#1303 CVE-2015-0234 pki-core: pki-core 10.x: multiple /tmp/ file vulnerabilities [fedora-all]
Closed: Invalid. Opened 9 years ago by mharmsen.

There are several temporary file creation vulnerabilities:

./pki-core-10.2.0/base/

kra/functional/drmtest.py:    certdb_dir = "/tmp/drmtest-certdb"
kra/src/com/netscape/kra/NetkeyKeygenService.java:                   String oFilePath = "/tmp/wrappedPrivKey.bin";
common/python/pki/profile.py:    connection.set_authentication_cert("/tmp/auth.pem")
common/python/pki/cert.py:    connection.set_authentication_cert("/tmp/auth.pem")
util/src/netscape/security/extensions/KerberosName.java:            FileOutputStream os = new FileOutputStream("/tmp/out.der");
setup/pkicommon.pm:        $tmp_dir    = "/tmp";
setup/pkicommon.pm:        $tmp_dir    = "/tmp";
tps-client/lib/perl/PKI/TPS/AdminPanel.pm:    my $tmpfile = "/tmp/admin-$$";
tps-client/lib/perl/PKI/TPS/AdminPanel.pm:    my $tmp = "/tmp/addAgents-$$.ldif";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:        my $filename = "/tmp/random.$$";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:            my $tmpfile = "/tmp/req$$";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:            my $tmpfile = "/tmp/req$$";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:                my $tmpfile = "/tmp/grep$$"; 
tps-client/lib/perl/PKI/TPS/CAInfoPanel.pm:    my $tmpfile = "/tmp/ca-$$";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    my $tmp = "/tmp/database-$$.ldif";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    $tmp = "/tmp/addTokens-$$.ldif";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    $tmp = "/tmp/addIndexes-$$.ldif";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    $tmp = "/tmp/addVLVIndexes-$$.ldif";
tps-client/lib/perl/PKI/TPS/Config.pm:#$config->load_file("/tmp/CS.cfg");
tps-client/lib/perl/PKI/TPS/Config.pm:#$config->load_file("/tmp/CS.cfg");
tps-client/lib/perl/PKI/TPS/DonePanel.pm:    my $tmpfile = "/tmp/donepanel-$$";
tps-client/lib/perl/PKI/TPS/DonePanel.pm:    my $tmpfile = "/tmp/donepanel-$$";
tps-client/lib/perl/PKI/TPS/DonePanel.pm:    my $tmpfile = "/tmp/donepanel-$$";
tps-client/src/include/main/MemoryMgr.h:#define MEM_AUDIT_FILE "/tmp/mem-audit.log" 
tps-client/src/include/main/MemoryMgr.h:#define MEM_DUMP_FILE  "/tmp/mem-dump.log"
tps-client/src/engine/RA.cpp:                             m_cfg->GetConfigAsString(CFG_DEBUG_FILENAME, "/tmp/debug.log"),
tps-client/src/engine/RA.cpp:                             m_cfg->GetConfigAsString(CFG_ERROR_FILENAME, "/tmp/error.log"),
tps-client/src/engine/RA.cpp:                             m_cfg->GetConfigAsString(CFG_SELFTEST_FILENAME, "/tmp/selftest.log"),
tps-client/src/engine/RA.cpp:                                      "/tmp/audit.log"),
tps-client/src/engine/RA.cpp:                                  "/tmp/audit.log"),
tps-client/src/tus/tus_db.c:    debug_fd = PR_Open("/tmp/debugTUSdb.log",
tps-client/src/modules/tokendb/mod_tokendb.cpp:    debug_fd = PR_Open( "/tmp/tus-debug.log",
tps-client/setup/create.pl:    $tmpDir = "/tmp";

NOTE: So for Python you want mkstemp and mkdtemp from the tempfile module, for Perl mkstemp() and for C mkstemp() as well.
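As an added illustration of the NOTE above (this is not code from the pki project or from anyone in this ticket): the predictable-name pattern flagged in the listing beside the `tempfile.mkstemp()`/`mkdtemp()` replacements, plus an `O_CREAT|O_EXCL` open for the case where the caller must be allowed to supply the output path (the unit-test objection raised later in the thread). The function names (`predictable_tmp_path`, `write_private_tempfile`, `make_private_tempdir`, `open_exclusive`, `demo`) and the sample payload are assumptions made for this example.

```python
import os
import tempfile


def predictable_tmp_path(prefix: str) -> str:
    """The pattern flagged in the report ("/tmp/admin-$$" in Perl,
    "/tmp/drmtest-certdb" in Python): a fixed directory plus, at best, the
    process id. Any local user can guess the name and create a file or
    symlink there before this process does; a later open by name then
    follows whatever is already at that path."""
    return "/tmp/%s-%d" % (prefix, os.getpid())


def write_private_tempfile(data: bytes, prefix: str = "pki-", dir=None) -> str:
    """mkstemp() opens the file itself with O_CREAT|O_EXCL|O_RDWR and mode
    0600 and returns the open descriptor plus an unguessable name. The data
    goes through that descriptor; the path is never reopened by name, so a
    race on the name cannot redirect the write."""
    fd, path = tempfile.mkstemp(prefix=prefix, dir=dir)
    try:
        with os.fdopen(fd, "wb") as fh:  # fdopen takes ownership of fd and closes it
            fh.write(data)
    except BaseException:
        os.unlink(path)
        raise
    return path


def make_private_tempdir(prefix: str = "pki-certdb-", dir=None) -> str:
    """mkdtemp() creates the directory with mode 0700 and an unguessable
    name, the replacement for a hard-coded certdb_dir = "/tmp/drmtest-certdb"."""
    return tempfile.mkdtemp(prefix=prefix, dir=dir)


def open_exclusive(path: str, mode: int = 0o600) -> int:
    """When a caller really must supply the output path (e.g. a test that
    needs to know where the auth file went): create it with O_CREAT|O_EXCL
    so an existing file or symlink at that name makes the call fail instead
    of being followed or overwritten. Returns the descriptor."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)  # also refuse a symlink outright
    return os.open(path, flags, mode)


def permission_bits(path: str) -> int:
    return os.stat(path).st_mode & 0o777


def demo() -> dict:
    """Exercise the helpers and return the observations a reviewer would
    want to check (modes, round-trip, and that O_EXCL refuses a taken name)."""
    out = {}
    # Constructed sample payload; stands in for the wrapped key bytes the
    # NetkeyKeygenService debug code wrote to /tmp.
    f = write_private_tempfile(b"wrapped key material (constructed sample)")
    out["file_mode"] = permission_bits(f)
    out["file_in_tmpdir"] = os.path.dirname(f) == tempfile.gettempdir()
    with open(f, "rb") as fh:
        out["roundtrip"] = fh.read()
    # A second exclusive open of the same name must fail: the name is taken.
    try:
        os.close(open_exclusive(f))
        out["excl_refused"] = False
    except FileExistsError:
        out["excl_refused"] = True
    os.unlink(f)

    d = make_private_tempdir()
    out["dir_mode"] = permission_bits(d)
    os.rmdir(d)
    return out


if __name__ == "__main__":
    print(demo())
```

The important property is not the random suffix on its own but that `mkstemp()` hands back the already-open descriptor, so the program never re-resolves the name; the same holds for Perl's `File::Temp::mkstemp` and C's `mkstemp(3)`, which the NOTE names.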


On 03/11/15, Ade Lee replied:

NACK.  Very few of these changes make any sense.

1. Change in cert.py, profile.py. This is in code that is used to
unit test the cert.py code. In order to run the unit test, you have to
specify where the auth file is -- you can't do that with your proposed
changes.

In any case, as this is unit test code, it's hard to see this as a real
vulnerability. If you want to remove the /tmp reference, then you
should add a parameter for the user to pass in the correct path.

2. The same thing is true in KerberosName.java. It's defining the output
file from unit test code. With your changes, we won't know where the
output will go.

3. The NetkeyKeygenService.java reference is in debug code that has been
commented out.  Why is a change needed here?

4.  The code change in pkicommon.pm is fine, but this code is no longer
used, so do we need to update it?

5.  The code in base/tps-client looks like it is no longer needed.
Rather than trying to patch it, we should remove it unless there is any
reason for it.  It looks like the code for the old TPS.

Ade

Based upon comment:4 above, the following email was sent to Kurt Seifried (the originator of the bug from whence this ticket was created):

Kurt,

I have attached the patch to which the NACK below refers.

Additional information regarding 4. and 5. below:

4.  'pkicommon.pm' is still needed by 'pki-setup-proxy', but no calls are made to the offending code.
Additionally, the 'pki-setup-proxy' call is currently slated to be rewritten in Python which will
result in the deletion of this code:

    PKI TRAC #1234 - Rewrite 'pki-setup-proxy' in Python

5. Vast portions of the code in 'base/tps-client' refer to the native-code (C/C++/Perl) version of
the TPS PKI subsystem which has since been re-written in Java.  Unfortunately, we still
utilize the native-code based 'tpsclient' test tool which requires some of the legacy native code
in order to be built.  Once 'tpsclient' is rewritten in Java, all of this code will be removed.

Finally, these changes were to be applied to the upstream Fedora branch (rhbz #1183178) which would
later be merged to the code branch for certificate system 9 (rhbz #1183179).

Therefore, based upon these findings, I would like to propose closing the tickets/bugs associated with this as WONTFIX.


Please let us know if you are agreeable to this suggestion.

Thanks,
-- Matt

While we await a reply, we have deemed this ticket non-critical to the release of Dogtag 10.2.2 for Fedora 22, and may end up moving it forward to the Dogtag 10.2.3 milestone if it cannot be closed as WONTFIX.

Per request from nkinder on 03/13/2015: 10.2.3

Per Dogtag 10.2.x TRIAGE meeting of 04/28/2015: 10.3 (not even certain if these are vulnerabilities)

On 05/07/15 23:15, Kurt Seifried wrote:

Sorry, lost track of this; in short, if all the code is removed/unused we
can classify this as NOTABUG and close it up.

Metadata Update from @mharmsen:
- Issue assigned to mharmsen
- Issue set to the milestone: 10.3.0

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1865

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
