Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
CVE-2016-3107 & CVE-2016-3108: Safely generate Nodes certificate.
This commit fixes two CVEs. CVE-2016-3107 ============= Install Node certificate with 640, apache owned (CVE-2016-3107). Prior to this commit, the Node certificate had been installed world-readable: $ ls -lah /etc/pki/pulp/nodes/ total 4.0K drwxr-xr-x. 2 root root 21 Apr 8 16:37 . drwxr-xr-x. 4 root root 90 Apr 8 16:37 .. -rw-r--r--. 1 root root 3.2K Apr 8 16:37 node.crt This commit adjusts the generation script to limit the permissions to 0640, and to adjust the group ownership to the apache group. Credit also goes to Jeremy Cline (Red Hat) for independently discovering and reporting this issue. https://pulp.plan.io/issues/1833 fixes #1833 CVE-2016-3108 ============= Safely create tmp dir for the Nodes certificate (CVE-2016-3108). Security researcher Sander Bos contacted the Pulp team to notify us that the pulp-gen-nodes-certificate script suffers from the same exploit as was found in CVE-2016-3095, namely that the $TMP directory that contains the Nodes private key was created in an unsafe manner. This commit contains his proposed fix to use mktemp -d to safely create the directory. Additionally, I added a set -e so that the script would exit upon error. Thanks to Sander Bos for taking the time to carefully inspect the Pulp codebase and for writing a wonderfully detailed report describing the issue and the fix for it. Credit also goes to Jeremy Cline (Red Hat) for independently reporting this issue. https://pulp.plan.io/issues/1830 fixes #1830
- Loading branch information