From 3459d0cdf62335d30ae118a8952e34165f14782d Mon Sep 17 00:00:00 2001
From: Jerry Snitselaar
Date: Thu, 29 Oct 2020 16:00:41 -0700
Subject: [PATCH] trousers: security fixes

Fixes for the following CVEs, plus a fix for an annocheck warning.
- Fix for CVE-2020-24330 (RHBZ#1874824)
- Fix for CVE-2020-24331 (RHBZ#1870057)
- Fix for CVE-2020-24332 (RHBZ#1870053)
Signed-off-by: Jerry Snitselaar
---
 trousers-0.3.14-correct-security-issues.patch | 89 +++++++++++++++++++
 trousers-0.3.14-no-optimize.patch | 49 ++++++++++
 trousers.spec | 11 ++-
 3 files changed, 147 insertions(+), 2 deletions(-)
 create mode 100644 trousers-0.3.14-correct-security-issues.patch
 create mode 100644 trousers-0.3.14-no-optimize.patch
diff --git a/trousers-0.3.14-correct-security-issues.patch b/trousers-0.3.14-correct-security-issues.patch
new file mode 100644
index 0000000..afa80e9
--- /dev/null
+++ b/trousers-0.3.14-correct-security-issues.patch
@@ -0,0 +1,89 @@
+From e74dd1d96753b0538192143adf58d04fcd3b242b Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner
+Date: Fri, 14 Aug 2020 22:14:36 -0700
+Subject: [PATCH 1/2] Correct multiple security issues that are present if the
+ tcsd is started by root instead of the tss user.
+
+Patch fixes the following 3 CVEs:
+
+CVE-2020-24332
+If the tcsd daemon is started with root privileges,
+the creation of the system.data file is prone to symlink attacks
+
+CVE-2020-24330
+If the tcsd daemon is started with root privileges,
+it fails to drop the root gid after it is no longer needed
+
+CVE-2020-24331
+If the tcsd daemon is started with root privileges,
+the tss user has read and write access to the /etc/tcsd.conf file
+
+Authored-by: Matthias Gerstner
+Signed-off-by: Debora Velarde Babb
+---
+ src/tcs/ps/tcsps.c | 2 +-
+ src/tcsd/svrside.c | 1 +
+ src/tcsd/tcsd_conf.c | 10 +++++-----
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/src/tcs/ps/tcsps.c b/src/tcs/ps/tcsps.c
+index e47154b20612..85d45a96b7c3 100644
+--- a/src/tcs/ps/tcsps.c
++++ b/src/tcs/ps/tcsps.c
+@@ -72,7 +72,7 @@ get_file()
+ }
+
+ /* open and lock the file */
+- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
++ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
+ if (system_ps_fd < 0) {
+ LogError("system PS: open() of %s failed: %s",
+ tcsd_options.system_ps_file, strerror(errno));
+diff --git a/src/tcsd/svrside.c b/src/tcsd/svrside.c
+index 1ae1636f8730..1c12ff3afdd0 100644
+--- a/src/tcsd/svrside.c
++++ b/src/tcsd/svrside.c
+@@ -473,6 +473,7 @@ main(int argc, char **argv)
+ }
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
++ setgid(pwd->pw_gid);
+ setuid(pwd->pw_uid);
+ #endif
+ #endif
+diff --git a/src/tcsd/tcsd_conf.c b/src/tcsd/tcsd_conf.c
+index a31503df3f1f..ea8ea13f5f16 100644
+--- a/src/tcsd/tcsd_conf.c
++++ b/src/tcsd/tcsd_conf.c
+@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
+ #ifndef SOLARIS
+ struct group *grp;
+ struct passwd *pw;
+- mode_t mode = (S_IRUSR|S_IWUSR);
++ mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP);
+ #endif /* SOLARIS */
+ TSS_RESULT result;
+
+@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
+ }
+
+ /* make sure user/group TSS owns the conf file */
+- if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
++ if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
+ LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
+- TSS_USER_NAME, TSS_GROUP_NAME);
++ "root", TSS_GROUP_NAME);
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
+
+- /* make sure only the tss user can manipulate the config file */
++ /* make sure only the tss user can read (but not manipulate) the config file */
+ if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
+- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
++ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
+ #endif /* SOLARIS */
+--
+2.27.0
+
diff --git a/trousers-0.3.14-no-optimize.patch b/trousers-0.3.14-no-optimize.patch
new file mode 100644
index 0000000..a7af3df
--- /dev/null
+++ b/trousers-0.3.14-no-optimize.patch
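Review bot: In the svrside.c hunk the added `setgid(pwd->pw_gid);` is, like the `setuid(pwd->pw_uid);` after it, called without checking the return value, so a failed drop would leave tcsd running with root's gid or uid and nothing logged. Supplementary groups are not cleared either; the hunk shows no `setgroups()`/`initgroups()` call before the gid change, though main() extends beyond the hunk and may handle that elsewhere. I would make the drop fail closed, e.g. `if (setgroups(0, NULL) != 0 || setgid(pwd->pw_gid) != 0 || setuid(pwd->pw_uid) != 0) return TCSERR(TSS_E_INTERNAL_ERROR);`, with a `LogError` naming the failing call. Separately, `O_NOFOLLOW` in tcsps.c only refuses a symlink in the final path component, so the directory holding the system PS file still has to be non-writable by untrusted users; a comment at the `open()` should say so.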
@@ -0,0 +1,49 @@
+From 6edef3777f9b9a26e63168bb81c8d4f4ddb17017 Mon Sep 17 00:00:00 2001
+From: Jerry Snitselaar
+Date: Wed, 5 Jun 2019 11:51:33 -0700
+Subject: [PATCH 2/2] trousers: don't use __no_optimize
+
+The trousers is failing annocheck hardened check due to
+__no_optimize being used for __tspi_memset(). Instead of
+__no_optimize use a asm memory barrier.
+
+Signed-off-by: Jerry Snitselaar
+Signed-off-by: Debora Velarde Babb
+---
+ src/include/spi_utils.h | 2 +-
+ src/tspi/tsp_context_mem.c | 6 ++++--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/include/spi_utils.h b/src/include/spi_utils.h
+index 11255b20a21d..6ef21ce0cc83 100644
+--- a/src/include/spi_utils.h
++++ b/src/include/spi_utils.h
+@@ -53,7 +53,7 @@ MUTEX_DECLARE_EXTERN(mem_cache_lock);
+ void *calloc_tspi(TSS_HCONTEXT, UINT32);
+ TSS_RESULT free_tspi(TSS_HCONTEXT, void *);
+ TSS_RESULT __tspi_add_mem_entry(TSS_HCONTEXT, void *);
+-void * __no_optimize __tspi_memset(void *, int, size_t);
++void * __tspi_memset(void *, int, size_t);
+
+ /* secrets.c */
+
+diff --git a/src/tspi/tsp_context_mem.c b/src/tspi/tsp_context_mem.c
+index 2982df9fed06..2769af3662b9 100644
+--- a/src/tspi/tsp_context_mem.c
++++ b/src/tspi/tsp_context_mem.c
+@@ -258,8 +258,10 @@ free_tspi(TSS_HCONTEXT tspContext, void *memPointer)
+ }
+
+ /* definition for a memset that cannot be optimized away */
+-void * __no_optimize
++void *
+ __tspi_memset(void *s, int c, size_t n)
+ {
+- return memset(s, c, n);
++ memset(s, c, n);
++ asm volatile("" ::: "memory");
++ return s;
+ }
+--
+2.27.0
+
diff --git a/trousers.spec b/trousers.spec
index b6f9618..4e087f9 100644
--- a/trousers.spec
+++ b/trousers.spec
@@ -1,7 +1,7 @@
 Name: trousers
 Summary: TCG's Software Stack v1.2
 Version: 0.3.14
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: BSD
 Url: http://trousers.sourceforge.net
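Review bot: In `__tspi_memset` (src/tspi/tsp_context_mem.c) the barrier `asm volatile("" ::: "memory");` does not name the buffer, so if the function is ever inlined (LTO, or a later move into a header) on a buffer whose address does not otherwise escape, the compiler may still be allowed to treat the preceding `memset` as a dead store. Passing the pointer as an input operand ties the barrier to the cleared memory: `__asm__ __volatile__("" : : "r"(s) : "memory");`. The `__asm__` spelling also keeps the file building under strict `-std=c99`/`-std=c11`, where plain `asm` is not a keyword. The comment above the function should state that the guarantee relies on GCC/Clang extended asm, since other compilers get no such protection.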
@@ -14,6 +14,8 @@ Patch3: trousers-0.3.14-fix-indent-obj_policy.patch
 Patch4: trousers-0.3.14-double-free.patch
 Patch5: trousers-0.3.14-fix-indent-tspi_key.patch
 Patch6: trousers-0.3.14-tcsd-header-fix.patch
+Patch7: trousers-0.3.14-correct-security-issues.patch
+Patch8: trousers-0.3.14-no-optimize.patch
 BuildRequires: libtool, openssl-devel
 BuildRequires: systemd
@@ -95,7 +97,7 @@ exit 0
 %files
 %doc README ChangeLog
 %{_sbindir}/tcsd
-%config(noreplace) %attr(0600, tss, tss) %{_sysconfdir}/tcsd.conf
+%config(noreplace) %attr(0640, root, tss) %{_sysconfdir}/tcsd.conf
 %{_mandir}/man5/*
 %{_mandir}/man8/*
 %attr(644,root,root) %{_unitdir}/tcsd.service
@@ -118,6 +120,11 @@ exit 0
 %{_libdir}/libtddl.a
 %changelog
+* Thu Oct 29 2020 Jerry Snitselaar - 0.3.14-4
+- Fix for CVE-2020-24330 (RHBZ#1874824)
+- Fix for CVE-2020-24331 (RHBZ#1870057)
+- Fix for CVE-2020-24332 (RHBZ#1870053)
+
 * Tue Sep 15 2020 Peter Robinson - 0.3.14-3
 - Update user creation to latest guidelines
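Review bot: The `%attr(0640, root, tss)` change on the `%config(noreplace)` tcsd.conf entry only helps if the file already on disk ends up with exactly that owner and mode, because the patched `conf_file_init` rejects anything other than owner root, group tss, mode 0640. On an upgrade where the administrator has edited tcsd.conf, rpm keeps the existing file, and it should be confirmed whether its old tss:tss 0600 metadata gets updated; if it does not, tcsd would refuse to start after the update. No scriptlet that fixes this up is visible in these hunks (the rest of the spec is outside the diff), so consider adding to `%post` something like `chown root:tss %{_sysconfdir}/tcsd.conf && chmod 0640 %{_sysconfdir}/tcsd.conf`, or verify the upgrade path on a system with a modified config.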