There are several temporary file creation vulnerabilities:
./pki-core-10.2.0/base/
kra/functional/drmtest.py: certdb_dir = "/tmp/drmtest-certdb"
kra/src/com/netscape/kra/NetkeyKeygenService.java: String oFilePath = "/tmp/wrappedPrivKey.bin";
common/python/pki/profile.py: connection.set_authentication_cert("/tmp/auth.pem")
common/python/pki/cert.py: connection.set_authentication_cert("/tmp/auth.pem")
util/src/netscape/security/extensions/KerberosName.java: FileOutputStream os = new FileOutputStream("/tmp/out.der");
setup/pkicommon.pm: $tmp_dir = "/tmp";
setup/pkicommon.pm: $tmp_dir = "/tmp";
tps-client/lib/perl/PKI/TPS/AdminPanel.pm: my $tmpfile = "/tmp/admin-$$";
tps-client/lib/perl/PKI/TPS/AdminPanel.pm: my $tmp = "/tmp/addAgents-$$.ldif";
tps-client/lib/perl/PKI/TPS/NamePanel.pm: my $filename = "/tmp/random.$$";
tps-client/lib/perl/PKI/TPS/NamePanel.pm: my $tmpfile = "/tmp/req$$";
tps-client/lib/perl/PKI/TPS/NamePanel.pm: my $tmpfile = "/tmp/req$$";
tps-client/lib/perl/PKI/TPS/NamePanel.pm: my $tmpfile = "/tmp/grep$$";
tps-client/lib/perl/PKI/TPS/CAInfoPanel.pm: my $tmpfile = "/tmp/ca-$$";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm: my $tmp = "/tmp/database-$$.ldif";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm: $tmp = "/tmp/addTokens-$$.ldif";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm: $tmp = "/tmp/addIndexes-$$.ldif";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm: $tmp = "/tmp/addVLVIndexes-$$.ldif";
tps-client/lib/perl/PKI/TPS/Config.pm:#$config->load_file("/tmp/CS.cfg");
tps-client/lib/perl/PKI/TPS/Config.pm:#$config->load_file("/tmp/CS.cfg");
tps-client/lib/perl/PKI/TPS/DonePanel.pm: my $tmpfile = "/tmp/donepanel-$$";
tps-client/lib/perl/PKI/TPS/DonePanel.pm: my $tmpfile = "/tmp/donepanel-$$";
tps-client/lib/perl/PKI/TPS/DonePanel.pm: my $tmpfile = "/tmp/donepanel-$$";
tps-client/src/include/main/MemoryMgr.h:#define MEM_AUDIT_FILE "/tmp/mem-audit.log"
tps-client/src/include/main/MemoryMgr.h:#define MEM_DUMP_FILE "/tmp/mem-dump.log"
tps-client/src/engine/RA.cpp: m_cfg->GetConfigAsString(CFG_DEBUG_FILENAME, "/tmp/debug.log"),
tps-client/src/engine/RA.cpp: m_cfg->GetConfigAsString(CFG_ERROR_FILENAME, "/tmp/error.log"),
tps-client/src/engine/RA.cpp: m_cfg->GetConfigAsString(CFG_SELFTEST_FILENAME, "/tmp/selftest.log"),
tps-client/src/engine/RA.cpp: "/tmp/audit.log"),
tps-client/src/engine/RA.cpp: "/tmp/audit.log"),
tps-client/src/tus/tus_db.c: debug_fd = PR_Open("/tmp/debugTUSdb.log",
tps-client/src/modules/tokendb/mod_tokendb.cpp: debug_fd = PR_Open( "/tmp/tus-debug.log",
tps-client/setup/create.pl: $tmpDir = "/tmp";
NOTE: So for Python you want mkstemp and mkdtemp from the tempfile module, for Perl mkstemp() and for C mkstemp() as well.
Reference material for this issue:
Fix for /tmp/file vulnerabilities: 20150227-Fix-for-tmpfile-vulnerabilities.patch
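The difference the NOTE above points at (a predictable "/tmp/<name>-$$" path versus mkstemp), shown as an added example that is not part of this ticket, of the attached patch, or of the Dogtag code. It simulates the classic attack on a predictable temp name: a local attacker pre-creates a symlink at the guessed path, and the privileged program then writes its temp data through the link into whatever file the attacker chose. Everything runs against a throwaway directory standing in for /tmp, as an unprivileged user on any POSIX system; the file and function names are made up for the illustration.

```python
"""Predictable /tmp names versus tempfile.mkstemp (added example, not Dogtag code).

A throwaway directory stands in for /tmp so nothing touches the real one.
"""
import os
import tempfile

ORIGINAL = b"original config\n"          # constructed victim-file contents
PROGRAM_DATA = b"temporary request data\n"  # what the program writes to its temp file


def attacker_plants_symlink(tmp_root: str, predictable_name: str, victim: str) -> str:
    """Any local user who can guess the name (pid-based names are guessable)
    plants a symlink at it before the program runs."""
    link = os.path.join(tmp_root, predictable_name)
    os.symlink(victim, link)
    return link


def naive_write(tmp_root: str, predictable_name: str, data: bytes) -> str:
    """The vulnerable pattern: open("/tmp/<name>", "w") on a predictable path.
    open() uses O_CREAT without O_EXCL and follows symlinks, so the write lands
    in whatever the attacker's link points at."""
    path = os.path.join(tmp_root, predictable_name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def excl_write(tmp_root: str, predictable_name: str, data: bytes) -> bool:
    """Same predictable name, but O_CREAT|O_EXCL: the open fails with EEXIST if
    anything already exists at the path, a symlink included, so the planted
    link is never followed. Returns True only if the file was freshly created."""
    path = os.path.join(tmp_root, predictable_name)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True


def safe_write(tmp_root: str, prefix: str, data: bytes) -> str:
    """The fix the ticket's NOTE recommends: mkstemp picks an unpredictable
    name, creates it with O_CREAT|O_EXCL and mode 0600, and hands back an
    already-open descriptor, so there is no name to guess and no race between
    choosing the name and opening it."""
    fd, path = tempfile.mkstemp(prefix=prefix, dir=tmp_root)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo() -> dict:
    """Run all three writers against a planted symlink and report the outcome."""
    with tempfile.TemporaryDirectory() as root:
        fake_tmp = os.path.join(root, "tmp")
        os.mkdir(fake_tmp)
        victim = os.path.join(root, "victim.cfg")   # stands in for a file the attacker wants clobbered
        with open(victim, "wb") as f:
            f.write(ORIGINAL)

        name = "admin-%d" % os.getpid()             # what a Perl "/tmp/admin-$$" expands to
        attacker_plants_symlink(fake_tmp, name, victim)

        naive_write(fake_tmp, name, PROGRAM_DATA)   # follows the link: victim is overwritten
        with open(victim, "rb") as f:
            victim_after = f.read()

        excl_created = excl_write(fake_tmp, name, PROGRAM_DATA)  # refused: link still there

        safe_path = safe_write(fake_tmp, "admin-", PROGRAM_DATA)
        safe_mode = oct(os.stat(safe_path).st_mode & 0o777)

        return {
            "victim_clobbered": victim_after != ORIGINAL,
            "victim_contents": victim_after,
            "excl_refused": not excl_created,
            "safe_name_unpredictable": os.path.basename(safe_path) != name,
            "safe_mode": safe_mode,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

On a current Linux kernel, fs.protected_symlinks blocks the naive follow in the real, sticky-bit /tmp when the link's owner differs from both the directory owner and the opener, but that is a kernel mitigation rather than a property of the code, and it does not cover the other problems with a guessable name (pre-created regular files with attacker-chosen permissions, denial of service by squatting the name). mkstemp, and its directory counterpart mkdtemp for the "/tmp" directory defaults in pkicommon.pm and create.pl, is the portable fix; in Perl the same call is File::Temp's mkstemp(), and in C it is mkstemp(3).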
On 03/11/15, Ade Lee replied:
NACK. Very few of these changes make any sense.

1. Change in cert.py, profile.py. This is in code that is used to unit test the cert.py code. In order to run the unit test, you have to specify where the auth file is -- you can't do that with your proposed changes. In any case, as this is unit test code, it's hard to see this as a real vulnerability. If you want to remove the /tmp reference, then you should add a parameter for the user to pass in the correct path.

2. The same thing is true in KerberosName.java. It's defining the output file from unit test code. With your changes, we won't know where the output will go.

3. The NetkeyKeygenService.java reference is in debug code that has been commented out. Why is a change needed here?

4. The code change in pkicommon.pm is fine, but this code is no longer used, so do we need to update it?

5. The code in base/tps-client looks like it is no longer needed. Rather than trying to patch it, we should remove it unless there is any reason for it. It looks like the code for the old TPS.

Ade
Based upon comment:4 above, the following email was sent to Kurt Seifried (the originator of the bug from whence this ticket was created):
Kurt,

I have attached the patch to which the NACK below refers.

Additional information regarding 4. and 5. below:

4. 'pkicommon.pm' is still needed by 'pki-setup-proxy', but no calls are made to the offending code. Additionally, the 'pki-setup-proxy' call is currently slated to be rewritten in Python which will result in the deletion of this code: PKI TRAC #1234 - Rewrite 'pki-setup-proxy' in Python

5. Vast portions of the code in 'base/tps-client' refer to the native-code (C/C++/Perl) version of the TPS PKI subsystem which has since been re-written in Java. Unfortunately, we still utilize the native-code based 'tpsclient' test tool which requires some of the legacy native code in order to be built. Once 'tpsclient' is rewritten in Java, all of this code will be removed.

Finally, these changes were to be applied to the upstream Fedora branch (rhbz #1183178) which would later be merged to the code branch for certificate system 9 (rhbz #1183179).

Therefore, based upon these findings, I would like to propose closing the tickets/bugs associated with this as WONTFIX. Please let us know if you are agreeable to this suggestion.

Thanks,
-- Matt
While we await a reply, we have deemed this ticket non-critical to the release of Dogtag 10.2.2 for Fedora 22, and it may end up being moved forward to the Dogtag 10.2.3 milestone if it cannot be closed as WONTFIX.
Per request from nkinder on 03/13/2015: 10.2.3
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1183179 (Red Hat Certificate System)
Per Dogtag 10.2.x TRIAGE meeting of 04/28/2015: 10.3 (not even certain if these are vulnerabilities)
On 05/07/15 23:15, Kurt Seifried wrote:
Sorry lost track of this, in short if all the code is removed/unused we can classify this as NOTABUG and close it up.
Metadata Update from @mharmsen:
- Issue assigned to mharmsen
- Issue set to the milestone: 10.3.0
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1865
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.