svn commit: r545264 - in head/security/trousers: . files
Niclas Zeising
zeising at FreeBSD.org
Tue Aug 18 23:23:24 UTC 2020
Author: zeising
Date: Tue Aug 18 23:23:22 2020
New Revision: 545264
URL: https://svnweb.freebsd.org/changeset/ports/545264
Log:
security/trousers: fix security issues
Fix three security issues in security/trousers:
* CVE-2020-24332
If the tcsd daemon is started with root privileges,
the creation of the system.data file is prone to symlink attacks
* CVE-2020-24330
If the tcsd daemon is started with root privileges,
it fails to drop the root gid after it is no longer needed
* CVE-2020-24331
If the tcsd daemon is started with root privileges,
the tss user has read and write access to the /etc/tcsd.conf file
Add patches to fix potential use-after-free
Fix build with -fno-common
MFH: 2020Q3
Security: e37a0a7b-e1a7-11ea-9538-0c9d925bbbc0
Added:
head/security/trousers/files/patch-0a14b979.c (contents, props changed)
head/security/trousers/files/patch-10b33821.c (contents, props changed)
head/security/trousers/files/patch-c9b8c443.c (contents, props changed)
head/security/trousers/files/patch-e74dd1d9.c (contents, props changed)
Modified:
head/security/trousers/Makefile
head/security/trousers/files/patch-src_tcsd_svrside.c
Modified: head/security/trousers/Makefile
==============================================================================
--- head/security/trousers/Makefile Tue Aug 18 23:17:17 2020 (r545263)
+++ head/security/trousers/Makefile Tue Aug 18 23:23:22 2020 (r545264)
@@ -3,7 +3,7 @@
PORTNAME= trousers
PORTVERSION= 0.3.14
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= security
MASTER_SITES= SF
Added: head/security/trousers/files/patch-0a14b979.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/trousers/files/patch-0a14b979.c Tue Aug 18 23:23:22 2020 (r545264)
@@ -0,0 +1,25 @@
+commit 0a14b979064052d3263054488602fba3bf97883b
+Author: Jerry Snitselaar <jsnitsel at redhat.com>
+Date: Wed Jan 16 14:00:43 2019 -0700
+
+ trousers: clean up use after free in Transport_TerminateHandle
+
+ Clean up possible use after free. The value of the handles pointer
+ may change, but if it doesn't then free is being called twice on
+ the same address.
+
+ Signed-off-by: Jerry Snitselaar <jsnitsel at redhat.com>
+ Signed-off-by: Debora Velarde Babb <debora at linux.ibm.com>
+
+diff --git src/tcs/tcs_evlog_imaem.c src/tcs/tcs_evlog_imaem.c
+index d158330..33af283 100644
+--- src/tcs/tcs_evlog_imaem.c
++++ src/tcs/tcs_evlog_imaem.c
+@@ -259,6 +259,7 @@ ima_get_entry(FILE *handle, UINT32 pcr_index, UINT32 *num, TSS_PCR_EVENT **ppEve
+ if (event->rgbPcrValue == NULL) {
+ LogError("malloc of %d bytes failed.", 20);
+ free(event);
++ event = NULL;
+ result = TCSERR(TSS_E_OUTOFMEMORY);
+ goto done;
+ }
Added: head/security/trousers/files/patch-10b33821.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/trousers/files/patch-10b33821.c Tue Aug 18 23:23:22 2020 (r545264)
@@ -0,0 +1,41 @@
+commit 10b33821cfd79375cfdbe05123b2f7f6329eac3e
+Author: Jerry Snitselaar <jsnitsel at redhat.com>
+Date: Wed Jan 16 14:00:43 2019 -0700
+
+ trousers: clean up use after free in Transport_TerminateHandle
+
+ Clean up possible use after free. The value of the handles pointer
+ may change, but if it doesn't then free is being called twice on
+ the same address.
+
+ Signed-off-by: Jerry Snitselaar <jsnitsel at redhat.com>
+
+diff --git src/tspi/tsp_auth.c src/tspi/tsp_auth.c
+index d538079..5a97e6e 100755
+--- src/tspi/tsp_auth.c
++++ src/tspi/tsp_auth.c
+@@ -1221,17 +1221,17 @@ Transport_TerminateHandle(TSS_HCONTEXT tspContext, /* in */
+ }
+
+ *handles = handle;
+- handles_track = handles;
++ handles_track = handles;
+
+- // Since the call tree of this function can possibly alloc memory
+- // (check RPC_ExecuteTransport_TP function), its better to keep track of
+- // the handle.
