trousers: security fixes
Fixes for the following CVEs, plus a fix for an annocheck warning. - Fix for CVE-2020-24330 (RHBZ#1874824) - Fix for CVE-2020-24331 (RHBZ#1870057) - Fix for CVE-2020-24332 (RHBZ#1870053) Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
This commit is contained in:
Jerry Snitselaar
parent
ba65b02d14
commit
3459d0cdf6
89
trousers-0.3.14-correct-security-issues.patch
Normal file
89
trousers-0.3.14-correct-security-issues.patch
Normal file
@ -0,0 +1,89 @@
|
||||
From e74dd1d96753b0538192143adf58d04fcd3b242b Mon Sep 17 00:00:00 2001
|
||||
From: Matthias Gerstner <mgerstner@suse.de>
|
||||
Date: Fri, 14 Aug 2020 22:14:36 -0700
|
||||
Subject: [PATCH 1/2] Correct multiple security issues that are present if the
|
||||
tcsd is started by root instead of the tss user.
|
||||
|
||||
Patch fixes the following 3 CVEs:
|
||||
|
||||
CVE-2020-24332
|
||||
If the tcsd daemon is started with root privileges,
|
||||
the creation of the system.data file is prone to symlink attacks
|
||||
|
||||
CVE-2020-24330
|
||||
If the tcsd daemon is started with root privileges,
|
||||
it fails to drop the root gid after it is no longer needed
|
||||
|
||||
CVE-2020-24331
|
||||
If the tcsd daemon is started with root privileges,
|
||||
the tss user has read and write access to the /etc/tcsd.conf file
|
||||
|
||||
Authored-by: Matthias Gerstner <mgerstner@suse.de>
|
||||
Signed-off-by: Debora Velarde Babb <debora@linux.ibm.com>
|
||||
---
|
||||
src/tcs/ps/tcsps.c | 2 +-
|
||||
src/tcsd/svrside.c | 1 +
|
||||
src/tcsd/tcsd_conf.c | 10 +++++-----
|
||||
3 files changed, 7 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/tcs/ps/tcsps.c b/src/tcs/ps/tcsps.c
|
||||
index e47154b20612..85d45a96b7c3 100644
|
||||
--- a/src/tcs/ps/tcsps.c
|
||||
+++ b/src/tcs/ps/tcsps.c
|
||||
@@ -72,7 +72,7 @@ get_file()
|
||||
}
|
||||
|
||||
/* open and lock the file */
|
||||
- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
|
||||
+ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
|
||||
if (system_ps_fd < 0) {
|
||||
LogError("system PS: open() of %s failed: %s",
|
||||
tcsd_options.system_ps_file, strerror(errno));
|
||||
diff --git a/src/tcsd/svrside.c b/src/tcsd/svrside.c
|
||||
index 1ae1636f8730..1c12ff3afdd0 100644
|
||||
--- a/src/tcsd/svrside.c
|
||||
+++ b/src/tcsd/svrside.c
|
||||
@@ -473,6 +473,7 @@ main(int argc, char **argv)
|
||||
}
|
||||
return TCSERR(TSS_E_INTERNAL_ERROR);
|
||||
}
|
||||
+ setgid(pwd->pw_gid);
|
||||
setuid(pwd->pw_uid);
|
||||
#endif
|
||||
#endif
|
||||
diff --git a/src/tcsd/tcsd_conf.c b/src/tcsd/tcsd_conf.c
|
||||
index a31503df3f1f..ea8ea13f5f16 100644
|
||||
--- a/src/tcsd/tcsd_conf.c
|
||||
+++ b/src/tcsd/tcsd_conf.c
|
||||
@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
|
||||
#ifndef SOLARIS
|
||||
struct group *grp;
|
||||
struct passwd *pw;
|
||||
- mode_t mode = (S_IRUSR|S_IWUSR);
|
||||
+ mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP);
|
||||
#endif /* SOLARIS */
|
||||
TSS_RESULT result;
|
||||
|
||||
@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
|
||||
}
|
||||
|
||||
/* make sure user/group TSS owns the conf file */
|
||||
- if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
|
||||
+ if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
|
||||
LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
|
||||
- TSS_USER_NAME, TSS_GROUP_NAME);
|
||||
+ "root", TSS_GROUP_NAME);
|
||||
return TCSERR(TSS_E_INTERNAL_ERROR);
|
||||
}
|
||||
|
||||
- /* make sure only the tss user can manipulate the config file */
|
||||
+ /* make sure only the tss user can read (but not manipulate) the config file */
|
||||
if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
|
||||
- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
|
||||
+ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
|
||||
return TCSERR(TSS_E_INTERNAL_ERROR);
