Bug 737022 (CVE-2020-24330, CVE-2020-24331, CVE-2020-24332) - <app-crypt/trousers-0.3.14-r3: Multiple vulnerabilities (CVE-2020-{24330,24331,24332})
Summary: <app-crypt/trousers-0.3.14-r3: Multiple vulnerabilities (CVE-2020-{24330,2433...
Status: RESOLVED FIXED
Alias: CVE-2020-24330, CVE-2020-24331, CVE-2020-24332
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://sourceforge.net/p/trousers/ma...
Whiteboard: C4 [noglsa]
Keywords: CC-ARCHES, PullRequest
Depends on:
Blocks:
 
Reported: 2020-08-13 23:46 UTC by John Helmert III (ajak)
Modified: 2020-09-17 23:25 UTC

See Also:
Package list:
app-crypt/trousers-0.3.14-r3
Runtime testing required: ---
nattka: sanity-check+


Description John Helmert III (ajak) 2020-08-13 23:46:20 UTC
CVE-2020-24330:

An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges instead of by the tss user, it fails to drop the root gid privilege when no longer needed.

CVE-2020-24331:

An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges, the tss user still has read and write access to the /etc/tcsd.conf file (which contains various settings related to this daemon).

CVE-2020-24332:

An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges, the creation of the system.data file is prone to symlink attacks. The tss user can be used to create or corrupt existing files, which could possibly lead to a DoS attack.


Patch for the lot: https://seclists.org/oss-sec/2020/q2/att-135/tcsd_fixes.patch

Maintainer, please add this patch. 


Note: I'm making this C4/trivial because the daemon starts as the tss user by default in Gentoo:

app-crypt/trousers/files/tcsd.initd:
...
start-stop-daemon --start --user tss --exec /usr/sbin/tcsd
...

app-crypt/trousers/files/tcsd:
...
User=tss
...
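
The privilege-drop and symlink issues described in the report above (CVE-2020-24330 and CVE-2020-24332), shown as a hardened pattern in C. This is an added example, not part of the original report and not the TrouSerS patch; the function names `drop_privileges`, `open_state_file` and `demo_symlink_refused` and the temporary directory are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Drop root for good: supplementary groups, then gid, then uid, then verify. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) != 0) return -1;    /* clear supplementary groups */
    if (setgid(gid) != 0) return -1;           /* must happen before setuid() */
    if (setuid(uid) != 0) return -1;
    if (getgid() != gid || getegid() != gid) return -1; /* root gid still held */
    if (uid != 0 && setuid(0) == 0) return -1; /* root must not be recoverable */
    return 0;
}

/* Open or create a state file without following a symlink in the final path
 * component; accept only a regular file that has no extra hard links. */
int open_state_file(const char *path) {
    struct stat st;
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;                     /* ELOOP when path is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: a symlink planted where the state file is expected. */
int demo_symlink_refused(void) {
    char dir[] = "/tmp/tcsd-demo-XXXXXX", target[64], lnk[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/system.data", dir);
    if (symlink(target, lnk) != 0) return -1;
    int fd = open_state_file(lnk);
    int refused = (fd < 0 && errno == ELOOP && access(target, F_OK) != 0);
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(target); rmdir(dir);
    return refused;                            /* 1: link refused, victim not created */
}

int main(void) {
    return demo_symlink_refused() == 1 ? 0 : 1;
}
```

`O_NOFOLLOW` only guards the last path component, so the containing directory must also not be writable by the unprivileged user.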
Comment 1 Larry the Git Cow gentoo-dev 2020-08-15 00:57:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=52ec8c626ac6ebec40685ef69c09a41f135b0897

commit 52ec8c626ac6ebec40685ef69c09a41f135b0897
Author:     Salah Coronya <salah.coronya@gmail.com>
AuthorDate: 2020-08-14 02:46:33 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-15 00:55:57 +0000

    app-crypt/trousers: Add patch for CVE-2020-244{30,31,32}
    
    Bug: https://bugs.gentoo.org/737022
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Salah Coronya <salah.coronya@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/17118
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/trousers-0.3.14-tcsd-fixes.patch         | 58 ++++++++++++++++++
 app-crypt/trousers/trousers-0.3.14-r3.ebuild       | 69 ++++++++++++++++++++++
 2 files changed, 127 insertions(+)
Comment 2 John Helmert III (ajak) 2020-08-17 16:46:01 UTC
Maintainer, please let us know when ready to stable.
Comment 3 Sam James archtester gentoo-dev Security 2020-08-20 09:07:55 UTC
Ready yet?
Comment 4 Salah Coronya 2020-08-20 19:02:28 UTC
Yes, go ahead. I thought I had to wait before stabilization.
Comment 5 Sam James archtester gentoo-dev Security 2020-08-20 19:11:18 UTC
(In reply to Salah Coronya from comment #4)
> Yes, go ahead. I thought I had to wait before stabilization.

For security bugs, tell us straight away if it's ready or not. No need to wait unless a lot changed. :)
Comment 6 Agostino Sarubbo gentoo-dev 2020-08-21 15:28:34 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-08-21 15:36:15 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-08-22 05:47:25 UTC
amd64 stable
Comment 9 Sam James archtester gentoo-dev Security 2020-08-22 20:20:50 UTC
arm64 done
Comment 10 Sam James archtester gentoo-dev Security 2020-09-01 00:22:40 UTC
ppc64 done

all arches done
Comment 11 Sam James archtester gentoo-dev Security 2020-09-01 00:40:03 UTC
Please cleanup.
Comment 12 Larry the Git Cow gentoo-dev 2020-09-17 23:25:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3840a28f931fcc82823944ab3941c69d57fcf43b

commit 3840a28f931fcc82823944ab3941c69d57fcf43b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-09-17 23:25:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-09-17 23:25:12 +0000

    app-crypt/trousers: security cleanup
    
    Bug: https://bugs.gentoo.org/737022
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 app-crypt/trousers/trousers-0.3.14-r2.ebuild | 68 ----------------------------
 1 file changed, 68 deletions(-)
Comment 13 Sam James archtester gentoo-dev Security 2020-09-17 23:25:47 UTC
no GLSA, closing