packages/tang
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2023-1672

Browse Source
This commit is contained in:
wk333 2023-06-30 16:53:38 +08:00
parent 43faf8a7d1
commit e68dae4f08
2 changed files with 58 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
CVE-2023-1672.patch Normal file
View File

@ -0,0 +1,51 @@
From 8dbbed10870378f1b2c3cf3df2ea7edca7617096 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Wed, 14 Jun 2023 10:53:20 -0300
Subject: [PATCH] Fix race condition when creating/rotating keys (#123)
When we create/rotate keys using either the tangd-keygen and
tangd-rotate-keys helpers, there is a small window between the
keys being created and then the proper ownership permissions being
set. This also happens when there are no keys and tang creates a
pair of keys itself.
In certain situations, such as the keys directory having wide open
permissions, a user with local access could exploit this race
condition and read the keys before they are set to more restrictive
permissions.
To prevent this issue, we now set the default umask to 0337 before
creating the files, so that they are already created with restrictive
permissions; afterwards, we set the proper ownership as usual.
Issue reported by Brian McDermott of CENSUS labs.
Fixes CVE-2023-1672
Refer:
https://github.com/latchset/tang/commit/8dbbed10870378f1b2c3cf3df2ea7edca7617096
https://ubuntu.com/security/CVE-2023-1672
Reviewed-by: Sergio Arroutbi <sarroutb@redhat.com>
Signed-off-by: Sergio Correia <scorreia@redhat.com>
---
src/tangd-keygen | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/tangd-keygen b/src/tangd-keygen
index 20d498e..d894ece 100755
--- a/src/tangd-keygen
+++ b/src/tangd-keygen
@@ -27,6 +27,9 @@ fi
[ $# -eq 3 ] && sig=$2 && exc=$3
+# Set default umask for file creation.
+umask 0337
+
jwe=`jose jwk gen -i '{"alg":"ES512"}'`
[ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-`
echo "$jwe" > $1/$sig.jwk
--
2.33.0

10
tang.spec
View File

@ -1,10 +1,11 @@
Name: tang Name: tang
Version: 7 Version: 7
Release: 2 Release: 3
Summary: Server for binding data to network presence Summary: Server for binding data to network presence
License: GPLv3+ License: GPLv3+
URL: https://github.com/latchset/%{name} URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2 Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2
Patch0: CVE-2023-1672.patch
BuildRequires: gcc jose libjose-devel libjose-zlib-devel libjose-openssl-devel BuildRequires: gcc jose libjose-devel libjose-zlib-devel libjose-openssl-devel
BuildRequires: http-parser-devel systemd-devel pkgconfig systemd curl BuildRequires: http-parser-devel systemd-devel pkgconfig systemd curl
@ -31,7 +32,7 @@ the encryption key. This process is the recovery step.
%package_help %package_help
%prep %prep
%autosetup -n %{name}-%{version} %autosetup -n %{name}-%{version} -p1
%build %build
%configure %configure
@ -97,5 +98,8 @@ exit 0
%{_mandir}/man1/tang-show-keys.1* %{_mandir}/man1/tang-show-keys.1*
%changelog %changelog
* Fri Jun 30 2023 wangkai <13474090681@163.com> - 7-3
- Fix CVE-2023-1672
* Thu Dec 5 2019 openEuler Buildteam <buildteam@openeuler.org> - 7-2 * Thu Dec 5 2019 openEuler Buildteam <buildteam@openeuler.org> - 7-2
- Package init - Package init