Kurt Seifried of Red Hat Product Security reports:

There are several temporary file creation vulnerabilities (hard-coded paths under /tmp) in ./pki-core-10.2.0/base/:

    kra/functional/drmtest.py: certdb_dir = "/tmp/drmtest-certdb"
    kra/src/com/netscape/kra/NetkeyKeygenService.java: String oFilePath = "/tmp/wrappedPrivKey.bin";
    common/python/pki/profile.py: connection.set_authentication_cert("/tmp/auth.pem")
    common/python/pki/cert.py: connection.set_authentication_cert("/tmp/auth.pem")
    util/src/netscape/security/extensions/KerberosName.java: FileOutputStream os = new FileOutputStream("/tmp/out.der");
    setup/pkicommon.pm: $tmp_dir = "/tmp";
    setup/pkicommon.pm: $tmp_dir = "/tmp";
    tps-client/lib/perl/PKI/TPS/AdminPanel.pm: my $tmpfile = "/tmp/admin-$$";
    tps-client/lib/perl/PKI/TPS/AdminPanel.pm: my $tmp = "/tmp/addAgents-$$.ldif";
    tps-client/lib/perl/PKI/TPS/NamePanel.pm: my $filename = "/tmp/random.$$";
    tps-client/lib/perl/PKI/TPS/NamePanel.pm: my $tmpfile = "/tmp/req$$";
    tps-client/lib/perl/PKI/TPS/NamePanel.pm: my $tmpfile = "/tmp/req$$";
    tps-client/lib/perl/PKI/TPS/NamePanel.pm: my $tmpfile = "/tmp/grep$$";
    tps-client/lib/perl/PKI/TPS/CAInfoPanel.pm: my $tmpfile = "/tmp/ca-$$";
    tps-client/lib/perl/PKI/TPS/DatabasePanel.pm: my $tmp = "/tmp/database-$$.ldif";
    tps-client/lib/perl/PKI/TPS/DatabasePanel.pm: $tmp = "/tmp/addTokens-$$.ldif";
    tps-client/lib/perl/PKI/TPS/DatabasePanel.pm: $tmp = "/tmp/addIndexes-$$.ldif";
    tps-client/lib/perl/PKI/TPS/DatabasePanel.pm: $tmp = "/tmp/addVLVIndexes-$$.ldif";
    tps-client/lib/perl/PKI/TPS/Config.pm:#$config->load_file("/tmp/CS.cfg");
    tps-client/lib/perl/PKI/TPS/Config.pm:#$config->load_file("/tmp/CS.cfg");
    tps-client/lib/perl/PKI/TPS/DonePanel.pm: my $tmpfile = "/tmp/donepanel-$$";
    tps-client/lib/perl/PKI/TPS/DonePanel.pm: my $tmpfile = "/tmp/donepanel-$$";
    tps-client/lib/perl/PKI/TPS/DonePanel.pm: my $tmpfile = "/tmp/donepanel-$$";
    tps-client/src/include/main/MemoryMgr.h:#define MEM_AUDIT_FILE "/tmp/mem-audit.log"
    tps-client/src/include/main/MemoryMgr.h:#define MEM_DUMP_FILE "/tmp/mem-dump.log"
    tps-client/src/engine/RA.cpp: m_cfg->GetConfigAsString(CFG_DEBUG_FILENAME, "/tmp/debug.log"),
    tps-client/src/engine/RA.cpp: m_cfg->GetConfigAsString(CFG_ERROR_FILENAME, "/tmp/error.log"),
    tps-client/src/engine/RA.cpp: m_cfg->GetConfigAsString(CFG_SELFTEST_FILENAME, "/tmp/selftest.log"),
    tps-client/src/engine/RA.cpp: "/tmp/audit.log"),
    tps-client/src/engine/RA.cpp: "/tmp/audit.log"),
    tps-client/src/tus/tus_db.c: debug_fd = PR_Open("/tmp/debugTUSdb.log",
    tps-client/src/modules/tokendb/mod_tokendb.cpp: debug_fd = PR_Open( "/tmp/tus-debug.log",
    tps-client/setup/create.pl: $tmpDir = "/tmp";
Created pki-core tracking bugs for this issue: Affects: fedora-all [bug 1183178]
Statement: This issue affects the versions of pki-core as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Acknowledgement: This issue was discovered by Kurt Seifried of Red Hat Product Security.
So for Python you want mkstemp and mkdtemp from the tempfile module, for Perl mkstemp() and for C mkstemp() as well.
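As an added example (not from the bug report or the pki-core patch), the Python pattern the comment above recommends, applied to two of the hard-coded paths listed in the report: mkdtemp() in place of certdb_dir = "/tmp/drmtest-certdb" and mkstemp() in place of the fixed "/tmp/wrappedPrivKey.bin" file. The function names and the sample key bytes are my own.

```python
import os
import stat
import tempfile


def create_private_dir(prefix="drmtest-certdb-"):
    """Safe replacement for certdb_dir = "/tmp/drmtest-certdb".

    mkdtemp() picks an unpredictable name and creates the directory with
    mode 0700, so another local user cannot pre-create or symlink it.
    """
    return tempfile.mkdtemp(prefix=prefix)


def write_private_file(data, prefix="wrappedPrivKey-", suffix=".bin", dir=None):
    """Safe replacement for a fixed "/tmp/wrappedPrivKey.bin" path.

    mkstemp() opens with O_CREAT|O_EXCL and mode 0600, so an existing file or
    symlink at the chosen name makes creation fail instead of being followed.
    The returned descriptor is written directly; the path is never reopened by name.
    """
    fd, path = tempfile.mkstemp(prefix=prefix, suffix=suffix, dir=dir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def is_private(path):
    """Audit check: not a symlink, owned by the caller, no group/other access."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode) or st.st_uid != os.getuid():
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def demo():
    """Create a private directory holding one private key blob (constructed sample data)."""
    sample = b"constructed sample wrapped-key bytes"
    certdb_dir = create_private_dir()
    key_path = write_private_file(sample, dir=certdb_dir)
    with open(key_path, "rb") as f:
        contents = f.read()
    ok = is_private(certdb_dir) and is_private(key_path)
    return {"dir": certdb_dir, "file": key_path, "contents": contents, "ok": ok}
```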
Created attachment 996332 [details]
Patch for /tmp/file vulnerabilities

The attached patch was tested using the Dogtag 10.2.2 source code on the 'master' branch as of 02/27/2015.

It was successfully tested for a shared instance CA, KRA, OCSP, TKS, and TPS including successfully running the 'tpsclient' tool.

Unfortunately, this code cannot be checked in to the source code branches until such time as both the Dogtag 10.2.2 and Dogtag 10.2.3 source code have been merged onto the DOGTAG_10_2_RHEL_BRANCH, which is slated to contain the source code for CS 9. At that time, this code will need to be applied (changing it as necessary), and sent out for the appropriate review.

Once checked in, this code should close out this bug on RHEL 7 as well as fulfilling [https://bugzilla.redhat.com/show_bug.cgi?id=1183179 Bugzilla Bug #1183179 - CVE-2015-0234 pki-core: pki-core 10.x: multiple /tmp/ file vulnerabilities [certificate_system_9]].

Once the embargo has been lifted, this code will need to be checked into the appropriate Fedora branches at that time to fulfill [https://bugzilla.redhat.com/show_bug.cgi?id=1183178 Bugzilla Bug #1183178 - CVE-2015-0234 pki-core: pki-core 10.x: multiple /tmp/ file vulnerabilities [fedora-all]].
(In reply to Matthew Harmsen from comment #6)
> Created attachment 996332 [details]
> Patch for /tmp/file vulnerabilities
>
> The attached patch was tested using the Dogtag 10.2.2 source code on the
> 'master' branch as of 02/27/2015.
>
> It was successfully tested for a shared instance CA, KRA, OCSP, TKS, and TPS
> including successfully running the 'tpsclient' tool.
> The code was tested on an x86_64 machine running Fedora 21.
> Unfortunately, this code cannot be checked in to the source code branches
> until such time as both the Dogtag 10.2.2 and Dogtag 10.2.3 source code have
> been merged onto the DOGTAG_10_2_RHEL_BRANCH, which is slated to contain the
> source code for CS 9. At that time, this code will need to be applied
> (changing it as necessary), and sent out for the appropriate review.
>
> Once checked in, this code should close out this bug on RHEL 7 as well as
> fulfilling [https://bugzilla.redhat.com/show_bug.cgi?id=1183179 Bugzilla Bug
> #1183179 - CVE-2015-0234 pki-core: pki-core 10.x: multiple /tmp/ file
> vulnerabilities [certificate_system_9]].
>
> Once the embargo has been lifted, this code will need to be checked into the
> appropriate Fedora branches at that time to fulfill
> [https://bugzilla.redhat.com/show_bug.cgi?id=1183178 Bugzilla Bug #1183178 -
> CVE-2015-0234 pki-core: pki-core 10.x: multiple /tmp/ file vulnerabilities
> [fedora-all]].
On 05/07/15 23:15, Kurt Seifried wrote:
> Sorry, lost track of this. In short, if all the code is removed/unused we
> can classify this as NOTABUG and close it up.