Bug 581022
| Field | Value |
|---|---|
| Summary | fetch-crl script is occasionally leaving behind {hash}.r0.XXXXXX.r0 files. |
| Product | [Fedora] Fedora EPEL |
| Component | fetch-crl |
| Version | el5 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Reporter | Jason Smith <smithj4> |
| Assignee | Steve Traylen <steve.traylen> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | davidg, steve.traylen, thoger |
| Fixed In Version | fetch-crl-2.8.4-2.fc13 |
| Doc Type | Bug Fix |
| Last Closed | 2010-05-11 19:39:05 UTC |
Description
Jason Smith
2010-04-09 19:39:24 UTC
Hi Jason, I'm away all this week, will look after that. Steve.

Created attachment 407851 [details]
Patch to fix the template for mktemp call.

Hi Steve,

I think I found the problem, or at least part of it. It seems that the mktemp command requires that the XXXXXX template be at the end of the dir/file name; if it is not, then no random character substitution is made and the filename ending with XXXXXX.r0 is returned as is. Simply removing the .r0 at the end should fix this problem, and will probably also fix the Java GSI warnings or errors, since it seems to be trying to read any *.r0 file that is present. See attached patch.

~Jason

Hi Jason,

Interesting, with F13:

    $ rpm -qf /bin/mktemp
    coreutils-7.6-9.fc12.x86_64

you get:

    $ mktemp /tmp/abcd.XXX.r0
    mktemp: too few X's in template `/tmp/abcd.XXX.r0'

and a failure, whereas on centos4:

    $ rpm -qf /bin/mktemp
    mktemp-1.5-20

As you say, it creates a /tmp/abcd.XXX.r0 file, which is kind of bad, or rather does not protect the poor user very well. This should go through quick as it's obviously a predictable file name with the old mktemp behaviour. Thanks ever so much for the patch.

Steve.

fetch-crl-2.8.4-2.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.el4

fetch-crl-2.8.4-2.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.el5

fetch-crl-2.8.4-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.fc11

fetch-crl-2.8.4-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.fc12

fetch-crl-2.8.4-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.fc13

Steve, I've noticed updates in bodhi for this, but I'm not quite convinced this is a security flaw. On all current Fedora versions, mktemp fails rather than creating a file with a predictable name. The script does not check the mktemp exit status, but the problem should be detected by the following ValidateCRLHashFile. On EL4/EL5, mktemp does create a file with a predictable name, but it does not overwrite any existing file, so there's no possibility of a symlink attack (try e.g. ln -s /etc/passwd foo.XXXXXXXX.r0 ; mktemp $PWD/foo.XXXXXXXX.r0). Additionally, that temporary file is created in the $outputDirectory. It seems that it's not intended to use /tmp or another world-writable directory as $outputDirectory for normal use. Please let me know if I'm missing some other reason to call those updates security. Thank you!
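The two points raised in the thread above, the XXXXXX run having to be the last part of the mktemp template and the script not checking the mktemp exit status, as an added shell example. This is not fetch-crl's own code: the function names write_crl_atomically and leftover_temp_files, the OUTDIR/HASH.r0 layout and the sample CRL content are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not the fetch-crl script). Writes a CRL file through a
# temporary name whose random part is at the END of the template, verifies
# that mktemp really substituted it and succeeded, then renames the result
# into place so readers never see a half-written {hash}.r0.

# write_crl_atomically OUTDIR HASH CONTENT  (hypothetical helper)
#   Writes CONTENT to OUTDIR/HASH.r0 via a mktemp-generated temporary file.
#   Returns non-zero, creating no predictable file, if mktemp fails.
write_crl_atomically() {
    outdir=$1
    crlhash=$2
    content=$3

    # The XXXXXX run is the last component of the template; with a trailing
    # ".r0" an old mktemp returned the template unchanged (the bug above).
    tmp=$(mktemp "$outdir/$crlhash.r0.XXXXXX") || {
        echo "mktemp failed for $outdir/$crlhash.r0.XXXXXX" >&2
        return 1
    }

    # Belt and braces: refuse to use a name the template was not substituted in.
    case $tmp in
        *XXXXXX*)
            echo "mktemp returned an unsubstituted template: $tmp" >&2
            rm -f "$tmp"
            return 1
            ;;
    esac

    printf '%s\n' "$content" > "$tmp" || { rm -f "$tmp"; return 1; }

    # rename(2) is atomic within a filesystem, so the .r0 file is either the
    # old complete one or the new complete one, never a partial write.
    mv -f "$tmp" "$outdir/$crlhash.r0"
}

# leftover_temp_files OUTDIR  (hypothetical helper)
#   Prints the number of unsubstituted-template leftovers (the
#   {hash}.r0.XXXXXX.r0 files this bug is about) found in OUTDIR.
#   Suitable for a cron-style health check of the CRL directory.
leftover_temp_files() {
    n=0
    for f in "$1"/*.XXXXXX*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone demonstration on a scratch directory with constructed content.
if [ "${0##*/}" = "crl_write_demo.sh" ]; then
    demo=$(mktemp -d)
    write_crl_atomically "$demo" "abc123" "-----BEGIN X509 CRL----- (constructed sample)"
    echo "leftovers in $demo: $(leftover_temp_files "$demo")"
    rm -rf "$demo"
fi
```

The template check in write_crl_atomically is what distinguishes the two mktemp generations discussed above: a modern coreutils mktemp exits non-zero on a bad template and the `||` branch catches it, while the EL4/EL5 mktemp hands back the literal template and the `case` branch catches that instead. Either way the script stops instead of producing a predictable file name.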
Hi Tomas,

All points accepted, will alter to a normal update, thanks for reviewing. It was on the EL4/5 I thought there could be a problem if someone was setting a non-standard $outputDirectory.

Steve.

Thank you, Steve!

fetch-crl-2.8.4-2.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update fetch-crl'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.fc13

fetch-crl-2.8.4-2.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update fetch-crl'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.fc11

fetch-crl-2.8.4-2.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update fetch-crl'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.fc12

fetch-crl-2.8.4-2.el4 has been pushed to the Fedora EPEL 4 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update fetch-crl'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.el4

fetch-crl-2.8.4-2.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update fetch-crl'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.el5

fetch-crl-2.8.4-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

fetch-crl-2.8.4-2.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.

fetch-crl-2.8.4-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

fetch-crl-2.8.4-2.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.

fetch-crl-2.8.4-2.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.