Hello Patrick, A minor security bug that makes insecure directories. I have patched the Debian package but you probably want to fix your archive some time.
- Craig ----- Forwarded message from Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> ----- Subject: Bug#286391: lprng_certs: Insecure temporary file handling Date: Mon, 20 Dec 2004 00:40:21 +0100 From: Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham version=3.0.1 Package: lprng Version: 3.8.28-1 Priority:important Tags: security The lprng_certs script does not protect itself from temporary directory attacks since it creates several temporary files in an insecure manner ($$.sslcfg, $$.crt and $$.key, the process PID is not suffient to avoid an attack) and does not check if the temporary files it tries to use already exist before using them. Also, these temporary files are all not removed after the script is finished (only the first one is) and might potentially contain sensitive information. The attached patch is an attempt to fix this behaviour using the mktemp tool, I've tackled this bug by creating a temporary directory where all these files are created. Regards Javier PS: I initially reported this to the security team back in June, but have not found time to follow up on this issue until today. Security team, please check Resent-Message-ID: <[EMAIL PROTECTED]> --- lprng_certs.orig 2004-12-20 00:29:21.000000000 +0100 +++ lprng_certs 2004-12-20 00:33:49.000000000 +0100 @@ -320,7 +320,9 @@ # set default values -CFG=/tmp/$$.sslcfg +TMPDIR=`mktemp -d -t lprng.XXXXXX` || { echo "$0: Cannot create temporary directory!" >&2 ; exit 1; } +trap "/bin/rm -rf ${TMPDIR}" 0 1 2 3 13 15 +CFG=$TMPDIR/sslcfg OPENSSL=/usr/bin/openssl CA_KEY=//etc/lprng/ssl.ca/ca.key @@ -508,14 +510,14 @@ shift if [ "$1" = "" ] ; then usage; fi; if [ ! -f "$1" ] ; then useage; fi; - sed -n -e '/BEGIN.*PRIVATE KEY/,/END.*PRIVATE KEY/p' $1 >/tmp/$$.key - sed -e '/BEGIN.*PRIVATE KEY/,/END.*PRIVATE KEY/d' $1 >/tmp/$$.crt - STEP="" encrypt /tmp/$$.key + sed -n -e '/BEGIN.*PRIVATE KEY/,/END.*PRIVATE KEY/p' $1 >$TMPDIR/key + sed -e '/BEGIN.*PRIVATE KEY/,/END.*PRIVATE KEY/d' $1 >$TMPDIR/crt + STEP="" encrypt $TMPDIR/key status=$? echo STATUS $status if [ $status = 0 ] ; then mv $1 $1.orig - cat /tmp/$$.crt /tmp/$$.key >$1 + cat $TMPDIR/crt $TMPDIR/key >$1 fi ;; @@ -845,5 +847,4 @@ exit 1 ;; esac -rm -f ${CFG} exit $RET ----- End forwarded message ----- -- Craig Small GnuPG:1C1B D893 1418 2AF4 45EE 95CB C76C E5AC 12CA DFA5 Eye-Net Consulting http://www.enc.com.au/ MIEE Debian developer csmall at : enc.com.au ieee.org debian.org ----------------------------------------------------------------------------- YOU MUST BE A LIST MEMBER IN ORDER TO POST TO THE LPRng MAILING LIST The address you post from or your Reply-To address MUST be your subscription address If you need help, send email to [EMAIL PROTECTED] (or lprng-requests or lprng-digest-requests) with the word 'help' in the body. To subscribe to a list with name LIST, send mail to [EMAIL PROTECTED] with: | example: subscribe LIST <mailaddr> | subscribe lprng-digest [EMAIL PROTECTED] unsubscribe LIST <mailaddr> | unsubscribe lprng [EMAIL PROTECTED] If you have major problems, call Patrick Powell or one of the friendly staff at Astart Technologies for help. Astart also does support for LPRng. Also, check the Web Page at: http://www.lprng.com for any announcements. Astart Technologies (LPRng - Print Spooler http://www.lprng.com) 6741 Convoy Court San Diego, CA 92111 858-874-6543 FAX 858-751-2435 -----------------------------------------------------------------------------