Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 774465 (CVE-2021-27098, CVE-2021-27099) - <app-misc/spire-1.1.0: multiple vulnerabilities (CVE-2021-{27098,27099})
Summary: <app-misc/spire-1.1.0: multiple vulnerabilities (CVE-2021-{27098,27099})
Status: RESOLVED FIXED
Alias: CVE-2021-27098, CVE-2021-27099
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: https://github.com/spiffe/spire/secur...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-06 15:05 UTC by John Helmert III
Modified: 2022-02-22 00:23 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-06 15:05:11 UTC 
CVE-2021-27099:

In SPIRE before versions 0.8.5, 0.9.4, 0.10.2, 0.11.3 and 0.12.1, the "aws_iid" Node Attestor improperly normalizes the path provided through the agent ID templating feature, which may allow the issuance of an arbitrary SPIFFE ID within the same trust domain, if the attacker controls the value of an EC2 tag prior to attestation, and the attestor is configured for agent ID templating where the tag value is the last element in the path. This issue has been fixed in SPIRE versions 0.11.3 and 0.12.1


Going off the versions we have in tree, we need a bump to at least 0.8.5,
0.10.2, and 0.11.3. Thanks!
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-06 15:38:50 UTC 
CVE-2021-27098:

In SPIRE 0.8.1 through 0.8.4 and before versions 0.9.4, 0.10.2, 0.11.3 and 0.12.1, specially crafted requests to the FetchX509SVID RPC of SPIRE Server’s Legacy Node API can result in the possible issuance of an X.509 certificate with a URI SAN for a SPIFFE ID that the agent is not authorized to distribute. Proper controls are in place to require that the caller presents a valid agent certificate that is already authorized to issue at least one SPIFFE ID, and the requested SPIFFE ID belongs to the same trust domain, prior to being able to trigger this vulnerability. This issue has been fixed in SPIRE versions 0.8.5, 0.9.4, 0.10.2, 0.11.3 and 0.12.1.


Same fixed versions.
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:23:43 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:32:07 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:40:01 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:48:11 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:04:08 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:12:25 UTC 
Package list is empty or all packages have requested keywords.
Comment 8 Larry the Git Cow gentoo-dev 2022-02-22 00:20:01 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=65b8aa0e8b5ef79d8d808042dc31370e38e21cc2

commit 65b8aa0e8b5ef79d8d808042dc31370e38e21cc2
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-02-22 00:19:15 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-02-22 00:19:52 +0000

    app-misc/spire: remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/774465
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-misc/spire/Manifest            | 408 ---------------
 app-misc/spire/spire-0.10.0.ebuild | 523 --------------------
 app-misc/spire/spire-0.11.1.ebuild | 981 -------------------------------------
 app-misc/spire/spire-0.8.1.ebuild  |  61 ---
 4 files changed, 1973 deletions(-)
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-22 00:23:35 UTC 
All done, thanks!