The genkey script, as provided in the crypto-utils package, suffers from poor temporary file handling. When executed, it writes to a file called 'list' in the current working directory, without first checking to see if the file exists. If an attacker were able to coerce the root user into running the genkey script from a specific directory containing a symbolic link, the linked file would be overwritten. This flaw only exists in genkey as provided by Red Hat Enterprise Linux 6 and Fedora. Earlier versions of genkey, such as that provided with Red Hat Enterprise Linux 5, do not contain the vulnerable function (nssconfigFound()).
The vulnerable code is here:

    # Check that nss.conf exists
    sub nssconfigFound {
        # if it isn't in its usual place
        if (!$nssconf || !(-f $nssconf)) {
            # do an rpm query
            my $cmd = 'rpm -ql mod_nss';
            my $tmplist = "list";
            system("$cmd > $tmplist");
            $nssconf = `grep nss.conf $tmplist`;
            unlink($tmplist);
        }
        return ($nssconf && (-f $nssconf));
    }
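A hardened counterpart to the function above, added here as an example and not code from crypto-utils or from this bug's patch. It assumes $nssconf is a file-scope variable as in genkey.pl, and shows two defensive options: dropping the scratch file entirely by reading rpm's output through a pipe, and, where a scratch file is genuinely needed, creating it with File::Temp outside the working directory and writing through the returned handle instead of reopening it by name.

```perl
#!/usr/bin/perl
# Added example (not from the crypto-utils package): hardened handling of
# the rpm query that the vulnerable nssconfigFound() wrote to ./list.
use strict;
use warnings;
use File::Temp qw(tempfile);

our $nssconf;   # assumed file-scope variable, as in genkey.pl

# Option 1: no temporary file at all. The list form of open() runs rpm
# without a shell and streams its output back; the grep happens in Perl.
sub nssconfigFound {
    if (!$nssconf || !(-f $nssconf)) {
        open(my $rpm, '-|', 'rpm', '-ql', 'mod_nss') or return 0;
        while (my $line = <$rpm>) {
            chomp $line;
            if ($line =~ m{/nss\.conf$}) { $nssconf = $line; last; }
        }
        close($rpm);
    }
    return ($nssconf && (-f $nssconf));
}

# Option 2: when a scratch file is really required, create it with
# File::Temp in the system temp dir (TMPDIR => 1, never the cwd), mode
# 0600 and O_EXCL, and write through $fh rather than via "cmd > $path",
# so the name is never reopened after creation. UNLINK => 1 removes it
# at exit. Returns the captured lines of the command's output.
sub runToScratch {
    my @cmd = @_;
    my ($fh, $path) = tempfile('genkey.XXXXXX', TMPDIR => 1, UNLINK => 1);
    open(my $out, '-|', @cmd) or return ();
    print {$fh} $_ while <$out>;
    close($out);
    seek($fh, 0, 0);
    my @lines = <$fh>;
    close($fh);
    chomp @lines;
    return @lines;
}

# Example use of option 2 for one of the gawk extractions in genkey.pl:
# my ($dbdir) = runToScratch('/usr/bin/gawk',
#     '/^NSSCertificateDatabase/ { print $2 }', $nssconf);
```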
I think this patch should do it; there are a few more spots where the script runs a command that redirects to an arbitrary file. It would probably be better to have these files in /tmp/ though, I think. --- genkey.pl.orig 2012-09-26 19:40:07.257383383 -0600 +++ genkey.pl 2012-09-26 19:44:45.217577278 -0600 @@ -43,6 +43,7 @@ use Crypt::Makerand; use Newt; use Getopt::Long; +use File::Temp qw/ tempfile /; sub InitRoot { @@ -361,7 +362,7 @@ if (!$nssconf || !(-f $nssconf)) { # do an rpm query my $cmd = 'rpm -ql mod_nss'; - my $tmplist = "list"; + ($fh, $tmplist) = tempfile("list.XXXXXX"); system("$cmd > $tmplist"); $nssconf = `grep nss.conf $tmplist`; unlink($tmplist); @@ -374,7 +375,7 @@ # Extract the value from the mod_nss configuration file. my $cmd ='/usr/bin/gawk \'/^NSSCertificateDatabase/ { print $2 }\'' . " $nssconf"; - my $dbfile = "dbdirectory"; + ($fh, $dbfile) = tempfile("dbdirectory.XXXXXX"); system("$cmd > $dbfile"); open(DIR, "<$dbfile"); my $dbdir = ''; @@ -390,7 +391,7 @@ # Extract the value from the mod_nss configuration file. my $cmd ='/usr/bin/gawk \'/^NSSNickname/ { print $2 }\'' . " $nssconf"; - my $nicknamefile = "nssnickname"; + ($fh, $nicknamefile) = tempfile("nssnickname.XXXXXX"); system("$cmd > $nicknamefile"); open(NICK, "<$nicknamefile"); my $nickname = ''; @@ -404,7 +405,7 @@ # Extract the value from the mod_nss configuration file. my $cmd ='/usr/bin/gawk \'/^NSSDBPrefix/ { print $2 }\'' . " $nssconf"; - my $prefixfile = "dbprefix"; + ($fh, $prefixfile) = tempfile("dbprefix.XXXXXX"); system("$cmd > $prefixfile"); open(PREFIX, "<$prefixfile"); my $prefix = '';
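Review bot: in the first code hunk, `+ ($fh, $tmplist) = tempfile("list.XXXXXX");` replaces `- my $tmplist = "list";` but drops the `my`, so `$fh` and `$tmplist` become undeclared globals; the same happens with `$dbfile`, `$nicknamefile` and `$prefixfile` in the three following hunks. If genkey.pl runs under `use strict` this will not compile. Suggest `my ($fh, $tmplist) = tempfile("list.XXXXXX");` and likewise for the other three.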
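Review bot: every hunk still creates the scratch file in the current working directory, because tempfile() with a bare template and no `DIR`/`TMPDIR` option uses the cwd, and then writes to it by name through `system("$cmd > $tmplist")` (and `> $dbfile`, `> $nicknamefile`, `> $prefixfile`) instead of through the `$fh` that tempfile() returned. The atomic O_EXCL creation only protects the moment of creation; the later open-by-name in the same untrusted directory that the report describes is not covered. Suggest `tempfile("list.XXXXXX", TMPDIR => 1)` so the file lives in the system temp directory, as the comment above already proposes, and writing the command output through `$fh` (or replacing the redirection with a pipe open) so the pathname is never reopened; with `UNLINK => 1` the explicit `unlink($tmplist)` calls can also go.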
I've sent a notice to oss-sec to make others aware of this issue: http://www.openwall.com/lists/oss-security/2012/10/02/3
Created crypto-utils tracking bugs for this issue.

Affects: fedora-all [bug 862430]
Thank you Vincent. I have submitted our proposed fix for review to the fedora tracking [bug 862430]. See attachment 659066 [details].
fast fingers: s/our/your/g
Perfect. Thank you!
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2012-3504