CVE-2020-24330:
An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges instead of by the tss user, it fails to drop the root gid privilege when no longer needed.

CVE-2020-24331:
An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges, the tss user still has read and write access to the /etc/tcsd.conf file (which contains various settings related to this daemon).

CVE-2020-24332:
An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges, the creation of the system.data file is prone to symlink attacks. The tss user can be used to create or corrupt existing files, which could possibly lead to a DoS attack.

Patch for the lot:
https://seclists.org/oss-sec/2020/q2/att-135/tcsd_fixes.patch

Maintainer, please add this patch.

Note: I'm making this C4/trivial because the daemon starts as the tss user by default in Gentoo:

app-crypt/trousers/files/tcsd.initd:
...
start-stop-daemon --start --user tss --exec /usr/sbin/tcsd
...

app-crypt/trousers/files/tcsd:
...
User=tss
...
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=52ec8c626ac6ebec40685ef69c09a41f135b0897

commit 52ec8c626ac6ebec40685ef69c09a41f135b0897
Author:     Salah Coronya <salah.coronya@gmail.com>
AuthorDate: 2020-08-14 02:46:33 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-15 00:55:57 +0000

    app-crypt/trousers: Add patch for CVE-2020-244{30,31,32}

    Bug: https://bugs.gentoo.org/737022
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Salah Coronya <salah.coronya@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/17118
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/trousers-0.3.14-tcsd-fixes.patch   | 58 ++++++++++++++++++
 app-crypt/trousers/trousers-0.3.14-r3.ebuild | 69 ++++++++++++++++++++++
 2 files changed, 127 insertions(+)
Maintainer, please let us know when ready to stable.
Ready yet?
Yes, go ahead. I thought I had to wait before stabilization.
(In reply to Salah Coronya from comment #4)
> Yes, go ahead. I thought I had to wait before stabilization.

For security bugs, tell us straight away if it's ready or not. No need to wait unless a lot changed. :)
arm stable
x86 stable
amd64 stable
arm64 done
ppc64 done

all arches done
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3840a28f931fcc82823944ab3941c69d57fcf43b

commit 3840a28f931fcc82823944ab3941c69d57fcf43b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-09-17 23:25:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-09-17 23:25:12 +0000

    app-crypt/trousers: security cleanup

    Bug: https://bugs.gentoo.org/737022
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 app-crypt/trousers/trousers-0.3.14-r2.ebuild | 68 ----------------------------
 1 file changed, 68 deletions(-)
no GLSA, closing