Red Hat Bugzilla – Bug 849256
CVE-2012-3504 crypto-utils: insecure temporary file usage in genkey
Last modified: 2018-01-30 18:25:06 EST
The genkey script, as provided in the crypto-utils package, suffers from poor temporary file handling. When executed, it writes to a file called 'list' in the current working directory, without first checking whether the file exists. If an attacker were able to coerce the root user into running the genkey script from a directory the attacker controls that contains a symbolic link named 'list', the shell redirect would follow the link and the file it points to would be truncated and overwritten with root's privileges. This flaw only exists in genkey as provided by Red Hat Enterprise Linux 6 and Fedora. Earlier versions of genkey, such as that provided with Red Hat Enterprise Linux 5, do not contain the vulnerable function (nssconfigFound()).
The vulnerable code is here (genkey.pl, lines 358-370):

    # Check that nss.conf exists
    sub nssconfigFound {
        # if it isn't in its usual place
        if (!$nssconf || !(-f $nssconf)) {
            # do an rpm query
            my $cmd = 'rpm -ql mod_nss';
            my $tmplist = "list";
            system("$cmd > $tmplist");
            $nssconf = `grep nss.conf $tmplist`;
            unlink($tmplist);
        }
        return ($nssconf && (-f $nssconf));
    }
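As an added example (not genkey's code and not Red Hat's patch), the script below reproduces the redirect-through-symlink primitive described above in a scratch directory against a throwaway file, then runs a hardened lookup that reads the command output through a list-form pipe open and never names a file on disk. It runs as an unprivileged user against its own file; the report's scenario is root, which is what makes the overwrite matter. A `printf` command stands in for `rpm -ql mod_nss` so the demo runs offline, the two paths it prints are constructed, and the function names `find_nssconf_vulnerable`, `find_nssconf_safe`, `plant` and `slurp` are chosen for the example.

```perl
#!/usr/bin/perl
# Added example, not code from genkey: reproduce the cwd symlink clobber and
# contrast it with a lookup that never opens a file by name.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Spec;
use File::Temp qw(tempdir);

# Constructed stand-in for the `rpm -ql mod_nss` listing (assumption for the
# demo; the real script runs rpm).
my @paths = ('/etc/httpd/conf.d/nss.conf',
             '/usr/lib64/httpd/modules/libmodnss.so');

# Vulnerable pattern, as in nssconfigFound(): a fixed relative name, written
# by a shell redirect. The shell opens "list" with O_CREAT|O_TRUNC and, if
# "list" is a symlink, truncates and writes whatever it points to.
sub find_nssconf_vulnerable {
    my $cmd = q{printf '%s\n' } . join(' ', @paths);
    my $tmplist = "list";
    system("$cmd > $tmplist");
    my $nssconf = `grep nss.conf $tmplist`;
    unlink($tmplist);        # removes the link only; the target stays clobbered
    chomp $nssconf;
    return $nssconf;
}

# Hardened pattern: list-form pipe open (no shell, no file on disk), filter in
# Perl. There is no path for an attacker to redirect.
sub find_nssconf_safe {
    open(my $pipe, '-|', 'printf', '%s\n', @paths)
        or die "cannot run listing command: $!";
    my ($nssconf) = grep { /nss\.conf$/ } map { chomp; $_ } <$pipe>;
    close($pipe);
    return defined $nssconf ? $nssconf : '';
}

# Write a known victim file and point "list" in the current directory at it,
# the setup the report attributes to an attacker-controlled directory.
sub plant {
    my ($victim) = @_;
    open(my $v, '>', $victim) or die "$victim: $!";
    print $v "important contents\n";
    close($v);
    unlink('list');
    symlink($victim, 'list') or die "symlink: $!";
}

sub slurp {
    my ($path) = @_;
    open(my $in, '<', $path) or die "$path: $!";
    local $/;
    my $data = <$in>;
    close($in);
    return $data;
}

my $dir    = tempdir(CLEANUP => 1);
my $victim = File::Spec->catfile($dir, 'victim.txt');
my $start  = getcwd();
chdir($dir) or die "chdir $dir: $!";

for my $case (['vulnerable', \&find_nssconf_vulnerable],
              ['safe',       \&find_nssconf_safe]) {
    my ($label, $lookup) = @$case;
    plant($victim);
    my $found  = $lookup->();
    my $intact = slurp($victim) eq "important contents\n" ? 'intact' : 'OVERWRITTEN';
    printf "%-10s found %-28s victim file %s\n", $label, $found, $intact;
}

chdir($start);
```

Both lookups return the same nss.conf path; the difference is that after the vulnerable one the victim file holds the command's listing instead of its original contents, because `>` in the shell opened the link target. The safe version has nothing to redirect: the output never touches the filesystem, and the list-form `open` also keeps the arguments away from a shell.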
Statement: This issue did not affect the version of crypto-utils as shipped with Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this issue as having low security impact. A future update may address this issue in Red Hat Enterprise Linux 6. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
I think this patch should do it; there are a few more spots where the script runs a command that redirects to an arbitrary file. It would probably be better to have these files in /tmp/ though, I think. --- genkey.pl.orig 2012-09-26 19:40:07.257383383 -0600 +++ genkey.pl 2012-09-26 19:44:45.217577278 -0600 @@ -43,6 +43,7 @@ use Crypt::Makerand; use Newt; use Getopt::Long; +use File::Temp qw/ tempfile /; sub InitRoot { @@ -361,7 +362,7 @@ if (!$nssconf || !(-f $nssconf)) { # do an rpm query my $cmd = 'rpm -ql mod_nss'; - my $tmplist = "list"; + ($fh, $tmplist) = tempfile("list.XXXXXX"); system("$cmd > $tmplist"); $nssconf = `grep nss.conf $tmplist`; unlink($tmplist); @@ -374,7 +375,7 @@ # Extract the value from the mod_nss configuration file. my $cmd ='/usr/bin/gawk \'/^NSSCertificateDatabase/ { print $2 }\'' . " $nssconf"; - my $dbfile = "dbdirectory"; + ($fh, $dbfile) = tempfile("dbdirectory.XXXXXX"); system("$cmd > $dbfile"); open(DIR, "<$dbfile"); my $dbdir = ''; @@ -390,7 +391,7 @@ # Extract the value from the mod_nss configuration file. my $cmd ='/usr/bin/gawk \'/^NSSNickname/ { print $2 }\'' . " $nssconf"; - my $nicknamefile = "nssnickname"; + ($fh, $nicknamefile) = tempfile("nssnickname.XXXXXX"); system("$cmd > $nicknamefile"); open(NICK, "<$nicknamefile"); my $nickname = ''; @@ -404,7 +405,7 @@ # Extract the value from the mod_nss configuration file. my $cmd ='/usr/bin/gawk \'/^NSSDBPrefix/ { print $2 }\'' . " $nssconf"; - my $prefixfile = "dbprefix"; + ($fh, $prefixfile) = tempfile("dbprefix.XXXXXX"); system("$cmd > $prefixfile"); open(PREFIX, "<$prefixfile"); my $prefix = '';
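Review bot: in the `@@ -361,7 +362,7 @@` hunk, `($fh, $tmplist) = tempfile("list.XXXXXX")` still leaves the symlink race open, because the file is reopened by name afterwards: `system("$cmd > $tmplist")` hands the path to a shell whose `>` follows a symlink, and since the attacker owns the working directory (the template is given without `DIR` or `TMPDIR`, so the file is still created in cwd) they can rename the fresh file away and plant a link under that name between `tempfile` and the redirect. The `$fh` handle that `tempfile` returns is the only safe way to write to that file; better still, drop the file and read the command through a pipe, e.g. `open(my $rpm, '-|', 'rpm', '-ql', 'mod_nss')` and `grep { /nss\.conf/ } <$rpm>`. Separately, the replaced line carried `my`, so `$fh` and `$tmplist` are now undeclared package globals, which fails under `use strict`.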
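Review bot: the three hunks at `@@ -374`, `@@ -390` and `@@ -404` repeat the same shape and share the same gap: `$fh` is reassigned on each call and never closed, so every call leaks a descriptor and the handle is never used, while `system("$cmd > $dbfile")` and `open(DIR, "<$dbfile")` still go by path through the shell. Since each temp file exists only to carry gawk's single output line, a list-form pipe open such as `open(my $awk, '-|', '/usr/bin/gawk', '/^NSSCertificateDatabase/ { print $2 }', $nssconf)` removes the file entirely and also stops `$nssconf` being interpolated unquoted into a shell command line.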
I've sent a notice to oss-sec to make others aware of this issue: http://www.openwall.com/lists/oss-security/2012/10/02/3
Created crypto-utils tracking bugs for this issue

Affects: fedora-all [bug 862430]
Thank you Vincent. I have submitted our proposed fix for review to the fedora tracking [bug 862430]. See attachment 659066.
fast fingers: s/our/your/g
Perfect. Thank you!