++ // Since the call tree of this function can possibly alloc memory
++ // (check RPC_ExecuteTransport_TP function), its better to keep track of
++ // the handle.
+ result = obj_context_transport_execute(tspContext, TPM_ORD_Terminate_Handle, 0, NULL,
+ NULL, &handlesLen, &handles, NULL, NULL, NULL, NULL);
+
+- free(handles);
+- handles = NULL;
+- free(handles_track);
++ if (handles != handles_track)
++ free(handles);
++ free(handles_track);
+
+ return result;
+ }
Added: head/security/trousers/files/patch-c9b8c443.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/trousers/files/patch-c9b8c443.c Tue Aug 18 23:23:22 2020 (r545264)
@@ -0,0 +1,33 @@
+commit c9b8c4434f3b11bae4f7e72c3aec5b4f3459eecc
+Author: Jerry Snitselaar <jsnitsel at redhat.com>
+Date: Wed Mar 18 14:10:35 2020 -0700
+
+ trousers: resolve build failure
+
+ The global variables tcsd_sa_chld and tcsd_sa_int in tcsd.h are
+ causing build failures in latest Fedora release:
+
+ /usr/bin/ld: ../../src/tcs/libtcs.a(libtcs_a-tcsi_changeauth.o):/builddir/build/BUILD/trousers-0.3.13/src/tcs/../include/tcsd.h:169: multiple definition of `tcsd_sa_chld'; tcsd-svrside.o:/builddir/build/BUILD/trousers-0.3.13/src/tcsd/../../src/include/tcsd.h:169: first defined here
+ /usr/bin/ld: ../../src/tcs/libtcs.a(libtcs_a-tcsi_changeauth.o):/builddir/build/BUILD/trousers-0.3.13/src/tcs/../include/tcsd.h:168: multiple definition of `tcsd_sa_int'; tcsd-svrside.o:/builddir/build/BUILD/trousers-0.3.13/src/tcsd/../../src/include/tcsd.h:168: first defined here
+
+ They are no longer used since 9b40e581470b ("Improved daemon's signal
+ handling") so just remove them.
+
+ Signed-off-by: Jerry Snitselaar <jsnitsel at redhat.com>
+ Signed-off-by: Debora Velarde Babb <debora at linux.ibm.com>
+
+diff --git src/include/tcsd.h src/include/tcsd.h
+index 5b9462b..f5c286e 100644
+--- src/include/tcsd.h
++++ src/include/tcsd.h
+@@ -164,10 +164,4 @@ TSS_RESULT tcsd_thread_create(int, char *);
+ void *tcsd_thread_run(void *);
+ void thread_signal_init();
+
+-/* signal handling */
+-#ifndef __APPLE__
+-struct sigaction tcsd_sa_int;
+-struct sigaction tcsd_sa_chld;
+-#endif
+-
+ #endif
Added: head/security/trousers/files/patch-e74dd1d9.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/trousers/files/patch-e74dd1d9.c Tue Aug 18 23:23:22 2020 (r545264)
@@ -0,0 +1,82 @@
+commit e74dd1d96753b0538192143adf58d04fcd3b242b
+Author: Matthias Gerstner <mgerstner at suse.de>
+Date: Fri Aug 14 22:14:36 2020 -0700
+
+ Correct multiple security issues that are present if the tcsd
+ is started by root instead of the tss user.
