http://secunia.com/advisories/12973/

A vulnerability has been reported in OpenSSL, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. The vulnerability is caused due to the "der_chop" script creating temporary files insecurely. This can be exploited via symlink attacks to create or overwrite arbitrary files with the privileges of the user executing the vulnerable script.

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0975
Red Hat Bugzilla: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136302

------- Additional Comments From dwb7.edu 2004-12-06 12:37:23 ----

The redhat bug report mentions the following:

Temporary file vulnerability in der_chop script. Patch attached. However der_chop isn't a useful script and is deprecated. Removing der_chop script is a valid solution to this issue.

So, we have two options:
1. patch it (assuming the patch applies)
2. remove the script (what replaces it... anyone)?

------- Additional Comments From mschout 2005-02-05 15:34:09 ----

Judging from the "proposed patch" in redhat bugzilla, and comparing to openssl .src.rpms from 7.3, I can confirm that rh 7.3 is vulnerable.

Is there any reason we don't simply apply the proposed patch in redhat's bugzilla? It seems like a simple enough solution. They simply replace the hard-coded temp filenames with the result of mktemp.

If that's an acceptable solution, I'd be happy to make packages for this one.

I added rh73 to keywords since rh73 is vulnerable.

------- Additional Comments From pekkas 2005-02-18 08:17:47 ----

You mean, RH73 is _also_ vulnerable. RH9 includes der_chop as well, and I bet FC1 does..

I can give a publish for packages applying Red Hat's proposed patch.

------- Additional Comments From julien.gilli 2005-02-23 06:24:49 ----

Please, can you tell me if this patch will be applied and published as an official fedora legacy package? Thank you very much for your attention!
------- Additional Comments From marcdeslauriers 2005-03-05 11:25:12 ----

Here are updated openssl packages to QA:

Changelog:
* Sat Mar 05 2005 Marc Deslauriers <marcdeslauriers> 0.9.6b-37.7.legacy
- add security fix for CAN-2004-0975

http://www.infostrategique.com/linuxrpms/legacy/7.3/openssl-0.9.6b-37.7.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/openssl-0.9.6b-37.7.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/openssl-devel-0.9.6b-37.7.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/openssl-perl-0.9.6b-37.7.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/openssl-0.9.7a-20.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/openssl-0.9.7a-20.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/openssl-devel-0.9.7a-20.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/openssl-perl-0.9.7a-20.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/openssl-0.9.7a-33.11.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/openssl-0.9.7a-33.11.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/openssl-devel-0.9.7a-33.11.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/openssl-perl-0.9.7a-33.11.legacy.i386.rpm

------- Additional Comments From pekkas 2005-03-06 08:39:56 ----

The packages look pretty good, but there's one problem.. at least in RHL73 and RHL9, 'mktemp' does not support -t toggle...

------- Additional Comments From marcdeslauriers 2005-03-06 14:44:45 ----

oh, darn. I didn't know that.

So what if we do:

$file=`mktemp /tmp/a$$.DER.XXXXXX` || die $!;

instead of:

$file=`mktemp -t a$$.DER.XXXXXX` || die $!;

for rh73 and rh9? Is that acceptable? Is there any better way?

------- Additional Comments From pekkas 2005-03-06 16:46:00 ----

That seems to be a decent way. Some scripts usually use $TMPDIR, but as that's not defined by default, they'll have to have fallback to set $TMPDIR to /tmp/ if it's not set up properly. But here for simplicity just using /tmp/ should be OK..

------- Additional Comments From marcdeslauriers 2005-03-11 19:36:27 ----

Here are updated openssl packages to QA for rh73 and rh9. The previous fc1 packages are still good.

Changelog:
* Fri Mar 11 2005 Marc Deslauriers <marcdeslauriers> 0.9.6b-38.7.legacy
- Fixed the CAN-2004-0975 patch
* Sat Mar 05 2005 Marc Deslauriers <marcdeslauriers> 0.9.6b-37.7.legacy
- add security fix for CAN-2004-0975

http://www.infostrategique.com/linuxrpms/legacy/7.3/openssl-0.9.6b-38.7.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/openssl-0.9.6b-38.7.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/openssl-devel-0.9.6b-38.7.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/openssl-perl-0.9.6b-38.7.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/openssl-0.9.7a-20.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/openssl-0.9.7a-20.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/openssl-devel-0.9.7a-20.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/openssl-perl-0.9.7a-20.4.legacy.i386.rpm

------- Additional Comments From pekkas 2005-03-13 05:49:43 ----

QA for the openssl RPMs:
- source integrity OK
- patch files are good
- spec file changes look OK

+PUBLISH RHL73,RHL9,FC1

94b12fc9635c74a967ba1db9c3e232f474cae11b openssl-0.9.6b-38.7.legacy.src.rpm
cbd4207538410d37d8cc16d139f96914a102de0e openssl-0.9.7a-20.4.legacy.src.rpm
4998cc098c73e0ef413cb50d170011c7dbf7133a openssl-0.9.7a-33.11.legacy.src.rpm

------- Bug moved to this database by dkl 2005-03-30 18:29 -------

This bug previously known as bug 2257 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2257
Originally filed under the Fedora Legacy product and Package request component.
Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have an account here. Reassigning to the person who moved it here, dkl. Previous reporter was fedora-legacy-bugzilla-2004.
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
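The two points the thread settles above, that 'mktemp -t' is unavailable on RHL 7.3 and RHL 9 and that a $TMPDIR fallback to /tmp is the usual workaround, worked as an added shell example; this is not code from the Fedora Legacy packages or from Red Hat's der_chop patch. The function names and the ls/cut permission check are this example's own; the a<pid>.DER.XXXXXX template is the one quoted in the thread.

```shell
#!/bin/sh
# Added example: portable private temp-file creation for a der_chop-style
# scratch file, without 'mktemp -t', plus a check that what came back is
# safe to write to. Hypothetical helper names, not from the packages.

# Create a uniquely named, owner-only temp file and print its path.
# Template mirrors the patched der_chop: a<pid>.DER.XXXXXX
make_der_tmp() {
    tmpdir="${TMPDIR:-/tmp}"
    # Refuse a TMPDIR that is not a writable directory instead of
    # silently writing somewhere the caller did not choose.
    [ -d "$tmpdir" ] && [ -w "$tmpdir" ] || return 1
    mktemp "$tmpdir/a$$.DER.XXXXXX"
}

# Verify the path is what the caller should trust before writing DER data:
# not a symlink (the classic /tmp race target), a regular file, owned by
# the invoking user, and with no group/other permission bits.
check_der_tmp() {
    f="$1"
    [ ! -L "$f" ] || return 1
    [ -f "$f" ] || return 1
    [ -O "$f" ] || return 1
    # Columns 5-10 of 'ls -ld' are the group and other permission triplets.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || return 1
    return 0
}

# Usage: create, verify, then clean up.
f=$(make_der_tmp) || exit 1
check_der_tmp "$f" || { rm -f "$f"; exit 1; }
rm -f "$f"
```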
+PUBLISH RHL73

cbba16ba78a3528596907c4ab42c99054d12dbdc openssl-0.9.6b-38.7.legacy.i386.rpm
These were pushed to updates-testing
c3c4d1e26f568e9186c5db1753961d7d openssl-0.9.7a-20.4.legacy.i686.rpm
91524f82d759e7308e9cdef073a9822b openssl-devel-0.9.7a-20.4.legacy.i386.rpm

installed OK. apache (https) works fine after restart (my biggest dependency on /lib/libssl.so.0.9.7a). 'openssl x509 -text -in server.crt' correctly reads the details from my (self-signed) https and imaps certificates. I don't seem to have the der_chop script, so I'm not sure how to test that.

+VERIFY RH9
One verify, timeouts in 4 weeks.
Timeout over.
Packages were released to updates.