- update to new upstream version 0.3.15:
- Corrected multiple security issues that existed if the tcsd is started by
root instead of the tss user. CVE-2020-24332, CVE-2020-24330, CVE-2020-24331
- Replaced use of _no_optimize with asm memory barrier
- Fixed multiple potential instances of use after free memory handling
- Removed unused global variables which caused build issue on some distros
- drop gcc-10.patch: now contained in upstream tarball
- drop bsc1164472.patch: now contained in upstream tarball
- adjusted %setup macro invocation which seemed to be wrong
OBS-URL: https://build.opensuse.org/request/show/846199
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/trousers?expand=0&rev=48
OBS-URL: https://build.opensuse.org/package/show/security/trousers?expand=0&rev=79
- get rid of %pre/%post logic that fixes the old packaging bug. Turns out
%pretrans and %posttrans had their purpose before, because the logic needed
to run before old files owned by the package got deleted. But I'm not
reimplementing this strange logic in Lua ... users that didn't get the fix
yet will have to live with it.
- fix a potential tss user to root privilege escalation when running tcsd
(bsc#1164472). To do this run tcsd as the 'tss' user right away to prevent
badly designed privilege drop and initialization code from running.
- add bsc1164472.patch: additionally harden operation of tcsd when running as
root. No longer follow symlinks in /var/lib/tpm. Drop gid to tss main group.
require /etc/tcsd.conf to be owned by root:tss mode 0640.
- add correct Requires(pre) and change %pretrans and %posttrans into %pre and
%post. %pretrans can't have any dependencies and therefore can only be
implemented in Lua. This currently leads to build errors "/bin/sh: no such
file or directory".
OBS-URL: https://build.opensuse.org/request/show/807580
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/trousers?expand=0&rev=45
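The privilege drop and the no-symlink open that the two entries above describe, as an added example that is not trousers code: drop_to_user(), open_state_file() and nofollow_self_check() are hypothetical names, the scratch directory under /tmp is constructed for the self-check, and the account name is the caller's choice (the changelog uses 'tss').

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Irreversible root drop: supplementary groups and gid first (they need root),
 * uid last, then prove root cannot be regained. A process that already runs
 * unprivileged (User=tss in the unit) only has its identity verified. */
static int drop_to_user(const char *name)
{
    struct passwd *pwd = getpwnam(name);
    if (pwd == NULL) return -1;
    if (geteuid() != 0) return getuid() == pwd->pw_uid ? 0 : -1;
    if (setgroups(0, NULL) != 0 || setgid(pwd->pw_gid) != 0 || setuid(pwd->pw_uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;       /* regaining root must fail */
}

/* Open the persistent store as the hardened tcsps.c does: O_NOFOLLOW refuses
 * a symlink as the final path component, fstat() rejects non-regular files. */
static int open_state_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_CREAT | O_RDWR | O_NOFOLLOW, 0600);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))) {
        close(fd);
        return -1;
    }
    return fd;                            /* -1 keeps errno from open(): ELOOP for a symlink */
}

/* Self-check in a constructed scratch dir: the real file opens, a planted symlink gets ELOOP. */
static int nofollow_self_check(void)
{
    char dir[] = "/tmp/tcsps-demo-XXXXXX", file[64], sym[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(file, sizeof file, "%s/system.data", dir);
    snprintf(sym, sizeof sym, "%s/planted-link", dir);
    int fd = open_state_file(file), ok = 0;
    if (fd >= 0) {
        close(fd);
        ok = symlink(file, sym) == 0 && open_state_file(sym) < 0 && errno == ELOOP;
    }
    unlink(sym); unlink(file); rmdir(dir);
    return ok;
}
```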
OBS-URL: https://build.opensuse.org/package/show/security/trousers?expand=0&rev=72
A 91-trousers.rules
A bsc1164472.patch
M tcsd.service
M trousers.changes
M trousers.spec
Diff for working copy: .
Index: tcsd.service
===================================================================
--- tcsd.service (revision 52e99d6d567f9aa64944f2e901493413)
+++ tcsd.service (working copy)
@@ -4,6 +4,7 @@
[Service]
Type=forking
ExecStart=/usr/sbin/tcsd
+User=tss
[Install]
WantedBy=multi-user.target
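Review bot: User=tss is added without a matching Group=, so the service runs with whatever primary and supplementary groups systemd derives for the tss account; if the intent is the same gid drop the bsc1164472.patch adds in svrside.c, state Group=tss explicitly. Note also that with User=tss the setgid()/setuid() calls inside tcsd become no-ops and access to the TPM device node now depends entirely on the 91-trousers.rules file added in this commit; a comment in the unit pointing at that rule would save the next reader the search.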
Index: trousers.changes
===================================================================
--- trousers.changes (revision 52e99d6d567f9aa64944f2e901493413)
+++ trousers.changes (working copy)
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed May 20 08:59:54 UTC 2020 - Matthias Gerstner <matthias.gerstner@suse.com>
+
+- fix a potential tss user to root privilege escalation when running tcsd
+ (bsc#1164472). To do this run tcsd as the 'tss' user right away to prevent
+ badly designed privilege drop and initialization code to run.
+- add bsc1164472.patch: additionally harden operation of tcsd when running as
+ root. No longer follow symlinks in /var/lib/tpm. Drop gid to tss main group.
+
-------------------------------------------------------------------
Wed May 13 12:14:32 UTC 2020 - matthias.gerstner@suse.com
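Review bot: the new changelog entry omits two user-visible packaging changes made in this same commit: the 91-trousers.rules udev file together with the udevadm trigger in %post, and the %post ownership fix for system.data. Add a line for each so the entry matches what the spec diff actually does.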
Index: trousers.spec
===================================================================
--- trousers.spec (revision 52e99d6d567f9aa64944f2e901493413)
+++ trousers.spec (working copy)
@@ -27,12 +27,15 @@
Source0: http://downloads.sf.net/trousers/%{name}-%{version}.tar.gz
Source1: tcsd.service
Source2: baselibs.conf
+Source3: 91-trousers.rules
Patch0: fix-lto.patch
+Patch1: bsc1164472.patch
BuildRequires: gtk2-devel
BuildRequires: libtool
BuildRequires: openssl-devel
BuildRequires: pkg-config
BuildRequires: systemd-rpm-macros
+BuildRequires: udev
# for 'stat' for the hack in %pre
Requires(pre): coreutils
Requires(pre): user(tss)
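Review bot: BuildRequires: udev is added without a comment saying why it is needed (presumably for the %{_udevrulesdir} macro used in %install and %files); the neighbouring Requires(pre) lines carry such a comment, so follow that convention here.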
@@ -81,6 +84,7 @@
%prep
%setup -q -c %{name}-%{version}
%patch0 -p1
+%patch1 -p1
%build
CC=gcc
@@ -106,6 +110,14 @@
ln -s -v /%{_lib}/$(readlink %{buildroot}/%{_lib}/libtspi.so) %{buildroot}%{_libdir}/libtspi.so
rm -v %{buildroot}/%{_lib}/libtspi.{so,la}
mv -v %{buildroot}/%{_lib}/*.a %{buildroot}%{_libdir}
+
+# we want to run tcsd as tss user right away. therefore we need to install a
+# suitable udev rule file. this conflicts somewhat with tpm2-0-tss, but both
+# rules files are compatible at the moment. trousers has a lower priority than
+# tpm2-0-tss in case both should be installed. The tss user is shared between
+# both packages anyways already.
+mkdir -p %{buildroot}%{_udevrulesdir}
+install -m 0644 %{SOURCE3} %{buildroot}%{_udevrulesdir}
%pre
%service_add_pre tcsd.service
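Review bot: the comment says the rules file "conflicts somewhat" with tpm2-0-tss and that both are "compatible at the moment", which is a coupling a future change to either package can silently break; name the tpm2-0-tss rules file this one must stay consistent with. "Lower priority" is also only true because udev processes rules files in lexical order and the later assignment wins, i.e. it relies on the tpm2-0-tss file sorting after 91-trousers.rules; spell that out rather than leaving it implied.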
@@ -134,6 +146,7 @@
%post
%service_add_post tcsd.service
+%_bindir/udevadm trigger -s tpm || :
# see pre for an explanation of this
for data in system.data.auth system.data.noauth; do
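Review bot: %post now executes %_bindir/udevadm, but the hunk adds no Requires(post): udev (only a BuildRequires further up), so on a system where udev is not installed the trigger fails silently behind "|| :" and existing /dev/tpm* nodes keep their old ownership until the next reboot; add the runtime dependency. Minor: the rest of the spec spells macros as %{_bindir}.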
@@ -148,6 +161,14 @@
chown --no-dereference tss:tss "${file}"
done
+# bsc#1164472: adjust potential root ownership to allow tcsd to open the file
+# as unprivileged user. Be careful not to follow a symlink target.
+system_data=%{tpmstatedir}/system.data
+
+if [ -e "${system_data}" ]; then
+ chown --no-dereference tss:tss %{tpmstatedir}/system.data
+fi
+
%postun
%service_del_postun tcsd.service
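Review bot: system_data is assigned but the chown on the following lines spells out %{tpmstatedir}/system.data again; use "${system_data}" in both places so the test and the chown cannot drift apart. Worth a comment as well: "[ -e ]" follows symlinks while chown --no-dereference does not, so a symlink pointing at an existing file passes the test and only the link's ownership changes, and a dangling symlink is skipped; that is the intended safe behaviour, but it is not obvious from the two lines.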
@@ -168,6 +189,7 @@
%{_sbindir}/tcsd
%{_sbindir}/rctcsd
%{_unitdir}/tcsd.service
+%{_udevrulesdir}/91-trousers.rules
%files devel
%defattr(-,root,root)
Index: 91-trousers.rules
===================================================================
--- 91-trousers.rules (revision 0)
+++ 91-trousers.rules (revision 0)
@@ -0,0 +1,1 @@
+KERNEL=="tpm[0-9]*", MODE="0660", OWNER="tss"
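Review bot: the rule sets OWNER="tss" and MODE="0660" but no GROUP=, so the group bits apply to the device node's default group (root), which grants nothing beyond what root already has. If that is intended, say so in a comment in the rules file; otherwise MODE="0600" states the intent more tightly, or GROUP="tss" would make the group permission meaningful.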
Index: bsc1164472.patch
===================================================================
--- bsc1164472.patch (revision 0)
+++ bsc1164472.patch (revision 0)
@@ -0,0 +1,25 @@
+Index: trousers-0.3.14/src/tcs/ps/tcsps.c
+===================================================================
+--- trousers-0.3.14.orig/src/tcs/ps/tcsps.c
++++ trousers-0.3.14/src/tcs/ps/tcsps.c
+@@ -72,7 +72,7 @@ get_file()
+ }
+
+ /* open and lock the file */
+- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
++ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
+ if (system_ps_fd < 0) {
+ LogError("system PS: open() of %s failed: %s",
+ tcsd_options.system_ps_file, strerror(errno));
+Index: trousers-0.3.14/src/tcsd/svrside.c
+===================================================================
+--- trousers-0.3.14.orig/src/tcsd/svrside.c
++++ trousers-0.3.14/src/tcsd/svrside.c
+@@ -473,6 +473,7 @@ main(int argc, char **argv)
+ }
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
++ setgid(pwd->pw_gid);
+ setuid(pwd->pw_uid);
+ #endif
+ #endif
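Review bot: in the svrside.c hunk the new setgid(pwd->pw_gid) and the existing setuid(pwd->pw_uid) are both unchecked, so a failed drop lets tcsd carry on as root, which is exactly the condition this patch is meant to harden. Check both return values (abort on failure), call setgroups(0, NULL) before setgid() so inherited supplementary groups are dropped too, and verify afterwards that root cannot be regained. In the tcsps.c hunk, O_NOFOLLOW only protects the final path component; a symlinked directory earlier in tcsd_options.system_ps_file is still followed, so the %post ownership fix and the permissions of the state directory remain part of the defence and should be mentioned in the patch header.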
OBS-URL: https://build.opensuse.org/package/show/security/trousers?expand=0&rev=71
trousers-devel.x86_64: E: lto-no-text-in-archive (Badness: 10000) /usr/lib64/libtddl.a
objcopy/strip seem not to support the LTO linking and discard the actual
text section from libtddl.a. By passing -ffat-lto-objects the object format
is kept compatible with unaware tools and fixes the error.
OBS-URL: https://build.opensuse.org/package/show/security/trousers?expand=0&rev=59
version.
- implement a backup and restore logic for /var/lib/tpm/system.data.* to
prevent removal of validly stored trousers state during update. See previous
comment for the packaging error that leads to this requirement.
OBS-URL: https://build.opensuse.org/package/show/security/trousers?expand=0&rev=54
- fix wrong installation of system.data.{auth,noauth} into /var/lib/tpm. These
files are only sample files that *can* be used to fake that ownership was
already taken by trousers, when other TPM stacks did that already. These
files should not be there by default. Therefore install them into
/usr/share/trousers instead, to allow the user to use them at his own
discretion (fixes bsc#1111381).
OBS-URL: https://build.opensuse.org/request/show/644307
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/trousers?expand=0&rev=38
OBS-URL: https://build.opensuse.org/package/show/security/trousers?expand=0&rev=51