Bug 1326242 – CVE-2016-3112 pulp: Agent certificate containing private key is stored in world-readable file

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1326242 - (CVE-2016-3112) CVE-2016-3112 pulp: Agent certificate containing private key is stored in world-readable file

Summary:	CVE-2016-3112 pulp: Agent certificate containing private key is stored in wor...

Status:	CLOSED ERRATA

Aliases:	CVE-2016-3112

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20160413,repor...
Keywords:	Security

Depends On:	1326913 1326919
Blocks:	1325942
	Show dependency tree / graph

Reported:	2016-04-12 04:53 EDT by Adam Mariš
Modified:	2017-01-05 06:14 EST (History)
CC List:	12 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	It was found that the private key for the agent certificate was contained in a world-readable file. A local user could possibly use this flaw to gain access to the private key information in the file.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2016-09-19 15:02:56 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Proposed patch (1.72 KB, patch) 2016-04-12 11:50 EDT, Jeremy Cline	no flags	Details \| Diff
python2.4-compatible patch (1.29 KB, patch) 2016-04-12 12:29 EDT, Jeremy Cline	no flags	Details \| Diff
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Adam Mariš 2016-04-12 04:53:59 EDT

It was reported that certificate that identifies agent is written to etc/pki/pulp/consumer/consumer-cert.pem with 644 permissions and contains also the private key, making it world-readable.

Comment 1 Adam Mariš 2016-04-12 04:54:08 EDT

Acknowledgments:

Name: Jeremy Cline (Red Hat)

Comment 3 Jeremy Cline 2016-04-12 11:50 EDT

Created attachment 1146527 [details]
Proposed patch

This fixes the issue where new certificates and keys are written with 644 permissions, but it doesn't do anything for all the keys and certificates that already exist.

Comment 4 Randy Barlow 2016-04-12 12:00:09 EDT

From a security perspective, the current proposed patch seems OK, but I believe this code needs to be able to work in Python 2.4 (RHEL 5) which does not have the with statement available.

Comment 5 Jeremy Cline 2016-04-12 12:29 EDT

Created attachment 1146538 [details]
python2.4-compatible patch

This patch works with Python 2.4 which is a requirement, as Randy noted. Thanks, Randy!

Comment 6 Randy Barlow 2016-04-13 10:19:48 EDT

This patch looks good to me, thanks jcline!

Comment 9 Kurt Seifried 2016-09-19 15:02:56 EDT

This issue has been addressed in the following products:

  Red Hat Satellite 6.2

Via RHSA-2016:1501

Note You need to log in before you can comment on or make changes to this bug.