Bug 906207 (CVE-2012-6116)

Summary: CVE-2012-6116 Candlepin: bootstrap RPM deploys CA certificate file with mode 666
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: athomas, bkearney, cpelland, mmccune, msuchy, sclewis, security-response-team, srevivo, sthirugn
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-21 21:05:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 877387, 896255, 906208, 924247, 995675, 995676    
Bug Blocks: 906209, 906638, 917158    
Attachments:
Description Flags
Fix for the permissions issue (in installer) none

Description Kurt Seifried 2013-01-31 06:27:17 UTC 
Dominic Cleal reports 

Description of problem:
katello-configure generates a bootstrap RPM for installation on clients to be 
connected to the Katello server.  This contains a CA certificate for Candlepin
which has a mode set of 0666, permitting other users on a client system to 
modify the CA used to trust the remote Katello server.

The RPM is named after the FQDN of the Katello server, e.g.
candlepin-cert-consumer-$FQDN

# ll /etc/rhsm/ca/candlepin-local.pem 
-rw-rw-rw-. 1 root root 5385 Nov 12 16:21 /etc/rhsm/ca/candlepin-local.pem

# rpm -qalv candlepin-cert-consumer-\*
-rw-rw-rw-    1 root    root  5385 Nov 12 16:21 /etc/rhsm/ca/candlepin-local.pem

Version-Release number of selected component (if applicable):
Tested on 1.1 release, verified code present in git master.

How reproducible:
Always.

Steps to Reproduce:
1. install Katello (https://fedorahosted.org/katello/wiki/Install)
2. run: katello-configure
3. run: rpm -qplv /var/www/html/pub/candlepin-cert-consumer-*noarch.rpm

Actual results:
-rw-rw-rw-    1 root    root  5385 Nov 12 16:21 /etc/rhsm/ca/candlepin-local.pem

Expected results:
-rw-r--r--    1 root    root  5385 Nov 12 16:21 /etc/rhsm/ca/candlepin-local.pem

Additional info:
katello-configure generates the RPM from within the certs::config puppet class:

  exec { "generate-candlepin-consumer-certificate":
    cwd       => "${katello_www_pub_dir}",
    command   => "gen-rpm.sh --name '${candlepin_consumer_name}' --version 1.0 --release 1 --packager None --vendor None --group 'Applications/System' --summary '${candlepin_consumer_summary}' --description '${candlepin_consumer_description}' --requires subscription-manager --post ${ssl_build_path}/rhsm-katello-reconfigure /etc/rhsm/ca/candlepin-local.pem:666=${ssl_build_path}/$candlepin_cert_name.crt 2>>${katello::params::configure_log_base}/certificates.log && /sbin/restorecon ./*rpm",
    path      => "/usr/share/katello/certs:/usr/bin:/bin",
    creates   => "${katello_www_pub_dir}/${candlepin_consumer_name}-1.0-1.noarch.rpm",
    require   => [Exec["generate-candlepin-certificate"], File["${ssl_build_path}/rhsm-katello-reconfigure"], File["${katello::params::configure_log_base}"]]
  }

In the middle of this command it passes in the permissions "666" to the gen-rpm.sh script, which get put into the RPM spec as the %attr for the CA cert file.

The gen-rpm.sh script is also used by katello-ssl-tool, but a quick test shows that this doesn't explicitly set the mode when it generates a CA RPM, so the RPM is generated with the file having default 644 permissions.
Comment 2 Kurt Seifried 2013-02-01 06:48:50 UTC 
*** Bug 876580 has been marked as a duplicate of this bug. ***
Comment 3 Murray McAllister 2013-02-14 09:25:57 UTC 
Acknowledgements:

This issue was discovered by Dominic Cleal and James Laska of Red Hat.
Comment 5 errata-xmlrpc 2013-02-21 19:07:24 UTC 
This issue has been addressed in following products:

  CloudForms for RHEL 6

Via RHSA-2013:0547 https://rhn.redhat.com/errata/RHSA-2013-0547.html
Comment 6 Bryan Kearney 2013-02-22 13:43:28 UTC 
commit 65f1e42b7bda0f3410931c50598540d944d8bf0d
Author: Marek Hulan <ares>
Date:   Tue Jan 22 12:48:10 2013 +0100

    877387 - Candlepin CA certificate mode in RPM
    
    File mode is set to 0644 when RPM is generated.
Comment 7 Martin Bacovsky 2013-02-22 14:38:37 UTC 
Created attachment 701212 [details]
Fix for the permissions issue (in installer)
Comment 8 sthirugn@redhat.com 2013-03-20 16:01:14 UTC 
Verified in SAM compose:

SAM 1.1 version:
* candlepin-0.6.5-1.el6_2.noarch
* candlepin-tomcat6-0.6.5-1.el6_2.noarch
* elasticsearch-0.18.4-11.el6.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.5-1.el6_2.noarch
* katello-cli-common-0.3.5-2.el6_2.noarch
* katello-cli-headpin-0.2.2-1.el6_2.noarch
* katello-common-0.3.3-1.el6_2.noarch
* katello-configure-0.3.7-1.el6_2.noarch
* katello-glue-candlepin-0.3.3-1.el6_2.noarch
* katello-headpin-0.2.13-1.el6_2.noarch
* katello-headpin-all-0.2.13-1.el6_2.noarch
* katello-selinux-0.2.4-1.el6_2.noarch
* thumbslug-0.0.24-1.el6_2.noarch

SAM 1.2.1 Version:
* candlepin-0.7.24-1.el6_3.noarch
* candlepin-cert-consumer-gizmo.idm.lab.bos.redhat.com-1.0-1.noarch
* candlepin-selinux-0.7.24-1.el6_3.noarch
* candlepin-tomcat6-0.7.24-1.el6_3.noarch
* elasticsearch-0.19.9-5.el6_3.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.2.1-1h.el6_3.noarch
* katello-cli-1.2.1-12h.el6_3.noarch
* katello-cli-common-1.2.1-12h.el6_3.noarch
* katello-common-1.2.1.1-1h.el6_4.noarch
* katello-configure-1.2.3.1-4h.el6_4.noarch
* katello-glue-candlepin-1.2.1.1-1h.el6_4.noarch
* katello-headpin-1.2.1.1-1h.el6_4.noarch
* katello-headpin-all-1.2.1.1-1h.el6_4.noarch
* katello-selinux-1.2.1-2h.el6_3.noarch
* thumbslug-0.0.28.1-1.el6_4.noarch
* thumbslug-selinux-0.0.28.1-1.el6_4.noarch
Comment 9 errata-xmlrpc 2013-03-26 19:17:15 UTC 
This issue has been addressed in following products:

  Red Hat Subscription Asset Manager 1.2

Via RHSA-2013:0686 https://rhn.redhat.com/errata/RHSA-2013-0686.html
Comment 10 Kurt Seifried 2013-07-26 07:41:17 UTC 
The Red Hat Security Response Team has rated this issue as having moderate security impact in CloudForms 1.1. This issue is not currently planned to be addressed in future updates.