Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id <84bb5ff8312f749ebe536897993782bf35aa1977.camel@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1040668,
regarding bullseye-pu: package tang/8-3+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1040668: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040668
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package tang/8-3+deb11u1
- From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
- Date: Sat, 8 Jul 2023 23:14:00 +0200
- Message-id: <1688850696@msgid.manchmal.in-ulm.de>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: tang@packages.debian.org
Control: affects -1 + src:tang

This is the bullseye version of #1040646

[ Reason ]
Fix https://security-tracker.debian.org/tracker/CVE-2023-1672 for Debian 11 ("bullseye"), tagged "no-dsa (minor)" by the security team.

The problem of creating key material without restrictive file permissions probably existed upstream since always. Up to and including Debian 10 ("buster") however, this situation was caught by enforcing restrictive permissions on the key directory. With Debian 11 ("bullseye") a change in the creation of that directory caused it to be created with a too permissive mode.

[ Impact ]
Without the change being accepted, the directory that holds the private key would stay world-readable. Also this would continue to put users at risk who configured a different key directory but did not enforce restrictive access permissions.

[ Tests ]
No automated tests I'm aware of. Of course I did a manual test, and the outcome matched the expectations.

[ Risks ]
The changes are small and rather straight-forward. I'd be surprised if they introduce problems.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable (14.1)

[ Changes ]
* Assert restrictive permissions of the key directory in Debian's postinst. For regular users and new installations.
* Upstream's change to create the key file with restrictive permissions. Mostly for users who configure a different key directory.
* Recommend a key rotation in setups where this seems wise, add some details in NEWS.Debian.
* Make the key rotation program executable as it should always have been.
Regards, Christophdiff -Nru tang-8/debian/changelog tang-8/debian/changelog --- tang-8/debian/changelog 2021-12-16 20:47:10.000000000 +0100 +++ tang-8/debian/changelog 2023-07-08 12:41:29.000000000 +0200 @@ -1,3 +1,14 @@ +tang (8-3+deb11u2) bullseye; urgency=high + + * Fix CVE-2023-1672: + - Cherry-pick "Fix race condition when creating/rotating keys" + - Assert restrictive permissions on tang's key directory + In existing multi-user bullseye installations, rotating the keys + is suggested. + * Make the tangd-rotate-keys program executable + + -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de> Sat, 08 Jul 2023 12:41:29 +0200 + tang (8-3+deb11u1) bullseye-security; urgency=high * Fix data leak [CVE-2021-4076] diff -Nru tang-8/debian/patches/bullseye/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch tang-8/debian/patches/bullseye/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch --- tang-8/debian/patches/bullseye/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch 1970-01-01 01:00:00.000000000 +0100 +++ tang-8/debian/patches/bullseye/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch 2023-07-08 12:41:29.000000000 +0200 
@@ -0,0 +1,73 @@ +Subject: Fix race condition when creating/rotating keys (#123) +Origin: v13-3-g8dbbed1 <https://github.com/latchset/tang/commit/v13-3-g8dbbed1> +Upstream-Author: Sergio Correia <scorreia@redhat.com> +Date: Wed Jun 14 10:53:20 2023 -0300 + + When we create/rotate keys using either the tangd-keygen and + tangd-rotate-keys helpers, there is a small window between the + keys being created and then the proper ownership permissions being + set. This also happens when there are no keys and tang creates a + pair of keys itself. + + In certain situations, such as the keys directory having wide open + permissions, a user with local access could exploit this race + condition and read the keys before they are set to more restrictive + permissions. + + To prevent this issue, we now set the default umask to 0337 before + creating the files, so that they are already created with restrictive + permissions; afterwards, we set the proper ownership as usual. + + Issue reported by Brian McDermott of CENSUS labs. + + Fixes CVE-2023-1672 + + + Reviewed-by: Sergio Arroutbi <sarroutb@redhat.com> + 
Signed-off-by: Sergio Correia <scorreia@redhat.com> + +--- a/src/keys.c ++++ b/src/keys.c +@@ -17,6 +17,7 @@ + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + ++#include <sys/stat.h> + #include <stdlib.h> + #include <string.h> + #include <dirent.h> +@@ -304,6 +305,9 @@ + const char** hashes = supported_hashes(); + const char* alg[] = {"ES512", "ECMR", NULL}; + char path[PATH_MAX]; ++ ++ /* Set default umask for file creation. */ ++ umask(0337); + for (int i = 0; alg[i] != NULL; i++) { + json_auto_t* jwk = jwk_generate(alg[i]); + if (!jwk) { +--- a/src/tangd-keygen ++++ b/src/tangd-keygen +@@ -27,6 +27,9 @@ + + [ $# -eq 3 ] && sig=$2 && exc=$3 + ++# Set default umask for file creation. ++umask 0337 ++ + jwe=`jose jwk gen -i '{"alg":"ES512"}'` + [ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-` + echo "$jwe" > $1/$sig.jwk +--- a/src/tangd-rotate-keys ++++ b/src/tangd-rotate-keys +@@ -72,6 +72,10 @@ + + # Create a new set of keys. + DEFAULT_THP_HASH="S256" ++ ++ # Set default umask for file creation. ++ umask 0337 ++ + for alg in "ES512" "ECMR"; do + json="$(printf '{"alg": "%s"}' "${alg}")" + jwe="$(jose jwk gen --input "${json}")" diff -Nru tang-8/debian/patches/series tang-8/debian/patches/series --- tang-8/debian/patches/series 2021-12-16 20:47:10.000000000 +0100 +++ tang-8/debian/patches/series 2023-07-08 12:41:29.000000000 +0200 @@ -13,5 +13,7 @@ debian/2021-04-19.non-usrmerged.patch # cherry-picked after the stable release -# CVE-2021-4076: +# CVE-2021-4076 bullseye/1639480721.v10-9-ge82459f.keys-move-signing-part-out-of-find-by-thp-and-to-find-jws-81.patch +# CVE-2023-1672 +bullseye/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch diff -Nru tang-8/debian/rules tang-8/debian/rules --- tang-8/debian/rules 2021-12-15 23:52:10.000000000 +0100 +++ tang-8/debian/rules 2023-07-08 12:41:29.000000000 +0200 
@@ -10,4 +10,8 @@ override_dh_auto_install: dh_auto_install --buildsystem=meson rm -rf debian/tang/usr/share/licenses - mkdir -p debian/tang/var/db/tang + mkdir -m0750 -p debian/tang/var/db/tang + +override_dh_fixperms: + chmod 755 debian/tang/usr/libexec/tangd-rotate-keys + dh_fixperms $@ -Xvar/db/tang diff -Nru tang-8/debian/tang.NEWS tang-8/debian/tang.NEWS --- tang-8/debian/tang.NEWS 1970-01-01 01:00:00.000000000 +0100 +++ tang-8/debian/tang.NEWS 2023-07-08 12:41:29.000000000 +0200 @@ -0,0 +1,13 @@ +tang (8-3+deb11u2) bullseye; urgency=high + + * In existing bullseye installations, the key directory has world- + readable access permissions. If untrusted users have access to that + systems, administrators might want to do a key rotation after this + upgrade. + + To do so, run: /usr/libexec/tangd-rotate-keys -v -d /var/db/tang + + See https://manpages.debian.org/bookworm/tang-common/tangd-rotate-keys.1.en.html + for details. + + -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de> Sat, 08 Jul 2023 12:41:29 +0200 diff -Nru tang-8/debian/tang.postinst tang-8/debian/tang.postinst --- tang-8/debian/tang.postinst 1970-01-01 01:00:00.000000000 +0100 +++ tang-8/debian/tang.postinst 2023-07-08 12:41:29.000000000 +0200 @@ -0,0 +1,19 @@ +#!/bin/sh + +set -e + +case "$1" in + configure) + # assert restrictive permissions on the key directory + chmod 0750 /var/db/tang + ;; + abort-upgrade | abort-remove | abort-deconfigure) ;; + + *) + echo "postinst called with unknown argument '$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# +exit 0Attachment: signature.asc
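Review bot: in the src/keys.c hunk, `umask(0337);` is set process-wide on the key-generation path and never restored, so every file tangd creates after this point, not only the JWK files, comes out with at most mode 0440. If anything else in the daemon writes files later, save the previous mask with `mode_t old = umask(0337);` and restore it with `umask(old);` once the keys are written. The mask itself is the right choice for the purpose: with the usual 0666 creation mode the result is 0440, readable by owner and group only.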
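Review bot: in the src/tangd-keygen hunk, `umask 0337` only governs files that do not exist yet; the following `echo "$jwe" > $1/$sig.jwk` truncates an already existing file in place and leaves its old mode untouched, so keys created before this fix stay world-readable until rotated, which is exactly why the rotation advice in the NEWS entry is needed and should stay. The unquoted `$1/$sig.jwk` in the context lines predates this patch, but while the script is being touched it is worth quoting as `"$1/$sig.jwk"`.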
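Review bot: in the debian/rules hunk, `dh_fixperms $@ -Xvar/db/tang` passes make's `$@`, which inside an override target expands to the target name `override_dh_fixperms`, to dh_fixperms as a stray positional argument; the usual form is plain `dh_fixperms -Xvar/db/tang`. The `-X` exclusion itself is required, because dh_fixperms would otherwise make the directory created by `mkdir -m0750 -p` group/other readable again, and running the `chmod 755` on tangd-rotate-keys before dh_fixperms is the right order.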
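Review bot: in the debian/tang.NEWS hunk, a bullseye NEWS entry links to the bookworm manpage (`https://manpages.debian.org/bookworm/tang-common/tangd-rotate-keys.1.en.html`); if the bullseye package ships no tangd-rotate-keys manpage of its own this is defensible, but then say so in the entry, otherwise point at the bullseye page. Also "access to that systems" should read "access to that system".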
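Review bot: in the debian/tang.postinst hunk, `chmod 0750 /var/db/tang` runs unconditionally under `set -e`, so on a system where the administrator removed or replaced the packaged directory (the report itself mentions users configuring a different key directory) it would abort configure; guarding it with `if [ -d /var/db/tang ]; then chmod 0750 /var/db/tang; fi` keeps the upgrade robust. Note also that the chmod changes only the mode, not the owner or group, so 0750 is only as tight as the group that owns that directory.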
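As an added example (not code from the tang package or from this bug report), the following POSIX shell script reproduces what the `umask 0337` change described under [ Changes ] does and does not do: it governs only files created after it is set, so a key file that already exists keeps its old mode, which is the reason behind the key rotation advice. It assumes `mktemp -d` and GNU `stat -c '%a'` are available, and constructs throwaway JWK-named files in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of tang or the Debian packaging.
# Assumes POSIX sh, mktemp and GNU stat.
set -eu

# Octal permission bits of a path, e.g. 440.
mode_of() { stat -c '%a' "$1"; }

# Create a fresh key file under the given umask and report its mode.
# This mirrors tangd-keygen's `echo "$jwe" > $1/$sig.jwk` after the fix:
# umask 0337 masks the shell's 0666 creation mode down to 0440.
mode_after_create() {
    dir=$(mktemp -d); file="$dir/key.jwk"
    (umask "$1"; echo '{"constructed":"key"}' > "$file")
    mode_of "$file"; rm -rf "$dir"
}

# Create a key file with a permissive umask, then rewrite it under the
# restrictive one. The mode stays as created: umask applies only to new
# inodes, so keys that predate the fix are not tightened by it.
mode_after_rewrite() {
    dir=$(mktemp -d); file="$dir/key.jwk"
    (umask 022;  echo '{"constructed":"old key"}' > "$file")
    (umask 0337; echo '{"constructed":"new key"}' > "$file")
    mode_of "$file"; rm -rf "$dir"
}

# Audit check for a key directory: returns 0 if any *.jwk file in it is
# readable by "other" (the world-readable condition CVE-2023-1672 is
# about), 1 if none is.
keys_world_readable() {
    for f in "$1"/*.jwk; do
        [ -e "$f" ] || continue
        case $(mode_of "$f") in
            *[4-7]) return 0 ;;   # last octal digit has the read bit set
        esac
    done
    return 1
}
```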
--- End Message ---
--- Begin Message ---
- Subject: Closing opu requests for updates included in 11.8
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 07 Oct 2023 12:41:28 +0100
- Message-id: <84bb5ff8312f749ebe536897993782bf35aa1977.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---