Compare commits
No commits in common. "imports/c8s/tang-7-5.el8" and "c8" have entirely different histories.
@ -1 +0,0 @@
|
|||||||
e08a9fec3760328fd263a347b497898fb3c0e891 SOURCES/tang-7.tar.bz2
|
|
@ -0,0 +1,38 @@
|
|||||||
|
From ea43ca02cf52d0455c6949683692a95e38ccdf70 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sergio Correia <scorreia@redhat.com>
|
||||||
|
Date: Fri, 4 Dec 2020 09:05:19 -0300
|
||||||
|
Subject: [PATCH 2/2] Exit with success unless the issue was with with tangd
|
||||||
|
itself
|
||||||
|
|
||||||
|
When an HTTP parser error happens, tangd is currently exiting with an
|
||||||
|
error status, which may cause trouble in some scenarios [1].
|
||||||
|
|
||||||
|
However, we don't exit with an error in situations where we try requests
|
||||||
|
that do not exist, for instance. It makes sense to only exit with an
|
||||||
|
error when the error was with tangd itself, e.g.: when we are unable to
|
||||||
|
read the directory with the keys, not when the actual HTTP operation
|
||||||
|
does not succeed for some reason.
|
||||||
|
|
||||||
|
Upstream: https://github.com/latchset/tang/pull/55
|
||||||
|
|
||||||
|
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1828558
|
||||||
|
---
|
||||||
|
src/tangd.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/tangd.c b/src/tangd.c
|
||||||
|
index b569f38..d40201f 100644
|
||||||
|
--- a/src/tangd.c
|
||||||
|
+++ b/src/tangd.c
|
||||||
|
@@ -225,7 +225,7 @@ main(int argc, char *argv[])
|
||||||
|
if (parser.http_errno != 0) {
|
||||||
|
fprintf(stderr, "HTTP Parsing Error: %s\n",
|
||||||
|
http_errno_description(parser.http_errno));
|
||||||
|
- return EXIT_FAILURE;
|
||||||
|
+ return EXIT_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
memmove(req, &req[r], rcvd - r);
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
31
SOURCES/0003-Fix-permissions-race-condition.patch
31
SOURCES/0003-Fix-permissions-race-condition.patch
@ -0,0 +1,31 @@
|
|||||||
|
--- tang-7.ori/src/tangd-keygen 2017-06-10 15:29:39.000000000 +0200
|
||||||
|
+++ tang-7/src/tangd-keygen 2023-06-28 11:40:01.700819479 +0200
|
||||||
|
@@ -27,6 +27,8 @@
|
||||||
|
|
||||||
|
[ $# -eq 3 ] && sig=$2 && exc=$3
|
||||||
|
|
||||||
|
+# Set default umask for file creation.
|
||||||
|
+umask 0337
|
||||||
|
jwe=`jose jwk gen -i '{"alg":"ES512"}'`
|
||||||
|
[ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-`
|
||||||
|
echo "$jwe" > $1/$sig.jwk
|
||||||
|
--- tang-7.ori/src/keys.c 2023-06-28 09:57:08.706712410 +0200
|
||||||
|
+++ tang-7/src/keys.c 2023-06-28 11:43:41.742247417 +0200
|
||||||
|
@@ -23,6 +23,7 @@
|
||||||
|
#include <jose/io.h>
|
||||||
|
#include <jansson.h>
|
||||||
|
#include <string.h>
|
||||||
|
+#include <sys/stat.h>
|
||||||
|
|
||||||
|
#include "util.h"
|
||||||
|
#include "keys.h"
|
||||||
|
@@ -557,6 +558,9 @@
|
||||||
|
/* At this point, there are no keys, so let's create them. */
|
||||||
|
const char *alg[] = {"ES512", "ECMR", NULL};
|
||||||
|
char path[PATH_MAX];
|
||||||
|
+
|
||||||
|
+ /* Set default umask for file creation. */
|
||||||
|
+ umask(0337);
|
||||||
|
for (int i = 0; alg[i] != NULL; i++) {
|
||||||
|
struct tang_jwk *jwk __attribute__((cleanup(cleanup_tang_jwk))) = generate_new_tang_jwk(alg[i]);
|
||||||
|
if (!jwk) {
|
26
SOURCES/0004-Set-tang-owner-group.patch
26
SOURCES/0004-Set-tang-owner-group.patch
@ -0,0 +1,26 @@
|
|||||||
|
--- tang-7.ori/src/tangd-keygen 2023-07-21 11:45:39.091100369 +0200
|
||||||
|
+++ tang-7/src/tangd-keygen 2023-07-21 11:47:58.813612221 +0200
|
||||||
|
@@ -20,6 +20,13 @@
|
