+++ This bug was initially created as a clone of Bug #1103101 +++

+++ This bug was initially created as a clone of Bug #1102083 +++

This has come up in the CentOS bug tracker: http://bugs.centos.org/view.php?id=7139

At least the following package is affected:
- openldap-servers-2.4.23-34.el6_5.1.x86_64

After a short discussion with the reporter I decided to open this bug here.

Short description (taken from the bug report):

When running /usr/libexec/openldap-generate-server-cert.sh, a tmp file with a random name is being generated, and should be deleted after use. A wrong variable is used in deletion, leaving security-relevant material lying around in an insecure fashion.

In the trace below you can see the CERT_RANDOM file being generated, but it is attempted to delete $RANDOM_DATA after use. This is wrong. It should have been "rm -rf $CERT_RANDOM".

After completion of the script, the file is left behind in /tmp, containing random bytes used to generate the cert. This is a security issue, even if the permissions of the file are restrictive.

How to reproduce:

[root@cloud01 ~]# cd /etc/openldap/certs
[root@cloud01 certs]# \rm -rf *
[root@cloud01 certs]# echo keks > password
[root@cloud01 certs]# certutil -d $(pwd) -N -f password
[root@cloud01 certs]# bash -xv /usr/libexec/openldap/generate-server-cert.sh
...
CERT_RANDOM=$(mktemp)
mktemp)
mktemp
++ mktemp
+ CERT_RANDOM=/tmp/tmp.toBUDh50mG
dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null
+ dd if=/dev/urandom bs=256 count=1 of=/tmp/tmp.toBUDh50mG
certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \
    -S -x -n "$CERT_NAME" \
    -s "CN=$HOSTNAME_FQDN" \
    -t TC,, \
    -k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \
    -v $CERT_VALID_MONTHS \
    -8 "$ALT_NAMES" \
    &>/dev/null
+ certutil -d /etc/openldap/certs -f /etc/openldap/certs/password -z /tmp/tmp.toBUDh50mG -S -x -n 'OpenLDAP Server' -s CN=cloud01.bki1.syseleven.de -t TC,, -k rsa -g 1024 -v 12 -8 cloud01.bki1.syseleven.de,localhost,localhost.localdomain
rm -f $RANDOM_DATA
+ rm -f
...
[root@cloud01 certs]# ls -l /tmp/tmp.toBUDh50mG
-rw------- 1 root root 256 May 27 15:24 /tmp/tmp.toBUDh50mG

--- Additional comment from Jan Synacek on 2014-05-30 11:00:52 CEST ---

Thanks for the report. Trivial patch:

-rm -f $RANDOM_DATA
+rm -f $CERT_RANDOM
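Review bot: Correcting the variable name fixes the reported leak, but a trailing `rm -f` still leaves the seed file behind whenever the script exits or is interrupted between `CERT_RANDOM=$(mktemp)` and that last line; registering `trap 'rm -f "$CERT_RANDOM"' EXIT` directly after the mktemp line covers that case too. The new line should also quote the path, `rm -f "$CERT_RANDOM"`, matching how the script already passes it to certutil as `-z "$CERT_RANDOM"`.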
Pushed: http://pkgs.fedoraproject.org/cgit/openldap.git/commit/?id=b15ffab696161ec224c311cdfc3469bb5d49c24b
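The mktemp/dd/rm sequence from the trace above, as an added example that is not the Fedora openldap script: the fixed variant binds cleanup to an EXIT trap, the leaky variant reproduces the reported wrong-variable rm, and a check reports whether the seed file survived the run. `generate_with_seed`, `leaky_generate`, `fake_consumer`, `failing_consumer` and `seed_is_removed` are hypothetical names; the consumers stand in for certutil.

```shell
#!/bin/sh
# Added example, not the Fedora openldap script. RANDOM_SOURCE and
# CERT_RANDOM_BYTES mirror the values seen in the trace.
RANDOM_SOURCE=/dev/urandom
CERT_RANDOM_BYTES=256

# Fixed pattern: the body runs in a subshell, so the EXIT trap fires when the
# function returns, whether the consumer succeeded, failed or was interrupted.
generate_with_seed() (
    CERT_RANDOM=$(mktemp) || exit 1
    trap 'rm -f "$CERT_RANDOM"' EXIT      # registered before the file is used
    dd if="$RANDOM_SOURCE" bs="$CERT_RANDOM_BYTES" count=1 \
        of="$CERT_RANDOM" 2>/dev/null || exit 1
    "$@" "$CERT_RANDOM"                   # consumer receives the seed path last
)

# Reported pattern: rm names the wrong (unset) variable, so nothing is removed.
leaky_generate() {
    CERT_RANDOM=$(mktemp) || return 1
    dd if="$RANDOM_SOURCE" bs="$CERT_RANDOM_BYTES" count=1 \
        of="$CERT_RANDOM" 2>/dev/null || return 1
    "$@" "$CERT_RANDOM"
    rm -f $RANDOM_DATA                    # expands to a bare "rm -f", as in the trace
}

# Hypothetical stand-ins for certutil: record the seed path they were handed.
fake_consumer()    { [ -s "$1" ] || return 1; echo "$1" > "$SEED_RECORD"; }
failing_consumer() { echo "$1" > "$SEED_RECORD"; return 1; }

# seed_is_removed GENERATOR CONSUMER: run the pair and return 0 only if the
# seed file no longer exists afterwards. A leaked file is deleted before
# reporting failure, so the check itself leaves nothing in /tmp.
seed_is_removed() {
    gen=$1; shift
    SEED_RECORD=$(mktemp) || return 1
    "$gen" "$@" || true                   # the consumer may fail on purpose
    seed=$(cat "$SEED_RECORD")
    rm -f "$SEED_RECORD"
    if [ -n "$seed" ] && [ ! -e "$seed" ]; then
        return 0
    fi
    [ -n "$seed" ] && rm -f "$seed"
    return 1
}
```

Running `seed_is_removed leaky_generate fake_consumer` reproduces the report (the seed survives, the check fails), while both consumers pass through `generate_with_seed` cleanly.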
openldap-2.4.39-3.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/openldap-2.4.39-3.fc20
openldap-2.4.39-3.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/openldap-2.4.39-3.fc19
openldap-2.4.39-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
openldap-2.4.39-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.