Created attachment 242976
Patches Makefile and distinfo to version 14

Patch against current for updates to Makefile and distinfo

Fix race condition when creating/rotating keys (8dbbed1)
Hello, is there a record for CVE-2023-1672?
(In reply to Nuno Teixeira from comment #1) It looks like it's been reserved but not published. I'm just going off of https://github.com/latchset/tang/commit/8dbbed10870378f1b2c3cf3df2ea7edca7617096 which says that's the CVE that the patch is addressing. I don't have any further insight.
(In reply to Howard Holm from comment #2) See also https://security-tracker.debian.org/tracker/CVE-2023-1672 and https://census-labs.com/news/2023/06/15/race-tang/ but you probably already found those.
(In reply to Nuno Teixeira from comment #1) Sorry for the barrage of replies, but I should probably also note that, as shipped, the tang package in FreeBSD creates the db directory with restrictive permissions, meaning that this is not an issue in FreeBSD unless someone has altered the directory permissions to be more open.
^Triage: Maintainer-feedback flag (+) not required unless requested (?) first. Thanks!
CVE-2023-1672
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9047016e2e3af3ccd56cf557dc34edb113658d85

commit 9047016e2e3af3ccd56cf557dc34edb113658d85
Author:     Howard Holm <hdholm@alumni.iastate.edu>
AuthorDate: 2023-06-28 10:48:55 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-06-29 11:47:18 +0000

    security/tang: Update to v14 (Fix CVE-2023-1672)

    ChangeLog: https://github.com/latchset/tang/releases/tag/v14

    Note this is not a problem in FreeBSD due to the restrictive permissions of the db directory.

    PR:             272191
    Reported by:    hdholm@alumni.iastate.edu (maintainer)
    Security:       CVE-2023-1672

 security/tang/Makefile | 2 +-
 security/tang/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)