Bug 849256 (CVE-2012-3504)
| Summary: | CVE-2012-3504 crypto-utils: insecure temporary file usage in genkey | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | jorton, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-06-11 21:04:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 862430 | | |
| Bug Blocks: | 849258 | | |

Description
Vincent Danen
2012-08-17 20:37:46 UTC
The vulnerable code is here:
    # Check that nss.conf exists
    sub nssconfigFound {
        # if it isn't in its usual place
        if (!$nssconf || !(-f $nssconf)) {
            # do an rpm query
            my $cmd = 'rpm -ql mod_nss';
            my $tmplist = "list";
            system("$cmd > $tmplist");
            $nssconf = `grep nss.conf $tmplist`;
            unlink($tmplist);
        }
        return ($nssconf && (-f $nssconf));
    }

I think this patch should do it; there are a few more spots where the script runs a command that redirects to an arbitrary file. It would probably be better to have these files in /tmp/ though, I think.
--- genkey.pl.orig 2012-09-26 19:40:07.257383383 -0600
+++ genkey.pl 2012-09-26 19:44:45.217577278 -0600
@@ -43,6 +43,7 @@
use Crypt::Makerand;
use Newt;
use Getopt::Long;
+use File::Temp qw/ tempfile /;
sub InitRoot
{
@@ -361,7 +362,7 @@
if (!$nssconf || !(-f $nssconf)) {
# do an rpm query
my $cmd = 'rpm -ql mod_nss';
- my $tmplist = "list";
+ ($fh, $tmplist) = tempfile("list.XXXXXX");
system("$cmd > $tmplist");
$nssconf = `grep nss.conf $tmplist`;
unlink($tmplist);
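Review bot: `($fh, $tmplist) = tempfile("list.XXXXXX");` drops the `my` that the removed line had, so `$fh` and `$tmplist` become package globals (and a compile error if the script enables `use strict`), and with a bare template and no `DIR` or `TMPDIR` option File::Temp still creates the file in the current working directory. The random suffix and exclusive create deal with a pre-planted `list`, but if /tmp is the intended location, as the comment above the patch suggests, write `my ($fh, $tmplist) = tempfile("list.XXXXXX", TMPDIR => 1);`. The file could also be dropped entirely by reading `rpm -ql mod_nss` through a pipe and matching `nss.conf` in Perl.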
@@ -374,7 +375,7 @@
# Extract the value from the mod_nss configuration file.
my $cmd ='/usr/bin/gawk \'/^NSSCertificateDatabase/ { print $2 }\'' . " $nssconf";
- my $dbfile = "dbdirectory";
+ ($fh, $dbfile) = tempfile("dbdirectory.XXXXXX");
system("$cmd > $dbfile");
open(DIR, "<$dbfile");
my $dbdir = '';
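Review bot: In the `$dbfile` change the handle returned in `$fh` is never used: `system("$cmd > $dbfile")` and `open(DIR, "<$dbfile")` both reopen the file by path, so the sequence still relies on that name not being replaced between the calls. Reading gawk's output from a list-form pipe open, with `/usr/bin/gawk`, the awk program and `$nssconf` passed as separate arguments, removes the file and also keeps `$nssconf` out of a shell command line.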
@@ -390,7 +391,7 @@
# Extract the value from the mod_nss configuration file.
my $cmd ='/usr/bin/gawk \'/^NSSNickname/ { print $2 }\'' . " $nssconf";
- my $nicknamefile = "nssnickname";
+ ($fh, $nicknamefile) = tempfile("nssnickname.XXXXXX");
system("$cmd > $nicknamefile");
open(NICK, "<$nicknamefile");
my $nickname = '';
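Review bot: `open(NICK, "<$nicknamefile")`, in the context right after the changed line, is a two-argument open whose return value is not checked, so a failed gawk step or a failed open leaves `$nickname` at its initial empty value with no error. Since this spot is being touched anyway, use a three-argument open with a lexical handle and `or die "$nicknamefile: $!"`.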
@@ -404,7 +405,7 @@
# Extract the value from the mod_nss configuration file.
my $cmd ='/usr/bin/gawk \'/^NSSDBPrefix/ { print $2 }\'' . " $nssconf";
- my $prefixfile = "dbprefix";
+ ($fh, $prefixfile) = tempfile("dbprefix.XXXXXX");
system("$cmd > $prefixfile");
open(PREFIX, "<$prefixfile");
my $prefix = '';
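Review bot: Nothing visible in this hunk removes `$prefixfile`; the `list` hunk shows `unlink($tmplist)` in its context, but here the lines only show the file being opened for reading. `tempfile` called in list context keeps the file unless `UNLINK => 1` is passed, so either confirm that an `unlink($prefixfile)` follows the read or add `UNLINK => 1`. The same check applies to `$dbfile` and `$nicknamefile`.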
I've sent a notice to oss-sec to make others aware of this issue: http://www.openwall.com/lists/oss-security/2012/10/02/3

Created crypto-utils tracking bugs for this issue

Affects: fedora-all [bug 862430]

Thank you Vincent. I have submitted our proposed fix for review to the fedora tracking [bug 862430]. See attachment 659066.

fast fingers: s/our/your/g

Perfect. Thank you!

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2012-3504
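The pattern this bug is about (a fixed file name in the current directory used as a shell redirect target) next to two safer forms, as an added example that is not code from genkey.pl or the crypto-utils project. The helper names `first_matching_line` and `capture_to_tempfile`, the `genkey.XXXXXX` template and the sample paths are hypothetical, and the "command" is a constructed stand-in for `rpm -ql mod_nss`.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Preferred: no temporary file at all. The list-form pipe open runs the
# command without a shell, so there is no redirect target that another
# user could pre-create or replace with a symlink.
sub first_matching_line {
    my ($pattern, @cmd) = @_;
    open(my $out, '-|', @cmd) or die "cannot run $cmd[0]: $!";
    my $hit;
    while (my $line = <$out>) {
        chomp $line;    # backticks in the original keep the trailing newline
        $hit = $line if !defined $hit && $line =~ $pattern;
    }
    close($out);
    return $hit;
}

# When a file really is needed: exclusive create with a random suffix in
# the system temp directory, removed at exit, and written through the
# handle File::Temp returned instead of reopening the path by name.
sub capture_to_tempfile {
    my (@cmd) = @_;
    my ($fh, $path) = tempfile('genkey.XXXXXX', TMPDIR => 1, UNLINK => 1);
    open(my $out, '-|', @cmd) or die "cannot run $cmd[0]: $!";
    while (my $line = <$out>) {
        print {$fh} $line;
    }
    close($out);
    seek($fh, 0, 0) or die "seek $path: $!";
    return ($fh, $path);
}

# Constructed sample: this Perl one-liner stands in for 'rpm -ql mod_nss'
# and prints two placeholder paths (assumption, not real package contents).
my @sample = ($^X, '-e',
    'print "/example/lib/libmodnss.so\n/example/conf.d/nss.conf\n"');

my $conf = first_matching_line(qr/nss\.conf$/, @sample);
print "config path: $conf\n";

my ($fh, $path) = capture_to_tempfile(@sample);
printf "temp file: %s (mode %04o)\n", $path, (stat($fh))[2] & 07777;
print "first line read back: ", scalar(<$fh>);
```

Unlike `grep nss.conf`, the anchored `qr/nss\.conf$/` does not match the dot against any character and does not match the string in the middle of a path.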