Bug 1051092 (CVE-2013-7283)

Summary: CVE-2013-7283 libreswan: insecure tmp files on rpm package installation
Product: [Other] Security Response Reporter: Ratul Gupta <ratulg>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: pfrields, pwouters
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libreswan 3.7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-09 21:43:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1051094    
Bug Blocks: 1051096    

Description Ratul Gupta 2014-01-09 16:49:13 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-7283 to the following vulnerability:

Name: CVE-2013-7283
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7283
Assigned: 20140109
Reference: https://lists.libreswan.org/pipermail/swan-announce/2013/000007.html
Reference: https://github.com/libreswan/libreswan/commit/ef2d756e73a188401c36133c2e2f7ce4f3c6ae55
Reference: OSVDB:101575
Reference: http://www.osvdb.org/101575
Reference: SECUNIA:56276
Reference: http://secunia.com/advisories/56276

Race condition in the libreswan.spec files for Red Hat Enterprise Linux (RHEL) and Fedora packages in libreswan 3.6 has unspecified impact and attack vectors, involving the /var/tmp/libreswan-nss-pwd temporary file.
Comment 2 Vincent Danen 2014-01-09 21:43:25 UTC 
The libreswan.spec used in Fedora contains:

%post
%systemd_post ipsec.service
if [ ! -f %{_sysconfdir}/ipsec.d/cert8.db ] ; then
    TEMPFILE=$(/bin/mktemp %{_sysconfdir}/ipsec.d/nsspw.XXXXXXX)
    [ $? -gt 0 ] && TEMPFILE=%{_sysconfdir}/ipsec.d/nsspw.$$
    echo > ${TEMPFILE}
    certutil -N -f ${TEMPFILE} -d %{_sysconfdir}/ipsec.d
    restorecon %{_sysconfdir}/ipsec.d/*db 2>/dev/null || :
    rm -f ${TEMPFILE}
fi

which is quite different from the problematic upstream version, which is why Fedora and EPEL are not affected by this issue (note that despite the possible /etc/ipsec.d/nsspw.$$ fallback, /etc/ipsec.d/ is root:root and 0700).  EPEL6 is similar to the above except for using chkconfig vs %systemd_post.

These spec files are the upstream-created/provided spec files and are not those used in Fedora or EPEL as shipped by Red Hat (and libreswan is not provided in Red Hat Enterprise Linux 6 or earlier).