|
||||
}
|
||||
#endif /* SOLARIS */
|
||||
--
|
||||
2.27.0
|
||||
|
||||
49
trousers-0.3.14-no-optimize.patch
Normal file
49
trousers-0.3.14-no-optimize.patch
Normal file
@ -0,0 +1,49 @@
|
||||
From 6edef3777f9b9a26e63168bb81c8d4f4ddb17017 Mon Sep 17 00:00:00 2001
|
||||
From: Jerry Snitselaar <jsnitsel@redhat.com>
|
||||
Date: Wed, 5 Jun 2019 11:51:33 -0700
|
||||
Subject: [PATCH 2/2] trousers: don't use __no_optimize
|
||||
|
||||
The trousers is failing annocheck hardened check due to
|
||||
__no_optimize being used for __tspi_memset(). Instead of
|
||||
__no_optimize use a asm memory barrier.
|
||||
|
||||
Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
|
||||
Signed-off-by: Debora Velarde Babb <debora@linux.ibm.com>
|
||||
---
|
||||
src/include/spi_utils.h | 2 +-
|
||||
src/tspi/tsp_context_mem.c | 6 ++++--
|
||||
2 files changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/include/spi_utils.h b/src/include/spi_utils.h
|
||||
index 11255b20a21d..6ef21ce0cc83 100644
|
||||
--- a/src/include/spi_utils.h
|
||||
+++ b/src/include/spi_utils.h
|
||||
@@ -53,7 +53,7 @@ MUTEX_DECLARE_EXTERN(mem_cache_lock);
|
||||
void *calloc_tspi(TSS_HCONTEXT, UINT32);
|
||||
TSS_RESULT free_tspi(TSS_HCONTEXT, void *);
|
||||
TSS_RESULT __tspi_add_mem_entry(TSS_HCONTEXT, void *);
|
||||
-void * __no_optimize __tspi_memset(void *, int, size_t);
|
||||
+void * __tspi_memset(void *, int, size_t);
|
||||
|
||||
/* secrets.c */
|
||||
|
||||
diff --git a/src/tspi/tsp_context_mem.c b/src/tspi/tsp_context_mem.c
|
||||
index 2982df9fed06..2769af3662b9 100644
|
||||
--- a/src/tspi/tsp_context_mem.c
|
||||
+++ b/src/tspi/tsp_context_mem.c
|
||||
@@ -258,8 +258,10 @@ free_tspi(TSS_HCONTEXT tspContext, void *memPointer)
|
||||
}
|
||||
|
||||
/* definition for a memset that cannot be optimized away */
|
||||
-void * __no_optimize
|
||||
+void *
|
||||
__tspi_memset(void *s, int c, size_t n)
|
||||
{
|
||||
- return memset(s, c, n);
|
||||
+ memset(s, c, n);
|
||||
+ asm volatile("" ::: "memory");
|
||||
+ return s;
|
||||
}
|
||||
--
|
||||
2.27.0
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
Name: trousers
|
||||
Summary: TCG's Software Stack v1.2
|
||||
Version: 0.3.14
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: BSD
|
||||
Url: http://trousers.sourceforge.net
|
||||
|
||||
@ -14,6 +14,8 @@ Patch3: trousers-0.3.14-fix-indent-obj_policy.patch
|
||||
Patch4: trousers-0.3.14-double-free.patch
|
||||
Patch5: trousers-0.3.14-fix-indent-tspi_key.patch
|
||||
Patch6: trousers-0.3.14-tcsd-header-fix.patch
|
||||
Patch7: trousers-0.3.14-correct-security-issues.patch
|
||||
Patch8: trousers-0.3.14-no-optimize.patch
|
||||
|
||||
BuildRequires: libtool, openssl-devel
|
||||
BuildRequires: systemd
|
||||
@ -95,7 +97,7 @@ exit 0
|
||||
%files
|
||||
%doc README ChangeLog
|
||||
%{_sbindir}/tcsd
|
||||
%config(noreplace) %attr(0600, tss, tss) %{_sysconfdir}/tcsd.conf
|
||||
%config(noreplace) %attr(0640, root, tss) %{_sysconfdir}/tcsd.conf
|
||||
%{_mandir}/man5/*
|
||||
%{_mandir}/man8/*
|
||||
%attr(644,root,root) %{_unitdir}/tcsd.service
|
||||
@ -118,6 +120,11 @@ exit 0
|
||||
%{_libdir}/libtddl.a
|
||||
|
||||
%changelog
|
||||
* Thu Oct 29 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 0.3.14-4
|
||||
- Fix for CVE-2020-24330 (RHBZ#1874824)
|
||||
- Fix for CVE-2020-24331 (RHBZ#1870057)
|
||||
- Fix for CVE-2020-24332 (RHBZ#1870053)
|
||||
|
||||
* Tue Sep 15 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 0.3.14-3
|
||||
- Update user creation to latest guidelines
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user