Bug 1183176 - (CVE-2015-0234) CVE-2015-0234 pki-core 10.x: multiple /tmp/ file vulnerabilities
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20150116,reported=2...
Keywords: Security
Depends On: 1183178 1183179
Blocks: 1014779
Reported: 2015-01-16 17:58 EST by Kurt Seifried
Modified: 2015-05-08 21:02 EDT
Doc Type: Bug Fix
Last Closed: 2015-05-08 21:02:09 EDT

Attachments
Patch for /tmp/file vulnerabilities (25.62 KB, patch)
2015-02-27 21:51 EST, Matthew Harmsen

Description Kurt Seifried 2015-01-16 17:58:53 EST
Kurt Seifried of Red Hat Product Security reports:

There are several temporary file creation vulnerabilities:

./pki-core-10.2.0/base/

kra/functional/drmtest.py:    certdb_dir = "/tmp/drmtest-certdb"
kra/src/com/netscape/kra/NetkeyKeygenService.java:                   String oFilePath = "/tmp/wrappedPrivKey.bin";
common/python/pki/profile.py:    connection.set_authentication_cert("/tmp/auth.pem")
common/python/pki/cert.py:    connection.set_authentication_cert("/tmp/auth.pem")
util/src/netscape/security/extensions/KerberosName.java:            FileOutputStream os = new FileOutputStream("/tmp/out.der");
setup/pkicommon.pm:        $tmp_dir    = "/tmp";
setup/pkicommon.pm:        $tmp_dir    = "/tmp";
tps-client/lib/perl/PKI/TPS/AdminPanel.pm:    my $tmpfile = "/tmp/admin-$$";
tps-client/lib/perl/PKI/TPS/AdminPanel.pm:    my $tmp = "/tmp/addAgents-$$.ldif";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:        my $filename = "/tmp/random.$$";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:            my $tmpfile = "/tmp/req$$";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:            my $tmpfile = "/tmp/req$$";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:                my $tmpfile = "/tmp/grep$$"; 
tps-client/lib/perl/PKI/TPS/CAInfoPanel.pm:    my $tmpfile = "/tmp/ca-$$";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    my $tmp = "/tmp/database-$$.ldif";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    $tmp = "/tmp/addTokens-$$.ldif";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    $tmp = "/tmp/addIndexes-$$.ldif";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    $tmp = "/tmp/addVLVIndexes-$$.ldif";
tps-client/lib/perl/PKI/TPS/Config.pm:#$config->load_file("/tmp/CS.cfg");
tps-client/lib/perl/PKI/TPS/Config.pm:#$config->load_file("/tmp/CS.cfg");
tps-client/lib/perl/PKI/TPS/DonePanel.pm:    my $tmpfile = "/tmp/donepanel-$$";
tps-client/lib/perl/PKI/TPS/DonePanel.pm:    my $tmpfile = "/tmp/donepanel-$$";
tps-client/lib/perl/PKI/TPS/DonePanel.pm:    my $tmpfile = "/tmp/donepanel-$$";
tps-client/src/include/main/MemoryMgr.h:#define MEM_AUDIT_FILE "/tmp/mem-audit.log" 
tps-client/src/include/main/MemoryMgr.h:#define MEM_DUMP_FILE  "/tmp/mem-dump.log"
tps-client/src/engine/RA.cpp:                             m_cfg->GetConfigAsString(CFG_DEBUG_FILENAME, "/tmp/debug.log"),
tps-client/src/engine/RA.cpp:                             m_cfg->GetConfigAsString(CFG_ERROR_FILENAME, "/tmp/error.log"),
tps-client/src/engine/RA.cpp:                             m_cfg->GetConfigAsString(CFG_SELFTEST_FILENAME, "/tmp/selftest.log"),
tps-client/src/engine/RA.cpp:                                      "/tmp/audit.log"),
tps-client/src/engine/RA.cpp:                                  "/tmp/audit.log"),
tps-client/src/tus/tus_db.c:    debug_fd = PR_Open("/tmp/debugTUSdb.log",
tps-client/src/modules/tokendb/mod_tokendb.cpp:    debug_fd = PR_Open( "/tmp/tus-debug.log",
tps-client/setup/create.pl:    $tmpDir = "/tmp";
Comment 2 Kurt Seifried 2015-01-16 18:03:40 EST
Created pki-core tracking bugs for this issue:

Affects: fedora-all [bug 1183178]
Comment 3 Kurt Seifried 2015-01-16 18:10:03 EST
Statement:

This issue affects the versions of pki-core as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 4 Kurt Seifried 2015-01-16 18:10:12 EST
Acknowledgement:

This issue was discovered by Kurt Seifried of Red Hat Product Security.
Comment 5 Kurt Seifried 2015-01-16 18:15:43 EST
So for Python you want mkstemp and mkdtemp from the tempfile module, for Perl mkstemp() and for C mkstemp() as well.
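
The replacement recommended in Comment 5 for the Python call sites, as an added example (not part of the bug report or of the pki-core patch): it contrasts a fixed name like the reported `/tmp/auth.pem` with `tempfile.mkstemp()` and `tempfile.mkdtemp()`. The sandbox directory, file contents and function names are constructed for illustration; a private directory stands in for `/tmp`.

```python
import os
import shutil
import stat
import tempfile

def write_fixed_path(path, data):
    # Pattern from the report: guessable name, plain open(). This follows an
    # existing symlink and reuses whatever file is already there.
    with open(path, "wb") as f:
        f.write(data)

def write_private_temp(data, directory=None):
    # mkstemp() creates the file with O_CREAT|O_EXCL, mode 0600 and a random
    # name, and returns an already-open descriptor, so there is no window
    # between choosing the name and opening it.
    fd, path = tempfile.mkstemp(prefix="auth-", suffix=".pem", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def make_private_dir(directory=None):
    # mkdtemp() creates a mode 0700 directory with a random name.
    return tempfile.mkdtemp(prefix="drmtest-certdb-", dir=directory)

def demo():
    sandbox = tempfile.mkdtemp(prefix="tmpfile-demo-")  # stands in for /tmp
    try:
        other = os.path.join(sandbox, "unrelated.txt")  # constructed sample file
        with open(other, "wb") as f:
            f.write(b"original")
        fixed = os.path.join(sandbox, "auth.pem")
        os.symlink(other, fixed)          # the predictable name already exists
        write_fixed_path(fixed, b"CERT")  # write lands in unrelated.txt
        with open(other, "rb") as f:
            clobbered = f.read() == b"CERT"

        safe = write_private_temp(b"CERT", directory=sandbox)
        certdb = make_private_dir(directory=sandbox)
        return {
            "fixed_path_followed_link": clobbered,
            "mkstemp_is_regular_file": not os.path.islink(safe),
            "mkstemp_mode": stat.S_IMODE(os.lstat(safe).st_mode),
            "mkdtemp_mode": stat.S_IMODE(os.lstat(certdb).st_mode),
            "mkstemp_name_differs": os.path.basename(safe) != "auth.pem",
        }
    finally:
        shutil.rmtree(sandbox)
```

The caller of `write_private_temp()` and `make_private_dir()` is responsible for removing the returned path when done.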
Comment 6 Matthew Harmsen 2015-02-27 21:51:48 EST
Created attachment 996332 [details]
Patch for /tmp/file vulnerabilities

The attached patch was tested using the Dogtag 10.2.2 source code on the 'master' branch as of 02/27/2015.

It was successfully tested for a shared instance CA, KRA, OCSP, TKS, and TPS including successfully running the 'tpsclient' tool.

Unfortunately, this code cannot be checked-in to the source code branches until such time as both the Dogtag 10.2.2 and Dogtag 10.2.3 source code has been merged onto the DOGTAG_10_2_RHEL_BRANCH which is slated to contain the source code for CS 9.  At that time, this code will need to be applied (changing it as necessary), and sent out for the appropriate review.

Once checked in, this code should close out this bug on RHEL 7 as well as fulfilling [https://bugzilla.redhat.com/show_bug.cgi?id=1183179 Bugzilla Bug #1183179 - CVE-2015-0234 pki-core: pki-core 10.x: multiple /tmp/ file vulnerabilities [certificate_system_9]].

Once the embargo has been lifted, this code will need to be checked into the appropriate Fedora branches at that time to fulfill [https://bugzilla.redhat.com/show_bug.cgi?id=1183178 Bugzilla Bug #1183178 - CVE-2015-0234 pki-core: pki-core 10.x: multiple /tmp/ file vulnerabilities [fedora-all]].
Comment 7 Matthew Harmsen 2015-02-27 21:53:27 EST
(In reply to Matthew Harmsen from comment #6)
> Created attachment 996332 [details]
> Patch for /tmp/file vulnerabilities
> 
> The attached patch was tested using the Dogtag 10.2.2 source code on the
> 'master' branch as of 02/27/2015.
> 
> It was successfully tested for a shared instance CA, KRA, OCSP, TKS, and TPS
> including successfully running the 'tpsclient' tool.
> 

The code was tested on an x86_64 machine running Fedora 21.

> Unfortunately, this code cannot be checked-in to the source code branches
> until such time as both the Dogtag 10.2.2 and Dogtag 10.2.3 source code has
> been merged onto the DOGTAG_10_2_RHEL_BRANCH which is slated to contain the
> source code for CS 9.  At that time, this code will need to be applied
> (changing it as necessary), and sent out for the appropriate review.
> 
> Once checked in, this code should close out this bug on RHEL 7 as well as
> fulfilling [https://bugzilla.redhat.com/show_bug.cgi?id=1183179 Bugzilla Bug
> #1183179 - CVE-2015-0234 pki-core: pki-core 10.x: multiple /tmp/ file
> vulnerabilities [certificate_system_9]].
> 
> Once the embargo has been lifted, this code will need to be checked into the
> appropriate Fedora branches at that time to fulfill
> [https://bugzilla.redhat.com/show_bug.cgi?id=1183178 Bugzilla Bug #1183178 -
> CVE-2015-0234 pki-core: pki-core 10.x: multiple /tmp/ file vulnerabilities
> [fedora-all]].
Comment 8 Matthew Harmsen 2015-05-08 21:02:09 EDT
On 05/07/15 23:15, Kurt Seifried wrote:
> Sorry lost track of this, in short if all the code is removed/unused we
> can classify this as NOTABUG and close it up.
