Bug 152841 - CAN-2004-0975 OpenSSL "der_chop" Script Insecure Temporary File Creation
Summary: CAN-2004-0975 OpenSSL "der_chop" Script Insecure Temporary File Creation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: openssl
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://bugzilla.redhat.com/bugzilla/s...
Whiteboard: 1, LEGACY, rh73, rh90
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-11-08 23:54 UTC by David Lawrence
Modified: 2007-04-18 17:22 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-16 02:12:44 UTC
Embargoed:


Attachments (Terms of Use)

Description David Lawrence 2005-03-30 23:29:19 UTC
http://secunia.com/advisories/12973/

A vulnerability has been reported in OpenSSL, which can be exploited by
malicious, local users to perform certain actions on a vulnerable system with
escalated privileges.

The vulnerability is caused due to the "der_chop" script creating temporary
files insecurely. This can be exploited via symlink attacks to create or
overwrite arbitrary files with the privileges of the user executing the
vulnerable script.

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0975

Red Hat Bugzilla: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136302



------- Additional Comments From dwb7.edu 2004-12-06 12:37:23 ----

The redhat bug report mentions the following:

Temporary file vulnerability in der_chop script.  Patch attached. 
However der_chop isn't a useful script and is deprecated.  Removing
der_chop script is a valid solution to this issue.

So, we have two options:

1. patch it (assuming the patch applies)
2. remove the script (what replaces it... anyone)?



------- Additional Comments From mschout 2005-02-05 15:34:09 ----

Judging from the "proposed patch" in redhat bugzilla, and comparing to openssl
.src.rpms from 7.3, I can confirm that rh 7.3 is vulnerable.

Is there any reason we dont simply apply the proposed patch in redhat's
bugzilla?  It seems like a simple enough solution.  They simply replace the
hard-coded temp filenames with the result of mktemp.

If thats an acceptable solution, I'd be happy to make packages for this one.

I added rh73 to keywords since rh73 is vulnerable.



------- Additional Comments From pekkas 2005-02-18 08:17:47 ----

You mean, RH73 is _also_ vulnerable.  RH9 includes der_chop as well, and I bet
FC1 does..

I can give a publish for packages applying Red Hat's proposed patch.



------- Additional Comments From julien.gilli 2005-02-23 06:24:49 ----

Please, can you tell me if this patch will be applied and published as an
official fedora legacy package ?

Thank you very much for your attention !





------- Additional Comments From marcdeslauriers 2005-03-05 11:25:12 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated openssl packages to QA:

Changelog:
* Sat Mar 05 2005 Marc Deslauriers <marcdeslauriers> 0.9.6b-37.7.legacy
- - add security fix for CAN-2004-0975

3f5fbdeef07d9912fff81185afb9e62c81d31f34  7.3/openssl-0.9.6b-37.7.legacy.i386.rpm
f59d47b2858ac8386cc92aba90cdcf2462c7eb5c  7.3/openssl-0.9.6b-37.7.legacy.src.rpm
8c252677e7e75ccc07f24d2c342c85b2f20195b9 
7.3/openssl-devel-0.9.6b-37.7.legacy.i386.rpm
2ffbe75cd52e2b1319c3fd2a62c181667c2568a6 
7.3/openssl-perl-0.9.6b-37.7.legacy.i386.rpm
6a41153ac7c7a35a16f9f63c934ef0e57f40cbfd  9/openssl-0.9.7a-20.3.legacy.i386.rpm
637236326a79168da5a4715e5b172789cc54f21e  9/openssl-0.9.7a-20.3.legacy.src.rpm
875b05c7353e815f1b50b9b80331c77c8e233c03 
9/openssl-devel-0.9.7a-20.3.legacy.i386.rpm
5e506a3ca8b8e4dbda863dd3bc21928a83c98261  9/openssl-perl-0.9.7a-20.3.legacy.i386.rpm
fbfc59518932269d121524a2c3a2323d29a2d0d4  1/openssl-0.9.7a-33.11.legacy.i386.rpm
4998cc098c73e0ef413cb50d170011c7dbf7133a  1/openssl-0.9.7a-33.11.legacy.src.rpm
3c656cf4d3ba4c815baa66b0fb69b9b071166df8 
1/openssl-devel-0.9.7a-33.11.legacy.i386.rpm
59ad015a387156d93ff9080793ad9d72e9fcc98b 
1/openssl-perl-0.9.7a-33.11.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/openssl-0.9.6b-37.7.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/openssl-0.9.6b-37.7.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/openssl-devel-0.9.6b-37.7.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/openssl-perl-0.9.6b-37.7.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/openssl-0.9.7a-20.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/openssl-0.9.7a-20.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/openssl-devel-0.9.7a-20.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/openssl-perl-0.9.7a-20.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/openssl-0.9.7a-33.11.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/openssl-0.9.7a-33.11.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/openssl-devel-0.9.7a-33.11.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/openssl-perl-0.9.7a-33.11.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCKiOsLMAs/0C4zNoRAuXJAJwL5ZUsVqHt5ILrOLeHFxDnKFezvgCgi7QW
So3fyn6Mvd0zMrQq3YJJTsY=
=GWkN
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas 2005-03-06 08:39:56 ----

The packages look pretty good, but there's one problem.. at least in RHL73 and
RHL9, 'mktemp' does not support -t toggle...



------- Additional Comments From marcdeslauriers 2005-03-06 14:44:45 ----

oh, darn. I didn't know that.

