Bug 849256 (CVE-2012-3504)
Summary: CVE-2012-3504 crypto-utils: insecure temporary file usage in genkey

| Field | Value |
|---|---|
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED WONTFIX |
| Severity | low |
| Priority | low |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Vincent Danen <vdanen> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | jorton, security-response-team |
| Keywords | Security |
| Doc Type | Bug Fix |
| Last Closed | 2021-06-11 21:04:38 UTC |
| Bug Depends On | 862430 |
| Bug Blocks | 849258 |

Description
Vincent Danen
2012-08-17 20:37:46 UTC
The vulnerable code is here:

    # Check that nss.conf exists
    sub nssconfigFound {
        # if it isn't in its usual place
        if (!$nssconf || !(-f $nssconf)) {
            # do an rpm query
            my $cmd = 'rpm -ql mod_nss';
            my $tmplist = "list";
            system("$cmd > $tmplist");
            $nssconf = `grep nss.conf $tmplist`;
            unlink($tmplist);
        }
        return ($nssconf && (-f $nssconf));
    }

I think this patch should do it; there are a few more spots where the script runs a command that redirects to an arbitrary file. It would probably be better to have these files in /tmp/ though, I think.

--- genkey.pl.orig 2012-09-26 19:40:07.257383383 -0600 +++ genkey.pl 2012-09-26 19:44:45.217577278 -0600 @@ -43,6 +43,7 @@ use Crypt::Makerand; use Newt; use Getopt::Long; +use File::Temp qw/ tempfile /; sub InitRoot { @@ -361,7 +362,7 @@ if (!$nssconf || !(-f $nssconf)) { # do an rpm query my $cmd = 'rpm -ql mod_nss'; - my $tmplist = "list"; + ($fh, $tmplist) = tempfile("list.XXXXXX"); system("$cmd > $tmplist"); $nssconf = `grep nss.conf $tmplist`; unlink($tmplist); @@ -374,7 +375,7 @@ # Extract the value from the mod_nss configuration file. my $cmd ='/usr/bin/gawk \'/^NSSCertificateDatabase/ { print $2 }\'' . " $nssconf"; - my $dbfile = "dbdirectory"; + ($fh, $dbfile) = tempfile("dbdirectory.XXXXXX"); system("$cmd > $dbfile"); open(DIR, "<$dbfile"); my $dbdir = ''; @@ -390,7 +391,7 @@ # Extract the value from the mod_nss configuration file. my $cmd ='/usr/bin/gawk \'/^NSSNickname/ { print $2 }\'' . " $nssconf"; - my $nicknamefile = "nssnickname"; + ($fh, $nicknamefile) = tempfile("nssnickname.XXXXXX"); system("$cmd > $nicknamefile"); open(NICK, "<$nicknamefile"); my $nickname = '';
@@ -404,7 +405,7 @@ # Extract the value from the mod_nss configuration file. my $cmd ='/usr/bin/gawk \'/^NSSDBPrefix/ { print $2 }\'' . " $nssconf"; - my $prefixfile = "dbprefix"; + ($fh, $prefixfile) = tempfile("dbprefix.XXXXXX"); system("$cmd > $prefixfile"); open(PREFIX, "<$prefixfile"); my $prefix = '';

I've sent a notice to oss-sec to make others aware of this issue:
http://www.openwall.com/lists/oss-security/2012/10/02/3

Created crypto-utils tracking bugs for this issue

Affects: fedora-all [bug 862430]

Thank you Vincent. I have submitted our proposed fix for review to the fedora tracking [bug 862430]. See attachment 659066.

fast fingers: s/our/your/g

Perfect. Thank you!

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2012-3504
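
Review bot: In the @@ -361,7 +362,7 @@ hunk, the added line ($fh, $tmplist) = tempfile("list.XXXXXX"); drops the "my" that the removed line had, so $fh and $tmplist become package globals (and a compile error if the script runs under "use strict"). A bare template with no DIR or TMPDIR option also makes File::Temp create the file in the current working directory, the same place the fixed name "list" was written. Suggest my ($fh, $tmplist) = tempfile("list.XXXXXX", TMPDIR => 1); which also covers the remark about /tmp in the comment that introduces the patch.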
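
Review bot: In the @@ -374,7 +375,7 @@ hunk, the handle returned by tempfile() is never used: system("$cmd > $dbfile") has the shell reopen the file by name, and open(DIR, "<$dbfile") opens it by name once more, with neither return value checked. The random suffix protects only the creation step, so the later by-name opens are only as safe as the directory the file sits in. Suggest reading the gawk output through a pipe (list-form open with '-|') or parsing $nssconf directly in Perl, so that no temporary file is needed, and checking the result of open.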
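
Review bot: In the @@ -390,7 +391,7 @@ hunk, ($fh, $nicknamefile) = tempfile("nssnickname.XXXXXX"); assigns to the same undeclared $fh as the two hunks before it, and the gawk, redirect and open sequence is a third copy of one pattern. Suggest a single helper that takes the directive name and returns its value through a lexical handle, so the temporary-file handling is corrected in one place. No cleanup of $nicknamefile is visible in this hunk's context; if the file is kept, passing UNLINK => 1 to tempfile() would remove it at exit.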
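
An added example, not code from genkey or from anyone on this bug: the nss.conf lookups discussed above, done without shell redirection and without a file in the working directory. The helper names command_lines and directive_value and the sample configuration values are assumptions made up for illustration.

```perl
#!/usr/bin/perl
# Added example (not genkey's own code): the same lookups with no shell
# redirection and no predictable file name in the working directory.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Hypothetical helper: run a command without a shell and read its output
# through a pipe, so no intermediate file is ever created.
sub command_lines {
    my @cmd = @_;
    open(my $out, '-|', @cmd) or return ();
    chomp(my @lines = <$out>);
    close($out);
    return @lines;
}

# Hypothetical helper: value of the first line starting with $name, in
# place of  gawk '/^NSSNickname/ { print $2 }' nss.conf > nssnickname
sub directive_value {
    my ($conf, $name) = @_;
    open(my $in, '<', $conf) or die "cannot open $conf: $!";
    while (my $line = <$in>) {
        next unless $line =~ /^\Q$name\E/;
        my (undef, $value) = split ' ', $line;
        return $value;
    }
    return;    # directive not present
}

# Constructed sample configuration, written to a file that File::Temp
# creates exclusively (O_EXCL, mode 0600) in the system temp directory.
my ($fh, $conf) = tempfile('nssconf.XXXXXX', TMPDIR => 1, UNLINK => 1);
print {$fh} "NSSCertificateDatabase /etc/httpd/alias\n",
            "NSSNickname Server-Cert\n";
close($fh) or die "close: $!";

for my $name (qw(NSSCertificateDatabase NSSNickname NSSDBPrefix)) {
    my $value = directive_value($conf, $name);
    printf "%s = %s\n", $name, defined $value ? $value : '(not set)';
}

# Where rpm and mod_nss are installed this finds the packaged nss.conf;
# elsewhere the list is empty and the lookup reports "not found".
my ($nssconf) = grep { /nss\.conf/ } command_lines('rpm', '-ql', 'mod_nss');
print 'nss.conf: ', (defined $nssconf ? $nssconf : '(not found)'), "\n";
```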