meta-security: subtree update:066a04425c..787ba6faea
Armin Kuster (10):
lynis: update to 3.0.0
security images: Move to recipe-core
security packagegroups: move to recipes-core
packagegroup-security-tpm: add more packages for building
packagegroup-core-security: remove clamav for riscv*
libsecomp: rv32/rv64 target builds are not supported yet
packagegroup-core-security: remove libseccomp for riscv*
libseccomp: update to 2.5.0
packagegroup-core-security: restore riscv64 for libssecomp
trousers: Several Security fixes
Charlie Davies (1):
clamav: add INSTALL_CLAMAV_CVD flag to do_install
Kai Kang (1):
libseccomp: fix cross compile error for mips
Yi Zhao (1):
ibmswtpm2: upgrade 1563 -> 1628
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I0341c0d4cd61fb6ef7db6a29f9fc60de3caa822f
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch b/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch
new file mode 100644
index 0000000..72c81d1
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch
@@ -0,0 +1,94 @@
+From e74dd1d96753b0538192143adf58d04fcd3b242b Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <mgerstner@suse.de>
+Date: Fri, 14 Aug 2020 22:14:36 -0700
+Subject: [PATCH] Correct multiple security issues that are present if the tcsd
+ is started by root instead of the tss user.
+
+Patch fixes the following 3 CVEs:
+
+CVE-2020-24332
+If the tcsd daemon is started with root privileges,
+the creation of the system.data file is prone to symlink attacks
+
+CVE-2020-24330
+If the tcsd daemon is started with root privileges,
+it fails to drop the root gid after it is no longer needed
+
+CVE-2020-24331
+If the tcsd daemon is started with root privileges,
+the tss user has read and write access to the /etc/tcsd.conf file
+
+Authored-by: Matthias Gerstner <mgerstner@suse.de>
+Signed-off-by: Debora Velarde Babb <debora@linux.ibm.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-24332
+CVE: CVE-2020-24330
+CVE: CVE-2020-24331
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/tcs/ps/tcsps.c | 2 +-
+ src/tcsd/svrside.c | 1 +
+ src/tcsd/tcsd_conf.c | 10 +++++-----
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+Index: git/src/tcs/ps/tcsps.c
+===================================================================
+--- git.orig/src/tcs/ps/tcsps.c
++++ git/src/tcs/ps/tcsps.c
+@@ -72,7 +72,7 @@ get_file()
+ }
+
+ /* open and lock the file */
+- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
++ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
+ if (system_ps_fd < 0) {
+ LogError("system PS: open() of %s failed: %s",
+ tcsd_options.system_ps_file, strerror(errno));
+Index: git/src/tcsd/svrside.c
+===================================================================
+--- git.orig/src/tcsd/svrside.c
++++ git/src/tcsd/svrside.c
+@@ -473,6 +473,7 @@ main(int argc, char **argv)
+ }
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
++ setgid(pwd->pw_gid);
+ setuid(pwd->pw_uid);
+ #endif
+ #endif
+Index: git/src/tcsd/tcsd_conf.c
+===================================================================
+--- git.orig/src/tcsd/tcsd_conf.c
++++ git/src/tcsd/tcsd_conf.c
+@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
+ #ifndef SOLARIS
+ struct group *grp;
+ struct passwd *pw;
+- mode_t mode = (S_IRUSR|S_IWUSR);
++ mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP);
+ #endif /* SOLARIS */
+ TSS_RESULT result;
+
+@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
+ }
+
+ /* make sure user/group TSS owns the conf file */
+- if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
++ if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
+ LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
+- TSS_USER_NAME, TSS_GROUP_NAME);
++ "root", TSS_GROUP_NAME);
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
+
+- /* make sure only the tss user can manipulate the config file */
++ /* make sure only the tss user can read (but not manipulate) the config file */
+ if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
+- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
++ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
+ #endif /* SOLARIS */
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
index fe8f557..95e821b 100644
--- a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
+++ b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
@@ -16,6 +16,7 @@
file://tcsd.service \
file://get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch \
file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \
+ file://0001-Correct-multiple-security-issues-that-are-present-if.patch \
"
S = "${WORKDIR}/git"