So what if we do:
$file=`mktemp /tmp/a$$.DER.XXXXXX` || die $!;

instead of:
$file=`mktemp -t a$$.DER.XXXXXX` || die $!;

for rh73 and rh9?

Is that acceptable?
Is there any better way?



------- Additional Comments From pekkas 2005-03-06 16:46:00 ----

That seems to be a decent way.  Some scripts usually use $TMPDIR, but as that's
not defined by default, they'll have to have fallback to set $TMPDIR to /tmp/ if
it's not set up properly.  But here for simplicity just using /tmp/ should be OK..



------- Additional Comments From marcdeslauriers 2005-03-11 19:36:27 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated openssl packages to QA for rh73 and rh9.
The previous fc1 packages are still good.

Changelog:
* Fri Mar 11 2005 Marc Deslauriers <marcdeslauriers> 0.9.6b-38.7.legacy
- - Fixed the CAN-2004-0975 patch

* Sat Mar 05 2005 Marc Deslauriers <marcdeslauriers> 0.9.6b-37.7.legacy
- - add security fix for CAN-2004-0975

cbba16ba78a3528596907c4ab42c99054d12dbdc  7.3/openssl-0.9.6b-38.7.legacy.i386.rpm
94b12fc9635c74a967ba1db9c3e232f474cae11b  7.3/openssl-0.9.6b-38.7.legacy.src.rpm
61977024cf4f4ff393362ba053adbdf612cdf5e8 
7.3/openssl-devel-0.9.6b-38.7.legacy.i386.rpm
856612356726eda9d16ff3b6009c6817742831f3 
7.3/openssl-perl-0.9.6b-38.7.legacy.i386.rpm
85378db3275a2e3b80c1e16193b99fa9a4423147  9/openssl-0.9.7a-20.4.legacy.i386.rpm
cbd4207538410d37d8cc16d139f96914a102de0e  9/openssl-0.9.7a-20.4.legacy.src.rpm
d8ed96d0ae6cff177523ea194f545df6cd77cbb8 
9/openssl-devel-0.9.7a-20.4.legacy.i386.rpm
3fb74e36e1a19101fac633d84ebff5e9ae0026a2  9/openssl-perl-0.9.7a-20.4.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/openssl-0.9.6b-38.7.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/openssl-0.9.6b-38.7.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/openssl-devel-0.9.6b-38.7.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/openssl-perl-0.9.6b-38.7.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/openssl-0.9.7a-20.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/openssl-0.9.7a-20.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/openssl-devel-0.9.7a-20.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/openssl-perl-0.9.7a-20.4.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCMn+0LMAs/0C4zNoRAu3yAJ43G+UTNoEj0zmweFRRyNHr692TMwCgnVOV
Ag3ZbNy4TdE2HZxA7htSwU0=
=IPyQ
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas 2005-03-13 05:49:43 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for the openssl RPMs:
 - source integrity OK
 - patch files are good
 - spec file changes look OK

+PUBLISH RHL73,RHL9,FC1

94b12fc9635c74a967ba1db9c3e232f474cae11b  openssl-0.9.6b-38.7.legacy.src.rpm
cbd4207538410d37d8cc16d139f96914a102de0e  openssl-0.9.7a-20.4.legacy.src.rpm
4998cc098c73e0ef413cb50d170011c7dbf7133a  openssl-0.9.7a-33.11.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCNGEHGHbTkzxSL7QRAr8TAJ47B6G88y+g03Qpw3Cy9tCOuR/I+wCfcJXH
CyT2fREkaOqi5R+peYqIoK0=
=g4Y2
-----END PGP SIGNATURE-----




------- Bug moved to this database by dkl 2005-03-30 18:29 -------

This bug previously known as bug 2257 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2257
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl.
   Previous reporter was fedora-legacy-bugzilla-2004.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 Jim Popovitch 2005-05-29 02:37:21 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

+PUBLISH RHL73

cbba16ba78a3528596907c4ab42c99054d12dbdc  openssl-0.9.6b-38.7.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCmSpMuhh7yV/E9I4RAjBrAKCCuRQUiNS8PrvNKfPBHfHUgGHngACfcftD
NEHpaAIZxlWPd7KozJ5FJag=
=3OlA
-----END PGP SIGNATURE-----


Comment 2 Marc Deslauriers 2005-06-04 19:30:05 UTC
These were pushed to updates-testing

Comment 3 Tom Yates 2005-06-05 06:51:47 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

c3c4d1e26f568e9186c5db1753961d7d openssl-0.9.7a-20.4.legacy.i686.rpm
91524f82d759e7308e9cdef073a9822b openssl-devel-0.9.7a-20.4.legacy.i386.rpm

installed OK.  apache (https) works fine after restart (my biggest
dependency on /lib/libssl.so.0.9.7a).  'openssl x509 -text -in server.crt'
correctly reads the details from my (self-signed) https and imaps
certificates.

i don't seem to have the der_chop script, so i'm not sure how to test
that.

+VERIFY RH9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCoqDJePtvKV31zw4RAtehAJsEZj2xBki4FgurcVk2gwQldHQsPQCgtoay
vyGwKQyHLA3BzkCL21Xk2Ok=
=OBCv
-----END PGP SIGNATURE-----


Comment 4 Pekka Savola 2005-06-16 12:37:11 UTC
One verify, timeouts in 4 weeks.

Comment 5 Pekka Savola 2005-07-15 05:41:39 UTC
Timeout over.

Comment 6 Marc Deslauriers 2005-07-16 02:12:44 UTC
Packages were released to updates.


Note You need to log in before you can comment on or make changes to this bug.