||||||
|
|
||||||
|
trap 'exit' ERR
|
||||||
|
|
||||||
|
+set_perms() {
|
||||||
|
+ chmod -- 0440 "${1}"
|
||||||
|
+ if ! chown -- "tang:tang" "${1}" 2>/dev/null; then
|
||||||
|
+ echo "Unable to change owner/group for ${1} to tang:tang" >&2
|
||||||
|
+ fi
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
if [ $# -ne 1 -a $# -ne 3 ] || [ ! -d "$1" ]; then
|
||||||
|
echo "Usage: $0 <jwkdir> [<sig> <exc>]" >&2
|
||||||
|
exit 1
|
||||||
|
@@ -32,7 +39,9 @@
|
||||||
|
jwe=`jose jwk gen -i '{"alg":"ES512"}'`
|
||||||
|
[ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-`
|
||||||
|
echo "$jwe" > $1/$sig.jwk
|
||||||
|
+set_perms "$1/$sig.jwk"
|
||||||
|
|
||||||
|
jwe=`jose jwk gen -i '{"alg":"ECMR"}'`
|
||||||
|
[ -z "$exc" ] && exc=`echo "$jwe" | jose jwk thp -i-`
|
||||||
|
echo "$jwe" > $1/$exc.jwk
|
||||||
|
+set_perms "$1/$exc.jwk"
|
@ -1,12 +1,15 @@
|
|||||||
Name: tang
|
Name: tang
|
||||||
Version: 7
|
Version: 7
|
||||||
Release: 5%{?dist}
|
Release: 8%{?dist}
|
||||||
Summary: Network Presence Binding Daemon
|
Summary: Network Presence Binding Daemon
|
||||||
|
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
URL: https://github.com/latchset/%{name}
|
URL: https://github.com/latchset/%{name}
|
||||||
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2
|
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2
|
||||||
Patch1: 0001-Move-key-generation-to-tang.patch
|
Patch1: 0001-Move-key-generation-to-tang.patch
|
||||||
|
Patch2: 0002-Exit-with-success-unless-the-issue-was-with-with-tan.patch
|
||||||
|
Patch3: 0003-Fix-permissions-race-condition.patch
|
||||||
|
Patch4: 0004-Set-tang-owner-group.patch
|
||||||
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: autoconf
|
BuildRequires: autoconf
|
||||||
@ -27,6 +30,7 @@ BuildRequires: asciidoc
|
|||||||
BuildRequires: coreutils
|
BuildRequires: coreutils
|
||||||
BuildRequires: grep
|
BuildRequires: grep
|
||||||
BuildRequires: sed
|
BuildRequires: sed
|
||||||
|
BuildRequires: git-core
|
||||||
|
|
||||||
%{?systemd_requires}
|
%{?systemd_requires}
|
||||||
Requires: coreutils
|
Requires: coreutils
|
||||||
@ -40,8 +44,7 @@ Requires(pre): shadow-utils
|
|||||||
Tang is a small daemon for binding data to the presence of a third party.
|
Tang is a small daemon for binding data to the presence of a third party.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%autosetup -S git
|
||||||
%patch1 -p1
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
autoreconf -i
|
autoreconf -i
|
||||||
@ -88,6 +91,19 @@ exit 0
|
|||||||
%{_mandir}/man1/tang-show-keys.1*
|
%{_mandir}/man1/tang-show-keys.1*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jul 21 2023 Sergio Arroutbi <sarroutb@redhat.com> - 7-8
|
||||||
|
- Set correct user/group (tang/tang) in tangd-keygen
|
||||||
|
Resolves: rhbz#2188743
|
||||||
|
|
||||||
|
* Wed Jun 28 2023 Sergio Arroutbi <sarroutb@redhat.com> - 7-7
|
||||||
|
- Fix race condition when creating/rotating keys
|
||||||
|
Resolves: rhbz#2182410
|
||||||
|
Resolves: CVE-2023-1672
|
||||||
|
|
||||||
|
* Wed Jan 13 2021 Sergio Correia <scorreia@redhat.com> - 7-6
|
||||||
|
- Exit with success unless the issue was with with tangd itself
|
||||||
|
Resolves: rhbz#1828558
|
||||||
|
|
||||||
* Sun Dec 01 2019 Sergio Correia <scorreia@redhat.com> - 7-5
|
* Sun Dec 01 2019 Sergio Correia <scorreia@redhat.com> - 7-5
|
||||||
- Permissions of /var/db/tang set to 0700
|
- Permissions of /var/db/tang set to 0700
|
||||||
- Home dir of user tang is /var/cache/tang
|
- Home dir of user tang is /var/cache/tang
|
||||||
|