Bug 1183176 (CVE-2015-0234)

Summary: CVE-2015-0234 pki-core 10.x: multiple /tmp/ file vulnerabilities
Product: [Other] Security Response
Component: vulnerability
Reporter: Kurt Seifried <kseifried>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: alee, cfu, edewata, jmagne, jrusnack, kwright, mharmsen, nkinder
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-05-09 01:02:09 UTC
Bug Depends On: 1183178, 1183179
Bug Blocks: 1014779
Attachments: Patch for /tmp/file vulnerabilities (flags: none)

Description Kurt Seifried 2015-01-16 22:58:53 UTC
Kurt Seifried of Red Hat Product Security reports:

There are several temporary file creation vulnerabilities:

./pki-core-10.2.0/base/

kra/functional/drmtest.py:    certdb_dir = "/tmp/drmtest-certdb"
kra/src/com/netscape/kra/NetkeyKeygenService.java:                   String oFilePath = "/tmp/wrappedPrivKey.bin";
common/python/pki/profile.py:    connection.set_authentication_cert("/tmp/auth.pem")
common/python/pki/cert.py:    connection.set_authentication_cert("/tmp/auth.pem")
util/src/netscape/security/extensions/KerberosName.java:            FileOutputStream os = new FileOutputStream("/tmp/out.der");
setup/pkicommon.pm:        $tmp_dir    = "/tmp";
setup/pkicommon.pm:        $tmp_dir    = "/tmp";
tps-client/lib/perl/PKI/TPS/AdminPanel.pm:    my $tmpfile = "/tmp/admin-$$";
tps-client/lib/perl/PKI/TPS/AdminPanel.pm:    my $tmp = "/tmp/addAgents-$$.ldif";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:        my $filename = "/tmp/random.$$";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:            my $tmpfile = "/tmp/req$$";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:            my $tmpfile = "/tmp/req$$";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:                my $tmpfile = "/tmp/grep$$"; 
tps-client/lib/perl/PKI/TPS/CAInfoPanel.pm:    my $tmpfile = "/tmp/ca-$$";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    my $tmp = "/tmp/database-$$.ldif";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    $tmp = "/tmp/addTokens-$$.ldif";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    $tmp = "/tmp/addIndexes-$$.ldif";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    $tmp = "/tmp/addVLVIndexes-$$.ldif";
tps-client/lib/perl/PKI/TPS/Config.pm:#$config->load_file("/tmp/CS.cfg");
tps-client/lib/perl/PKI/TPS/Config.pm:#$config->load_file("/tmp/CS.cfg");
tps-client/lib/perl/PKI/TPS/DonePanel.pm:    my $tmpfile = "/tmp/donepanel-$$";
tps-client/lib/perl/PKI/TPS/DonePanel.pm:    my $tmpfile = "/tmp/donepanel-$$";
tps-client/lib/perl/PKI/TPS/DonePanel.pm:    my $tmpfile = "/tmp/donepanel-$$";
tps-client/src/include/main/MemoryMgr.h:#define MEM_AUDIT_FILE "/tmp/mem-audit.log" 
tps-client/src/include/main/MemoryMgr.h:#define MEM_DUMP_FILE  "/tmp/mem-dump.log"
tps-client/src/engine/RA.cpp:                             m_cfg->GetConfigAsString(CFG_DEBUG_FILENAME, "/tmp/debug.log"),
tps-client/src/engine/RA.cpp:                             m_cfg->GetConfigAsString(CFG_ERROR_FILENAME, "/tmp/error.log"),
tps-client/src/engine/RA.cpp:                             m_cfg->GetConfigAsString(CFG_SELFTEST_FILENAME, "/tmp/selftest.log"),
tps-client/src/engine/RA.cpp:                                      "/tmp/audit.log"),
tps-client/src/engine/RA.cpp:                                  "/tmp/audit.log"),
tps-client/src/tus/tus_db.c:    debug_fd = PR_Open("/tmp/debugTUSdb.log",
tps-client/src/modules/tokendb/mod_tokendb.cpp:    debug_fd = PR_Open( "/tmp/tus-debug.log",
tps-client/setup/create.pl:    $tmpDir = "/tmp";

Comment 2 Kurt Seifried 2015-01-16 23:03:40 UTC
Created pki-core tracking bugs for this issue:

Affects: fedora-all [bug 1183178]

Comment 3 Kurt Seifried 2015-01-16 23:10:03 UTC
Statement:

This issue affects the versions of pki-core as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 4 Kurt Seifried 2015-01-16 23:10:12 UTC
Acknowledgement:

This issue was discovered by Kurt Seifried of Red Hat Product Security.

Comment 5 Kurt Seifried 2015-01-16 23:15:43 UTC
So for Python you want mkstemp and mkdtemp from the tempfile module, for Perl mkstemp() and for C mkstemp() as well.
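
The replacement named in comment 5, shown as an added example that is not part of the original report or of the pki-core patch: it contrasts the `/tmp/admin-$$` naming pattern from the description with `tempfile.mkstemp()` and `tempfile.mkdtemp()`, all inside a private sandbox directory. The function names, the `shared` directory standing in for /tmp, the `unrelated.conf` file and the sample data are constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path


def write_fixed_name(directory, data):
    # Pattern flagged in the report ("/tmp/admin-$$"): the name is guessable,
    # and open(..., "wb") follows a symlink already sitting at that path.
    path = os.path.join(directory, "admin-%d" % os.getpid())
    with open(path, "wb") as f:
        f.write(data)
    return path


def write_mkstemp(directory, data):
    # Comment 5's replacement: random name, created with O_CREAT|O_EXCL and
    # mode 0600, so an existing path is never reused or followed.
    fd, path = tempfile.mkstemp(prefix="admin-", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    secret = b"constructed sample data"
    # Everything happens in a private sandbox; "shared" stands in for /tmp.
    with tempfile.TemporaryDirectory() as sandbox:
        shared = os.path.join(sandbox, "shared")
        os.mkdir(shared)
        target = Path(sandbox, "unrelated.conf")
        target.write_bytes(b"original")
        # Constructed precondition: the guessable name is already a symlink.
        os.symlink(target, os.path.join(shared, "admin-%d" % os.getpid()))
        write_fixed_name(shared, secret)
        fixed_overwrote_target = target.read_bytes() == secret
        target.write_bytes(b"original")
        safe = write_mkstemp(shared, secret)
        workdir = tempfile.mkdtemp(prefix="certdb-", dir=shared)
        return {
            "fixed_overwrote_target": fixed_overwrote_target,
            "mkstemp_left_target": target.read_bytes() == b"original",
            "file_mode": stat.S_IMODE(os.lstat(safe).st_mode),
            "dir_mode": stat.S_IMODE(os.lstat(workdir).st_mode),
        }


if __name__ == "__main__":
    print(demo())
```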

Comment 6 Matthew Harmsen 2015-02-28 02:51:48 UTC
Created attachment 996332 [details]
Patch for /tmp/file vulnerabilities

The attached patch was tested using the Dogtag 10.2.2 source code on the 'master' branch as of 02/27/2015.

It was successfully tested for a shared instance CA, KRA, OCSP, TKS, and TPS including successfully running the 'tpsclient' tool.

Unfortunately, this code cannot be checked-in to the source code branches until such time as both the Dogtag 10.2.2 and Dogtag 10.2.3 source code has been merged onto the DOGTAG_10_2_RHEL_BRANCH which is slated to contain the source code for CS 9.  At that time, this code will need to be applied (changing it as necessary), and sent out for the appropriate review.

Once checked in, this code should close out this bug on RHEL 7 as well as fulfilling [https://bugzilla.redhat.com/show_bug.cgi?id=1183179 Bugzilla Bug #1183179 - CVE-2015-0234 pki-core: pki-core 10.x: multiple /tmp/ file vulnerabilities [certificate_system_9]].

Once the embargo has been lifted, this code will need to be checked into the appropriate Fedora branches at that time to fulfill [https://bugzilla.redhat.com/show_bug.cgi?id=1183178 Bugzilla Bug #1183178 - CVE-2015-0234 pki-core: pki-core 10.x: multiple /tmp/ file vulnerabilities [fedora-all]].

Comment 7 Matthew Harmsen 2015-02-28 02:53:27 UTC
(In reply to Matthew Harmsen from comment #6)
> Created attachment 996332 [details]
> Patch for /tmp/file vulnerabilities
> 
> The attached patch was tested using the Dogtag 10.2.2 source code on the
> 'master' branch as of 02/27/2015.
> 
> It was successfully tested for a shared instance CA, KRA, OCSP, TKS, and TPS
> including successfully running the 'tpsclient' tool.
> 

The code was tested on an x86_64 machine running Fedora 21.

> Unfortunately, this code cannot be checked-in to the source code branches
> until such time as both the Dogtag 10.2.2 and Dogtag 10.2.3 source code has
> been merged onto the DOGTAG_10_2_RHEL_BRANCH which is slated to contain the
> source code for CS 9.  At that time, this code will need to be applied
> (changing it as necessary), and sent out for the appropriate review.
> 
> Once checked in, this code should close out this bug on RHEL 7 as well as
> fulfilling [https://bugzilla.redhat.com/show_bug.cgi?id=1183179 Bugzilla Bug
> #1183179 - CVE-2015-0234 pki-core: pki-core 10.x: multiple /tmp/ file
> vulnerabilities [certificate_system_9]].
> 
> Once the embargo has been lifted, this code will need to be checked into the
> appropriate Fedora branches at that time to fulfill
> [https://bugzilla.redhat.com/show_bug.cgi?id=1183178 Bugzilla Bug #1183178 -
> CVE-2015-0234 pki-core: pki-core 10.x: multiple /tmp/ file vulnerabilities
> [fedora-all]].

Comment 8 Matthew Harmsen 2015-05-09 01:02:09 UTC
On 05/07/15 23:15, Kurt Seifried wrote:
> Sorry lost track of this, in short if all the code is removed/unused we
> can classify this as NOTABUG and close it up.