Bug 1183176 (CVE-2015-0234) - CVE-2015-0234 pki-core 10.x: multiple /tmp/ file vulnerabilities
Summary: CVE-2015-0234 pki-core 10.x: multiple /tmp/ file vulnerabilities
Status: CLOSED NOTABUG
Alias: CVE-2015-0234
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20150116,reported=2...
Keywords: Security
Depends On: 1183178 1183179
Blocks: 1014779
Reported: 2015-01-16 22:58 UTC by Kurt Seifried
Modified: 2019-06-08 20:22 UTC
Clone Of:
Last Closed: 2015-05-09 01:02:09 UTC


Attachments:
Patch for /tmp/file vulnerabilities (25.62 KB, patch)
2015-02-28 02:51 UTC, Matthew Harmsen

Description Kurt Seifried 2015-01-16 22:58:53 UTC
Kurt Seifried of Red Hat Product Security reports:

There are several temporary file creation vulnerabilities:

./pki-core-10.2.0/base/

kra/functional/drmtest.py:    certdb_dir = "/tmp/drmtest-certdb"
kra/src/com/netscape/kra/NetkeyKeygenService.java:                   String oFilePath = "/tmp/wrappedPrivKey.bin";
common/python/pki/profile.py:    connection.set_authentication_cert("/tmp/auth.pem")
common/python/pki/cert.py:    connection.set_authentication_cert("/tmp/auth.pem")
util/src/netscape/security/extensions/KerberosName.java:            FileOutputStream os = new FileOutputStream("/tmp/out.der");
setup/pkicommon.pm:        $tmp_dir    = "/tmp";
setup/pkicommon.pm:        $tmp_dir    = "/tmp";
tps-client/lib/perl/PKI/TPS/AdminPanel.pm:    my $tmpfile = "/tmp/admin-$$";
tps-client/lib/perl/PKI/TPS/AdminPanel.pm:    my $tmp = "/tmp/addAgents-$$.ldif";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:        my $filename = "/tmp/random.$$";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:            my $tmpfile = "/tmp/req$$";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:            my $tmpfile = "/tmp/req$$";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:                my $tmpfile = "/tmp/grep$$"; 
tps-client/lib/perl/PKI/TPS/CAInfoPanel.pm:    my $tmpfile = "/tmp/ca-$$";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    my $tmp = "/tmp/database-$$.ldif";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    $tmp = "/tmp/addTokens-$$.ldif";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    $tmp = "/tmp/addIndexes-$$.ldif";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    $tmp = "/tmp/addVLVIndexes-$$.ldif";
tps-client/lib/perl/PKI/TPS/Config.pm:#$config->load_file("/tmp/CS.cfg");
tps-client/lib/perl/PKI/TPS/Config.pm:#$config->load_file("/tmp/CS.cfg");
tps-client/lib/perl/PKI/TPS/DonePanel.pm:    my $tmpfile = "/tmp/donepanel-$$";
tps-client/lib/perl/PKI/TPS/DonePanel.pm:    my $tmpfile = "/tmp/donepanel-$$";
tps-client/lib/perl/PKI/TPS/DonePanel.pm:    my $tmpfile = "/tmp/donepanel-$$";
tps-client/src/include/main/MemoryMgr.h:#define MEM_AUDIT_FILE "/tmp/mem-audit.log" 
tps-client/src/include/main/MemoryMgr.h:#define MEM_DUMP_FILE  "/tmp/mem-dump.log"
tps-client/src/engine/RA.cpp:                             m_cfg->GetConfigAsString(CFG_DEBUG_FILENAME, "/tmp/debug.log"),
tps-client/src/engine/RA.cpp:                             m_cfg->GetConfigAsString(CFG_ERROR_FILENAME, "/tmp/error.log"),
tps-client/src/engine/RA.cpp:                             m_cfg->GetConfigAsString(CFG_SELFTEST_FILENAME, "/tmp/selftest.log"),
tps-client/src/engine/RA.cpp:                                      "/tmp/audit.log"),
tps-client/src/engine/RA.cpp:                                  "/tmp/audit.log"),
tps-client/src/tus/tus_db.c:    debug_fd = PR_Open("/tmp/debugTUSdb.log",
tps-client/src/modules/tokendb/mod_tokendb.cpp:    debug_fd = PR_Open( "/tmp/tus-debug.log",
tps-client/setup/create.pl:    $tmpDir = "/tmp";

Comment 2 Kurt Seifried 2015-01-16 23:03:40 UTC
Created pki-core tracking bugs for this issue:

Affects: fedora-all [bug 1183178]

Comment 3 Kurt Seifried 2015-01-16 23:10:03 UTC
Statement:

This issue affects the versions of pki-core as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 4 Kurt Seifried 2015-01-16 23:10:12 UTC
Acknowledgement:

This issue was discovered by Kurt Seifried of Red Hat Product Security.

Comment 5 Kurt Seifried 2015-01-16 23:15:43 UTC
So for Python you want mkstemp and mkdtemp from the tempfile module, for Perl mkstemp() and for C mkstemp() as well.
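
Added example, not part of the bug report or the attached patch: a Python sketch of the mkstemp/mkdtemp replacement that comment 5 recommends, applied to the kind of fixed names listed in the description (/tmp/drmtest-certdb, /tmp/auth.pem, /tmp/wrappedPrivKey.bin). The helper names are hypothetical and the sample bytes are constructed.

```python
import os
import shutil
import stat
import tempfile


def make_private_workdir(prefix="drmtest-certdb-"):
    # Stand-in for a fixed directory such as /tmp/drmtest-certdb: mkdtemp()
    # picks an unpredictable name, creates it 0700, never reuses an entry.
    return tempfile.mkdtemp(prefix=prefix)


def write_private_file(data, directory, prefix="auth-", suffix=".pem"):
    # Stand-in for writing a fixed file such as /tmp/auth.pem: mkstemp()
    # opens with O_CREAT | O_EXCL and mode 0600, so the file is always new.
    fd, path = tempfile.mkstemp(prefix=prefix, suffix=suffix, dir=directory)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return path


def exclusive_create_refuses(path):
    # True if O_EXCL creation rejects a name that already exists.
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return True
    os.close(fd)
    return False


def demo():
    workdir = make_private_workdir()
    try:
        pem = write_private_file(b"constructed sample bytes\n", workdir)
        # Constructed case: the chosen name is already a (dangling) symlink.
        taken = os.path.join(workdir, "wrappedPrivKey.bin")
        target = os.path.join(workdir, "elsewhere")
        os.symlink(target, taken)
        return {
            "dir_mode": stat.S_IMODE(os.lstat(workdir).st_mode),
            "file_mode": stat.S_IMODE(os.lstat(pem).st_mode),
            "existing_name_refused": exclusive_create_refuses(taken),
            "link_target_created": os.path.exists(target),
        }
    finally:
        shutil.rmtree(workdir)
```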

Comment 6 Matthew Harmsen 2015-02-28 02:51:48 UTC
Created attachment 996332 [details]
Patch for /tmp/file vulnerabilities

The attached patch was tested using the Dogtag 10.2.2 source code on the 'master' branch as of 02/27/2015.

It was successfully tested for a shared instance CA, KRA, OCSP, TKS, and TPS including successfully running the 'tpsclient' tool.

Unfortunately, this code cannot be checked-in to the source code branches until such time as both the Dogtag 10.2.2 and Dogtag 10.2.3 source code has been merged onto the DOGTAG_10_2_RHEL_BRANCH which is slated to contain the source code for CS 9.  At that time, this code will need to be applied (changing it as necessary), and sent out for the appropriate review.

Once checked in, this code should close out this bug on RHEL 7 as well as fulfilling [https://bugzilla.redhat.com/show_bug.cgi?id=1183179 Bugzilla Bug #1183179 - CVE-2015-0234 pki-core: pki-core 10.x: multiple /tmp/ file vulnerabilities [certificate_system_9]].

Once the embargo has been lifted, this code will need to be checked into the appropriate Fedora branches at that time to fulfill [https://bugzilla.redhat.com/show_bug.cgi?id=1183178 Bugzilla Bug #1183178 - CVE-2015-0234 pki-core: pki-core 10.x: multiple /tmp/ file vulnerabilities [fedora-all]].

Comment 7 Matthew Harmsen 2015-02-28 02:53:27 UTC
(In reply to Matthew Harmsen from comment #6)
> Created attachment 996332 [details]
> Patch for /tmp/file vulnerabilities
> 
> The attached patch was tested using the Dogtag 10.2.2 source code on the
> 'master' branch as of 02/27/2015.
> 
> It was successfully tested for a shared instance CA, KRA, OCSP, TKS, and TPS
> including successfully running the 'tpsclient' tool.
> 

The code was tested on an x86_64 machine running Fedora 21.

> Unfortunately, this code cannot be checked-in to the source code branches
> until such time as both the Dogtag 10.2.2 and Dogtag 10.2.3 source code has
> been merged onto the DOGTAG_10_2_RHEL_BRANCH which is slated to contain the
> source code for CS 9.  At that time, this code will need to be applied
> (changing it as necessary), and sent out for the appropriate review.
> 
> Once checked in, this code should close out this bug on RHEL 7 as well as
> fulfilling [https://bugzilla.redhat.com/show_bug.cgi?id=1183179 Bugzilla Bug
> #1183179 - CVE-2015-0234 pki-core: pki-core 10.x: multiple /tmp/ file
> vulnerabilities [certificate_system_9]].
> 
> Once the embargo has been lifted, this code will need to be checked into the
> appropriate Fedora branches at that time to fulfill
> [https://bugzilla.redhat.com/show_bug.cgi?id=1183178 Bugzilla Bug #1183178 -
> CVE-2015-0234 pki-core: pki-core 10.x: multiple /tmp/ file vulnerabilities
> [fedora-all]].

Comment 8 Matthew Harmsen 2015-05-09 01:02:09 UTC
On 05/07/15 23:15, Kurt Seifried wrote:
> Sorry lost track of this, in short if all the code is removed/unused we
> can classify this as NOTABUG and close it up.

