Bug 774465 (CVE-2021-27098, CVE-2021-27099)

Summary:	<app-misc/spire-1.1.0: multiple vulnerabilities (CVE-2021-{27098,27099})
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	williamh
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/spiffe/spire/security/advisories/GHSA-q7gm-mjrg-44h9
Whiteboard:	~4 [noglsa]
Package list:		Runtime testing required:	---

Description John Helmert III archtester

2021-03-06 15:05:11 UTC

CVE-2021-27099:

In SPIRE before versions 0.8.5, 0.9.4, 0.10.2, 0.11.3 and 0.12.1, the "aws_iid" Node Attestor improperly normalizes the path provided through the agent ID templating feature, which may allow the issuance of an arbitrary SPIFFE ID within the same trust domain, if the attacker controls the value of an EC2 tag prior to attestation, and the attestor is configured for agent ID templating where the tag value is the last element in the path. This issue has been fixed in SPIRE versions 0.11.3 and 0.12.1


Going off the versions we have in tree, we need a bump to at least 0.8.5,
0.10.2, and 0.11.3. Thanks!

Comment 1 John Helmert III archtester

2021-03-06 15:38:50 UTC

CVE-2021-27098:

In SPIRE 0.8.1 through 0.8.4 and before versions 0.9.4, 0.10.2, 0.11.3 and 0.12.1, specially crafted requests to the FetchX509SVID RPC of SPIRE Server’s Legacy Node API can result in the possible issuance of an X.509 certificate with a URI SAN for a SPIFFE ID that the agent is not authorized to distribute. Proper controls are in place to require that the caller presents a valid agent certificate that is already authorized to issue at least one SPIFFE ID, and the requested SPIFFE ID belongs to the same trust domain, prior to being able to trigger this vulnerability. This issue has been fixed in SPIRE versions 0.8.5, 0.9.4, 0.10.2, 0.11.3 and 0.12.1.


Same fixed versions.

Comment 2 NATTkA bot gentoo-dev

2021-07-29 17:23:43 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 3 NATTkA bot gentoo-dev

2021-07-29 17:32:07 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 4 NATTkA bot gentoo-dev

2021-07-29 17:40:01 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 17:48:11 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 18:04:08 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 7 NATTkA bot gentoo-dev

2021-07-29 18:12:25 UTC

Package list is empty or all packages have requested keywords.

Comment 8 Larry the Git Cow gentoo-dev

2022-02-22 00:20:01 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=65b8aa0e8b5ef79d8d808042dc31370e38e21cc2

commit 65b8aa0e8b5ef79d8d808042dc31370e38e21cc2
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-02-22 00:19:15 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-02-22 00:19:52 +0000

    app-misc/spire: remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/774465
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-misc/spire/Manifest            | 408 ---------------
 app-misc/spire/spire-0.10.0.ebuild | 523 --------------------
 app-misc/spire/spire-0.11.1.ebuild | 981 -------------------------------------
 app-misc/spire/spire-0.8.1.ebuild  |  61 ---
 4 files changed, 1973 deletions(-)

Comment 9 John Helmert III archtester

2022-02-22 00:23:35 UTC

All done, thanks!