Bug 849256 (CVE-2012-3504)

Summary: CVE-2012-3504 crypto-utils: insecure temporary file usage in genkey
Product: [Other] Security Response
Component: vulnerability
Reporter: Vincent Danen <vdanen>
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: emaldona, jorton, jrusnack, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20121002,reported=20120816,source=redhat,cvss2=2.6/AV:L/AC:H/Au:N/C:N/I:P/A:P,rhel-5/crypto-utils=notaffected,rhel-6/crypto-utils=defer,fedora-all/crypto-utils=affected,cwe=CWE-377
Doc Type: Bug Fix
Bug Depends On: 862430
Bug Blocks: 849258

Description Vincent Danen 2012-08-17 16:37:46 EDT
The genkey script, as provided in the crypto-utils package, suffers from poor temporary file handling.  When executed, it writes to a file called 'list' in the current working directory, without first checking to see if the file exists.  If an attacker were able to coerce the root user into running the genkey script from a specific directory containing a symbolic link, the linked file would be overwritten.

This flaw only exists in genkey as provided by Red Hat Enterprise Linux 6 and Fedora.  Earlier versions of genkey, such as that provided with Red Hat Enterprise Linux 5, do not contain the vulnerable function (nssconfigFound()).
Comment 1 Vincent Danen 2012-08-17 16:43:43 EDT
The vulnerable code is here:

 # Check that nss.conf exists
 sub nssconfigFound {
     # if it isn't in its usual place
     if (!$nssconf || !(-f $nssconf)) {
         # do an rpm query
         my $cmd = 'rpm -ql mod_nss';
         my $tmplist = "list";
         system("$cmd > $tmplist");
         $nssconf = `grep nss.conf $tmplist`;
         unlink($tmplist);
     }
     return ($nssconf && (-f $nssconf));
 }
Comment 2 Vincent Danen 2012-08-17 16:44:39 EDT
Statement:

This issue did not affect the version of crypto-utils as shipped with Red Hat Enterprise Linux 5.  The Red Hat Security Response Team has rated this issue as having low security impact. A future update may address this issue in Red Hat Enterprise Linux 6. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 4 Vincent Danen 2012-09-26 21:54:51 EDT
I think this patch should do it; there are a few more spots where the script runs a command that redirects to an arbitrary file.  It would probably be better to have these files in /tmp/ though, I think.

--- genkey.pl.orig      2012-09-26 19:40:07.257383383 -0600
+++ genkey.pl   2012-09-26 19:44:45.217577278 -0600
@@ -43,6 +43,7 @@
 use Crypt::Makerand;
 use Newt;
 use Getopt::Long;
+use File::Temp qw/ tempfile /;
 
 sub InitRoot
 {
@@ -361,7 +362,7 @@
     if (!$nssconf || !(-f $nssconf)) {
         # do an rpm query
         my $cmd = 'rpm -ql mod_nss';
-        my $tmplist = "list";
+        ($fh, $tmplist) = tempfile("list.XXXXXX");
         system("$cmd > $tmplist");
         $nssconf = `grep nss.conf $tmplist`;
         unlink($tmplist);
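Review bot: `($fh, $tmplist) = tempfile("list.XXXXXX");` drops the `my` that the replaced line `my $tmplist = "list";` had, so `$fh` and `$tmplist` become package globals (a compile error if the script runs under `use strict`); write `my ($fh, $tmplist) = tempfile(...)`. Two further points on the same line: File::Temp creates a bare template in the current directory, so the file still lands in the cwd that Comment 4 says it would be better to avoid; pass `TMPDIR => 1` (and `UNLINK => 1`, which would also let the `unlink($tmplist)` line go). And `$fh` is never used: `system("$cmd > $tmplist")` reopens the path by name through the shell, which is safe only because tempfile created the name with O_EXCL, whereas reading `rpm -ql mod_nss` through a pipe open would remove the scratch file altogether.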
@@ -374,7 +375,7 @@
    
     # Extract the value from the mod_nss configuration file.
     my $cmd ='/usr/bin/gawk \'/^NSSCertificateDatabase/ { print $2 }\'' . " $nssconf"; 
-    my $dbfile = "dbdirectory";
+    ($fh, $dbfile) = tempfile("dbdirectory.XXXXXX");
     system("$cmd > $dbfile");
     open(DIR, "<$dbfile");
     my $dbdir = '';
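Review bot: same missing `my` on `($fh, $dbfile) = tempfile("dbdirectory.XXXXXX");`, and because `$fh` is reassigned here without the handle from the previous hunk being closed, each call leaks an open descriptor until exit. The temp file is only a relay for one line of gawk output that `open(DIR, "<$dbfile");` reads straight back; capturing it with backticks, as the script already does for `grep nss.conf` in nssconfigFound(), would let the `$dbfile` line, the `system` call and the `open` all go.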
@@ -390,7 +391,7 @@
 
     # Extract the value from the mod_nss configuration file.
     my $cmd ='/usr/bin/gawk \'/^NSSNickname/ { print $2 }\'' . " $nssconf";
-    my $nicknamefile = "nssnickname";
+    ($fh, $nicknamefile) = tempfile("nssnickname.XXXXXX");
     system("$cmd > $nicknamefile");
     open(NICK, "<$nicknamefile");  
     my $nickname = ''; 
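Review bot: `($fh, $nicknamefile) = tempfile("nssnickname.XXXXXX");` has the same undeclared-variable and cwd-placement issues as the two hunks above; if the tempfile approach stays, pass the directory explicitly (`TMPDIR => 1` or `DIR => '/tmp'`) so the behaviour Comment 4 asks for is actually implemented. Also note the trailing whitespace on the context lines `open(NICK, "<$nicknamefile");` and `my $nickname = '';`, not introduced by this patch but worth trimming while the block is touched.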
@@ -404,7 +405,7 @@
 
     # Extract the value from the mod_nss configuration file.
     my $cmd ='/usr/bin/gawk \'/^NSSDBPrefix/ { print $2 }\'' . " $nssconf";
-    my $prefixfile = "dbprefix";
+    ($fh, $prefixfile) = tempfile("dbprefix.XXXXXX");
     system("$cmd > $prefixfile");
     open(PREFIX, "<$prefixfile");
     my $prefix = '';
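Review bot: `($fh, $prefixfile) = tempfile("dbprefix.XXXXXX");` repeats the pattern a fourth time; rather than fixing the missing `my` and the directory in four places, factor one helper that runs the gawk command and returns its output (pipe open or backticks) and call it for NSSCertificateDatabase, NSSNickname and NSSDBPrefix. That removes the temp files entirely, and with them the need for the `use File::Temp qw/ tempfile /;` import added in the first hunk.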
Comment 5 Vincent Danen 2012-10-02 17:07:20 EDT
I've sent a notice to oss-sec to make others aware of this issue:

http://www.openwall.com/lists/oss-security/2012/10/02/3
Comment 6 Vincent Danen 2012-10-02 17:09:53 EDT
Created crypto-utils tracking bugs for this issue

Affects: fedora-all [bug 862430]
Comment 7 Elio Maldonado Batiz 2012-12-06 17:00:59 EST
Thank you Vincent. I have submitted our proposed fix for review to the fedora tracking [bug 862430]. See attachment 659066 [details].
Comment 8 Elio Maldonado Batiz 2012-12-06 17:03:03 EST
fast fingers: s/our/your/g
Comment 9 Vincent Danen 2012-12-07 23:28:55 EST
Perfect.  Thank you!