Message-Id: <202008182323.07INNMNw036701@repo.freebsd.org>
From: Niclas Zeising
Date: Tue, 18 Aug 2020 23:23:22 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r545264 - in head/security/trousers: . files

Author: zeising
Date: Tue Aug 18 23:23:22 2020
New Revision: 545264

URL: https://svnweb.freebsd.org/changeset/ports/545264

Log:
  security/trousers: fix security issues

  Fix three security issues in security/trousers:
  * CVE-2020-24332
    If the tcsd daemon is started with root privileges, the creation of the
    system.data file is prone to symlink attacks
  * CVE-2020-24330
    If the tcsd daemon is started with root privileges, it fails to drop the
    root gid after it is no longer needed
  * CVE-2020-24331
    If the tcsd daemon is started with root privileges, the tss user has read
    and write access to the /etc/tcsd.conf file

  Add patches to fix potential use-after-free
  Fix build with -fno-common

  MFH: 2020Q3
  Security: e37a0a7b-e1a7-11ea-9538-0c9d925bbbc0

Added:
  head/security/trousers/files/patch-0a14b979.c   (contents, props changed)
  head/security/trousers/files/patch-10b33821.c   (contents, props changed)
  head/security/trousers/files/patch-c9b8c443.c   (contents, props changed)
  head/security/trousers/files/patch-e74dd1d9.c   (contents, props changed)
Modified:
  head/security/trousers/Makefile
  head/security/trousers/files/patch-src_tcsd_svrside.c

Modified: head/security/trousers/Makefile
==============================================================================
---
head/security/trousers/Makefile Tue Aug 18 23:17:17 2020 (r545263) +++ head/security/trousers/Makefile Tue Aug 18 23:23:22 2020 (r545264) @@ -3,7 +3,7 @@ PORTNAME= trousers PORTVERSION= 0.3.14 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= security MASTER_SITES= SF Added: head/security/trousers/files/patch-0a14b979.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/trousers/files/patch-0a14b979.c Tue Aug 18 23:23:22 2020 (r545264) @@ -0,0 +1,25 @@ +commit 0a14b979064052d3263054488602fba3bf97883b +Author: Jerry Snitselaar +Date: Wed Jan 16 14:00:43 2019 -0700 + + trousers: clean up use after free in Transport_TerminateHandle + + Clean up possible use after free. The value of the handles pointer + may change, but if it doesn't then free is being called twice on + the same address. + + Signed-off-by: Jerry Snitselaar + Signed-off-by: Debora Velarde Babb + +diff --git src/tcs/tcs_evlog_imaem.c src/tcs/tcs_evlog_imaem.c +index d158330..33af283 100644 +--- src/tcs/tcs_evlog_imaem.c ++++ src/tcs/tcs_evlog_imaem.c +@@ -259,6 +259,7 @@ ima_get_entry(FILE *handle, UINT32 pcr_index, UINT32 *num, TSS_PCR_EVENT **ppEve + if (event->rgbPcrValue == NULL) { + LogError("malloc of %d bytes failed.", 20); + free(event); ++ event = NULL; + result = TCSERR(TSS_E_OUTOFMEMORY); + goto done; + } Added: head/security/trousers/files/patch-10b33821.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/trousers/files/patch-10b33821.c Tue Aug 18 23:23:22 2020 (r545264) 
@@ -0,0 +1,41 @@ +commit 10b33821cfd79375cfdbe05123b2f7f6329eac3e +Author: Jerry Snitselaar +Date: Wed Jan 16 14:00:43 2019 -0700 + + trousers: clean up use after free in Transport_TerminateHandle + + Clean up possible use after free. The value of the handles pointer + may change, but if it doesn't then free is being called twice on + the same address. + + Signed-off-by: Jerry Snitselaar + +diff --git src/tspi/tsp_auth.c src/tspi/tsp_auth.c +index d538079..5a97e6e 100755 +--- src/tspi/tsp_auth.c ++++ src/tspi/tsp_auth.c +@@ -1221,17 +1221,17 @@ Transport_TerminateHandle(TSS_HCONTEXT tspContext, /* in */ + } + + *handles = handle; +- handles_track = handles; ++ handles_track = handles; + +- // Since the call tree of this function can possibly alloc memory +- // (check RPC_ExecuteTransport_TP function), its better to keep track of +- // the handle. ++ // Since the call tree of this function can possibly alloc memory ++ // (check RPC_ExecuteTransport_TP function), its better to keep track of ++ // the handle. + result = obj_context_transport_execute(tspContext, TPM_ORD_Terminate_Handle, 0, NULL, + NULL, &handlesLen, &handles, NULL, NULL, NULL, NULL); + +- free(handles); +- handles = NULL; +- free(handles_track); ++ if (handles != handles_track) ++ free(handles); ++ free(handles_track); + + return result; + } Added: head/security/trousers/files/patch-c9b8c443.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/trousers/files/patch-c9b8c443.c Tue Aug 18 23:23:22 2020 (r545264) 
@@ -0,0 +1,33 @@ +commit c9b8c4434f3b11bae4f7e72c3aec5b4f3459eecc +Author: Jerry Snitselaar +Date: Wed Mar 18 14:10:35 2020 -0700 + + trousers: resolve build failure + + The global variables tcsd_sa_chld and tcsd_sa_int in tcsd.h are + causing build failures in latest Fedora release: + + /usr/bin/ld: ../../src/tcs/libtcs.a(libtcs_a-tcsi_changeauth.o):/builddir/build/BUILD/trousers-0.3.13/src/tcs/../include/tcsd.h:169: multiple definition of `tcsd_sa_chld'; tcsd-svrside.o:/builddir/build/BUILD/trousers-0.3.13/src/tcsd/../../src/include/tcsd.h:169: first defined here + /usr/bin/ld: ../../src/tcs/libtcs.a(libtcs_a-tcsi_changeauth.o):/builddir/build/BUILD/trousers-0.3.13/src/tcs/../include/tcsd.h:168: multiple definition of `tcsd_sa_int'; tcsd-svrside.o:/builddir/build/BUILD/trousers-0.3.13/src/tcsd/../../src/include/tcsd.h:168: first defined here + + They are no longer used since 9b40e581470b ("Improved daemon's signal + handling") so just remove them. + + Signed-off-by: Jerry Snitselaar + Signed-off-by: Debora Velarde Babb + +diff --git src/include/tcsd.h src/include/tcsd.h +index 5b9462b..f5c286e 100644 +--- src/include/tcsd.h ++++ src/include/tcsd.h +@@ -164,10 +164,4 @@ TSS_RESULT tcsd_thread_create(int, char *); + void *tcsd_thread_run(void *); + void thread_signal_init(); + +-/* signal handling */ +-#ifndef __APPLE__ +-struct sigaction tcsd_sa_int; +-struct sigaction tcsd_sa_chld; +-#endif +- + #endif Added: head/security/trousers/files/patch-e74dd1d9.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/trousers/files/patch-e74dd1d9.c Tue Aug 18 23:23:22 2020 (r545264) 
@@ -0,0 +1,82 @@ +commit e74dd1d96753b0538192143adf58d04fcd3b242b +Author: Matthias Gerstner +Date: Fri Aug 14 22:14:36 2020 -0700 + + Correct multiple security issues that are present if the tcsd + is started by root instead of the tss user. + + Patch fixes the following 3 CVEs: + + CVE-2020-24332 + If the tcsd daemon is started with root privileges, + the creation of the system.data file is prone to symlink attacks + + CVE-2020-24330 + If the tcsd daemon is started with root privileges, + it fails to drop the root gid after it is no longer needed + + CVE-2020-24331 + If the tcsd daemon is started with root privileges, + the tss user has read and write access to the /etc/tcsd.conf file + + Authored-by: Matthias Gerstner + 
Signed-off-by: Debora Velarde Babb + +diff --git src/tcs/ps/tcsps.c src/tcs/ps/tcsps.c +index e47154b..85d45a9 100644 +--- src/tcs/ps/tcsps.c ++++ src/tcs/ps/tcsps.c +@@ -72,7 +72,7 @@ get_file() + } + + /* open and lock the file */ +- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600); ++ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600); + if (system_ps_fd < 0) { + LogError("system PS: open() of %s failed: %s", + tcsd_options.system_ps_file, strerror(errno)); +diff --git src/tcsd/svrside.c src/tcsd/svrside.c +index 1ae1636..1c12ff3 100644 +--- src/tcsd/svrside.c ++++ src/tcsd/svrside.c +@@ -473,6 +473,7 @@ main(int argc, char **argv) + } + return TCSERR(TSS_E_INTERNAL_ERROR); + } ++ setgid(pwd->pw_gid); + setuid(pwd->pw_uid); + #endif + #endif +diff --git src/tcsd/tcsd_conf.c src/tcsd/tcsd_conf.c +index a31503d..ea8ea13 100644 +--- src/tcsd/tcsd_conf.c ++++ src/tcsd/tcsd_conf.c +@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf) + #ifndef SOLARIS + struct group *grp; + struct passwd *pw; +- mode_t mode = (S_IRUSR|S_IWUSR); ++ mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP); + #endif /* SOLARIS */ + TSS_RESULT result; + +@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf) + } + + /* make sure user/group TSS owns the conf file */ +- if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) { ++ if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) { + LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file, +- TSS_USER_NAME, TSS_GROUP_NAME); ++ "root", TSS_GROUP_NAME); + return TCSERR(TSS_E_INTERNAL_ERROR); + } + +- /* make sure only the tss user can manipulate the config file */ ++ /* make sure only the tss user can read (but not manipulate) the config file */ + if (((stat_buf.st_mode & 0777) ^ mode) != 0) { +- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file); ++ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file); + return 
TCSERR(TSS_E_INTERNAL_ERROR); + } + #endif /* SOLARIS */ Modified: head/security/trousers/files/patch-src_tcsd_svrside.c ============================================================================== --- head/security/trousers/files/patch-src_tcsd_svrside.c Tue Aug 18 23:17:17 2020 (r545263) +++ head/security/trousers/files/patch-src_tcsd_svrside.c Tue Aug 18 23:23:22 2020 (r545264) @@ -1,6 +1,6 @@ ---- src/tcsd/svrside.c.orig 2016-11-19 03:09:49 UTC +--- src/tcsd/svrside.c.orig 2014-12-20 02:37:46 UTC +++ src/tcsd/svrside.c -@@ -92,12 +92,19 @@ tcsd_signal_term(int signal) +@@ -92,20 +92,36 @@ tcsd_signal_term(int signal) term = 1; } @@ -21,8 +21,10 @@ static TSS_RESULT signals_init(void) { -@@ -106,6 +113,14 @@ signals_init(void) + int rc; + sigset_t sigmask; struct sigaction sa; ++ struct sigaction tcsd_sa_chld; sigemptyset(&sigmask); + if ((rc = sigaddset(&sigmask, SIGCHLD))) { @@ -36,7 +38,7 @@ if ((rc = sigaddset(&sigmask, SIGTERM))) { LogError("sigaddset: %s", strerror(errno)); return TCSERR(TSS_E_INTERNAL_ERROR); -@@ -128,12 +143,24 @@ signals_init(void) +@@ -128,9 +144,21 @@ signals_init(void) return TCSERR(TSS_E_INTERNAL_ERROR); } @@ -48,16 +50,13 @@ sa.sa_handler = tcsd_signal_hup; if ((rc = sigaction(SIGHUP, &sa, NULL))) { LogError("signal SIGHUP not registered: %s", strerror(errno)); - return TCSERR(TSS_E_INTERNAL_ERROR); - } - -+ sa.sa_flags = SA_RESTART; -+ sa.sa_handler = tcsd_signal_chld; -+ if ((rc = sigaction(SIGCHLD, &tcsd_sa_chld, NULL))) { -+ LogError("signal SIGCHLD not registered: %s", strerror(errno)); + return TCSERR(TSS_E_INTERNAL_ERROR); + } + - return TSS_SUCCESS; - } ++ tcsd_sa_chld.sa_flags = SA_RESTART; ++ tcsd_sa_chld.sa_handler = tcsd_signal_chld; ++ if ((rc = sigaction(SIGCHLD, &tcsd_sa_chld, NULL))) { ++ LogError("signal SIGCHLD not registered: %s", strerror(errno)); + return TCSERR(TSS_E_INTERNAL_ERROR); + }
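Review bot: the commit header carried inside patch-0a14b979.c does not describe the hunk below it: the subject says "clean up use after free in Transport_TerminateHandle", but the diff touches ima_get_entry() in src/tcs/tcs_evlog_imaem.c and only adds `event = NULL;` between `free(event);` and `goto done;`. The text (subject, body and date) is identical to the header of patch-10b33821.c, so it looks copied. Since the port now carries this as a local patch, a one-line note at the top of the file saying what it actually fixes would help the next maintainer; the NULL assignment only matters if the code after `done:` touches or frees `event` again, which the hunk does not show, so that is worth stating too.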
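Review bot: in the Transport_TerminateHandle hunk of patch-10b33821.c, `handles_track = handles;` and the three comment lines are removed and re-added without any visible change (whitespace only), which inflates the patch and makes it harder to rebase; the functional change is just `if (handles != handles_track) free(handles); free(handles_track);`. That change assumes obj_context_transport_execute(), when it hands back a different `handles`, does not itself release the original buffer. If it ever reallocates in place (realloc-style), `free(handles_track)` becomes exactly the double free this patch is meant to remove, so confirm the ownership rule in RPC_ExecuteTransport_TP, which the comment points at, and record it in the patch header.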
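Review bot: in the reworked patch-src_tcsd_svrside.c, `tcsd_sa_chld` becomes a local `struct sigaction` in signals_init() (needed now that patch-c9b8c443.c drops the definitions from tcsd.h for -fno-common), but only `sa_flags` and `sa_handler` are assigned before `sigaction(SIGCHLD, &tcsd_sa_chld, NULL)`; `sa_mask` is uninitialised stack memory, whereas the old file-scope definition was zero-filled. Add `memset(&tcsd_sa_chld, 0, sizeof(tcsd_sa_chld));` and `sigemptyset(&tcsd_sa_chld.sa_mask);` before the assignments, or reuse `sa` if it is fully initialised above where the SIGHUP handler is registered. The previous version of the patch set `sa.sa_flags`/`sa.sa_handler` but passed `&tcsd_sa_chld`; the new version at least makes the two consistent.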
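Review bot: O_NOFOLLOW on the system_ps_file open() in get_file() only refuses a symlink as the final path component; symlinks in the parent directories are still followed, so the directory holding system.data must itself be owned by root or tss and not writable by others for CVE-2020-24332 to be closed. A short comment at the open() saying why the flag is there would stop it being dropped in a later cleanup, and an fstat() on the returned descriptor (S_ISREG plus the expected owner) would catch the cases O_NOFOLLOW does not.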
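Review bot: the new `setgid(pwd->pw_gid);` and the existing `setuid(pwd->pw_uid);` in main() both ignore their return values, so if either fails the daemon keeps running with its current credentials and nothing is logged. Supplementary groups are also not cleared, so a root-started tcsd keeps root's group list after the drop. Suggest `if (setgroups(1, &pwd->pw_gid) != 0 || setgid(pwd->pw_gid) != 0 || setuid(pwd->pw_uid) != 0) { LogError("could not drop privileges: %s", strerror(errno)); return TCSERR(TSS_E_INTERNAL_ERROR); }`, keeping the groups-then-gid-then-uid order.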
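Review bot: the conf_file_init() hunks change a hard requirement: tcsd.conf must now be root:tss with mode 0640 instead of tss:tss 0600, and any other combination returns TSS_E_INTERNAL_ERROR. Nothing else in this commit (the Makefile hunk is only a PORTREVISION bump) adjusts an already-installed tcsd.conf, so existing installs will refuse to start after the upgrade until the file is fixed by hand; if the port installs or samples tcsd.conf, it should now do so with the new owner and mode, and otherwise pkg-message should say what to change. Also, `struct passwd *pw` stays declared in the first hunk while the only visible use (`pw->pw_uid != stat_buf.st_uid`) is removed; check it is still used elsewhere in the function or drop it to avoid an unused-variable warning.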
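As an added example (not trousers' own code and not part of this commit), the two hardened patterns behind CVE-2020-24330 and CVE-2020-24332 in plain C: a checked, complete privilege drop and a symlink-safe open of a private state file. The function names `drop_privileges` and `open_private_file`, the 0600 creation mode and the fstat checks are this example's own choices, not taken from tcsd.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop root to uid/gid in the only safe order: supplementary groups first
 * (a root-only call), then the primary gid (the step CVE-2020-24330 was
 * missing), then the uid.  Every call is checked.  Returns 0, or -1/errno. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Prove the drop is permanent: a non-root process must be unable to
     * get uid 0 or gid 0 back (the saved ids were changed as well). */
    if (uid != 0 && (setuid(0) == 0 || setgid(0) == 0)) {
        errno = EPERM;
        return -1;
    }
    return (getuid() == uid && getgid() == gid) ? 0 : -1;
}

/* Create-or-open a private state file (the system.data case of
 * CVE-2020-24332) without following a symlink planted at that path, then
 * confirm through the open descriptor that it is a plain, singly linked
 * file owned by the caller.  Returns the fd, or -1 with errno set. */
int open_private_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_CREAT | O_RDWR | O_NOFOLLOW | O_CLOEXEC, 0600);

    if (fd < 0)
        return -1;   /* ELOOP (Linux) / EMLINK (FreeBSD) if a symlink was there */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}
```

O_NOFOLLOW only guards the last path component, which is why the directory above the file must not be writable by others; the fstat checks are the belt to that braces.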