Bug 1328930 (CVE-2016-3696) - CVE-2016-3696 pulp: Leakage of CA key in pulp-qpid-ssl-cfg
Summary: CVE-2016-3696 pulp: Leakage of CA key in pulp-qpid-ssl-cfg
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-3696
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1545354 1545355
Blocks: 1325942 1432305
TreeView+ depends on / blocked
 
Reported: 2016-04-20 15:51 UTC by Adam Mariš
Modified: 2021-04-06 17:58 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that the private CA key was created in a directory that is world-readable for a small amount of time. A local user could possibly use this flaw to gain access to the private key information in the file.
Clone Of:
Environment:
Last Closed: 2019-07-12 13:04:09 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Pulp Redmine 1854 0 High CLOSED - CURRENTRELEASE CVE-2016-3696 Leakage of CA key in pulp-qpid-ssl-cfg 2016-06-27 17:01:15 UTC
Red Hat Product Errata RHSA-2018:0336 0 normal SHIPPED_LIVE Important: Satellite 6.3 security, bug fix, and enhancement update 2018-02-21 22:43:42 UTC

Description Adam Mariš 2016-04-20 15:51:53 UTC 
Sander Bos reports:

It was found that pulp-qpid-ssl-cfg script creates certificate files and NSS database files in world-readable unsafe temporary directory $DIR, from which is than the content copied to permanent installation directory $INST_DIR with wrongly assigned permissions, which are corrected only after the copying process is done. This bug gives attacker a time frame for stealing sensitive data.
Comment 1 Adam Mariš 2016-04-20 15:52:04 UTC 
Acknowledgments:

Name: Sander Bos
Comment 2 pulp-infra@redhat.com 2016-04-20 19:03:24 UTC 
The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.
Comment 3 pulp-infra@redhat.com 2016-04-20 19:03:30 UTC 
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.
Comment 4 pulp-infra@redhat.com 2016-04-22 15:03:38 UTC 
The Pulp upstream bug priority is at High. Updating the external tracker on this bug.
Comment 5 pulp-infra@redhat.com 2016-04-25 17:33:38 UTC 
The Pulp upstream bug status is at POST. Updating the external tracker on this bug.
Comment 6 pulp-infra@redhat.com 2016-05-03 17:33:43 UTC 
The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.
Comment 7 pulp-infra@redhat.com 2016-05-26 20:30:59 UTC 
The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.
Comment 8 pulp-infra@redhat.com 2016-05-31 17:30:48 UTC 
The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.
Comment 9 pulp-infra@redhat.com 2016-06-17 17:30:57 UTC 
The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.
Comment 10 pulp-infra@redhat.com 2016-06-27 17:01:16 UTC 
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.
Comment 11 Fedora Update System 2016-08-16 19:24:39 UTC 
pulp-2.8.6-1.fc24, pulp-docker-2.0.2-1.fc24, pulp-ostree-1.1.2-1.fc24, pulp-puppet-2.8.6-2.fc24, pulp-python-1.1.2-1.fc24, pulp-rpm-2.8.6-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 pulp-infra@redhat.com 2016-11-21 21:02:17 UTC 
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.
Comment 15 pulp-infra@redhat.com 2018-02-21 08:35:52 UTC 
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.
Comment 16 errata-xmlrpc 2018-02-21 12:26:37 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.3 for RHEL 7

Via RHSA-2018:0336 https://access.redhat.com/errata/RHSA-2018:0336
Comment 17 Product Security DevOps Team 2019-07-12 13:04:09 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2016-3696
Note You need to log in before you can comment on or make changes to this bug.