This repository has been archived by the owner on Dec 7, 2022. It is now read-only.
Safely create tmp dir for the Nodes certificate (CVE-2016-3108). #2528
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Security researcher Sander Bos contacted the Pulp team to notify us that the pulp-gen-nodes-certificate script suffers from the same exploit as was found in CVE-2016-3095, namely that the $TMP directory that contains the Nodes private key was created in an unsafe manner. This commit contains his proposed patch, using mktemp -d to safely create the directory. Additionally, I added a set -e so that the script would exit upon error. Thanks to Sander Bos for taking the time to carefully inspect the Pulp codebase and for writing a wonderfully detailed report describing the issue and the fix for it. Credit also goes to Jeremy Cline (Red Hat) for independently reporting this issue. https://pulp.plan.io/issues/1830 fixes pulp#1830
|
Moved to #2533 so it would be against the 2.8-dev branch. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Security researcher Sander Bos contacted the Pulp team to notify us
that the pulp-gen-nodes-certificate script suffers from the same
exploit as was found in CVE-2016-3095, namely that the $TMP
directory that contains the Nodes private key was created in an
unsafe manner. This commit contains his proposed patch, using
mktemp -d to safely create the directory.
Additionally, I added a set -e so that the script would exit upon
error.
Thanks to Sander Bos for taking the time to carefully inspect the
Pulp codebase and for writing a wonderfully detailed report
describing the issue and the fix for it.
Credit also goes to Jeremy Cline (Red Hat) for independently
reporting this issue.
https://pulp.plan.io/issues/1830
fixes #1830