rpms/tang
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix race condition when creating/rotating keys

Browse Source 
Resolves: rhbz#2182410
Resolves: CVE-2023-1672

Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
This commit is contained in:
Sergio Arroutbi 2023-06-28 13:12:02 +02:00
parent 21c59292b5
commit 2c45aeb9a3
2 changed files with 38 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
0003-Fix-permissions-race-condition.patch Normal file
View File

@ -0,0 +1,31 @@
--- tang-7.ori/src/tangd-keygen 2017-06-10 15:29:39.000000000 +0200
+++ tang-7/src/tangd-keygen 2023-06-28 11:40:01.700819479 +0200
@@ -27,6 +27,8 @@
[ $# -eq 3 ] && sig=$2 && exc=$3
+# Set default umask for file creation.
+umask 0337
jwe=`jose jwk gen -i '{"alg":"ES512"}'`
[ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-`
echo "$jwe" > $1/$sig.jwk
--- tang-7.ori/src/keys.c 2023-06-28 09:57:08.706712410 +0200
+++ tang-7/src/keys.c 2023-06-28 11:43:41.742247417 +0200
@@ -23,6 +23,7 @@
#include <jose/io.h>
#include <jansson.h>
#include <string.h>
+#include <sys/stat.h>
#include "util.h"
#include "keys.h"
@@ -557,6 +558,9 @@
/* At this point, there are no keys, so let's create them. */
const char *alg[] = {"ES512", "ECMR", NULL};
char path[PATH_MAX];
+
+ /* Set default umask for file creation. */
+ umask(0337);
for (int i = 0; alg[i] != NULL; i++) {
struct tang_jwk *jwk __attribute__((cleanup(cleanup_tang_jwk))) = generate_new_tang_jwk(alg[i]);
if (!jwk) {

8
tang.spec
View File

@ -1,6 +1,6 @@
Name: tang Name: tang
Version: 7 Version: 7
Release: 6%{?dist} Release: 7%{?dist}
Summary: Network Presence Binding Daemon Summary: Network Presence Binding Daemon
License: GPLv3+ License: GPLv3+
@ -8,6 +8,7 @@ URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2 Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2
Patch1: 0001-Move-key-generation-to-tang.patch Patch1: 0001-Move-key-generation-to-tang.patch
Patch2: 0002-Exit-with-success-unless-the-issue-was-with-with-tan.patch Patch2: 0002-Exit-with-success-unless-the-issue-was-with-with-tan.patch
Patch3: 0003-Fix-permissions-race-condition.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: autoconf BuildRequires: autoconf
@ -89,6 +90,11 @@ exit 0
%{_mandir}/man1/tang-show-keys.1* %{_mandir}/man1/tang-show-keys.1*
%changelog %changelog
* Wed Jun 28 2023 Sergio Arroutbi <sarroutb@redhat.com> - 7-7
- Fix race condition when creating/rotating keys
Resolves: rhbz#2182410
Resolves: CVE-2023-1672
* Wed Jan 13 2021 Sergio Correia <scorreia@redhat.com> - 7-6 * Wed Jan 13 2021 Sergio Correia <scorreia@redhat.com> - 7-6
- Exit with success unless the issue was with with tangd itself - Exit with success unless the issue was with with tangd itself
Resolves: rhbz#1828558 Resolves: rhbz#1828558