle inspection paved the way for obtaining more detailed information, and a new manifest hash marks the first of several planned changes for configurable event logging. However, one of the most invasive changes happened under the hood: We have started the transition from autotools to meson as a build system.