It was found that the spec file that generates RSA keys, used for authenticating messages between the server and consumers, as a post-installation step does this in world-readable directories for a brief moment.

Vulnerable code:
https://github.com/pulp/pulp/blob/master/pulp.spec#L473-L486
https://github.com/pulp/pulp/blob/master/pulp.spec#L894-L903
Acknowledgments: Name: Jeremy Cline (Red Hat)
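The defect described above is a window between a key file being created and its permissions being tightened. The usual fix is to make the generating command inherit a restrictive umask, so the private key is owner-only from the instant it exists rather than after a later chmod. The following is an added example written for this page, not code from pulp.spec or the Pulp project; the function names, the 2048-bit size and the file paths are assumptions, and the OpenSSL calls are only used when an `openssl` binary is present.

```sh
#!/bin/sh
# Added example (not from pulp.spec): create private key material so that
# it is never group- or world-readable, even for a brief moment.

# Run any file-producing command under umask 077 inside a subshell, so new
# files are created mode 0600 and the umask change does not leak out.
with_private_umask() {
    ( umask 077; "$@" )
}

# Generate an RSA keypair with the private key restricted from creation.
# $1 = private key path, $2 = public key path (assumed placeholders).
generate_rsa_keys() {
    priv="$1"; pub="$2"
    with_private_umask openssl genrsa -out "$priv" 2048 2>/dev/null || return 1
    with_private_umask openssl rsa -in "$priv" -pubout -out "$pub" 2>/dev/null || return 1
    # The public half may be readable by everyone; the private half stays 0600.
    chmod 0644 "$pub"
}

# Print the octal permission bits of a file (GNU stat; BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if no group or other permission bits are set on the file.
key_is_private() {
    case "$(file_mode "$1")" in
        [0-7]00) return 0 ;;   # e.g. 600 or 400
        *)       return 1 ;;
    esac
}

# Example %post-style usage (paths are placeholders):
#   generate_rsa_keys /etc/example/private.key /etc/example/public.key
#   key_is_private /etc/example/private.key || echo "private key is exposed" >&2
```

The check `key_is_private` is the one to run after packaging: it catches the case the bug report describes, where the key is created under the default umask and only later restricted.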
The Fedora spec file is also vulnerable in this way:
http://pkgs.fedoraproject.org/cgit/rpms/pulp.git/tree/pulp.spec#n317
http://pkgs.fedoraproject.org/cgit/rpms/pulp.git/tree/pulp.spec#n620

Additionally, the Fedora spec file fails to protect the key, but that is reported in a separate issue: https://bugzilla.redhat.com/show_bug.cgi?id=1325693
Created attachment 1146522: Proposed patch
This issue has been addressed in the following products:

Red Hat Satellite 6.2: via RHSA-2016:1501