CVE-2020-24330 – trousers: fails to drop the root gid privilege when no longer needed
https://notcve.org/view.php?id=CVE-2020-24330
An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges instead of by the tss user, it fails to drop the root gid privilege when no longer needed. Se detectó un problema en TrouSerS versiones hasta 0.3.14. Si el demonio tcsd es iniciado con privilegios root en lugar de hacerlo por el usuario tss, se produce un fallo al no poder eliminar el privilegio de root gid cuando ya no es necesario • http://www.openwall.com/lists/oss-security/2020/08/14/1 https://bugzilla.suse.com/show_bug.cgi?id=1164472 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SSDL7COIFCZQMUBNAASNMKMX7W5JUHRD https://seclists.org/oss-sec/2020/q2/att-135/tcsd_fixes.patch https://sourceforge.net/p/trousers/mailman/message/37015817 https://access.redhat.com/security/cve/CVE-2020-24330 https://bugzilla.redhat.com/show_bug.cgi?id=1870054 • CWE-269: Improper Privilege Management CWE-271: Privilege Dropping / Lowering Errors •
CVE-2020-24331 – trousers: tss user still has read and write access to the /etc/tcsd.conf file if tcsd is started as root
https://notcve.org/view.php?id=CVE-2020-24331
An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges, the tss user still has read and write access to the /etc/tcsd.conf file (which contains various settings related to this daemon). Se detectó un problema en TrouSerS versiones hasta 0.3.14. Si el demonio tcsd es iniciado con privilegios root, el usuario tss aún tiene acceso de lectura y escritura al archivo /etc/tcsd.conf (que contiene varias configuraciones relacionadas con este demonio) • http://www.openwall.com/lists/oss-security/2020/08/14/1 https://bugzilla.suse.com/show_bug.cgi?id=1164472 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SSDL7COIFCZQMUBNAASNMKMX7W5JUHRD https://seclists.org/oss-sec/2020/q2/att-135/tcsd_fixes.patch https://sourceforge.net/p/trousers/mailman/message/37015817 https://access.redhat.com/security/cve/CVE-2020-24331 https://bugzilla.redhat.com/show_bug.cgi?id=1870056 • CWE-269: Improper Privilege Management •