OpenSSL library reads certain settings from environment variables. Certain settings, such as OPENSSL_CONF containing path to an openssl.cnf configuration file, are read even when OpenSSL library is used in an application running with elevated privileges (setuid or setgid application, application with file system capabilities). This may allow local attacker to escalate their privileges.
Some getenv() call already protected by calls to OPENSSL_issetugid() and not read in setuid or setgid applications, but it's implementation does not take into an account file system capabilities.
Following upstream ticket contains a proposed patch with several improvements:
This is public via:
openssl-1.0.1e-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2013:0587 https://rhn.redhat.com/errata/RHSA-2013-0587.html
openssl-1.0.0k-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 716927 [details]
Portability patch for __secure_getenv()
This patch which needs to be applied in addition to the ...-secure-getenv.patch adds implementation of __secure_getenv() on non-linux platforms.
The portability patch for __secure_getenv() works as expected on non-linux platforms.