RAUC v1.5 Released

Download

Download v1.5 release of RAUC

This release fixes a vulnerability in RAUC that can be exploited under certain circumstances to achieve a local privilege escalation. It provides both a mitigation for the vulnerability when using the existing bundle format as well as a new bundle format that uses dm-verity to continuously authenticate the update data while it is installed.

In summary, the vulnerability is that the during installation, the RAUC bundle signature is checked first and then the payload data is used for the installation. If an attacker is able to change or replace the bundle file between the signature check and the actual installation, he can inject his own data.

The vulnerability is tracked as CVE-2020-25860. Please read our security advisory, which contains the background information necessary to evaluate whether your system is affected or not.

Security Fix

To protect against attempts to modify or replace the bundle during installation, RAUC 1.5 takes ownership of bundle files if they are not owned by root and removes write permissions. RAUC then checks that no writable file descriptors are open for the bundle file (using the F_SETLEASE fcntl) and performs all further installation steps using the single file descriptor. This protects against file replacement and concurrent writes to the open bundle.

Integration

The rauc/rauc-1.5-integration repository contains examples to simplify integrating the RAUC update into existing projects. You can subscribe to this issue to receive notifications of important updates to this repository and of integration into the upstream build systems.

New Bundle Format

This version introduces the new verity bundle format (the old format is now called plain). The verity format was added to prepare for future use cases (such as network streaming and encryption), for better parallelization of installation with hash verification and to detect modification of the bundle during installation (CVE-2020-25860). The bundle format is detected when reading a bundle and checked against the set of allowed formats configured in the system.conf (see here).

See here for more details on how to switch to the verity format.

Other Enhancements

  • Support resolving the root=PARTLABEL=xxx kernel command line option. (by Gaël PORTAY)
  • Disable the unnecessary SMIMECapabilities information in the bundle signature, saving ~100 bytes.
  • Remove redundant checksum verification for source images during installation. The RAUC bundle is already verified at this point, so there is no need to verify the checksum of each file individually. (by Bastian Krause)

Bug fixes

  • Fix install handler selection for *.img files for boot-* slots when used with casync. (by Martin Schwan)
  • Fix checking for unknown keys in the slot configuration.
  • Fix some corner cases related to stopping the D-Bus daemon.
  • Propagate error if unable to save manifest. (by Stefan Wahren)
  • Apply --handler-args only during installation (and not during bundle creation).
Changes

Code

  • Remove unused code for signed manifests (outside of a bundle).
  • Add G_GNUC_WARN_UNUSED_RESULT to many functions to let the compiler verify that the caller uses the functions return value (and thus checks for errors).

Documentation

Beside some smaller typo and errors fixes, mainly the u-boot integration documentation related to scripting and (fail-save) environment storage was extended and clarified.

Again, thanks to all contributors since v1.4: Bastian Krause, Christoph Steiger, Christopher Obbard, Enrico Jörns, Gaël PORTAY, Jan Lübbe, Martin Schwan, Michael Heimpold, Stefan Wahren, Uwe Kleine-König


Weiterführende Links

RAUC v1.11 Released

Ho Ho ho! As the year's progress bar approaches 99%, another update is already completed: RAUC v1.11 is here!


RAUC v1.10 Released

Just in time for the EOSS 2023 in Prague, we have released v1.10 of RAUC. Just-in-time means the release was actually finalized by Jan Lübbe in the train to Prague (like I finally wrote the majority of this blog post on the train back).


RAUC v1.9 Released

"Getting things off the ground" could be the motto for the v1.9 release of RAUC. The support for custom metadata in the manifest got a step further, a new, more flexible, D-Bus API for bundle inspection paved the way for obtaining more detailed information, and a new manifest hash marks the first of several planned changes for configurable event logging. However, one of the most invasive changes happened under the hood: We have started the transition from autotools to meson as a build system.