From 82a6b7b258da754be9155519edc3d632edc3fb9a Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Tue, 26 Jan 2021 22:49:13 +0100
Subject: [PATCH] trousers: 0.3.14 -> 0.3.15

Fix CVE-2020-24332, CVE-2020-24330 and CVE-2020-24331.
---
 .../trousers/allow-non-tss-config-file-owner.patch | 4 ++--
 pkgs/tools/security/trousers/default.nix | 10 ++++------
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/pkgs/tools/security/trousers/allow-non-tss-config-file-owner.patch b/pkgs/tools/security/trousers/allow-non-tss-config-file-owner.patch
index 774a14f72bab..391eb1ad589d 100644
--- a/pkgs/tools/security/trousers/allow-non-tss-config-file-owner.patch
+++ b/pkgs/tools/security/trousers/allow-non-tss-config-file-owner.patch
@@ -7,10 +7,10 @@ diff -ur trousers-0.3.11.2.orig/src/tcsd/tcsd_conf.c trousers-0.3.11.2/src/tcsd/
 +#ifndef ALLOW_NON_TSS_CONFIG_FILE
  /* make sure user/group TSS owns the conf file */
- if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
+ if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
  LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
 @@ -775,6 +776,7 @@
- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
+ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
  return TCSERR(TSS_E_INTERNAL_ERROR);
  }
 +#endif
diff --git a/pkgs/tools/security/trousers/default.nix b/pkgs/tools/security/trousers/default.nix
index c7a11e16f390..16536409b5e6 100644
--- a/pkgs/tools/security/trousers/default.nix
+++ b/pkgs/tools/security/trousers/default.nix
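Review bot: The rebased hunk keeps the `#ifndef ALLOW_NON_TSS_CONFIG_FILE` / `#endif` guard around tcsd's config-file owner and mode check, so on any build that defines that macro the hardened 0.3.15 check this commit picks up (`stat_buf.st_uid != 0`, mode 0640) is compiled out together with the old one, and tcsd.conf ownership and permissions are presumably no longer validated at all. Whether default.nix defines the macro is not visible here (its hunk ends at `patches`), so please confirm it does not, or that the bypass is intentional. Either way the patch file carries no explanation of why the check is disabled in nixpkgs, and a one-line header such as `# Compiles out tcsd.conf owner/mode validation only when ALLOW_NON_TSS_CONFIG_FILE is defined; keep in sync with upstream tcsd_conf.c on each bump` would make the next rebase against a CVE-driven release easier to judge. The enclosing C function in tcsd_conf.c starts and ends outside the hunk.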
@@ -1,17 +1,15 @@
-{ lib, stdenv, fetchurl, openssl, pkg-config }:
+{ lib, stdenv, fetchurl, openssl, pkg-config, autoreconfHook }:
 
 stdenv.mkDerivation rec {
 pname = "trousers";
- version = "0.3.14";
+ version = "0.3.15";
 
 src = fetchurl {
 url = "mirror://sourceforge/trousers/trousers/${version}/${pname}-${version}.tar.gz";
- sha256 = "0iwgsbrbb7nfqgl61x8aailwxm8akxh9gkcwxhsvf50x4qx72l6f";
+ sha256 = "0zy7r9cnr2gvwr2fb1q4fc5xnvx405ymcbrdv7qsqwl3a4zfjnqy";
 };
 
- sourceRoot = ".";
-
- nativeBuildInputs = [ pkg-config ];
+ nativeBuildInputs = [ pkg-config autoreconfHook ];
 buildInputs = [ openssl ];
 
 patches = [ ./allow-non-tss-config-file-owner.patch ];