mirror of
https://git.yoctoproject.org/meta-security
synced 2026-01-11 15:00:34 +00:00
trousers: update to tip
Many for compile issue now being seen. rpc/tcstp/.libs/libtspi_la-rpc_cmk.o:/usr/src/debug/trousers/0.3.14+gitAUTOINC+4b9a70d578-r0/build/src/tspi/../../../git/src/include/tcsd.h:169: multiple definition of `tcsd_sa_int'; .libs/libtspi_la-tspi_context.o:/usr/src/debug/trousers/0.3.14+gitAUTOINC+4b9a70d578-r0/build/src/tspi/../../../git/src/include/tcsd.h:169: first defined here | collect2: error: ld returned 1 exit status Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Armin Kuster
@@ -1,94 +0,0 @@
|
||||
From e74dd1d96753b0538192143adf58d04fcd3b242b Mon Sep 17 00:00:00 2001
|
||||
From: Matthias Gerstner <mgerstner@suse.de>
|
||||
Date: Fri, 14 Aug 2020 22:14:36 -0700
|
||||
Subject: [PATCH] Correct multiple security issues that are present if the tcsd
|
||||
is started by root instead of the tss user.
|
||||
|
||||
Patch fixes the following 3 CVEs:
|
||||
|
||||
CVE-2020-24332
|
||||
If the tcsd daemon is started with root privileges,
|
||||
the creation of the system.data file is prone to symlink attacks
|
||||
|
||||
CVE-2020-24330
|
||||
If the tcsd daemon is started with root privileges,
|
||||
it fails to drop the root gid after it is no longer needed
|
||||
|
||||
CVE-2020-24331
|
||||
If the tcsd daemon is started with root privileges,
|
||||
the tss user has read and write access to the /etc/tcsd.conf file
|
||||
|
||||
Authored-by: Matthias Gerstner <mgerstner@suse.de>
|
||||
Signed-off-by: Debora Velarde Babb <debora@linux.ibm.com>
|
||||
|
||||
Upstream-Status: Backport
|
||||
CVE: CVE-2020-24332
|
||||
CVE: CVE-2020-24330
|
||||
CVE: CVE-2020-24331
|
||||
|
||||
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
||||
|
||||
---
|
||||
src/tcs/ps/tcsps.c | 2 +-
|
||||
src/tcsd/svrside.c | 1 +
|
||||
src/tcsd/tcsd_conf.c | 10 +++++-----
|
||||
3 files changed, 7 insertions(+), 6 deletions(-)
|
||||
|
||||
Index: git/src/tcs/ps/tcsps.c
|
||||
===================================================================
|
||||
--- git.orig/src/tcs/ps/tcsps.c
|
||||
+++ git/src/tcs/ps/tcsps.c
|
||||
@@ -72,7 +72,7 @@ get_file()
|
||||
}
|
||||
|
||||
/* open and lock the file */
|
||||
- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
|
||||
+ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
|
||||
if (system_ps_fd < 0) {
|
||||
LogError("system PS: open() of %s failed: %s",
|
||||
tcsd_options.system_ps_file, strerror(errno));
|
||||
Index: git/src/tcsd/svrside.c
|
||||
===================================================================
|
||||
--- git.orig/src/tcsd/svrside.c
|
||||
+++ git/src/tcsd/svrside.c
|
||||
@@ -473,6 +473,7 @@ main(int argc, char **argv)
|
||||
}
|
||||
return TCSERR(TSS_E_INTERNAL_ERROR);
|
||||
}
|
||||
+ setgid(pwd->pw_gid);
|
||||
setuid(pwd->pw_uid);
|
||||
#endif
|
||||
#endif
|
||||
Index: git/src/tcsd/tcsd_conf.c
|
||||
===================================================================
|
||||
--- git.orig/src/tcsd/tcsd_conf.c
|
||||
+++ git/src/tcsd/tcsd_conf.c
|
||||
@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
|
||||
#ifndef SOLARIS
|
||||
struct group *grp;
|
||||
struct passwd *pw;
|
||||
- mode_t mode = (S_IRUSR|S_IWUSR);
|
||||
+ mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP);
|
||||
#endif /* SOLARIS */
|
||||
TSS_RESULT result;
|
||||
|
||||
@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
|
||||
}
|
||||
|
||||
/* make sure user/group TSS owns the conf file */
|
||||
- if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
|
||||
+ if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
|
||||
LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
|
||||
- TSS_USER_NAME, TSS_GROUP_NAME);
|
||||
+ "root", TSS_GROUP_NAME);
|
||||
return TCSERR(TSS_E_INTERNAL_ERROR);
|
||||
}
|
||||
|
||||
- /* make sure only the tss user can manipulate the config file */
|
||||
+ /* make sure only the tss user can read (but not manipulate) the config file */
|
||||
if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
|
||||
- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
|
||||
+ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
|
||||
return TCSERR(TSS_E_INTERNAL_ERROR);
|
||||
}
|
||||
#endif /* SOLARIS */
|
||||
@@ -6,7 +6,7 @@ SECTION = "security/tpm"
|
||||
|
||||
DEPENDS = "openssl"
|
||||
|
||||
SRCREV = "4b9a70d5789b0b74f43957a6c19ab2156a72d3e0"
|
||||
SRCREV = "e74dd1d96753b0538192143adf58d04fcd3b242b"
|
||||
PV = "0.3.14+git${SRCPV}"
|
||||
|
||||
SRC_URI = " \
|
||||
@@ -16,7 +16,6 @@ SRC_URI = " \
|
||||
file://tcsd.service \
|
||||
file://get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch \
|
||||
file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \
|
||||
file://0001-Correct-multiple-security-issues-that-are-present-if.patch \
|
||||
"
|
||||
|
||||
S = "${WORKDIR}/git"
|
||||
|
||||
Reference in New Issue
Block a user