Bug 1328930 (CVE-2016-3696)

Summary: CVE-2016-3696 pulp: Leakage of CA key in pulp-qpid-ssl-cfg
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bcourt, bkearney, bmbouter, cbillett, daviddavis, dkliban, ggainey, ipanova, jmatthew, mhrivnak, mmccune, ohadlevy, pcreech, rbarlow, rchan, rhui-bugs, satellite6-bugs, tlestach, tsanders, ttereshc
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was found that the private CA key was created in a directory that is world-readable for a small amount of time. A local user could possibly use this flaw to gain access to the private key information in the file.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-12 13:04:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1545354, 1545355    
Bug Blocks: 1325942, 1432305    

Description Adam Mariš 2016-04-20 15:51:53 UTC 
Sander Bos reports:

It was found that pulp-qpid-ssl-cfg script creates certificate files and NSS database files in world-readable unsafe temporary directory $DIR, from which is than the content copied to permanent installation directory $INST_DIR with wrongly assigned permissions, which are corrected only after the copying process is done. This bug gives attacker a time frame for stealing sensitive data.
Comment 1 Adam Mariš 2016-04-20 15:52:04 UTC 
Acknowledgments:

Name: Sander Bos
Comment 2 pulp-infra@redhat.com 2016-04-20 19:03:24 UTC 
The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.
Comment 3 pulp-infra@redhat.com 2016-04-20 19:03:30 UTC 
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.
Comment 4 pulp-infra@redhat.com 2016-04-22 15:03:38 UTC 
The Pulp upstream bug priority is at High. Updating the external tracker on this bug.
Comment 5 pulp-infra@redhat.com 2016-04-25 17:33:38 UTC 
The Pulp upstream bug status is at POST. Updating the external tracker on this bug.
Comment 6 pulp-infra@redhat.com 2016-05-03 17:33:43 UTC 
The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.
Comment 7 pulp-infra@redhat.com 2016-05-26 20:30:59 UTC 
The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.
Comment 8 pulp-infra@redhat.com 2016-05-31 17:30:48 UTC 
The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.
Comment 9 pulp-infra@redhat.com 2016-06-17 17:30:57 UTC 
The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.
Comment 10 pulp-infra@redhat.com 2016-06-27 17:01:16 UTC 
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.
Comment 11 Fedora Update System 2016-08-16 19:24:39 UTC 
pulp-2.8.6-1.fc24, pulp-docker-2.0.2-1.fc24, pulp-ostree-1.1.2-1.fc24, pulp-puppet-2.8.6-2.fc24, pulp-python-1.1.2-1.fc24, pulp-rpm-2.8.6-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 pulp-infra@redhat.com 2016-11-21 21:02:17 UTC 
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.
Comment 15 pulp-infra@redhat.com 2018-02-21 08:35:52 UTC 
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.
Comment 16 errata-xmlrpc 2018-02-21 12:26:37 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.3 for RHEL 7

Via RHSA-2018:0336 https://access.redhat.com/errata/RHSA-2018:0336
Comment 17 Product Security DevOps Team 2019-07-12 13:04:09 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2016-3696