packages/trousers
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2020-24330 CVE-2020-24331 CVE-2020-24332

Browse Source
This commit is contained in:
wangchen2020 2020-09-14 19:06:49 +08:00
parent 6d53f443c2
commit f2d67ddd1e
2 changed files with 63 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
Fix-CVE-2020-24330-CVE-2020-24331-CVE-2020-24332.patch Normal file
View File

@ -0,0 +1,58 @@
Index: trousers-0.3.14/src/tcs/ps/tcsps.c
===================================================================
--- trousers-0.3.14.orig/src/tcs/ps/tcsps.c
+++ trousers-0.3.14/src/tcs/ps/tcsps.c
@@ -72,7 +72,7 @@ get_file()
}
/* open and lock the file */
- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
+ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
if (system_ps_fd < 0) {
LogError("system PS: open() of %s failed: %s",
tcsd_options.system_ps_file, strerror(errno));
Index: trousers-0.3.14/src/tcsd/svrside.c
===================================================================
--- trousers-0.3.14.orig/src/tcsd/svrside.c
+++ trousers-0.3.14/src/tcsd/svrside.c
@@ -473,6 +473,7 @@ main(int argc, char **argv)
}
return TCSERR(TSS_E_INTERNAL_ERROR);
}
+ setgid(pwd->pw_gid);
setuid(pwd->pw_uid);
#endif
#endif
Index: trousers-0.3.14/src/tcsd/tcsd_conf.c
===================================================================
--- trousers-0.3.14.orig/src/tcsd/tcsd_conf.c
+++ trousers-0.3.14/src/tcsd/tcsd_conf.c
@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
#ifndef SOLARIS
struct group *grp;
struct passwd *pw;
- mode_t mode = (S_IRUSR|S_IWUSR);
+ mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP);
#endif /* SOLARIS */
TSS_RESULT result;
@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
}
/* make sure user/group TSS owns the conf file */
- if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
+ if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
- TSS_USER_NAME, TSS_GROUP_NAME);
+ "root", TSS_GROUP_NAME);
return TCSERR(TSS_E_INTERNAL_ERROR);
}
- /* make sure only the tss user can manipulate the config file */
+ /* make sure only the tss user can read (but not manipulate) the config file */
if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
+ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
return TCSERR(TSS_E_INTERNAL_ERROR);
}
#endif /* SOLARIS */

6
trousers.spec
View File

@ -1,12 +1,13 @@
Name: trousers Name: trousers
Version: 0.3.14 Version: 0.3.14
Release: 3 Release: 4
Summary: The open-source TCG Software Stack Summary: The open-source TCG Software Stack
License: BSD License: BSD
Url: http://trousers.sourceforge.net Url: http://trousers.sourceforge.net
Source0: https://sourceforge.net/projects/trousers/files/trousers/0.3.14/trousers-0.3.14.tar.gz Source0: https://sourceforge.net/projects/trousers/files/trousers/0.3.14/trousers-0.3.14.tar.gz
#Acknowledge Source1 from Fedora. #Acknowledge Source1 from Fedora.
Source1: tcsd.service Source1: tcsd.service
Patch0: Fix-CVE-2020-24330-CVE-2020-24331-CVE-2020-24332.patch
BuildRequires: libtool openssl-devel systemd BuildRequires: libtool openssl-devel systemd
Requires(pre): shadow-utils Requires(pre): shadow-utils
@ -92,6 +93,9 @@ exit 0
%changelog %changelog
* Mon Sep 14 2020 wangchen <wangchen137@huawei.com> - 1.9.8-4
- Fix CVE-2020-24330 CVE-2020-24331 CVE-2020-24332
* Sat Mar 21 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.9.8-3 * Sat Mar 21 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.9.8-3
- Add tss account used by the trousers package to sandbox the tcsd daemon - Add tss account used by the trousers package to sandbox the tcsd daemon