+
+ Patch fixes the following 3 CVEs:
+
+ CVE-2020-24332
+ If the tcsd daemon is started with root privileges,
+ the creation of the system.data file is prone to symlink attacks
+
+ CVE-2020-24330
+ If the tcsd daemon is started with root privileges,
+ it fails to drop the root gid after it is no longer needed
+
+ CVE-2020-24331
+ If the tcsd daemon is started with root privileges,
+ the tss user has read and write access to the /etc/tcsd.conf file
+
+ Authored-by: Matthias Gerstner <mgerstner at suse.de>
+ Signed-off-by: Debora Velarde Babb <debora at linux.ibm.com>
+
+diff --git src/tcs/ps/tcsps.c src/tcs/ps/tcsps.c
+index e47154b..85d45a9 100644
+--- src/tcs/ps/tcsps.c
++++ src/tcs/ps/tcsps.c
+@@ -72,7 +72,7 @@ get_file()
+ }
+
+ /* open and lock the file */
+- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
++ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
+ if (system_ps_fd < 0) {
+ LogError("system PS: open() of %s failed: %s",
+ tcsd_options.system_ps_file, strerror(errno));
+diff --git src/tcsd/svrside.c src/tcsd/svrside.c
+index 1ae1636..1c12ff3 100644
+--- src/tcsd/svrside.c
++++ src/tcsd/svrside.c
+@@ -473,6 +473,7 @@ main(int argc, char **argv)
+ }
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
++ setgid(pwd->pw_gid);
+ setuid(pwd->pw_uid);
+ #endif
+ #endif
+diff --git src/tcsd/tcsd_conf.c src/tcsd/tcsd_conf.c
+index a31503d..ea8ea13 100644
+--- src/tcsd/tcsd_conf.c
++++ src/tcsd/tcsd_conf.c
+@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
+ #ifndef SOLARIS
+ struct group *grp;
+ struct passwd *pw;
+- mode_t mode = (S_IRUSR|S_IWUSR);
++ mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP);
+ #endif /* SOLARIS */
+ TSS_RESULT result;
+
+@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
+ }
+
+ /* make sure user/group TSS owns the conf file */
+- if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
++ if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
+ LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
+- TSS_USER_NAME, TSS_GROUP_NAME);
++ "root", TSS_GROUP_NAME);
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
+
+- /* make sure only the tss user can manipulate the config file */
++ /* make sure only the tss user can read (but not manipulate) the config file */
+ if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
+- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
++ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
+ #endif /* SOLARIS */
Modified: head/security/trousers/files/patch-src_tcsd_svrside.c
==============================================================================
--- head/security/trousers/files/patch-src_tcsd_svrside.c Tue Aug 18 23:17:17 2020 (r545263)
+++ head/security/trousers/files/patch-src_tcsd_svrside.c Tue Aug 18 23:23:22 2020 (r545264)
@@ -1,6 +1,6 @@
---- src/tcsd/svrside.c.orig 2016-11-19 03:09:49 UTC
+--- src/tcsd/svrside.c.orig 2014-12-20 02:37:46 UTC
+++ src/tcsd/svrside.c
-@@ -92,12 +92,19 @@ tcsd_signal_term(int signal)
+@@ -92,20 +92,36 @@ tcsd_signal_term(int signal)
term = 1;
}
@@ -21,8 +21,10 @@
static TSS_RESULT
signals_init(void)
{
-@@ -106,6 +113,14 @@ signals_init(void)
+ int rc;
+ sigset_t sigmask;
struct sigaction sa;
++ struct sigaction tcsd_sa_chld;
sigemptyset(&sigmask);
+ if ((rc = sigaddset(&sigmask, SIGCHLD))) {
@@ -36,7 +38,7 @@
if ((rc = sigaddset(&sigmask, SIGTERM))) {
LogError("sigaddset: %s", strerror(errno));
return TCSERR(TSS_E_INTERNAL_ERROR);
-@@ -128,12 +143,24 @@ signals_init(void)
+@@ -128,9 +144,21 @@ signals_init(void)
return TCSERR(TSS_E_INTERNAL_ERROR);
}
@@ -48,16 +50,13 @@
sa.sa_handler = tcsd_signal_hup;
if ((rc = sigaction(SIGHUP, &sa, NULL))) {
LogError("signal SIGHUP not registered: %s", strerror(errno));
- return TCSERR(TSS_E_INTERNAL_ERROR);
- }
-
-+ sa.sa_flags = SA_RESTART;
-+ sa.sa_handler = tcsd_signal_chld;
-+ if ((rc = sigaction(SIGCHLD, &tcsd_sa_chld, NULL))) {
-+ LogError("signal SIGCHLD not registered: %s", strerror(errno));
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
+
- return TSS_SUCCESS;
- }
++ tcsd_sa_chld.sa_flags = SA_RESTART;
++ tcsd_sa_chld.sa_handler = tcsd_signal_chld;
++ if ((rc = sigaction(SIGCHLD, &tcsd_sa_chld, NULL))) {
++ LogError("signal SIGCHLD not registered: %s", strerror(errno));
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
More information about the svn-ports-head
mailing list