trousers: Several Security fixes

Fixes: CVE-2020-24332 CVE-2020-24330 CVE-2020-24331 Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Armin Kuster <akuster@mvista.com> 2020-08-17 21:50:28 +0000
committer: Armin Kuster <akuster808@gmail.com> 2020-08-17 15:08:14 -0700
commit: 787ba6faeaa8823a4d87e5edd15581cb4e12fa70 (patch)
tree: c70eb379cfee36769d311f90f71ce9f5013a98a7
parent: 98e0a3ecf8161b678a224bc7b06abae9dc9d9039 (diff)
download: meta-security-787ba6faeaa8823a4d87e5edd15581cb4e12fa70.tar.gz
2 files changed, 95 insertions, 0 deletions
diff --git a/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch b/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch
new file mode 100644
index 0000000..72c81d1
--- /dev/null
+++ b/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch
@@ -0,0 +1,94 @@
+From e74dd1d96753b0538192143adf58d04fcd3b242b Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <mgerstner@suse.de>
+Date: Fri, 14 Aug 2020 22:14:36 -0700
+Subject: [PATCH] Correct multiple security issues that are present if the tcsd
+ is started by root instead of the tss user.
+Patch fixes the following 3 CVEs:
+CVE-2020-24332
+If the tcsd daemon is started with root privileges,
+the creation of the system.data file is prone to symlink attacks
+CVE-2020-24330
+If the tcsd daemon is started with root privileges,
+it fails to drop the root gid after it is no longer needed
+CVE-2020-24331
+If the tcsd daemon is started with root privileges,
+the tss user has read and write access to the /etc/tcsd.conf file
+Authored-by: Matthias Gerstner <mgerstner@suse.de>
+Signed-off-by: Debora Velarde Babb <debora@linux.ibm.com>
+Upstream-Status: Backport
+CVE: CVE-2020-24332
+CVE: CVE-2020-24330
+CVE: CVE-2020-24331
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/tcs/ps/tcsps.c   |  2 +-
+ src/tcsd/svrside.c   |  1 +
+ src/tcsd/tcsd_conf.c | 10 +++++-----
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+Index: git/src/tcs/ps/tcsps.c
+===================================================================
+--- git.orig/src/tcs/ps/tcsps.c
+++ git/src/tcs/ps/tcsps.c
+@@ -72,7 +72,7 @@ get_file()
+        }
+ 
+        /* open and lock the file */
+-       system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
+       system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
+        if (system_ps_fd < 0) {
+                LogError("system PS: open() of %s failed: %s",
+                                tcsd_options.system_ps_file, strerror(errno));
+Index: git/src/tcsd/svrside.c
+===================================================================
+--- git.orig/src/tcsd/svrside.c
+++ git/src/tcsd/svrside.c
+@@ -473,6 +473,7 @@ main(int argc, char **argv)
+                }
+                return TCSERR(TSS_E_INTERNAL_ERROR);
+        }
+       setgid(pwd->pw_gid);
+        setuid(pwd->pw_uid);
+ #endif
+ #endif
+Index: git/src/tcsd/tcsd_conf.c
+===================================================================
+--- git.orig/src/tcsd/tcsd_conf.c
+++ git/src/tcsd/tcsd_conf.c
+@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
+ #ifndef SOLARIS
+        struct group *grp;
+        struct passwd *pw;
+-       mode_t mode = (S_IRUSR|S_IWUSR);
+       mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP);
+ #endif /* SOLARIS */
+        TSS_RESULT result;
+ 
+@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
+        }
+ 
+        /* make sure user/group TSS owns the conf file */
+-       if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
+       if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
+                LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
+-                               TSS_USER_NAME, TSS_GROUP_NAME);
+                               "root", TSS_GROUP_NAME);
+                return TCSERR(TSS_E_INTERNAL_ERROR);
+        }
+ 
+-       /* make sure only the tss user can manipulate the config file */
+       /* make sure only the tss user can read (but not manipulate) the config file */
+        if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
+-               LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
+               LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
+                return TCSERR(TSS_E_INTERNAL_ERROR);
+        }
+ #endif /* SOLARIS */
diff --git a/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-tpm/recipes-tpm/trousers/trousers_git.bb
index fe8f557..95e821b 100644
--- a/meta-tpm/recipes-tpm/trousers/trousers_git.bb
+++ b/meta-tpm/recipes-tpm/trousers/trousers_git.bb
@@ -16,6 +16,7 @@ SRC_URI = " \
        file://tcsd.service \
        file://get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch \
        file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \
+        file://0001-Correct-multiple-security-issues-that-are-present-if.patch \
        "
 S = "${WORKDIR}/git"
author	Armin Kuster <akuster@mvista.com>	2020-08-17 21:50:28 +0000
committer	Armin Kuster <akuster808@gmail.com>	2020-08-17 15:08:14 -0700
commit	787ba6faeaa8823a4d87e5edd15581cb4e12fa70 (patch)
tree	c70eb379cfee36769d311f90f71ce9f5013a98a7
parent	98e0a3ecf8161b678a224bc7b06abae9dc9d9039 (diff)
download	meta-security-787ba6faeaa8823a4d87e5edd15581cb4e12fa70.tar.gz

