Bug 581022 - fetch-crl script is occasionally leaving behind {hash}.r0.XXXXXX.r0 files.
Summary: fetch-crl script is occasionally leaving behind {hash}.r0.XXXXXX.r0 files.
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: fetch-crl
Version: el5
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Steve Traylen
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-04-09 19:39 UTC by Jason Smith
Modified: 2010-05-12 12:21 UTC (History)
Last Closed: 2010-05-11 19:39:05 UTC


Attachments
Patch to fix the template for mktemp call. (723 bytes, patch)
2010-04-20 15:33 UTC, Jason Smith

Description Jason Smith 2010-04-09 19:39:24 UTC
Description of problem:
The script sometimes leaves behind files like {hash}.r0.XXXXXX.r0, sometimes with valid contents but occasionally empty.

Version-Release number of selected component (if applicable):
fetch-crl-2.8.4-1.el5.noarch

How reproducible:
Occasionally.

Steps to Reproduce:
/usr/sbin/fetch-crl -l /path/osg/certificates -o /path/osg/certificates -f user -r 30 -a 24 -v
  
Actual results:
Sometimes see: /path/osg/certificates/{hash}.r0.XXXXXX.r0 files.  If the files are empty, this can result in warnings like this from commands like srmping:

CRL /path/osg/certificates/{hash}.r0.XXXXXX.r0 failed to load.
java.security.GeneralSecurityException: CRL data not found.

Expected results:
Should never leave behind temp/save files like this.

Comment 1 Steve Traylen 2010-04-11 18:26:48 UTC
Hi Jason,
I'm away all this week, will look after that.
Steve.

Comment 2 Jason Smith 2010-04-20 15:33:05 UTC
Created attachment 407851 [details]
Patch to fix the template for mktemp call.

Hi Steve,

I think I found the problem, or at least part of it.  It seems that the mktemp command requires that the XXXXXX template be at the end of the dir/file name; if it is not, no random character substitution is made and the filename ending with XXXXXX.r0 is returned as is.  Simply removing the .r0 at the end should fix this problem, and will probably also fix the Java GSI warnings or errors, since it seems to be trying to read any *.r0 file that is present.  See attached patch.

~Jason

Comment 3 Steve Traylen 2010-04-20 18:43:07 UTC
Hi Jason,
Interesting, with F13.

$ rpm -qf /bin/mktemp
coreutils-7.6-9.fc12.x86_64

You get.

$ mktemp /tmp/abcd.XXX.r0
mktemp: too few X's in template `/tmp/abcd.XXX.r0'

and a failure, whereas on centos4

$ rpm -qf /bin/mktemp 
mktemp-1.5-20

As you say it creates a /tmp/abcd.XXX.r0 file which is kind of bad or
rather does not protect the poor user very well.

This should go through quickly as it's obviously a predictable file name
with the old mktemp behaviour.

Thanks ever so much for the patch.

Steve.

Comment 4 Fedora Update System 2010-04-20 19:14:34 UTC
fetch-crl-2.8.4-2.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.el4

Comment 5 Fedora Update System 2010-04-20 19:15:02 UTC
fetch-crl-2.8.4-2.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.el5

Comment 6 Fedora Update System 2010-04-20 19:15:28 UTC
fetch-crl-2.8.4-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.fc11

Comment 7 Fedora Update System 2010-04-20 19:15:55 UTC
fetch-crl-2.8.4-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.fc12

Comment 8 Fedora Update System 2010-04-20 19:16:22 UTC
fetch-crl-2.8.4-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.fc13

Comment 9 Tomas Hoger 2010-04-21 06:51:43 UTC
Steve, I've noticed updates in bodhi for this, but I'm not quite convinced this is a security flaw.

On all current Fedora versions, mktemp fails rather than creating a file with a predictable name.  The script does not check the mktemp exit status, but the problem should be detected by the following ValidateCRLHashFile.

On EL4/EL5, mktemp does create a file with a predictable name, but it does not overwrite any existing file, so there's no possibility of a symlink attack (try e.g. ln -s /etc/passwd foo.XXXXXXXX.r0 ; mktemp $PWD/foo.XXXXXXXX.r0).

Additionally, that temporary file is created in the $outputDirectory.  It seems that it's not intended to use /tmp or another world-writable directory as $outputDirectory for normal use.

Please let me know if I'm missing some other reason to call those updates security.  Thank you!
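
As an added example, not fetch-crl's own code, the following POSIX sh helper shows the pattern Comment 3 and Comment 9 together point at: a template that ends in XXXXXX, an explicit check of mktemp's exit status and of the name it hands back, and no empty *.r0 left in the output directory. The directory, hash and function names are assumptions.

```shell
#!/bin/sh
# Added example, not fetch-crl's own code. Assumes a coreutils-style mktemp;
# the output directory, hash and function names are placeholders.

# Write CRL data read from stdin to "$outdir/$hash.r0" through a temp file.
# The template ends in XXXXXX so every mktemp variant substitutes it, and the
# exit status and returned name are both checked so a failing or old mktemp
# can never hand back a predictable file name. Prints the final path.
install_crl() {
    outdir=$1
    hash=$2
    tmp=$(mktemp "$outdir/$hash.r0.XXXXXX") || {
        echo "mktemp failed in $outdir" >&2
        return 1
    }
    # Old mktemp (EL4/EL5) returns a template with a trailing suffix
    # unchanged; with the suffix gone this cannot happen, but verify anyway.
    case $tmp in
        *XXXXXX)
            echo "mktemp returned unsubstituted template: $tmp" >&2
            rm -f "$tmp"
            return 1 ;;
    esac
    if ! cat > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # Never install an empty CRL: that is what produced the
    # "CRL data not found" warnings from srmping.
    if [ ! -s "$tmp" ]; then
        echo "empty CRL data for $hash" >&2
        rm -f "$tmp"
        return 1
    fi
    # mktemp creates the file mode 0600; the CRL must be readable by the
    # services that consume it, so widen it before the atomic rename.
    chmod 0644 "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$outdir/$hash.r0" && printf '%s\n' "$outdir/$hash.r0"
}

# Count leftovers in an output directory: any name with ".r0." in the
# middle is a temp file (old "*.r0.XXXXXX.r0" or new "*.r0.abc123").
stray_tempfiles() {
    n=0
    for f in "$1"/*.r0.*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}
```

Running `stray_tempfiles` against the CRL directory after each cron run is a cheap check that the fix holds on a given mktemp version.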

Comment 10 Steve Traylen 2010-04-21 07:03:25 UTC
Hi Tomas,
All points accepted, will alter to a normal update, thanks for reviewing.
It was on EL4/5 that I thought there could be a problem if someone
was setting a non-standard $outputDirectory.
Steve.

Comment 11 Tomas Hoger 2010-04-21 09:48:40 UTC
Thank you, Steve!

Comment 12 Fedora Update System 2010-04-21 21:55:44 UTC
fetch-crl-2.8.4-2.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update fetch-crl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.fc13

Comment 13 Fedora Update System 2010-04-21 22:02:24 UTC
fetch-crl-2.8.4-2.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update fetch-crl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.fc11

Comment 14 Fedora Update System 2010-04-21 22:02:44 UTC
fetch-crl-2.8.4-2.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update fetch-crl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.fc12

Comment 15 Fedora Update System 2010-04-26 23:24:50 UTC
fetch-crl-2.8.4-2.el4 has been pushed to the Fedora EPEL 4 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update fetch-crl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.el4

Comment 16 Fedora Update System 2010-04-26 23:28:14 UTC
fetch-crl-2.8.4-2.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update fetch-crl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.el5

Comment 17 Fedora Update System 2010-05-07 17:24:36 UTC
fetch-crl-2.8.4-2.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update fetch-crl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.fc11

Comment 18 Fedora Update System 2010-05-07 17:24:45 UTC
fetch-crl-2.8.4-2.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update fetch-crl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.fc12

Comment 19 Fedora Update System 2010-05-08 16:11:34 UTC
fetch-crl-2.8.4-2.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update fetch-crl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.fc13

Comment 20 Fedora Update System 2010-05-10 20:17:13 UTC
fetch-crl-2.8.4-2.el4 has been pushed to the Fedora EPEL 4 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update fetch-crl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.el4

Comment 21 Fedora Update System 2010-05-10 20:17:38 UTC
fetch-crl-2.8.4-2.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update fetch-crl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/fetch-crl-2.8.4-2.el5

Comment 22 Fedora Update System 2010-05-11 19:39:01 UTC
fetch-crl-2.8.4-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2010-05-11 19:47:30 UTC
fetch-crl-2.8.4-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2010-05-12 01:51:14 UTC
fetch-crl-2.8.4-2.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2010-05-12 01:51:27 UTC
fetch-crl-2.8.4-2.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2010-05-12 12:21:47 UTC
fetch-crl-2.8.4-2.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.