.tang.metadata

@@ -1 +0,0 @@
-e08a9fec3760328fd263a347b497898fb3c0e891 SOURCES/tang-7.tar.bz2

SOURCES/0002-Exit-with-success-unless-the-issue-was-with-with-tan.patch

@@ -0,0 +1,38 @@
+From ea43ca02cf52d0455c6949683692a95e38ccdf70 Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Fri, 4 Dec 2020 09:05:19 -0300
+Subject: [PATCH 2/2] Exit with success unless the issue was with with tangd
+ itself
+
+When an HTTP parser error happens, tangd is currently exiting with an
+error status, which may cause trouble in some scenarios [1].
+
+However, we don't exit with an error in situations where we try requests
+that do not exist, for instance. It makes sense to only exit with an
+error when the error was with tangd itself, e.g.: when we are unable to
+read the directory with the keys, not when the actual HTTP operation
+does not succeed for some reason.
+
+Upstream: https://github.com/latchset/tang/pull/55
+
+[1] https://bugzilla.redhat.com/show_bug.cgi?id=1828558
+---
+ src/tangd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tangd.c b/src/tangd.c
+index b569f38..d40201f 100644
+--- a/src/tangd.c
++++ b/src/tangd.c
+@@ -225,7 +225,7 @@ main(int argc, char *argv[])
+         if (parser.http_errno != 0) {
+             fprintf(stderr, "HTTP Parsing Error: %s\n",
+                     http_errno_description(parser.http_errno));
+-            return EXIT_FAILURE;
++            return EXIT_SUCCESS;
+         }
+ 
+         memmove(req, &req[r], rcvd - r);
+-- 
+2.27.0
+

SOURCES/0003-Fix-permissions-race-condition.patch

@@ -0,0 +1,31 @@
+--- tang-7.ori/src/tangd-keygen	2017-06-10 15:29:39.000000000 +0200
++++ tang-7/src/tangd-keygen	2023-06-28 11:40:01.700819479 +0200
+@@ -27,6 +27,8 @@
+ 
+ [ $# -eq 3 ] && sig=$2 && exc=$3
+ 
++# Set default umask for file creation.
++umask 0337
+ jwe=`jose jwk gen -i '{"alg":"ES512"}'`
+ [ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-`
+ echo "$jwe" > $1/$sig.jwk
+--- tang-7.ori/src/keys.c	2023-06-28 09:57:08.706712410 +0200
++++ tang-7/src/keys.c	2023-06-28 11:43:41.742247417 +0200
+@@ -23,6 +23,7 @@
+ #include <jose/io.h>
+ #include <jansson.h>
+ #include <string.h>
++#include <sys/stat.h>
+ 
+ #include "util.h"
+ #include "keys.h"
+@@ -557,6 +558,9 @@
+     /* At this point, there are no keys, so let's create them. */
+     const char *alg[] = {"ES512", "ECMR", NULL};
+     char path[PATH_MAX];
++
++    /* Set default umask for file creation. */
++    umask(0337);
+     for (int i = 0; alg[i] != NULL; i++) {
+         struct tang_jwk *jwk __attribute__((cleanup(cleanup_tang_jwk))) = generate_new_tang_jwk(alg[i]);
+         if (!jwk) {

SOURCES/0004-Set-tang-owner-group.patch

@@ -0,0 +1,26 @@
+--- tang-7.ori/src/tangd-keygen	2023-07-21 11:45:39.091100369 +0200
++++ tang-7/src/tangd-keygen	2023-07-21 11:47:58.813612221 +0200
+@@ -20,6 +20,13 @@
+ 
+ trap 'exit' ERR
+ 
++set_perms() {
++    chmod -- 0440 "${1}"
++    if ! chown -- "tang:tang" "${1}" 2>/dev/null; then
++        echo "Unable to change owner/group for ${1} to tang:tang" >&2
++    fi
++}
++
+ if [ $# -ne 1 -a $# -ne 3 ] || [ ! -d "$1" ]; then
+     echo "Usage: $0 <jwkdir> [<sig> <exc>]" >&2
+     exit 1
+@@ -32,7 +39,9 @@
+ jwe=`jose jwk gen -i '{"alg":"ES512"}'`
+ [ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-`
+ echo "$jwe" > $1/$sig.jwk
++set_perms "$1/$sig.jwk"
+ 
+ jwe=`jose jwk gen -i '{"alg":"ECMR"}'`
+ [ -z "$exc" ] && exc=`echo "$jwe" | jose jwk thp -i-`
+ echo "$jwe" > $1/$exc.jwk
++set_perms "$1/$exc.jwk"

SPECS/tang.spec

@@ -1,12 +1,15 @@
 Name:           tang
 Version:        7
-Release:        5%{?dist}
+Release:        8%{?dist}
 Summary:        Network Presence Binding Daemon
 
 License:        GPLv3+
 URL:            https://github.com/latchset/%{name}
 Source0:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2
 Patch1: 0001-Move-key-generation-to-tang.patch
+Patch2: 0002-Exit-with-success-unless-the-issue-was-with-with-tan.patch
+Patch3: 0003-Fix-permissions-race-condition.patch
+Patch4: 0004-Set-tang-owner-group.patch
 
 BuildRequires:  gcc
 BuildRequires:  autoconf
@@ -27,6 +30,7 @@ BuildRequires:  asciidoc
 BuildRequires:  coreutils
 BuildRequires:  grep
 BuildRequires:  sed
+BuildRequires:  git-core
 
 %{?systemd_requires}
 Requires:       coreutils
@@ -40,8 +44,7 @@ Requires(pre):  shadow-utils
 Tang is a small daemon for binding data to the presence of a third party.
 
 %prep
-%setup -q
-%patch1 -p1
+%autosetup -S git
 
 %build
 autoreconf -i
@@ -88,6 +91,19 @@ exit 0
 %{_mandir}/man1/tang-show-keys.1*
 
 %changelog
+* Fri Jul 21 2023 Sergio Arroutbi <sarroutb@redhat.com> - 7-8
+- Set correct user/group (tang/tang) in tangd-keygen
+  Resolves: rhbz#2188743
+
+* Wed Jun 28 2023 Sergio Arroutbi <sarroutb@redhat.com> - 7-7
+- Fix race condition when creating/rotating keys
+  Resolves: rhbz#2182410
+  Resolves: CVE-2023-1672
+
+* Wed Jan 13 2021 Sergio Correia <scorreia@redhat.com> - 7-6
+- Exit with success unless the issue was with with tangd itself
+  Resolves: rhbz#1828558
+
 * Sun Dec 01 2019 Sergio Correia <scorreia@redhat.com> - 7-5
 - Permissions of /var/db/tang set to 0700
 - Home dir of user tang is /var/cache/tang