Source: opencryptoki
Version: 3.23.0+dfsg-0.3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for opencryptoki.

CVE-2026-23893[0]:
| openCryptoki is a PKCS#11 library and provides tooling for Linux and
| AIX. Versions 2.3.2 and above are vulnerable to symlink-following
| when running in privileged contexts. A token-group user can redirect
| file operations to arbitrary filesystem targets by planting symlinks
| in group-writable token directories, resulting in privilege
| escalation or data exposure. Token and lock directories are 0770
| (group-writable for token users), so any token-group member can
| plant files and symlinks inside them. When run as root, the base
| code handling token directory file access, as well as several
| openCryptoki tools used for administrative purposes, may reset
| ownership or permissions on existing files inside the token
| directories. An attacker with token-group membership can exploit the
| system when an administrator runs a PKCS#11 application or
| administrative tool that performs chown on files inside the token
| directory during normal maintenance. This issue is fixed in commit
| 5e6e4b4, but has not been included in a released version at the time
| of publication.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-23893
    https://www.cve.org/CVERecord?id=CVE-2026-23893
[1] https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-j6c7-mvpx-jx5q
[2] https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
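The advisory quoted above describes the bug class: a privileged tool calls chown()/chmod() on a path inside a 0770 token directory, those calls resolve symlinks, and a token-group member who planted a link redirects the operation to a file of their choosing. The following C program is an added illustration of that pattern and of one hardened replacement; it is not opencryptoki code and does not reproduce the fix in commit 5e6e4b4. It uses chmod() rather than chown() so that it runs as an unprivileged user, builds a throwaway directory layout under /tmp with made-up names (tokdir, token.dat, outside_secret), and has one uid play both attacker and administrator. The ELOOP check is Linux behaviour for O_NOFOLLOW.

```c
/* Added example (not opencryptoki code): chmod()/chown() on a path inside a
 * group-writable directory follows symlinks; the hardened variant opens the
 * entry with O_NOFOLLOW and operates on the descriptor. Linux-specific. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: chmod() (like chown()) resolves symlinks, so when
 * `path` is an attacker-planted link the change lands on the link target. */
static int reset_mode_unsafe(const char *path, mode_t mode)
{
    return chmod(path, mode);
}

/* Hardened pattern: open the directory entry relative to a directory fd with
 * O_NOFOLLOW (a symlink makes openat() fail with ELOOP on Linux), confirm via
 * fstat() that it is a regular file, then fchmod() the descriptor. fchown()
 * on the same fd is the analogous replacement for ownership resets. */
static int reset_mode_safe(int dirfd, const char *name, mode_t mode)
{
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;                          /* errno == ELOOP for a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;                     /* FIFO, device, socket: refuse */
        return -1;
    }
    int rc = fchmod(fd, mode);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

struct demo_result {
    int unsafe_changed_target;  /* 1: chmod through the link hit the outside file */
    int safe_rc;                /* -1 expected: hardened call refused */
    int safe_errno;             /* ELOOP expected */
    int safe_changed_target;    /* 0 expected: outside file untouched */
};

/* Constructed scenario in a temporary directory: a 0770 "token" directory,
 * a 0600 victim file outside it, and a planted symlink. One uid plays both
 * attacker and administrator. Returns 0 on success, -1 on setup failure. */
static int run_demo(struct demo_result *r)
{
    char base[] = "/tmp/tokdemo.XXXXXX";
    if (!mkdtemp(base))
        return -1;
    char tokdir[PATH_MAX], target[PATH_MAX], planted[PATH_MAX];
    snprintf(tokdir, sizeof tokdir, "%s/tokdir", base);
    snprintf(target, sizeof target, "%s/outside_secret", base);
    snprintf(planted, sizeof planted, "%s/token.dat", tokdir);
    if (mkdir(tokdir, 0770) < 0)
        return -1;
    int tfd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (tfd < 0)
        return -1;
    close(tfd);
    if (symlink(target, planted) < 0)      /* attacker plants the link */
        return -1;

    struct stat st;
    memset(r, 0, sizeof *r);
    /* admin tool "repairs" token.dat permissions: follows the link */
    reset_mode_unsafe(planted, 0664);
    if (stat(target, &st) == 0)
        r->unsafe_changed_target = (st.st_mode & 07777) == 0664;

    chmod(target, 0600);                   /* reset, then hardened variant */
    int dfd = open(tokdir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    r->safe_rc = reset_mode_safe(dfd, "token.dat", 0664);
    r->safe_errno = errno;
    close(dfd);
    if (stat(target, &st) == 0)
        r->safe_changed_target = (st.st_mode & 07777) == 0664;

    unlink(planted); unlink(target); rmdir(tokdir); rmdir(base);
    return 0;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r) != 0) { perror("setup"); return 1; }
    printf("chmod via symlink changed outside file: %d\n", r.unsafe_changed_target);
    printf("hardened: rc=%d errno=%s, outside file changed: %d\n",
           r.safe_rc, strerror(r.safe_errno), r.safe_changed_target);
    return 0;
}
```

Note that the kernel's fs.protected_symlinks sysctl does not help here: it only restricts link following in world-writable sticky directories such as /tmp, not in a 0770 group-writable directory owned by root. Refusing symlinks is also only part of a fix; a tool that creates files should use O_EXCL, and a tool that must accept pre-existing regular files should verify ownership via fstat() before changing anything.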

