Fix CVE-2020-24330 CVE-2020-24331 CVE-2020-24332

2020-12-28 16:04:24 +08:00 · 2020-12-28 16:04:24 +08:00 · 7c3f853b56
commit 7c3f853b56
parent dbc858dda3
2 changed files with 98 additions and 5 deletions
--- a/backport-CVE-2020-24330-CVE-2020-24331-CVE-2020-24332-Correct-multiple-security-issues.patch
+++ b/backport-CVE-2020-24330-CVE-2020-24331-CVE-2020-24332-Correct-multiple-security-issues.patch
@ -0,0 +1,89 @@
+From e74dd1d96753b0538192143adf58d04fcd3b242b Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <mgerstner@suse.de>
+Date: Fri, 14 Aug 2020 22:14:36 -0700
+Subject: [PATCH] Correct multiple security issues that are present if the tcsd
+ is started by root instead of the tss user.
+
+Patch fixes the following 3 CVEs:
+
+CVE-2020-24332
+If the tcsd daemon is started with root privileges,
+the creation of the system.data file is prone to symlink attacks
+
+CVE-2020-24330
+If the tcsd daemon is started with root privileges,
+it fails to drop the root gid after it is no longer needed
+
+CVE-2020-24331
+If the tcsd daemon is started with root privileges,
+the tss user has read and write access to the /etc/tcsd.conf file
+
+Authored-by: Matthias Gerstner <mgerstner@suse.de>
+Signed-off-by: Debora Velarde Babb <debora@linux.ibm.com>
+---
+ src/tcs/ps/tcsps.c   |  2 +-
+ src/tcsd/svrside.c   |  1 +
+ src/tcsd/tcsd_conf.c | 10 +++++-----
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/src/tcs/ps/tcsps.c b/src/tcs/ps/tcsps.c
+index e47154b..85d45a9 100644
+--- a/src/tcs/ps/tcsps.c
+++ b/src/tcs/ps/tcsps.c
+@@ -72,7 +72,7 @@ get_file()
+ 	}
+ 
+ 	/* open and lock the file */
+-	system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
+	system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
+ 	if (system_ps_fd < 0) {
+ 		LogError("system PS: open() of %s failed: %s",
+ 				tcsd_options.system_ps_file, strerror(errno));
+diff --git a/src/tcsd/svrside.c b/src/tcsd/svrside.c
+index 1ae1636..1c12ff3 100644
+--- a/src/tcsd/svrside.c
+++ b/src/tcsd/svrside.c
+@@ -473,6 +473,7 @@ main(int argc, char **argv)
+ 		}
+ 		return TCSERR(TSS_E_INTERNAL_ERROR);
+ 	}
+	setgid(pwd->pw_gid);
+ 	setuid(pwd->pw_uid);
+ #endif
+ #endif
+diff --git a/src/tcsd/tcsd_conf.c b/src/tcsd/tcsd_conf.c
+index a31503d..ea8ea13 100644
+--- a/src/tcsd/tcsd_conf.c
+++ b/src/tcsd/tcsd_conf.c
+@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
+ #ifndef SOLARIS
+ 	struct group *grp;
+ 	struct passwd *pw;
+-	mode_t mode = (S_IRUSR|S_IWUSR);
+	mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP);
+ #endif /* SOLARIS */
+ 	TSS_RESULT result;
+ 
+@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
+ 	}
+ 
+ 	/* make sure user/group TSS owns the conf file */
+-	if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
+	if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
+ 		LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
+-				TSS_USER_NAME, TSS_GROUP_NAME);
+				"root", TSS_GROUP_NAME);
+ 		return TCSERR(TSS_E_INTERNAL_ERROR);
+ 	}
+ 
+-	/* make sure only the tss user can manipulate the config file */
+	/* make sure only the tss user can read (but not manipulate) the config file */
+ 	if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
+-		LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
+		LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
+ 		return TCSERR(TSS_E_INTERNAL_ERROR);
+ 	}
+ #endif /* SOLARIS */
+-- 
+1.8.3.1
+
--- a/trousers.spec
+++ b/trousers.spec
@ -1,12 +1,13 @@
 Name:         trousers
 Version:      0.3.14
-Release:      3
+Release:      4
 Summary:      The open-source TCG Software Stack
 License:      BSD
 Url:          http://trousers.sourceforge.net
 Source0:      https://sourceforge.net/projects/trousers/files/trousers/0.3.14/trousers-0.3.14.tar.gz
 #Acknowledge Source1 from Fedora.
 Source1:      tcsd.service
+Patch0:       backport-CVE-2020-24330-CVE-2020-24331-CVE-2020-24332-Correct-multiple-security-issues.patch

 BuildRequires:    libtool openssl-devel systemd
 Requires(pre):    shadow-utils
@ -73,7 +74,7 @@ exit 0
 %doc README ChangeLog AUTHORS
 %license LICENSE
 %{_sbindir}/tcsd
-%config(noreplace) %attr(0600, tss, tss) %{_sysconfdir}/tcsd.conf
+%config(noreplace) %attr(0640, root, tss) %{_sysconfdir}/tcsd.conf
 %attr(0644,root,root) %{_unitdir}/tcsd.service
 %attr(0700, tss, tss) %{_localstatedir}/lib/tpm/
 %{_libdir}/libtspi.so.*
@ -92,13 +93,16 @@ exit 0


 %changelog
-* Sat Mar 21 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.9.8-3
+* Mon Dec 28 2020 Hugel <gengqihu1@huawei.com> - 0.3.14-4
+- Fix CVE-2020-24330 CVE-2020-24331 CVE-2020-24332
+
+* Sat Mar 21 2020 openEuler Buildteam <buildteam@openeuler.org> - 0.3.14-3
 - Add tss account used by the trousers package to sandbox the tcsd daemon

-* Sat Dec 21 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.9.8-2
+* Sat Dec 21 2019 openEuler Buildteam <buildteam@openeuler.org> - 0.3.14-2
 - Modify requires

-* Mon Oct 14 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.9.8-1
+* Mon Oct 14 2019 openEuler Buildteam <buildteam@openeuler.org> - 0.3.14-1
 - update to 0.3.13

 * Wed Sep 4 2019 Zaiwang Li<lizaiwang1@huawei.com> - 0.3.13-12