Red Hat Bugzilla – Bug 1051092
CVE-2013-7283 libreswan: insecure tmp files on rpm package installation
Last modified: 2014-01-27 04:10:34 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-7283 to the following vulnerability: Name: CVE-2013-7283 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7283 Assigned: 20140109 Reference: https://lists.libreswan.org/pipermail/swan-announce/2013/000007.html Reference: https://github.com/libreswan/libreswan/commit/ef2d756e73a188401c36133c2e2f7ce4f3c6ae55 Reference: OSVDB:101575 Reference: http://www.osvdb.org/101575 Reference: SECUNIA:56276 Reference: http://secunia.com/advisories/56276 Race condition in the libreswan.spec files for Red Hat Enterprise Linux (RHEL) and Fedora packages in libreswan 3.6 has unspecified impact and attack vectors, involving the /var/tmp/libreswan-nss-pwd temporary file.
The libreswan.spec used in Fedora contains: %post %systemd_post ipsec.service if [ ! -f %{_sysconfdir}/ipsec.d/cert8.db ] ; then TEMPFILE=$(/bin/mktemp %{_sysconfdir}/ipsec.d/nsspw.XXXXXXX) [ $? -gt 0 ] && TEMPFILE=%{_sysconfdir}/ipsec.d/nsspw.$$ echo > ${TEMPFILE} certutil -N -f ${TEMPFILE} -d %{_sysconfdir}/ipsec.d restorecon %{_sysconfdir}/ipsec.d/*db 2>/dev/null || : rm -f ${TEMPFILE} fi which is quite different from the problematic upstream version, which is why Fedora and EPEL are not affected by this issue (note that despite the possible /etc/ipsec.d/nsspw.$$ fallback, /etc/ipsec.d/ is root:root and 0700). EPEL6 is similar to the above except for using chkconfig vs %systemd_post. These spec files are the upstream-created/provided spec files and are not those used in Fedora or EPEL as shipped by Red Hat (and libreswan is not provided in Red Hat Enterprise Linux 6 or earlier).