Hello Patrick,
A minor security bug that makes insecure directories. I have patched
the Debian package but you probably want to fix your archive some time.
- Craig
----- Forwarded message from Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
-----
Subject: Bug#286391: lprng_certs: Insecure temporary file handling
Date: Mon, 20 Dec 2004 00:40:21 +0100
From: Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham
version=3.0.1
Package: lprng
Version: 3.8.28-1
Priority:important
Tags: security
The lprng_certs script does not protect itself from temporary directory
attacks since it creates several temporary files in an insecure manner
($$.sslcfg, $$.crt and $$.key, the process PID is not suffient to avoid
an attack) and does not check if the temporary files it tries to use
already exist before using them. Also, these temporary files are all not
removed after the script is finished (only the first one is) and
might potentially contain sensitive information.
The attached patch is an attempt to fix this behaviour using the
mktemp tool, I've tackled this bug by creating a temporary directory
where all these files are created.
Regards
Javier
PS: I initially reported this to the security team back in June,
but have not found time to follow up on this issue until today.
Security team, please check
Resent-Message-ID: <[EMAIL PROTECTED]>
--- lprng_certs.orig 2004-12-20 00:29:21.000000000 +0100
+++ lprng_certs 2004-12-20 00:33:49.000000000 +0100
@@ -320,7 +320,9 @@
# set default values
-CFG=/tmp/$$.sslcfg
+TMPDIR=`mktemp -d -t lprng.XXXXXX` || { echo "$0: Cannot create temporary
directory!" >&2 ; exit 1; }
+trap "/bin/rm -rf ${TMPDIR}" 0 1 2 3 13 15
+CFG=$TMPDIR/sslcfg
OPENSSL=/usr/bin/openssl
CA_KEY=//etc/lprng/ssl.ca/ca.key
@@ -508,14 +510,14 @@
shift
if [ "$1" = "" ] ; then usage; fi;
if [ ! -f "$1" ] ; then useage; fi;
- sed -n -e '/BEGIN.*PRIVATE KEY/,/END.*PRIVATE KEY/p' $1 >/tmp/$$.key
- sed -e '/BEGIN.*PRIVATE KEY/,/END.*PRIVATE KEY/d' $1 >/tmp/$$.crt
- STEP="" encrypt /tmp/$$.key
+ sed -n -e '/BEGIN.*PRIVATE KEY/,/END.*PRIVATE KEY/p' $1 >$TMPDIR/key
+ sed -e '/BEGIN.*PRIVATE KEY/,/END.*PRIVATE KEY/d' $1 >$TMPDIR/crt
+ STEP="" encrypt $TMPDIR/key
status=$?
echo STATUS $status
if [ $status = 0 ] ; then
mv $1 $1.orig
- cat /tmp/$$.crt /tmp/$$.key >$1
+ cat $TMPDIR/crt $TMPDIR/key >$1
fi
;;
@@ -845,5 +847,4 @@
exit 1
;;
esac
-rm -f ${CFG}
exit $RET
----- End forwarded message -----
--
Craig Small GnuPG:1C1B D893 1418 2AF4 45EE 95CB C76C E5AC 12CA DFA5
Eye-Net Consulting http://www.enc.com.au/ MIEE Debian developer
csmall at : enc.com.au ieee.org debian.org
-----------------------------------------------------------------------------
YOU MUST BE A LIST MEMBER IN ORDER TO POST TO THE LPRng MAILING LIST
The address you post from or your Reply-To address MUST be your
subscription address
If you need help, send email to [EMAIL PROTECTED] (or lprng-requests
or lprng-digest-requests) with the word 'help' in the body.
To subscribe to a list with name LIST, send mail to [EMAIL PROTECTED]
with: | example:
subscribe LIST <mailaddr> | subscribe lprng-digest [EMAIL PROTECTED]
unsubscribe LIST <mailaddr> | unsubscribe lprng [EMAIL PROTECTED]
If you have major problems, call Patrick Powell or one of the friendly
staff at Astart Technologies for help. Astart also does support for LPRng.
Also, check the Web Page at: http://www.lprng.com for any announcements.
Astart Technologies (LPRng - Print Spooler http://www.lprng.com)
6741 Convoy Court
San Diego, CA 92111
858-874-6543 FAX 858-751-2435
-----------------------------------------------------------------------------