diff --git a/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch b/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch new file mode 100644 index 0000000..72c81d1 --- /dev/null +++ b/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch
@@ -0,0 +1,94 @@
		1	From e74dd1d96753b0538192143adf58d04fcd3b242b Mon Sep 17 00:00:00 2001
		2	From: Matthias Gerstner <mgerstner@suse.de>
		3	Date: Fri, 14 Aug 2020 22:14:36 -0700
		4	Subject: [PATCH] Correct multiple security issues that are present if the tcsd
		5	is started by root instead of the tss user.
		6
		7	Patch fixes the following 3 CVEs:
		8
		9	CVE-2020-24332
		10	If the tcsd daemon is started with root privileges,
		11	the creation of the system.data file is prone to symlink attacks
		12
		13	CVE-2020-24330
		14	If the tcsd daemon is started with root privileges,
		15	it fails to drop the root gid after it is no longer needed
		16
		17	CVE-2020-24331
		18	If the tcsd daemon is started with root privileges,
		19	the tss user has read and write access to the /etc/tcsd.conf file
		20
		21	Authored-by: Matthias Gerstner <mgerstner@suse.de>
		22	Signed-off-by: Debora Velarde Babb <debora@linux.ibm.com>
		23
		24	Upstream-Status: Backport
		25	CVE: CVE-2020-24332
		26	CVE: CVE-2020-24330
		27	CVE: CVE-2020-24331
		28
		29	Signed-off-by: Armin Kuster <akuster@mvista.com>
		30
		31	---
		32	src/tcs/ps/tcsps.c \| 2 +-
		33	src/tcsd/svrside.c \| 1 +
		34	src/tcsd/tcsd_conf.c \| 10 +++++-----
		35	3 files changed, 7 insertions(+), 6 deletions(-)
		36
		37	Index: git/src/tcs/ps/tcsps.c
		38	===================================================================
		39	--- git.orig/src/tcs/ps/tcsps.c
		40	+++ git/src/tcs/ps/tcsps.c
		41	@@ -72,7 +72,7 @@ get_file()
		42	}
		43
		44	/* open and lock the file */
		45	- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT\|O_RDWR, 0600);
		46	+ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT\|O_RDWR\|O_NOFOLLOW, 0600);
		47	if (system_ps_fd < 0) {
		48	LogError("system PS: open() of %s failed: %s",
		49	tcsd_options.system_ps_file, strerror(errno));
		50	Index: git/src/tcsd/svrside.c
		51	===================================================================
		52	--- git.orig/src/tcsd/svrside.c
		53	+++ git/src/tcsd/svrside.c
		54	@@ -473,6 +473,7 @@ main(int argc, char **argv)
		55	}
		56	return TCSERR(TSS_E_INTERNAL_ERROR);
		57	}
		58	+ setgid(pwd->pw_gid);
		59	setuid(pwd->pw_uid);
		60	#endif
		61	#endif
		62	Index: git/src/tcsd/tcsd_conf.c
		63	===================================================================
		64	--- git.orig/src/tcsd/tcsd_conf.c
		65	+++ git/src/tcsd/tcsd_conf.c
		66	@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
		67	#ifndef SOLARIS
		68	struct group *grp;
		69	struct passwd *pw;
		70	- mode_t mode = (S_IRUSR\|S_IWUSR);
		71	+ mode_t mode = (S_IRUSR\|S_IWUSR\|S_IRGRP);
		72	#endif /* SOLARIS */
		73	TSS_RESULT result;
		74
		75	@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
		76	}
		77
		78	/* make sure user/group TSS owns the conf file */
		79	- if (pw->pw_uid != stat_buf.st_uid \|\| grp->gr_gid != stat_buf.st_gid) {
		80	+ if (stat_buf.st_uid != 0 \|\| grp->gr_gid != stat_buf.st_gid) {
		81	LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
		82	- TSS_USER_NAME, TSS_GROUP_NAME);
		83	+ "root", TSS_GROUP_NAME);
		84	return TCSERR(TSS_E_INTERNAL_ERROR);
		85	}
		86
		87	- /* make sure only the tss user can manipulate the config file */
		88	+ /* make sure only the tss user can read (but not manipulate) the config file */
		89	if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
		90	- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
		91	+ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
		92	return TCSERR(TSS_E_INTERNAL_ERROR);
		93	}
		94	#endif /* SOLARIS */


diff --git a/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-tpm/recipes-tpm/trousers/trousers_git.bb index fe8f557..95e821b 100644 --- a/meta-tpm/recipes-tpm/trousers/trousers_git.bb +++ b/meta-tpm/recipes-tpm/trousers/trousers_git.bb
@@ -16,6 +16,7 @@ SRC_URI = " \
16	file://tcsd.service \	16	file://tcsd.service \
17	file://get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch \	17	file://get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch \
18	file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \	18	file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \
		19	file://0001-Correct-multiple-security-issues-that-are-present-if.patch \
19	"	20	"
20		21
21	S = "${WORKDIR}/git"	22	S = "${WORKDIR}/git"