2 years ago · 2d8e98203c
--- a/debian/patches/bullseye/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch
+++ b/debian/patches/bullseye/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch
@@ -0,0 +1,73 @@
 
				+Subject: Fix race condition when creating/rotating keys (#123)
			
 
				+Origin: v13-3-g8dbbed1 <https://github.com/latchset/tang/commit/v13-3-g8dbbed1>
			
 
				+Upstream-Author: Sergio Correia <scorreia@redhat.com>
			
 
				+Date: Wed Jun 14 10:53:20 2023 -0300
			
 
				+
			
 
				+    When we create/rotate keys using either the tangd-keygen and
			
 
				+    tangd-rotate-keys helpers, there is a small window between the
			
 
				+    keys being created and then the proper ownership permissions being
			
 
				+    set. This also happens when there are no keys and tang creates a
			
 
				+    pair of keys itself.
			
 
				+
			
 
				+    In certain situations, such as the keys directory having wide open
			
 
				+    permissions, a user with local access could exploit this race
			
 
				+    condition and read the keys before they are set to more restrictive
			
 
				+    permissions.
			
 
				+
			
 
				+    To prevent this issue, we now set the default umask to 0337 before
			
 
				+    creating the files, so that they are already created with restrictive
			
 
				+    permissions; afterwards, we set the proper ownership as usual.
			
 
				+
			
 
				+    Issue reported by Brian McDermott of CENSUS labs.
			
 
				+
			
 
				+    Fixes CVE-2023-1672
			
 
				+
			
 
				+
			
 
				+    Reviewed-by: Sergio Arroutbi <sarroutb@redhat.com>
			
 
				+    Signed-off-by: Sergio Correia <scorreia@redhat.com>
			
 
				+
			
 
				+--- a/src/keys.c
			
 
				++++ b/src/keys.c
			
 
				+@@ -17,6 +17,7 @@
			
 
				+  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
			
 
				+  */
			
 
				+ 
			
 
				++#include <sys/stat.h>
			
 
				+ #include <stdlib.h>
			
 
				+ #include <string.h>
			
 
				+ #include <dirent.h>
			
 
				+@@ -304,6 +305,9 @@
			
 
				+     const char** hashes = supported_hashes();
			
 
				+     const char* alg[] = {"ES512", "ECMR", NULL};
			
 
				+     char path[PATH_MAX];
			
 
				++
			
 
				++    /* Set default umask for file creation. */
			
 
				++    umask(0337);
			
 
				+     for (int i = 0; alg[i] != NULL; i++) {
			
 
				+         json_auto_t* jwk = jwk_generate(alg[i]);
			
 
				+         if (!jwk) {
			
 
				+--- a/src/tangd-keygen
			
 
				++++ b/src/tangd-keygen
			
 
				+@@ -27,6 +27,9 @@
			
 
				+ 
			
 
				+ [ $# -eq 3 ] && sig=$2 && exc=$3
			
 
				+ 
			
 
				++# Set default umask for file creation.
			
 
				++umask 0337
			
 
				++
			
 
				+ jwe=`jose jwk gen -i '{"alg":"ES512"}'`
			
 
				+ [ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-`
			
 
				+ echo "$jwe" > $1/$sig.jwk
			
 
				+--- a/src/tangd-rotate-keys
			
 
				++++ b/src/tangd-rotate-keys
			
 
				+@@ -72,6 +72,10 @@
			
 
				+ 
			
 
				+     # Create a new set of keys.
			
 
				+     DEFAULT_THP_HASH="S256"
			
 
				++
			
 
				++    # Set default umask for file creation.
			
 
				++    umask 0337
			
 
				++
			
 
				+     for alg in "ES512" "ECMR"; do
			
 
				+         json="$(printf '{"alg": "%s"}' "${alg}")"
			
 
				+         jwe="$(jose jwk gen --input "${json}")"
			
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,5 +13,7 @@ for-upstream/2018-08-12.add-systemd-documentation-key.patch
 
				 debian/2021-04-19.non-usrmerged.patch
			
 
				 
			
 
				 # cherry-picked after the stable release
			
 
				-# CVE-2021-4076:
			
 
				+# CVE-2021-4076
			
 
				 bullseye/1639480721.v10-9-ge82459f.keys-move-signing-part-out-of-find-by-thp-and-to-find-jws-81.patch
			
 
				+# CVE-2023-1672
			
 
				+bullseye/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch