From a4e2b17eb86f4da1721aed657273e675941e0f8a Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Mon, 11 Dec 2023 17:12:58 +0300 Subject: [PATCH] import tang-7-8.el8 --- .../0003-Fix-permissions-race-condition.patch | 31 +++++++++++++++++++ SOURCES/0004-Set-tang-owner-group.patch | 26 ++++++++++++++++ SPECS/tang.spec | 15 +++++++-- 3 files changed, 70 insertions(+), 2 deletions(-) create mode 100644 SOURCES/0003-Fix-permissions-race-condition.patch create mode 100644 SOURCES/0004-Set-tang-owner-group.patch diff --git a/SOURCES/0003-Fix-permissions-race-condition.patch b/SOURCES/0003-Fix-permissions-race-condition.patch new file mode 100644 index 0000000..c24ac55 --- /dev/null +++ b/SOURCES/0003-Fix-permissions-race-condition.patch @@ -0,0 +1,31 @@ +--- tang-7.ori/src/tangd-keygen 2017-06-10 15:29:39.000000000 +0200 ++++ tang-7/src/tangd-keygen 2023-06-28 11:40:01.700819479 +0200 +@@ -27,6 +27,8 @@ + + [ $# -eq 3 ] && sig=$2 && exc=$3 + ++# Set default umask for file creation. ++umask 0337 + jwe=`jose jwk gen -i '{"alg":"ES512"}'` + [ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-` + echo "$jwe" > $1/$sig.jwk +--- tang-7.ori/src/keys.c 2023-06-28 09:57:08.706712410 +0200 ++++ tang-7/src/keys.c 2023-06-28 11:43:41.742247417 +0200 +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + #include "util.h" + #include "keys.h" +@@ -557,6 +558,9 @@ + /* At this point, there are no keys, so let's create them. */ + const char *alg[] = {"ES512", "ECMR", NULL}; + char path[PATH_MAX]; ++ ++ /* Set default umask for file creation. */ ++ umask(0337); + for (int i = 0; alg[i] != NULL; i++) { + struct tang_jwk *jwk __attribute__((cleanup(cleanup_tang_jwk))) = generate_new_tang_jwk(alg[i]); + if (!jwk) { diff --git a/SOURCES/0004-Set-tang-owner-group.patch b/SOURCES/0004-Set-tang-owner-group.patch new file mode 100644 index 0000000..7cc9bc5 --- /dev/null +++ b/SOURCES/0004-Set-tang-owner-group.patch @@ -0,0 +1,26 @@ +--- tang-7.ori/src/tangd-keygen 2023-07-21 11:45:39.091100369 +0200 ++++ tang-7/src/tangd-keygen 2023-07-21 11:47:58.813612221 +0200 +@@ -20,6 +20,13 @@ + + trap 'exit' ERR + ++set_perms() { ++ chmod -- 0440 "${1}" ++ if ! chown -- "tang:tang" "${1}" 2>/dev/null; then ++ echo "Unable to change owner/group for ${1} to tang:tang" >&2 ++ fi ++} ++ + if [ $# -ne 1 -a $# -ne 3 ] || [ ! -d "$1" ]; then + echo "Usage: $0 [ ]" >&2 + exit 1 +@@ -32,7 +39,9 @@ + jwe=`jose jwk gen -i '{"alg":"ES512"}'` + [ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-` + echo "$jwe" > $1/$sig.jwk ++set_perms "$1/$sig.jwk" + + jwe=`jose jwk gen -i '{"alg":"ECMR"}'` + [ -z "$exc" ] && exc=`echo "$jwe" | jose jwk thp -i-` + echo "$jwe" > $1/$exc.jwk ++set_perms "$1/$exc.jwk" diff --git a/SPECS/tang.spec b/SPECS/tang.spec index 999126c..02a600d 100644 --- a/SPECS/tang.spec +++ b/SPECS/tang.spec @@ -1,6 +1,6 @@ Name: tang Version: 7 -Release: 6%{?dist} +Release: 8%{?dist} Summary: Network Presence Binding Daemon License: GPLv3+ @@ -8,6 +8,8 @@ URL: https://github.com/latchset/%{name} Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2 Patch1: 0001-Move-key-generation-to-tang.patch Patch2: 0002-Exit-with-success-unless-the-issue-was-with-with-tan.patch +Patch3: 0003-Fix-permissions-race-condition.patch +Patch4: 0004-Set-tang-owner-group.patch BuildRequires: gcc BuildRequires: autoconf @@ -89,9 +91,18 @@ exit 0 %{_mandir}/man1/tang-show-keys.1* %changelog -* Wed Jul 26 2023 MSVSphere Packaging Team - 7-6 +* Wed Jul 26 2023 MSVSphere Packaging Team - 7-8 - Rebuilt for MSVSphere 8.8 +* Fri Jul 21 2023 Sergio Arroutbi - 7-8 +- Set correct user/group (tang/tang) in tangd-keygen + Resolves: rhbz#2188743 + +* Wed Jun 28 2023 Sergio Arroutbi - 7-7 +- Fix race condition when creating/rotating keys + Resolves: rhbz#2182410 + Resolves: CVE-2023-1672 + * Wed Jan 13 2021 Sergio Correia - 7-6 - Exit with success unless the issue was with with tangd itself Resolves: rhbz#1828558