Add check of result chmod() in RAND_file_name(...) #25143

nv-dmd · 2024-08-08T15:13:10Z

OpenSSL 3.0.14

In the function RAND_file_name(), chmod(file, 0600) is executed on line 249.
But the result of the chmod(...) function execution is not checked.
Maybe it is worth checking the result, because chmod(...) should restrict permissions and its successful execution seems important?

paulidale · 2024-08-08T21:41:37Z

Yes, it is import but only if you are running VMS. On Unix like systems, the file is created with mode 0600 on line 210 making this redundant.

This chmod should be conditioned as VMS only and the return value should be checked.
It's also a race condition waiting to happen.

Fortunately, OpenSSL doesn't attribute any entropy to rand-files, so this isn't going to compromise the RAND subsystem.

nv-dmd added the issue: bug report The issue was opened to report a bug label Aug 8, 2024

paulidale added triaged: bug The issue/pr is/fixes a bug and removed issue: bug report The issue was opened to report a bug labels Aug 8, 2024

paulidale assigned levitte Aug 8, 2024

t8m added the help wanted label Sep 6, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add check of result chmod() in RAND_file_name(...) #25143

Add check of result chmod() in RAND_file_name(...) #25143

nv-dmd commented Aug 8, 2024

paulidale commented Aug 8, 2024 •

edited

Loading

Add check of result chmod() in RAND_file_name(...) #25143

Add check of result chmod() in RAND_file_name(...) #25143

Comments

nv-dmd commented Aug 8, 2024

paulidale commented Aug 8, 2024 • edited Loading

paulidale commented Aug 8, 2024 •

edited

Loading