authorNiclas Zeising <zeising@FreeBSD.org>2020-08-18 23:23:22 +0000
committerNiclas Zeising <zeising@FreeBSD.org>2020-08-18 23:23:22 +0000
commit7671dd5ccb2e735ec6bf154e8ac29fd98ae1483a (patch)
tree70b10b3799286e89cf97192ef35ce4d3cb033761 /security/trousers/files/patch-10b33821.c
parentvuxml: Document security issues in security/trousers (diff)
security/trousers: fix security issues
Fix three security issues in security/trousers: * CVE-2020-24332 If the tcsd daemon is started with root privileges, the creation of the system.data file is prone to symlink attacks * CVE-2020-24330 If the tcsd daemon is started with root privileges, it fails to drop the root gid after it is no longer needed * CVE-2020-24331 If the tcsd daemon is started with root privileges, the tss user has read and write access to the /etc/tcsd.conf file Add patches to fix potential use-after-free Fix build with -fno-common MFH: 2020Q3 Security: e37a0a7b-e1a7-11ea-9538-0c9d925bbbc0
Notes
Notes: svn path=/head/; revision=545264
Diffstat (limited to 'security/trousers/files/patch-10b33821.c')
-rw-r--r--security/trousers/files/patch-10b33821.c41
1 files changed, 41 insertions, 0 deletions
diff --git a/security/trousers/files/patch-10b33821.c b/security/trousers/files/patch-10b33821.c
new file mode 100644
index 000000000000..813d0fa3ea17
--- /dev/null
+++ b/security/trousers/files/patch-10b33821.c
@@ -0,0 +1,41 @@
+commit 10b33821cfd79375cfdbe05123b2f7f6329eac3e
+Author: Jerry Snitselaar <jsnitsel@redhat.com>
+Date: Wed Jan 16 14:00:43 2019 -0700
+
+ trousers: clean up use after free in Transport_TerminateHandle
+
+ Clean up possible use after free. The value of the handles pointer
+ may change, but if it doesn't then free is being called twice on
+ the same address.
+
+ Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
+
+diff --git src/tspi/tsp_auth.c src/tspi/tsp_auth.c
+index d538079..5a97e6e 100755
+--- src/tspi/tsp_auth.c
++++ src/tspi/tsp_auth.c
+@@ -1221,17 +1221,17 @@ Transport_TerminateHandle(TSS_HCONTEXT tspContext, /* in */
+ }
+
+ *handles = handle;
+- handles_track = handles;
++ handles_track = handles;
+
+- // Since the call tree of this function can possibly alloc memory
+- // (check RPC_ExecuteTransport_TP function), its better to keep track of
+- // the handle.
++ // Since the call tree of this function can possibly alloc memory
++ // (check RPC_ExecuteTransport_TP function), its better to keep track of
++ // the handle.
+ result = obj_context_transport_execute(tspContext, TPM_ORD_Terminate_Handle, 0, NULL,
+ NULL, &handlesLen, &handles, NULL, NULL, NULL, NULL);
+
+- free(handles);
+- handles = NULL;
+- free(handles_track);
++ if (handles != handles_track)
++ free(handles);
++ free(handles_track);
+
+ return result;
+ }
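Review bot: The new `if (handles != handles_track)` guard at the end of Transport_TerminateHandle is only safe if obj_context_transport_execute either leaves `handles` untouched or overwrites it with a fresh allocation without releasing the original buffer; nothing visible in the hunk states that contract. If any path in the callee frees or reallocates the buffer it was handed, `free(handles_track)` would still release that memory a second time, so this should be confirmed against RPC_ExecuteTransport_TP, which the existing comment points to. I would record the assumption at the free site, e.g. `/* execute may return a new buffer in handles; the original stays ours to free */`. The function starts outside the hunk, so the allocation of `handles` is not visible here.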