author | Armin Kuster <akuster808@gmail.com> | 2020-08-27 16:34:24 +0000 |
committer | Armin Kuster <akuster808@gmail.com> | 2020-08-29 07:25:10 -0700 |
commit | 55cbb636340ed7da08a0ae338b54d72c66d41242 (patch) | |
tree | b4400ee21b0f181be4005782b219a63460be0445 | |
parent | 787ba6faeaa8823a4d87e5edd15581cb4e12fa70 (diff) | |
download | meta-security-55cbb636340ed7da08a0ae338b54d72c66d41242.tar.gz |
trousers: update to tip
Mainly for a compile issue now being seen.
rpc/tcstp/.libs/libtspi_la-rpc_cmk.o:/usr/src/debug/trousers/0.3.14+gitAUTOINC+4b9a70d578-r0/build/src/tspi/../../../git/src/include/tcsd.h:169: multiple definition of `tcsd_sa_int'; .libs/libtspi_la-tspi_context.o:/usr/src/debug/trousers/0.3.14+gitAUTOINC+4b9a70d578-r0/build/src/tspi/../../../git/src/include/tcsd.h:169: first defined here
| collect2: error: ld returned 1 exit status
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch | 94 | ||||
-rw-r--r-- | meta-tpm/recipes-tpm/trousers/trousers_git.bb | 3 |
2 files changed, 1 insertions, 96 deletions
diff --git a/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch b/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch deleted file mode 100644 index 72c81d1..0000000 --- a/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch +++ /dev/null | |||
@@ -1,94 +0,0 @@ | |||
1 | From e74dd1d96753b0538192143adf58d04fcd3b242b Mon Sep 17 00:00:00 2001 | ||
2 | From: Matthias Gerstner <mgerstner@suse.de> | ||
3 | Date: Fri, 14 Aug 2020 22:14:36 -0700 | ||
4 | Subject: [PATCH] Correct multiple security issues that are present if the tcsd | ||
5 | is started by root instead of the tss user. | ||
6 | |||
7 | Patch fixes the following 3 CVEs: | ||
8 | |||
9 | CVE-2020-24332 | ||
10 | If the tcsd daemon is started with root privileges, | ||
11 | the creation of the system.data file is prone to symlink attacks | ||
12 | |||
13 | CVE-2020-24330 | ||
14 | If the tcsd daemon is started with root privileges, | ||
15 | it fails to drop the root gid after it is no longer needed | ||
16 | |||
17 | CVE-2020-24331 | ||
18 | If the tcsd daemon is started with root privileges, | ||
19 | the tss user has read and write access to the /etc/tcsd.conf file | ||
20 | |||
21 | Authored-by: Matthias Gerstner <mgerstner@suse.de> | ||
22 | Signed-off-by: Debora Velarde Babb <debora@linux.ibm.com> | ||
23 | |||
24 | Upstream-Status: Backport | ||
25 | CVE: CVE-2020-24332 | ||
26 | CVE: CVE-2020-24330 | ||
27 | CVE: CVE-2020-24331 | ||
28 | |||
29 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
30 | |||
31 | --- | ||
32 | src/tcs/ps/tcsps.c | 2 +- | ||
33 | src/tcsd/svrside.c | 1 + | ||
34 | src/tcsd/tcsd_conf.c | 10 +++++----- | ||
35 | 3 files changed, 7 insertions(+), 6 deletions(-) | ||
36 | |||
37 | Index: git/src/tcs/ps/tcsps.c | ||
38 | =================================================================== | ||
39 | --- git.orig/src/tcs/ps/tcsps.c | ||
40 | +++ git/src/tcs/ps/tcsps.c | ||
41 | @@ -72,7 +72,7 @@ get_file() | ||
42 | } | ||
43 | |||
44 | /* open and lock the file */ | ||
45 | - system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600); | ||
46 | + system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600); | ||
47 | if (system_ps_fd < 0) { | ||
48 | LogError("system PS: open() of %s failed: %s", | ||
49 | tcsd_options.system_ps_file, strerror(errno)); | ||
50 | Index: git/src/tcsd/svrside.c | ||
51 | =================================================================== | ||
52 | --- git.orig/src/tcsd/svrside.c | ||
53 | +++ git/src/tcsd/svrside.c | ||
54 | @@ -473,6 +473,7 @@ main(int argc, char **argv) | ||
55 | } | ||
56 | return TCSERR(TSS_E_INTERNAL_ERROR); | ||
57 | } | ||
58 | + setgid(pwd->pw_gid); | ||
59 | setuid(pwd->pw_uid); | ||
60 | #endif | ||
61 | #endif | ||
62 | Index: git/src/tcsd/tcsd_conf.c | ||
63 | =================================================================== | ||
64 | --- git.orig/src/tcsd/tcsd_conf.c | ||
65 | +++ git/src/tcsd/tcsd_conf.c | ||
66 | @@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf) | ||
67 | #ifndef SOLARIS | ||
68 | struct group *grp; | ||
69 | struct passwd *pw; | ||
70 | - mode_t mode = (S_IRUSR|S_IWUSR); | ||
71 | + mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP); | ||
72 | #endif /* SOLARIS */ | ||
73 | TSS_RESULT result; | ||
74 | |||
75 | @@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf) | ||
76 | } | ||
77 | |||
78 | /* make sure user/group TSS owns the conf file */ | ||
79 | - if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) { | ||
80 | + if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) { | ||
81 | LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file, | ||
82 | - TSS_USER_NAME, TSS_GROUP_NAME); | ||
83 | + "root", TSS_GROUP_NAME); | ||
84 | return TCSERR(TSS_E_INTERNAL_ERROR); | ||
85 | } | ||
86 | |||
87 | - /* make sure only the tss user can manipulate the config file */ | ||
88 | + /* make sure only the tss user can read (but not manipulate) the config file */ | ||
89 | if (((stat_buf.st_mode & 0777) ^ mode) != 0) { | ||
90 | - LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file); | ||
91 | + LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file); | ||
92 | return TCSERR(TSS_E_INTERNAL_ERROR); | ||
93 | } | ||
94 | #endif /* SOLARIS */ | ||
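--- a/meta-tpm/recipes-tpm/trousers/trousers_git.bb
+++ b/meta-tpm/recipes-tpm/trousers/trousers_git.bb
@@ -6,7 +6,7 @@ SECTION = "security/tpm"
 
 DEPENDS = "openssl"
 
-SRCREV = "4b9a70d5789b0b74f43957a6c19ab2156a72d3e0"
+SRCREV = "e74dd1d96753b0538192143adf58d04fcd3b242b"
 PV = "0.3.14+git${SRCPV}"
 
 SRC_URI = " \
@@ -16,7 +16,6 @@ SRC_URI = " \
 file://tcsd.service \
 file://get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch \
 file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \
-file://0001-Correct-multiple-security-issues-that-are-present-if.patch \
 "
 
 S = "${WORKDIR}/git"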
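Review bot: Removing `file://0001-Correct-multiple-security-issues-that-are-present-if.patch` from SRC_URI also removes the `CVE: CVE-2020-24330`, `CVE: CVE-2020-24331` and `CVE: CVE-2020-24332` tags that the deleted patch header carried, which is what cve-check uses to mark a CVE as patched while PV stays at "0.3.14+git${SRCPV}". The new SRCREV "e74dd1d96753b0538192143adf58d04fcd3b242b" is the same hash as the deleted patch's "From" line, so the fix appears to be upstream at this revision, but nothing in the recipe or the commit message records that. Consider stating in the commit message that the backport is now contained in the new SRCREV, and, if cve-check still reports these three ids for this recipe, adding them to `CVE_CHECK_WHITELIST` with a comment naming the upstream commit.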