Bug 1051092 (CVE-2013-7283) - CVE-2013-7283 libreswan: insecure tmp files on rpm package installation
Summary: CVE-2013-7283 libreswan: insecure tmp files on rpm package installation
Alias: CVE-2013-7283
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1051094
Blocks: 1051096
TreeView+ depends on / blocked
Reported: 2014-01-09 16:49 UTC by Ratul Gupta
Modified: 2019-09-29 13:12 UTC (History)
2 users (show)

Fixed In Version: libreswan 3.7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-01-09 21:43:25 UTC

Attachments (Terms of Use)

Description Ratul Gupta 2014-01-09 16:49:13 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-7283 to the following vulnerability:

Name: CVE-2013-7283
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7283
Assigned: 20140109
Reference: https://lists.libreswan.org/pipermail/swan-announce/2013/000007.html
Reference: https://github.com/libreswan/libreswan/commit/ef2d756e73a188401c36133c2e2f7ce4f3c6ae55
Reference: OSVDB:101575
Reference: http://www.osvdb.org/101575
Reference: SECUNIA:56276
Reference: http://secunia.com/advisories/56276

Race condition in the libreswan.spec files for Red Hat Enterprise Linux (RHEL) and Fedora packages in libreswan 3.6 has unspecified impact and attack vectors, involving the /var/tmp/libreswan-nss-pwd temporary file.

Comment 2 Vincent Danen 2014-01-09 21:43:25 UTC
The libreswan.spec used in Fedora contains:

%systemd_post ipsec.service
if [ ! -f %{_sysconfdir}/ipsec.d/cert8.db ] ; then
    TEMPFILE=$(/bin/mktemp %{_sysconfdir}/ipsec.d/nsspw.XXXXXXX)
    [ $? -gt 0 ] && TEMPFILE=%{_sysconfdir}/ipsec.d/nsspw.$$
    echo > ${TEMPFILE}
    certutil -N -f ${TEMPFILE} -d %{_sysconfdir}/ipsec.d
    restorecon %{_sysconfdir}/ipsec.d/*db 2>/dev/null || :
    rm -f ${TEMPFILE}

which is quite different from the problematic upstream version, which is why Fedora and EPEL are not affected by this issue (note that despite the possible /etc/ipsec.d/nsspw.$$ fallback, /etc/ipsec.d/ is root:root and 0700).  EPEL6 is similar to the above except for using chkconfig vs %systemd_post.

These spec files are the upstream-created/provided spec files and are not those used in Fedora or EPEL as shipped by Red Hat (and libreswan is not provided in Red Hat Enterprise Linux 6 or earlier).

Note You need to log in before you can comment on or make changes to this bug.