From 7671dd5ccb2e735ec6bf154e8ac29fd98ae1483a Mon Sep 17 00:00:00 2001 From: Niclas Zeising Date: Tue, 18 Aug 2020 23:23:22 +0000 Subject: security/trousers: fix security issues Fix three security issues in security/trousers: * CVE-2020-24332 If the tcsd daemon is started with root privileges, the creation of the system.data file is prone to symlink attacks * CVE-2020-24330 If the tcsd daemon is started with root privileges, it fails to drop the root gid after it is no longer needed * CVE-2020-24331 If the tcsd daemon is started with root privileges, the tss user has read and write access to the /etc/tcsd.conf file Add patches to fix potential use-after-free Fix build with -fno-common MFH: 2020Q3 Security: e37a0a7b-e1a7-11ea-9538-0c9d925bbbc0 --- security/trousers/files/patch-e74dd1d9.c | 82 ++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 security/trousers/files/patch-e74dd1d9.c (limited to 'security/trousers/files/patch-e74dd1d9.c') diff --git a/security/trousers/files/patch-e74dd1d9.c b/security/trousers/files/patch-e74dd1d9.c new file mode 100644 index 000000000000..064e13797f68 --- /dev/null +++ b/security/trousers/files/patch-e74dd1d9.c @@ -0,0 +1,82 @@ +commit e74dd1d96753b0538192143adf58d04fcd3b242b +Author: Matthias Gerstner +Date: Fri Aug 14 22:14:36 2020 -0700 + + Correct multiple security issues that are present if the tcsd + is started by root instead of the tss user. + + Patch fixes the following 3 CVEs: + + CVE-2020-24332 + If the tcsd daemon is started with root privileges, + the creation of the system.data file is prone to symlink attacks + + CVE-2020-24330 + If the tcsd daemon is started with root privileges, + it fails to drop the root gid after it is no longer needed + + CVE-2020-24331 + If the tcsd daemon is started with root privileges, + the tss user has read and write access to the /etc/tcsd.conf file + + Authored-by: Matthias Gerstner + Signed-off-by: Debora Velarde Babb + +diff --git src/tcs/ps/tcsps.c src/tcs/ps/tcsps.c +index e47154b..85d45a9 100644 +--- src/tcs/ps/tcsps.c ++++ src/tcs/ps/tcsps.c +@@ -72,7 +72,7 @@ get_file() + } + + /* open and lock the file */ +- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600); ++ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600); + if (system_ps_fd < 0) { + LogError("system PS: open() of %s failed: %s", + tcsd_options.system_ps_file, strerror(errno)); +diff --git src/tcsd/svrside.c src/tcsd/svrside.c +index 1ae1636..1c12ff3 100644 +--- src/tcsd/svrside.c ++++ src/tcsd/svrside.c +@@ -473,6 +473,7 @@ main(int argc, char **argv) + } + return TCSERR(TSS_E_INTERNAL_ERROR); + } ++ setgid(pwd->pw_gid); + setuid(pwd->pw_uid); + #endif + #endif +diff --git src/tcsd/tcsd_conf.c src/tcsd/tcsd_conf.c +index a31503d..ea8ea13 100644 +--- src/tcsd/tcsd_conf.c ++++ src/tcsd/tcsd_conf.c +@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf) + #ifndef SOLARIS + struct group *grp; + struct passwd *pw; +- mode_t mode = (S_IRUSR|S_IWUSR); ++ mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP); + #endif /* SOLARIS */ + TSS_RESULT result; + +@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf) + } + + /* make sure user/group TSS owns the conf file */ +- if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) { ++ if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) { + LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file, +- TSS_USER_NAME, TSS_GROUP_NAME); ++ "root", TSS_GROUP_NAME); + return TCSERR(TSS_E_INTERNAL_ERROR); + } + +- /* make sure only the tss user can manipulate the config file */ ++ /* make sure only the tss user can read (but not manipulate) the config file */ + if (((stat_buf.st_mode & 0777) ^ mode) != 0) { +- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file); ++ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file); + return TCSERR(TSS_E_INTERNAL_ERROR); + } + #endif /* SOLARIS */ -- cgit v1.2.3