vor 1 Jahr · 6b8233f119
--- a/debian/patches/bookworm/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch
+++ b/debian/patches/bookworm/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch
@@ -0,0 +1,66 @@
 
				+Subject: Fix race condition when creating/rotating keys (#123)
			
 
				+Origin: v13-3-g8dbbed1 <https://github.com/latchset/tang/commit/v13-3-g8dbbed1>
			
 
				+Upstream-Author: Sergio Correia <scorreia@redhat.com>
			
 
				+Date: Wed Jun 14 10:53:20 2023 -0300
			
 
				+
			
 
				+    When we create/rotate keys using either the tangd-keygen and
			
 
				+    tangd-rotate-keys helpers, there is a small window between the
			
 
				+    keys being created and then the proper ownership permissions being
			
 
				+    set. This also happens when there are no keys and tang creates a
			
 
				+    pair of keys itself.
			
 
				+
			
 
				+    In certain situations, such as the keys directory having wide open
			
 
				+    permissions, a user with local access could exploit this race
			
 
				+    condition and read the keys before they are set to more restrictive
			
 
				+    permissions.
			
 
				+
			
 
				+    To prevent this issue, we now set the default umask to 0337 before
			
 
				+    creating the files, so that they are already created with restrictive
			
 
				+    permissions; afterwards, we set the proper ownership as usual.
			
 
				+
			
 
				+    Issue reported by Brian McDermott of CENSUS labs.
			
 
				+
			
 
				+    Fixes CVE-2023-1672
			
 
				+
			
 
				+
			
 
				+    Reviewed-by: Sergio Arroutbi <sarroutb@redhat.com>
			
 
				+    Signed-off-by: Sergio Correia <scorreia@redhat.com>
			
 
				+
			
 
				+--- a/src/keys.c
			
 
				++++ b/src/keys.c
			
 
				+@@ -307,6 +307,9 @@
			
 
				+ {
			
 
				+     const char* alg[] = {"ES512", "ECMR", NULL};
			
 
				+     char path[PATH_MAX];
			
 
				++
			
 
				++    /* Set default umask for file creation. */
			
 
				++    umask(0337);
			
 
				+     for (int i = 0; alg[i] != NULL; i++) {
			
 
				+         json_auto_t* jwk = jwk_generate(alg[i]);
			
 
				+         if (!jwk) {
			
 
				+--- a/src/tangd-keygen.in
			
 
				++++ b/src/tangd-keygen.in
			
 
				+@@ -38,6 +38,10 @@
			
 
				+ [ $# -eq 3 ] && sig=$2 && exc=$3
			
 
				+ 
			
 
				+ THP_DEFAULT_HASH=S256     # SHA-256.
			
 
				++
			
 
				++# Set default umask for file creation.
			
 
				++umask 0337
			
 
				++
			
 
				+ jwe=$(jose jwk gen -i '{"alg":"ES512"}')
			
 
				+ [ -z "$sig" ] && sig=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
			
 
				+ echo "$jwe" > "$1/$sig.jwk"
			
 
				+--- a/src/tangd-rotate-keys.in
			
 
				++++ b/src/tangd-rotate-keys.in
			
 
				+@@ -79,6 +79,10 @@
			
 
				+ 
			
 
				+     # Create a new set of keys.
			
 
				+     DEFAULT_THP_HASH="S256"
			
 
				++
			
 
				++    # Set default umask for file creation.
			
 
				++    umask 0337
			
 
				++
			
 
				+     for alg in "ES512" "ECMR"; do
			
 
				+         json="$(printf '{"alg": "%s"}' "${alg}")"
			
 
				+         jwe="$(jose jwk gen --input "${json}")"
			
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,7 @@ for-upstream/2021-09-30.run-as-tang-user.patch
 
				 debian/2021-04-19.non-usrmerged.patch
			
 
				 debian/2021-09-30.use-var-lib.patch
			
 
				 debian/2021-09-30.xinetd-support.patch
			
 
				+
			
 
				+# cherry-picked after the stable release
			
 
				+# CVE-2023-1672
			
 
				+bookworm/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch