packages/trousers
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!11 openEuler-20.03-LTS-Next: Fix CVE-2020-24330 CVE-2020-24331 CVE-2020-24332

Browse Source 
From: @hugel
Reviewed-by: @zhujianwei001
Signed-off-by: @zhujianwei001
This commit is contained in:
openeuler-ci-bot 2020-12-31 18:36:07 +08:00 committed by Gitee
commit bef4429c37
2 changed files with 98 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
backport-CVE-2020-24330-CVE-2020-24331-CVE-2020-24332-Correct-multiple-security-issues.patch Normal file
View File

@ -0,0 +1,89 @@
From e74dd1d96753b0538192143adf58d04fcd3b242b Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <mgerstner@suse.de>
Date: Fri, 14 Aug 2020 22:14:36 -0700
Subject: [PATCH] Correct multiple security issues that are present if the tcsd
is started by root instead of the tss user.
Patch fixes the following 3 CVEs:
CVE-2020-24332
If the tcsd daemon is started with root privileges,
the creation of the system.data file is prone to symlink attacks
CVE-2020-24330
If the tcsd daemon is started with root privileges,
it fails to drop the root gid after it is no longer needed
CVE-2020-24331
If the tcsd daemon is started with root privileges,
the tss user has read and write access to the /etc/tcsd.conf file
Authored-by: Matthias Gerstner <mgerstner@suse.de>
Signed-off-by: Debora Velarde Babb <debora@linux.ibm.com>
---
src/tcs/ps/tcsps.c | 2 +-
src/tcsd/svrside.c | 1 +
src/tcsd/tcsd_conf.c | 10 +++++-----
3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/tcs/ps/tcsps.c b/src/tcs/ps/tcsps.c
index e47154b..85d45a9 100644
--- a/src/tcs/ps/tcsps.c
+++ b/src/tcs/ps/tcsps.c
@@ -72,7 +72,7 @@ get_file()
}
/* open and lock the file */
- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
+ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
if (system_ps_fd < 0) {
LogError("system PS: open() of %s failed: %s",
tcsd_options.system_ps_file, strerror(errno));
diff --git a/src/tcsd/svrside.c b/src/tcsd/svrside.c
index 1ae1636..1c12ff3 100644
--- a/src/tcsd/svrside.c
+++ b/src/tcsd/svrside.c
@@ -473,6 +473,7 @@ main(int argc, char **argv)
}
return TCSERR(TSS_E_INTERNAL_ERROR);
}
+ setgid(pwd->pw_gid);
setuid(pwd->pw_uid);
#endif
#endif
diff --git a/src/tcsd/tcsd_conf.c b/src/tcsd/tcsd_conf.c
index a31503d..ea8ea13 100644
--- a/src/tcsd/tcsd_conf.c
+++ b/src/tcsd/tcsd_conf.c
@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
#ifndef SOLARIS
struct group *grp;
struct passwd *pw;
- mode_t mode = (S_IRUSR|S_IWUSR);
+ mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP);
#endif /* SOLARIS */
TSS_RESULT result;
@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
}
/* make sure user/group TSS owns the conf file */
- if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
+ if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
- TSS_USER_NAME, TSS_GROUP_NAME);
+ "root", TSS_GROUP_NAME);
return TCSERR(TSS_E_INTERNAL_ERROR);
}
- /* make sure only the tss user can manipulate the config file */
+ /* make sure only the tss user can read (but not manipulate) the config file */
if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
+ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
return TCSERR(TSS_E_INTERNAL_ERROR);
}
#endif /* SOLARIS */
--
1.8.3.1

14
trousers.spec
View File

@ -1,12 +1,13 @@
Name: trousers Name: trousers
Version: 0.3.14 Version: 0.3.14
Release: 3 Release: 4
Summary: The open-source TCG Software Stack Summary: The open-source TCG Software Stack
License: BSD License: BSD
Url: http://trousers.sourceforge.net Url: http://trousers.sourceforge.net
Source0: https://sourceforge.net/projects/trousers/files/trousers/0.3.14/trousers-0.3.14.tar.gz Source0: https://sourceforge.net/projects/trousers/files/trousers/0.3.14/trousers-0.3.14.tar.gz
#Acknowledge Source1 from Fedora. #Acknowledge Source1 from Fedora.
Source1: tcsd.service Source1: tcsd.service
Patch0: backport-CVE-2020-24330-CVE-2020-24331-CVE-2020-24332-Correct-multiple-security-issues.patch
BuildRequires: libtool openssl-devel systemd BuildRequires: libtool openssl-devel systemd
Requires(pre): shadow-utils Requires(pre): shadow-utils
@ -73,7 +74,7 @@ exit 0
%doc README ChangeLog AUTHORS %doc README ChangeLog AUTHORS
%license LICENSE %license LICENSE
%{_sbindir}/tcsd %{_sbindir}/tcsd
%config(noreplace) %attr(0600, tss, tss) %{_sysconfdir}/tcsd.conf %config(noreplace) %attr(0640, root, tss) %{_sysconfdir}/tcsd.conf
%attr(0644,root,root) %{_unitdir}/tcsd.service %attr(0644,root,root) %{_unitdir}/tcsd.service
%attr(0700, tss, tss) %{_localstatedir}/lib/tpm/ %attr(0700, tss, tss) %{_localstatedir}/lib/tpm/
%{_libdir}/libtspi.so.* %{_libdir}/libtspi.so.*
@ -92,13 +93,16 @@ exit 0
%changelog %changelog
* Sat Mar 21 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.9.8-3 * Mon Dec 28 2020 Hugel <gengqihu1@huawei.com> - 0.3.14-4
- Fix CVE-2020-24330 CVE-2020-24331 CVE-2020-24332
* Sat Mar 21 2020 openEuler Buildteam <buildteam@openeuler.org> - 0.3.14-3
- Add tss account used by the trousers package to sandbox the tcsd daemon - Add tss account used by the trousers package to sandbox the tcsd daemon
* Sat Dec 21 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.9.8-2 * Sat Dec 21 2019 openEuler Buildteam <buildteam@openeuler.org> - 0.3.14-2
- Modify requires - Modify requires
* Mon Oct 14 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.9.8-1 * Mon Oct 14 2019 openEuler Buildteam <buildteam@openeuler.org> - 0.3.14-1
- update to 0.3.13 - update to 0.3.13
* Wed Sep 4 2019 Zaiwang Li<lizaiwang1@huawei.com> - 0.3.13-12 * Wed Sep 4 2019 Zaiwang Li<lizaiwang1@huawei.com> - 0.3.13-12