Fix CVE-2023-1672

2023-06-30 16:53:38 +08:00 · 2023-06-30 16:53:38 +08:00 · e68dae4f08
commit e68dae4f08
parent 43faf8a7d1
2 changed files with 58 additions and 3 deletions
--- a/CVE-2023-1672.patch
+++ b/CVE-2023-1672.patch
@ -0,0 +1,51 @@
+From 8dbbed10870378f1b2c3cf3df2ea7edca7617096 Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Wed, 14 Jun 2023 10:53:20 -0300
+Subject: [PATCH] Fix race condition when creating/rotating keys (#123)
+
+When we create/rotate keys using either the tangd-keygen and
+tangd-rotate-keys helpers, there is a small window between the
+keys being created and then the proper ownership permissions being
+set. This also happens when there are no keys and tang creates a
+pair of keys itself.
+
+In certain situations, such as the keys directory having wide open
+permissions, a user with local access could exploit this race
+condition and read the keys before they are set to more restrictive
+permissions.
+
+To prevent this issue, we now set the default umask to 0337 before
+creating the files, so that they are already created with restrictive
+permissions; afterwards, we set the proper ownership as usual.
+
+Issue reported by Brian McDermott of CENSUS labs.
+
+Fixes CVE-2023-1672
+
+Refer: 
+   https://github.com/latchset/tang/commit/8dbbed10870378f1b2c3cf3df2ea7edca7617096
+   https://ubuntu.com/security/CVE-2023-1672
+
+Reviewed-by: Sergio Arroutbi <sarroutb@redhat.com>
+Signed-off-by: Sergio Correia <scorreia@redhat.com>
+---
+ src/tangd-keygen | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/tangd-keygen b/src/tangd-keygen
+index 20d498e..d894ece 100755
+--- a/src/tangd-keygen
+++ b/src/tangd-keygen
+@@ -27,6 +27,9 @@ fi
+ 
+ [ $# -eq 3 ] && sig=$2 && exc=$3
+ 
+# Set default umask for file creation.
+umask 0337
+
+ jwe=`jose jwk gen -i '{"alg":"ES512"}'`
+ [ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-`
+ echo "$jwe" > $1/$sig.jwk
+-- 
+2.33.0
+
--- a/tang.spec
+++ b/tang.spec
@ -1,10 +1,11 @@
 Name:           tang
 Version:        7
-Release:        2
+Release:        3
 Summary:        Server for binding data to network presence
 License:        GPLv3+
 URL:            https://github.com/latchset/%{name}
 Source0:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2
+Patch0:         CVE-2023-1672.patch

 BuildRequires:  gcc jose libjose-devel libjose-zlib-devel libjose-openssl-devel
 BuildRequires:  http-parser-devel systemd-devel pkgconfig systemd curl
@ -31,7 +32,7 @@ the encryption key. This process is the recovery step.
 %package_help

 %prep
-%autosetup -n %{name}-%{version}
+%autosetup -n %{name}-%{version} -p1

 %build
 %configure
@ -97,5 +98,8 @@ exit 0
 %{_mandir}/man1/tang-show-keys.1*

 %changelog
+* Fri Jun 30 2023 wangkai <13474090681@163.com> - 7-3
+- Fix CVE-2023-1672
+
 * Thu Dec 5 2019 openEuler Buildteam <buildteam@openeuler.org> - 7-2
- Package init
+- Package init