A security issue in the TrouSerS tcsd daemon has been announced today (May 20): https://www.openwall.com/lists/oss-security/2020/05/20/3 A preliminary suggested fix is attached to the message above. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
The reference given above is a long & thorough discourse. The attached patch is what matters! Obliged to assign this globally owing to lack of an identifiable maintainer.
Assignee: bugsquad => pkg-bugs
rpms:
trousers-0.3.14-4.1.mga7
libtspi1-0.3.14-4.1.mga7
libtrousers-devel-0.3.14-4.1.mga7

from: trousers-0.3.14-4.1.mga7
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
CC: (none) => mageia
Assignee: pkg-bugs => qa-bugs
Build failed in Cauldron with a nonsensical error from ld: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20200521233432.neoclust.duvel.23314/log/trousers-0.3.14-6.mga8/build.0.20200521233507.log
Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron
CC: (none) => qa-bugs
Assignee: qa-bugs => pkg-bugs
Status comment: (none) => Build failed in Cauldron
CVE-2020-2433[0-2] have been assigned for this: https://www.openwall.com/lists/oss-security/2020/08/14/1
Summary: trousers new security issue in tcsd => trousers new security issues in tcsd (CVE-2020-2433[0-2])
Guillaume fixed the Cauldron build in trousers-0.3.14-7.mga8.
Status comment: Build failed in Cauldron => (none)
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Is this build in mga7? Regards,
CC: (none) => ouaurelien
Yes, package list in Comment 2. Advisory to come later.
MGA7-64 Plasma on Lenovo B50
No installation issues.
No previous updates, no wiki.
Info in MCC: "You can use TrouSerS to write applications that make use of your TPM hardware".
The command in the package is tcsd - d meaning daemon? So had a go at it in root CLI:

# systemctl -l status tcsd
● tcsd.service - TCG Core Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/tcsd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

# systemctl start tcsd
Job for tcsd.service failed because the control process exited with error code.
See "systemctl status tcsd.service" and "journalctl -xe" for details.

# systemctl -l status tcsd
● tcsd.service - TCG Core Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/tcsd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2020-08-24 11:24:26 CEST; 2min 28s ago

Aug 24 11:24:26 mach5.hviaene.thuis systemd[1]: Starting TCG Core Services Daemon...
Aug 24 11:24:26 mach5.hviaene.thuis TCSD[20220]: TrouSerS ERROR: TCSD config file (/etc/tcsd.conf) must be user/group root/tss
Aug 24 11:24:26 mach5.hviaene.thuis systemd[1]: tcsd.service: Control process exited, code=exited, status=4/NOPERMISSION
Aug 24 11:24:26 mach5.hviaene.thuis systemd[1]: tcsd.service: Failed with result 'exit-code'.
Aug 24 11:24:26 mach5.hviaene.thuis systemd[1]: Failed to start TCG Core Services Daemon.

I looked at the access rights for the conf file and found user/group being tss/tss. So changed it to: user root with full access and group tss read-only, then tried again.

# systemctl start tcsd
Job for tcsd.service failed because the control process exited with error code.
See "systemctl status tcsd.service" and "journalctl -xe" for details.

# systemctl -l status tcsd
● tcsd.service - TCG Core Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/tcsd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2020-08-24 11:27:07 CEST; 4s ago
  Process: 32558 ExecStart=/sbin/tcsd (code=exited, status=137)

Aug 24 11:27:07 mach5.hviaene.thuis systemd[1]: Starting TCG Core Services Daemon...
Aug 24 11:27:07 mach5.hviaene.thuis tcsd[32558]: TCSD TDDL[32558]: TrouSerS ERROR: Could not find a device to open!
Aug 24 11:27:07 mach5.hviaene.thuis systemd[1]: tcsd.service: Control process exited, code=exited, status=137/n/a
Aug 24 11:27:07 mach5.hviaene.thuis systemd[1]: tcsd.service: Failed with result 'exit-code'.
Aug 24 11:27:07 mach5.hviaene.thuis systemd[1]: Failed to start TCG Core Services Daemon.

So, it seems happy with the settings for the conf file, but refuses to run when there is no suitable device present. That sounds reasonable to me.
Leaves me wondering whether we can let this go with a faulty access right setting on the conf file??? I would vote for a nogo.
CC: (none) => herman.viaene
Interesting. I'm guessing you don't have a /dev/tpm0. If you do, what is the ownership of it? From reading the post linked in Comment 0, it sounds like it's better to have tpm ownership than root ownership. Maybe the conf_file_init() function needs to be patched to expect that.
Keywords: (none) => feedback
There is no such thing as /dev/tpm0 on this laptop. I agree there is a contradiction between the post and the observed behavior of tcsd. Which one is right might be not ours to decide.
CC: ouaurelien => (none)
Assignee: qa-bugs => mageia
Fedora has issued an advisory for this today (November 5): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SSDL7COIFCZQMUBNAASNMKMX7W5JUHRD/
Fedora's fix: https://src.fedoraproject.org/rpms/trousers/c/3459d0cdf62335d30ae118a8952e34165f14782d?branch=master Note the change to tcsd.conf that we missed.
Status comment: (none) => Needs change to tcsd.conf from Fedora
RedHat has issued an advisory for this on May 18: https://access.redhat.com/errata/RHSA-2021:1627
tcsd.conf ownership and permissions fixed in trousers-0.3.14-4.2.mga7.
Status comment: Needs change to tcsd.conf from Fedora => (none)
CC: qa-bugs => (none)
Assignee: mageia => qa-bugs
Keywords: feedback => (none)
Installed trousers-0.3.14-4.2.mga7 and lib64tspi1-0.3.14-4.2.mga7

# systemctl -l status tcsd
● tcsd.service - TCG Core Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/tcsd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

[root@mach5 ~]# systemctl start tcsd
Job for tcsd.service failed because the control process exited with error code.
See "systemctl status tcsd.service" and "journalctl -xe" for details.

[root@mach5 ~]# systemctl -l status tcsd
● tcsd.service - TCG Core Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/tcsd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2021-06-23 13:40:27 CEST; 4s ago
  Process: 5057 ExecStart=/sbin/tcsd (code=exited, status=137)

Jun 23 13:40:27 mach5.hviaene.thuis systemd[1]: Starting TCG Core Services Daemon...
Jun 23 13:40:27 mach5.hviaene.thuis tcsd[5057]: TCSD TDDL[5057]: TrouSerS ERROR: Could not find a device to open!
Jun 23 13:40:27 mach5.hviaene.thuis systemd[1]: tcsd.service: Control process exited, code=exited, status=137/n/a
Jun 23 13:40:27 mach5.hviaene.thuis systemd[1]: tcsd.service: Failed with result 'exit-code'.
Jun 23 13:40:27 mach5.hviaene.thuis systemd[1]: Failed to start TCG Core Services Daemon.

This is as stated in Comment 8: the issue of the conf file is gone (checked the access rights), but having no such HW, this behavior is acceptable to me. So OK for me.
Whiteboard: (none) => MGA7-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory:
========================

Updated trousers packages fix security vulnerabilities:

An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges instead of by the tss user, it fails to drop the root gid privilege when no longer needed (CVE-2020-24330).

An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges, the tss user still has read and write access to the /etc/tcsd.conf file (which contains various settings related to this daemon) (CVE-2020-24331).

An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges, the creation of the system.data file is prone to symlink attacks. The tss user can be used to create or corrupt existing files, which could possibly lead to a DoS attack (CVE-2020-24332).

References:
- https://bugs.mageia.org/show_bug.cgi?id=26658
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24330
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24331
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24332
- https://www.openwall.com/lists/oss-security/2020/08/14/1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SSDL7COIFCZQMUBNAASNMKMX7W5JUHRD/
========================

Updated packages in core/updates_testing:
========================
trousers-0.3.14-4.1.mga7
lib(64)tspi1-0.3.14-4.1.mga7
lib(64)trousers-devel-0.3.14-4.1.mga7

from: trousers-0.3.14-4.1.mga7
CC: (none) => ouaurelien
Keywords: (none) => advisory
CVE: (none) => CVE-2020-2433[0-2]
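The three issues in the advisory above, and the tcsd.conf ownership/permission check that the QA comments ran into, each come down to one small piece of daemon hygiene: refuse a config file that is not root-owned and group-readable only, drop the gid before the uid and verify the drop, and create the state file with O_EXCL|O_NOFOLLOW so a planted symlink cannot redirect or clobber anything. The following is an added example written for this page in plain POSIX C; it is not TrouSerS code and not from any participant in this bug. The function names (config_perms_ok, drop_privileges, open_private_file, run_demo) and the /tmp demo directory are hypothetical, and it assumes a Linux/glibc build with a writable /tmp.

```c
/* Added example (not TrouSerS code): daemon-hardening checks matching the
 * three advisory items. Names and the /tmp demo layout are hypothetical. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* CVE-2020-24331 analogue: config must be a regular file owned by want_uid
 * (root in a real deployment), group want_gid (tss), and writable by neither
 * the group nor "other". lstat() also rejects a symlinked config. */
int config_perms_ok(const char *path, uid_t want_uid, gid_t want_gid)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != want_uid || st.st_gid != want_gid)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IRWXO))   /* group-write or any other-access */
        return 0;
    return 1;
}

/* CVE-2020-24330 analogue: drop the gid before the uid (after setuid() an
 * unprivileged process can no longer change its gid), then verify that the
 * new ids took effect and that root cannot be regained. 0 = ok, -1 = fail. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)  /* clear supplementary groups */
        return -1;
    if (setgid(gid) != 0)                           /* gid first */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (getegid() != gid || geteuid() != uid)
        return -1;
    if (uid != 0 && setuid(0) == 0)                 /* regaining root must fail */
        return -1;
    return 0;
}

/* CVE-2020-24332 analogue: O_EXCL refuses any existing path (a symlink too),
 * O_NOFOLLOW never follows the last component, and the explicit fchmod keeps
 * the state file private regardless of umask. Returns an fd or -1. */
int open_private_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0 && fchmod(fd, 0600) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-contained demo in a fresh temp dir (constructed input): a config with
 * bad then good mode, and a symlink planted at the state-file path.
 * Returns 0 only if every check behaves as intended. */
int run_demo(void)
{
    char dir[] = "/tmp/tcsd-demo-XXXXXX";   /* assumption: /tmp is writable */
    char conf[128], victim[128], state[128];
    struct stat st;
    int rc = -1, fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(conf, sizeof conf, "%s/tcsd.conf", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(state, sizeof state, "%s/system.data", dir);

    /* 1. config: 0666 is rejected, 0640 (root/tss read-only for the group) is accepted */
    if ((fd = open(conf, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) goto out;
    if (fchmod(fd, 0666) != 0 || config_perms_ok(conf, getuid(), getgid())) goto out;
    if (fchmod(fd, 0640) != 0 || !config_perms_ok(conf, getuid(), getgid())) goto out;
    close(fd);

    /* 2. symlink attack: system.data -> victim must be refused with EEXIST */
    if ((fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) goto out;
    close(fd);
    if (symlink(victim, state) != 0) goto out;
    if ((fd = open_private_file(state)) >= 0 || errno != EEXIST) goto out;

    /* 3. with the link gone, creation succeeds and yields a private regular file */
    if (unlink(state) != 0 || (fd = open_private_file(state)) < 0) goto out;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || (st.st_mode & 077) != 0) goto out;
    close(fd);

    /* 4. privilege drop to our own ids must still pass its own verification */
    if (drop_privileges(getuid(), getgid()) != 0) goto out;
    rc = 0;
out:
    unlink(state); unlink(victim); unlink(conf); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("demo %s\n", rc == 0 ? "ok" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```

The order in drop_privileges is the whole point of the first CVE: once the uid is gone, a later setgid() is refused, so a daemon that calls setuid() first keeps its root gid for good. For the third CVE the choice is O_EXCL rather than unlink-then-create, since the unlink/create window is itself a race against the directory's writer.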
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0297.html
Status: NEW => RESOLVEDResolution: (none) => FIXED