CVE-2015-0234 pki-core: pki-core 10.x: multiple /tmp/ file vulnerabilities [fedora-all] #1865

Closed
pki-bot opened this issue Oct 3, 2020 · 10 comments

pki-bot commented Oct 3, 2020

This issue was migrated from Pagure Issue #1303. Originally filed by mharmsen (@mharmsen) on 2015-03-10 01:32:02:


There are several temporary file creation vulnerabilities:

./pki-core-10.2.0/base/

kra/functional/drmtest.py:    certdb_dir = "/tmp/drmtest-certdb"
kra/src/com/netscape/kra/NetkeyKeygenService.java:                   String oFilePath = "/tmp/wrappedPrivKey.bin";
common/python/pki/profile.py:    connection.set_authentication_cert("/tmp/auth.pem")
common/python/pki/cert.py:    connection.set_authentication_cert("/tmp/auth.pem")
util/src/netscape/security/extensions/KerberosName.java:            FileOutputStream os = new FileOutputStream("/tmp/out.der");
setup/pkicommon.pm:        $tmp_dir    = "/tmp";
setup/pkicommon.pm:        $tmp_dir    = "/tmp";
tps-client/lib/perl/PKI/TPS/AdminPanel.pm:    my $tmpfile = "/tmp/admin-$$";
tps-client/lib/perl/PKI/TPS/AdminPanel.pm:    my $tmp = "/tmp/addAgents-$$.ldif";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:        my $filename = "/tmp/random.$$";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:            my $tmpfile = "/tmp/req$$";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:            my $tmpfile = "/tmp/req$$";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:                my $tmpfile = "/tmp/grep$$"; 
tps-client/lib/perl/PKI/TPS/CAInfoPanel.pm:    my $tmpfile = "/tmp/ca-$$";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    my $tmp = "/tmp/database-$$.ldif";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    $tmp = "/tmp/addTokens-$$.ldif";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    $tmp = "/tmp/addIndexes-$$.ldif";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    $tmp = "/tmp/addVLVIndexes-$$.ldif";
tps-client/lib/perl/PKI/TPS/Config.pm:#$config->load_file("/tmp/CS.cfg");
tps-client/lib/perl/PKI/TPS/Config.pm:#$config->load_file("/tmp/CS.cfg");
tps-client/lib/perl/PKI/TPS/DonePanel.pm:    my $tmpfile = "/tmp/donepanel-$$";
tps-client/lib/perl/PKI/TPS/DonePanel.pm:    my $tmpfile = "/tmp/donepanel-$$";
tps-client/lib/perl/PKI/TPS/DonePanel.pm:    my $tmpfile = "/tmp/donepanel-$$";
tps-client/src/include/main/MemoryMgr.h:#define MEM_AUDIT_FILE "/tmp/mem-audit.log" 
tps-client/src/include/main/MemoryMgr.h:#define MEM_DUMP_FILE  "/tmp/mem-dump.log"
tps-client/src/engine/RA.cpp:                             m_cfg->GetConfigAsString(CFG_DEBUG_FILENAME, "/tmp/debug.log"),
tps-client/src/engine/RA.cpp:                             m_cfg->GetConfigAsString(CFG_ERROR_FILENAME, "/tmp/error.log"),
tps-client/src/engine/RA.cpp:                             m_cfg->GetConfigAsString(CFG_SELFTEST_FILENAME, "/tmp/selftest.log"),
tps-client/src/engine/RA.cpp:                                      "/tmp/audit.log"),
tps-client/src/engine/RA.cpp:                                  "/tmp/audit.log"),
tps-client/src/tus/tus_db.c:    debug_fd = PR_Open("/tmp/debugTUSdb.log",
tps-client/src/modules/tokendb/mod_tokendb.cpp:    debug_fd = PR_Open( "/tmp/tus-debug.log",
tps-client/setup/create.pl:    $tmpDir = "/tmp";

NOTE: So for Python you want mkstemp and mkdtemp from the tempfile module, for Perl mkstemp() and for C mkstemp() as well.

@pki-bot pki-bot added this to the 10.3.0 milestone Oct 3, 2020
@pki-bot pki-bot closed this as completed Oct 3, 2020
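
The note in the report recommends `mkstemp` and `mkdtemp`. The following is an added example (not part of the original issue or of the pki-core code base) that contrasts the fixed-name pattern from the listing with those calls, run entirely inside a private sandbox directory standing in for `/tmp`. All function and file names in it are illustrative assumptions.

```python
import os
import shutil
import tempfile

def naive_write(path, data):
    # Pattern from the listing: fixed name; plain open() follows an existing symlink.
    with open(path, "wb") as fh:
        fh.write(data)

def exclusive_write(path, data):
    # Caller-chosen name, but O_EXCL refuses any pre-existing entry, symlinks included.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)

def private_tempfile(data, directory=None):
    # mkstemp: unpredictable name, created with O_EXCL and mode 0600.
    fd, path = tempfile.mkstemp(prefix="wrapped-", suffix=".bin", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def private_workdir(directory=None):
    # mkdtemp: replaces a fixed directory such as /tmp/drmtest-certdb; mode 0700.
    return tempfile.mkdtemp(prefix="certdb-", dir=directory)

def demo():
    sandbox = tempfile.mkdtemp(prefix="tmpfile-demo-")  # private stand-in for /tmp
    try:
        target = os.path.join(sandbox, "unrelated.cfg")
        exclusive_write(target, b"original")
        fixed = os.path.join(sandbox, "out.der")
        os.symlink(target, fixed)  # constructed: the fixed name already exists as a link
        naive_write(fixed, b"DER")
        with open(target, "rb") as fh:
            clobbered = fh.read() == b"DER"
        try:
            exclusive_write(fixed, b"DER")
            refused = False
        except FileExistsError:
            refused = True
        paths = (private_tempfile(b"DER", sandbox), private_workdir(sandbox))
        modes = [os.stat(p).st_mode & 0o777 for p in paths]
        return {"naive_overwrote_target": clobbered, "exclusive_refused": refused,
                "file_mode": modes[0], "dir_mode": modes[1]}
    finally:
        shutil.rmtree(sandbox)

if __name__ == "__main__":
    print(demo())
```

Where a test needs a caller-supplied location, as the review reply below suggests for the unit-test code, `exclusive_write` keeps the chosen name while still refusing a path that already exists.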

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2015-03-11 20:20:19

Reference material for this issue:


pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2015-03-13 18:42:48

Fix for /tmp/file vulnerabilities
20150227-Fix-for-tmpfile-vulnerabilities.patch


pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2015-03-13 18:45:46

On 03/11/15, Ade Lee replied:

NACK.  Very few of these changes make any sense.

1. change in cert.py, profile.py.  This is in code that is used to
unit test the cert.py code.  In order to run the unit test, you have to
specify where the auth file is -- you can't do that with your proposed
changes.

In any case, as this is unit test code, it's hard to see this as a real
vulnerability.  If you want to remove the /tmp reference, then you
should add a parameter for the user to pass in the correct path.

2. The same thing is true in KerberosName.java.  It's defining the output
file from unit test code.  With your changes, we won't know where the
output will go.

3. The NetkeyKeygenService.java reference is in debug code that has been
commented out.  Why is a change needed here?

4.  The code change in pkicommon.pm is fine, but this code is no longer
used, so do we need to update it?

5.  The code in base/tps-client looks like it is no longer needed.
Rather than trying to patch it, we should remove it unless there is any
reason for it.  It looks like the code for the old TPS.

Ade


pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2015-03-13 18:56:13

Based upon comment:4 above, the following email was sent to Kurt Seifried (the originator of the bug from whence this ticket was created):

Kurt,

I have attached the patch to which the NACK below refers.

Additional information regarding 4. and 5. below:

4.  'pkicommon.pm' is still needed by 'pki-setup-proxy', but no calls are made to the offending code.
Additionally, the 'pki-setup-proxy' call is currently slated to be rewritten in Python which will
result in the deletion of this code:

    PKI TRAC 1234 - Rewrite 'pki-setup-proxy' in Python

5. Vast portions of the code in 'base/tps-client' refer to the native-code (C/C++/Perl) version of
the TPS PKI subsystem which has since been re-written in Java.  Unfortunately, we still
utilize the native-code based 'tpsclient' test tool which requires some of the legacy native code
in order to be built.  Once 'tpsclient' is rewritten in Java, all of this code will be removed.

Finally, these changes were to be applied to the upstream Fedora branch (rhbz 1183178) which would
later be merged to the code branch for certificate system 9 (rhbz 1183179).

Therefore, based upon these findings, I would like to propose closing the tickets/bugs associated with this as WONTFIX.


Please let us know if you are agreeable to this suggestion.

Thanks,
-- Matt

As we wait to hear back, we have deemed this ticket non-critical to the release of Dogtag 10.2.2 for Fedora 22, and may end up moving it forward to the Dogtag 10.2.3 milestone if it cannot be closed as WONTFIX.


pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2015-03-13 19:19:53

Per request from nkinder on 03/13/2015: 10.2.3


pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2015-03-20 01:08:55

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1183179 (Red Hat Certificate System)


pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2015-03-20 01:09:30

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1183179 (Red Hat Certificate System)


pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2015-04-28 20:42:32

Per Dogtag 10.2.x TRIAGE meeting of 04/28/2015: 10.3 (not even certain if these are vulnerabilities)


pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2015-05-09 03:02:37

On 05/07/15 23:15, Kurt Seifried wrote:

Sorry lost track of this, in short if all the code is removed/unused we
can classify this as NOTABUG and close it up.


pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2017-02-27 13:58:46

Metadata Update from @mharmsen:

  • Issue assigned to mharmsen
  • Issue set to the milestone: 10.3.0
