
Bug 737022 (CVE-2020-24330, CVE-2020-24331, CVE-2020-24332)

Summary: <app-crypt/trousers-0.3.14-r3: Multiple vulnerabilities (CVE-2020-{24330,24331,24332})
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: proxy-maint, salah.coronya
Priority: Normal
Keywords: CC-ARCHES, PullRequest
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All
OS: Linux
URL: https://sourceforge.net/p/trousers/mailman/message/37015817/
See Also: https://github.com/gentoo/gentoo/pull/17118
Whiteboard: C4 [noglsa]
Package list:
app-crypt/trousers-0.3.14-r3
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-13 23:46:20 UTC
CVE-2020-24330:

An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges instead of by the tss user, it fails to drop the root gid privilege when no longer needed.

CVE-2020-24331:

An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges, the tss user still has read and write access to the /etc/tcsd.conf file (which contains various settings related to this daemon).

CVE-2020-24332:

An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges, the creation of the system.data file is prone to symlink attacks. The tss user can be used to create or corrupt existing files, which could possibly lead to a DoS attack.


Patch for the lot: https://seclists.org/oss-sec/2020/q2/att-135/tcsd_fixes.patch

Maintainer, please add this patch. 


Note: I'm making this C4/trivial because the daemon starts as the tss user by default in Gentoo:

app-crypt/trousers/files/tcsd.initd:
...
start-stop-daemon --start --user tss --exec /usr/sbin/tcsd
...

app-crypt/trousers/files/tcsd:
...
User=tss
...
Comment 1 Larry the Git Cow gentoo-dev 2020-08-15 00:57:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=52ec8c626ac6ebec40685ef69c09a41f135b0897

commit 52ec8c626ac6ebec40685ef69c09a41f135b0897
Author:     Salah Coronya <salah.coronya@gmail.com>
AuthorDate: 2020-08-14 02:46:33 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-15 00:55:57 +0000

    app-crypt/trousers: Add patch for CVE-2020-244{30,31,32}
    
    Bug: https://bugs.gentoo.org/737022
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Salah Coronya <salah.coronya@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/17118
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/trousers-0.3.14-tcsd-fixes.patch         | 58 ++++++++++++++++++
 app-crypt/trousers/trousers-0.3.14-r3.ebuild       | 69 ++++++++++++++++++++++
 2 files changed, 127 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-17 16:46:01 UTC
Maintainer, please let us know when ready to stable.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-20 09:07:55 UTC
Ready yet?
Comment 4 Christopher Byrne 2020-08-20 19:02:28 UTC
Yes, go ahead. I thought I had to wait before stabilization.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-20 19:11:18 UTC
(In reply to Salah Coronya from comment #4)
> Yes, go ahead. I thought I had to wait before stabilization.

For security bugs, tell us straight away if it's ready or not. No need to wait unless a lot changed. :)
Comment 6 Agostino Sarubbo gentoo-dev 2020-08-21 15:28:34 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-08-21 15:36:15 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-08-22 05:47:25 UTC
amd64 stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-22 20:20:50 UTC
arm64 done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-01 00:22:40 UTC
ppc64 done

all arches done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-01 00:40:03 UTC
Please cleanup.
Comment 12 Larry the Git Cow gentoo-dev 2020-09-17 23:25:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3840a28f931fcc82823944ab3941c69d57fcf43b

commit 3840a28f931fcc82823944ab3941c69d57fcf43b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-09-17 23:25:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-09-17 23:25:12 +0000

    app-crypt/trousers: security cleanup
    
    Bug: https://bugs.gentoo.org/737022
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 app-crypt/trousers/trousers-0.3.14-r2.ebuild | 68 ----------------------------
 1 file changed, 68 deletions(-)
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-17 23:25:47 UTC
no GLSA, closing