Update to 14

2023-10-07 14:52:34 +08:00 · 2023-10-07 14:52:34 +08:00 · 24dc8ca2dd
commit 24dc8ca2dd
parent b1bb981821
4 changed files with 27 additions and 85 deletions
--- a/CVE-2023-1672.patch
+++ b/CVE-2023-1672.patch
@ -1,51 +0,0 @@
-From 8dbbed10870378f1b2c3cf3df2ea7edca7617096 Mon Sep 17 00:00:00 2001
-From: Sergio Correia <scorreia@redhat.com>
-Date: Wed, 14 Jun 2023 10:53:20 -0300
-Subject: [PATCH] Fix race condition when creating/rotating keys (#123)
-
-When we create/rotate keys using either the tangd-keygen and
-tangd-rotate-keys helpers, there is a small window between the
-keys being created and then the proper ownership permissions being
-set. This also happens when there are no keys and tang creates a
-pair of keys itself.
-
-In certain situations, such as the keys directory having wide open
-permissions, a user with local access could exploit this race
-condition and read the keys before they are set to more restrictive
-permissions.
-
-To prevent this issue, we now set the default umask to 0337 before
-creating the files, so that they are already created with restrictive
-permissions; afterwards, we set the proper ownership as usual.
-
-Issue reported by Brian McDermott of CENSUS labs.
-
-Fixes CVE-2023-1672
-
-Refer: 
-   https://github.com/latchset/tang/commit/8dbbed10870378f1b2c3cf3df2ea7edca7617096
-   https://ubuntu.com/security/CVE-2023-1672
-
-Reviewed-by: Sergio Arroutbi <sarroutb@redhat.com>
-Signed-off-by: Sergio Correia <scorreia@redhat.com>
---
- src/tangd-keygen | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/tangd-keygen b/src/tangd-keygen
-index 20d498e..d894ece 100755
--- a/src/tangd-keygen
-+++ b/src/tangd-keygen
-@@ -27,6 +27,9 @@ fi
- 
- [ $# -eq 3 ] && sig=$2 && exc=$3
- 
-+# Set default umask for file creation.
-+umask 0337
-+
- jwe=`jose jwk gen -i '{"alg":"ES512"}'`
- [ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-`
- echo "$jwe" > $1/$sig.jwk
-- 
-2.33.0
-
--- a/tang-14.tar.xz
+++ b/tang-14.tar.xz
--- a/tang-7.tar.bz2
+++ b/tang-7.tar.bz2
--- a/tang.spec
+++ b/tang.spec
@ -1,15 +1,14 @@
 Name:           tang
-Version:        7
-Release:        3
+Version:        14
+Release:        1
 Summary:        Server for binding data to network presence
 License:        GPLv3+
 URL:            https://github.com/latchset/%{name}
-Source0:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2
-Patch0:         CVE-2023-1672.patch
+Source0:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz

-BuildRequires:  gcc jose libjose-devel libjose-zlib-devel libjose-openssl-devel
+BuildRequires:  gcc meson jose libjose-devel libjose-zlib-devel libjose-openssl-devel
 BuildRequires:  http-parser-devel systemd-devel pkgconfig systemd curl
-BuildRequires:  asciidoc coreutils grep sed
+BuildRequires:  asciidoc coreutils grep sed iproute

 Requires:       coreutils jose grep sed
 Requires(pre):  shadow-utils
@ -35,24 +34,15 @@ the encryption key. This process is the recovery step.
 %autosetup -n %{name}-%{version} -p1

 %build
-%configure
-%make_build
+%meson
+%meson_build

 %install
-%make_install
-
-%{__sed} -i 's|DirectoryMode=0700||' %{buildroot}/%{_unitdir}/%{name}d-update.path
-%{__sed} -i 's|MakeDirectory=true||' %{buildroot}/%{_unitdir}/%{name}d-update.path
-echo "User=%{name}" >> %{buildroot}/%{_unitdir}/%{name}d-update.service
-echo "User=%{name}" >> %{buildroot}/%{_unitdir}/%{name}d@.service
-install -d %{buildroot}/%{_localstatedir}/cache/%{name}
-install -d %{buildroot}/%{_localstatedir}/db/%{name}
+%meson_install
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_localstatedir}/db/%{name}

 %check
-if ! make %{?_smp_mflags} check; then
-    cat test-suite.log
-    false
-fi
+%meson_test

 %pre
 getent group %{name} >/dev/null || groupadd -r %{name}
@ -63,41 +53,44 @@ exit 0

 %post
 %systemd_post %{name}d.socket
-%systemd_post %{name}d-update.path
-%systemd_post %{name}d-update.service
-%systemd_post %{name}d-keygen.service
+
+if [ -d /var/db/tang ]; then
+    for k in /var/db/tang/*.jwk; do
+        test -e "${k}" || continue
+        chmod 0440 -- "${k}"
+    done
+    for k in /var/db/tang/.*.jwk; do
+        test -e "${k}" || continue
+        chmod 0440 -- "${k}"
+    done
+    chown tang:tang -R /var/db/tang
+fi

 %preun
 %systemd_preun %{name}d.socket
-%systemd_preun %{name}d-update.path
-%systemd_preun %{name}d-update.service
-%systemd_preun %{name}d-keygen.service

 %postun
 %systemd_postun_with_restart %{name}d.socket
-%systemd_postun_with_restart %{name}d-update.path
-%systemd_postun_with_restart %{name}d-update.service
-%systemd_postun_with_restart %{name}d-keygen.service

 %files
 %license COPYING
-%attr(0750, %{name}, %{name}) %{_localstatedir}/cache/%{name}
 %attr(2570, %{name}, %{name}) %{_localstatedir}/db/%{name}
-%{_unitdir}/%{name}d-keygen.service
-%{_unitdir}/%{name}d-update.service
-%{_unitdir}/%{name}d-update.path
 %{_unitdir}/%{name}d@.service
 %{_unitdir}/%{name}d.socket
 %{_libexecdir}/%{name}d-keygen
-%{_libexecdir}/%{name}d-update
+%{_libexecdir}/%{name}d-rotate-keys
 %{_libexecdir}/%{name}d
 %{_bindir}/%{name}-show-keys

 %files help
 %{_mandir}/man8/tang.8*
 %{_mandir}/man1/tang-show-keys.1*
+%{_mandir}/man1/tangd-rotate-keys.1.gz

 %changelog
+* Thu Sep 28 2023 wulei <wu_lei@hoperun.com> - 14-1
+- Update to 14
+
 * Fri Jun 30 2023 wangkai <13474090681@163.com> - 7-3
 - Fix CVE-2023-1672