- Corrected multiple security issues that existed if the tcsd is started by
root instead of the tss user. CVE-2020-24332, CVE-2020-24330, CVE-2020-24331
- Replaced use of _no_optimize with asm memory barrier
- Fixed multiple potential instances of use after free memory handling
- Removed unused global variables which caused build issue on some distros
- drop gcc-10.patch: now contained in upstream tarball
- drop bsc1164472.patch: now contained in upstream tarball
OBS-URL: https://build.opensuse.org/package/show/security/trousers?expand=0&rev=79
%pretrans and %posttrans had their purpose before, because the logic needed
to run before old files owned by the package got deleted. But I'm not
reimplementing this strange logic in Lua ... users that didn't get the fix
yet will have to live with it.
OBS-URL: https://build.opensuse.org/package/show/security/trousers?expand=0&rev=72
(bsc#1164472). To do this run tcsd as the 'tss' user right away to prevent
badly designed privilege drop and initialization code from running.
- add bsc1164472.patch: additionally harden operation of tcsd when running as
root. No longer follow symlinks in /var/lib/tpm. Drop gid to tss main group.
A 91-trousers.rules
A bsc1164472.patch
M tcsd.service
M trousers.changes
M trousers.spec
Diff for working copy: .
Index: tcsd.service
===================================================================
--- tcsd.service (revision 52e99d6d567f9aa64944f2e901493413)
+++ tcsd.service (working copy)
@@ -4,6 +4,7 @@
[Service]
Type=forking
ExecStart=/usr/sbin/tcsd
+User=tss
[Install]
WantedBy=multi-user.target
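Review bot: `+User=tss` turns the daemon's own setgid()/setuid() branch into a no-op, so /dev/tpm* and the files under /var/lib/tpm must already be accessible to tss before ExecStart runs; nothing in the unit says so. A one-line comment above `User=tss` pointing at the udev rule and the %post chown that provide that guarantee would save the next reader from re-deriving it.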
Index: trousers.changes
===================================================================
--- trousers.changes (revision 52e99d6d567f9aa64944f2e901493413)
+++ trousers.changes (working copy)
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed May 20 08:59:54 UTC 2020 - Matthias Gerstner <matthias.gerstner@suse.com>
+
+- fix a potential tss user to root privilege escalation when running tcsd
+ (bsc#1164472). To do this run tcsd as the 'tss' user right away to prevent
+ badly designed privilege drop and initialization code to run.
+- add bsc1164472.patch: additionally harden operation of tcsd when running as
+ root. No longer follow symlinks in /var/lib/tpm. Drop gid to tss main group.
+
-------------------------------------------------------------------
Wed May 13 12:14:32 UTC 2020 - matthias.gerstner@suse.com
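Review bot: the new changelog entry leaves out two user-visible changes that are part of this same submission, the udev rule 91-trousers.rules (Source3) that hands /dev/tpm* to the tss user and the `udevadm trigger` run in %post; list them so an administrator reading the changelog understands why device ownership changed on upgrade. Minor wording: "to prevent ... code to run" should read "from running".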
Index: trousers.spec
===================================================================
--- trousers.spec (revision 52e99d6d567f9aa64944f2e901493413)
+++ trousers.spec (working copy)
@@ -27,12 +27,15 @@
Source0: http://downloads.sf.net/trousers/%{name}-%{version}.tar.gz
Source1: tcsd.service
Source2: baselibs.conf
+Source3: 91-trousers.rules
Patch0: fix-lto.patch
+Patch1: bsc1164472.patch
BuildRequires: gtk2-devel
BuildRequires: libtool
BuildRequires: openssl-devel
BuildRequires: pkg-config
BuildRequires: systemd-rpm-macros
+BuildRequires: udev
# for 'stat' for the hack in %pre
Requires(pre): coreutils
Requires(pre): user(tss)
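Review bot: `+BuildRequires: udev` only serves to resolve %{_udevrulesdir} at build time, while the %post hunk further down executes udevadm at install time; the runtime side of that dependency is not declared here. Either add an explicit `Requires(post): udev` or state in a comment next to `BuildRequires: udev` that the %post deliberately tolerates a missing udevadm via `|| :`.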
@@ -81,6 +84,7 @@
%prep
%setup -q -c %{name}-%{version}
%patch0 -p1
+%patch1 -p1
%build
CC=gcc
@@ -106,6 +110,14 @@
ln -s -v /%{_lib}/$(readlink %{buildroot}/%{_lib}/libtspi.so) %{buildroot}%{_libdir}/libtspi.so
rm -v %{buildroot}/%{_lib}/libtspi.{so,la}
mv -v %{buildroot}/%{_lib}/*.a %{buildroot}%{_libdir}
+
+# we want to run tcsd as tss user right away. therefore we need to install a
+# suitable udev rule file. this conflicts somewhat with tpm2-0-tss, but both
+# rules files are compatible at the moment. trousers has a lower priority than
+# tpm2-0-tss in case both should be installed. The tss user is shared between
+# both packages anyways already.
+mkdir -p %{buildroot}%{_udevrulesdir}
+install -m 0644 %{SOURCE3} %{buildroot}%{_udevrulesdir}
%pre
%service_add_pre tcsd.service
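Review bot: the comment claims 91-trousers.rules has lower priority than the tpm2-0-tss rule file and that both are "compatible at the moment", but it names neither that file nor its number, so the precedence claim cannot be checked from this diff and the compatibility assumption has no pointer to what it depends on. Cite the tpm2-0-tss rule file in the comment so a future change to either package can be reviewed against it.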
@@ -134,6 +146,7 @@
%post
%service_add_post tcsd.service
+%_bindir/udevadm trigger -s tpm || :
# see pre for an explanation of this
for data in system.data.auth system.data.noauth; do
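Review bot: `%_bindir/udevadm trigger -s tpm || :` re-applies the rule only to TPM devices that already exist at %post time and swallows every failure; that is acceptable for upgrades, but the comment should say that on a fresh boot the device ownership comes from the rule file alone, so a failed trigger here is not what a first tcsd start depends on. The long spelling `--subsystem-match=tpm` would also make the intent clearer than `-s tpm`.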
@@ -148,6 +161,14 @@
chown --no-dereference tss:tss "${file}"
done
+# bsc#1164472: adjust potential root ownership to allow tcsd to open the file
+# as unprivileged user. Be careful not to follow a symlink target.
+system_data=%{tpmstatedir}/system.data
+
+if [ -e "${system_data}" ]; then
+ chown --no-dereference tss:tss %{tpmstatedir}/system.data
+fi
+
%postun
%service_del_postun tcsd.service
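Review bot: `system_data=%{tpmstatedir}/system.data` is assigned but the chown then spells the path out a second time as `%{tpmstatedir}/system.data`; use `"${system_data}"` in both the test and the chown so the two cannot drift apart. Also `[ -e "${system_data}" ]` dereferences symlinks, so a dangling symlink at that path is skipped while a symlink to an existing file is re-owned (the link itself, thanks to `--no-dereference`); given that bsc#1164472 is about symlinks under /var/lib/tpm, an explicit `[ -L ... ]` branch that refuses or logs a symlink would state the intent better than silently re-owning it.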
@@ -168,6 +189,7 @@
%{_sbindir}/tcsd
%{_sbindir}/rctcsd
%{_unitdir}/tcsd.service
+%{_udevrulesdir}/91-trousers.rules
%files devel
%defattr(-,root,root)
Index: 91-trousers.rules
===================================================================
--- 91-trousers.rules (revision 0)
+++ 91-trousers.rules (revision 0)
@@ -0,0 +1,1 @@
+KERNEL=="tpm[0-9]*", MODE="0660", OWNER="tss"
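Review bot: the rule sets `OWNER="tss"` and `MODE="0660"` but no `GROUP=`, so the device node keeps group root with group read/write permission; either add `GROUP="tss"` (consistent with the daemon's new setgid() to the tss primary group) or tighten the mode to 0600. Adding a `SUBSYSTEM=="tpm"` match would also tie the rule to the same subsystem the %post `udevadm trigger -s tpm` addresses, instead of relying on the KERNEL name glob alone.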
Index: bsc1164472.patch
===================================================================
--- bsc1164472.patch (revision 0)
+++ bsc1164472.patch (revision 0)
@@ -0,0 +1,25 @@
+Index: trousers-0.3.14/src/tcs/ps/tcsps.c
+===================================================================
+--- trousers-0.3.14.orig/src/tcs/ps/tcsps.c
++++ trousers-0.3.14/src/tcs/ps/tcsps.c
+@@ -72,7 +72,7 @@ get_file()
+ }
+
+ /* open and lock the file */
+- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
++ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
+ if (system_ps_fd < 0) {
+ LogError("system PS: open() of %s failed: %s",
+ tcsd_options.system_ps_file, strerror(errno));
+Index: trousers-0.3.14/src/tcsd/svrside.c
+===================================================================
+--- trousers-0.3.14.orig/src/tcsd/svrside.c
++++ trousers-0.3.14/src/tcsd/svrside.c
+@@ -473,6 +473,7 @@ main(int argc, char **argv)
+ }
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
++ setgid(pwd->pw_gid);
+ setuid(pwd->pw_uid);
+ #endif
+ #endif
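Review bot: in the svrside.c hunk both the added `setgid(pwd->pw_gid);` and the existing `setuid(pwd->pw_uid);` discard their return values, so a failed drop leaves the daemon running as root without any log line; check each call and abort on failure, and clear the supplementary group list with setgroups() before setgid() while the process is still root. In the tcsps.c hunk, `O_NOFOLLOW` only refuses a symlink as the final path component; a comment should state that symlinked parent directories under /var/lib/tpm are still relied upon to be sane. The patch file itself also carries no header describing its origin or upstream status.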
OBS-URL: https://build.opensuse.org/package/show/security/trousers?expand=0&rev=71
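The commit above hardens tcsd in two ways: dropping to the tss user and group, and opening the persistent-storage file without following symlinks. The program below is an added example written for this page, not trousers code: it shows the complete privilege-drop sequence a daemon should use (supplementary groups and gid first, uid last, every return value checked, and a verification that root cannot be regained), and an `O_NOFOLLOW` open that additionally rejects anything that is not a regular file. All function names (`drop_privileges`, `open_state_file`, `demo_nofollow`) are hypothetical, and the temporary directory with its state file and symlink is constructed by the demo itself so it runs unprivileged on any Linux box.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to the given uid/gid in the safe order: supplementary groups and
 * primary gid first (both need root), the uid last. Every call is checked
 * and, after the drop, regaining root must fail. Returns 0 on success,
 * -1 with errno set on failure. Hypothetical helper, not trousers code. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;              /* only root may reset the group list */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;          /* the drop was not permanent */
        return -1;
    }
    return 0;
}

/* Open a state file the way the patch does (O_CREAT|O_RDWR|O_NOFOLLOW,
 * mode 0600) and additionally refuse anything that is not a regular file.
 * Returns the fd, or -1 with errno set (ELOOP when path is a symlink). */
int open_state_file(const char *path)
{
    int fd = open(path, O_CREAT | O_RDWR | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Constructed demo: create a temp dir holding a regular system.data and a
 * symlink beside it, then check that only the regular file opens and the
 * symlink is rejected with ELOOP. Returns 1 when both hold, else 0. */
int demo_nofollow(void)
{
    char dir[] = "/tmp/tcsd_demo_XXXXXX";
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./tcsd_demo_XXXXXX");   /* fallback: current dir */
        if (mkdtemp(dir) == NULL)
            return 0;
    }
    char regular[128], link[128], target[128];
    snprintf(regular, sizeof regular, "%s/system.data", dir);
    snprintf(link, sizeof link, "%s/system.data.link", dir);
    snprintf(target, sizeof target, "%s/elsewhere", dir);

    int ok = 0;
    int fd = open_state_file(regular);          /* regular file: must work */
    if (fd >= 0) {
        close(fd);
        if (symlink(target, link) == 0) {       /* symlink: must be refused */
            int lfd = open_state_file(link);
            if (lfd < 0 && errno == ELOOP)
                ok = 1;
            else if (lfd >= 0)
                close(lfd);
        }
    }
    unlink(link);
    unlink(regular);
    rmdir(dir);
    return ok;
}

int main(void)
{
    /* dropping to our own ids works unprivileged; as root pass the tss ids */
    printf("privilege drop: %s\n",
           drop_privileges(getuid(), getgid()) == 0 ? "ok" : strerror(errno));
    printf("symlink in state dir refused: %s\n", demo_nofollow() ? "yes" : "no");
    return 0;
}
```

The ordering matters: once `setuid()` has run, `setgroups()` and `setgid()` can no longer be called, which is why the patch's `setgid()` line had to go before the existing `setuid()` and why a real daemon should also clear the supplementary group list it inherited from root. The `fstat()` check after `O_NOFOLLOW` covers the case the flag does not: a path that names a FIFO or device instead of a symlink.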
trousers-devel.x86_64: E: lto-no-text-in-archive (Badness: 10000) /usr/lib64/libtddl.a
objcopy/strip seem not to support LTO linking and discard the actual
text section from libtddl.a. Passing -ffat-lto-objects keeps the object
format compatible with unaware tools and fixes the error.
OBS-URL: https://build.opensuse.org/package/show/security/trousers?expand=0&rev=59
version.
- implement a backup and restore logic for /var/lib/tpm/system.data.* to
prevent removal of validly stored trousers state during update. See previous
comment for the packaging error that leads to this requirement.
OBS-URL: https://build.opensuse.org/package/show/security/trousers?expand=0&rev=54
files are only sample files that *can* be used to fake that ownership was
already taken by trousers, when other TPM stacks did that already. These
files should not be there by default. Therefore install them into
/usr/share/trousers instead, to allow the user to use them at his own
discretion (fixes bsc#1111381).
OBS-URL: https://build.opensuse.org/package/show/security/trousers?expand=0&rev=51
- Changed exported functions which had a name too common, to avoid
collision
- Assessed daemon security using manual techniques and coverity
- Fixed major security bugs and memory leaks
- Added debug support to run tcsd with a different user/group
- Daemon now properly closes sockets before shutting down
* TROUSERS_0_3_12
- Added new network code for RPC, which supports IPv6
- Users of client applications can configure the hostname of the tcsd
server they want to connect through the TSS_TCSD_HOSTNAME env var
(only works if application didn't set a hostname in the context)
- Added disable_ipv4 and disable_ipv6 config options for server
- removed trousers-wrap_large_key_overflow.patch: upstream
- removed trousers-0.3.11.2.diff: solved upstream now
OBS-URL: https://build.opensuse.org/package/show/security/trousers?expand=0&rev=34
- Fix ssl_ui.c overflow
- Handling of TPM_CERTIFY_INFO2 structure special case
- Fix possible obfuscation of obj_migdata.c errors.
- Make 1.2 keys respect the TPM_PCRIGNOREDONREAD flag.
- PCRInfo member allocation in Trspi_Unload_CERTIFY_INFO.
- Add functions for deserializing NVRAM related data structures
- Add NVRAM specific error messages
- Fix spec file so one can build an rpm
- Initialize the tcsd_config_file with NULL.
- support for -c <configfile> command line option
- Establish a .gitignore file
- ENDIAN_H and htole definition fix
OBS-URL: https://build.opensuse.org/package/show/security/trousers?expand=0&rev=24
- Fixed a number of warnings during a build with --debug regarding THREAD ID
definition
- Removed htole() dependency, which was included only in glibc 2.9
- Updated to TROUSERS_0_3_5
- Allowed TCD Daemon to run with reduced privileges in Solaris.
- Fixing previous kfreebsd build patch conflict with the current tree.
- TCSD error handling improvements.
- mutex init inclusion.
- pthread_t portability fix
- Owner Evict keys load fix.
- Big-endian issues.
- Memory leak fix.
- Adding missing #include <limits.h>.
- kfreebsd build fixes.
- Fixed usage of syslog().
- 64-bit clean
- Fixes the TCP UN and IN socket connection attempt handling
- Fixes logic on opening a hardware TPM.
- Added communication through TCP to software TPMs in TrouSerS.
- Fixed conflicting defines
- Adds missing free()
- Fixed fread() return value check.
- Made the previous fix cleaner and more robust.
- Added missing check in order to avoid freeing buffer that's out of Tspi_Data_Seal() scope.
- Fixed Tspi_TPM_GetRandom 4kb output limit.
OBS-URL: https://build.opensuse.org/package/show/security/trousers?expand=0&rev=14
- Fixed TrouSerS mishandling of TPM auth sessions
- Enabled hosttable.c "_init" and "_fini" functions to work on Solaris
- Included Solaris in BSD_CONST definition conditional
- Made the init script LSB compliant
- make distcheck improved
- TROUSERS_0_3_3_2
- Fixed logic when filling up RSA keys objects.
- TROUSERS_0_3_3_1
- TCSD now runs as tss and has a better signal handling
- Fixed many memory handling issues
- TROUSERS_0_3_3
- Tspi_ChangeAuth fixed for popup secret use case.
- Prefixed exported functions with common names.
- Fixed issues with accessing the utmp database.
- Migrated the bios parser file handler from open to fopen.
OBS-URL: https://build.opensuse.org/package/show/security/trousers?expand=0&rev=9