Project

Profile

Help

Issue #1830

closed

CVE-2016-3108: Insecure temporary file used when generating certificate for Pulp Nodes

Added by rbarlow almost 8 years ago. Updated almost 5 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
2.8.3
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

Security researcher Sander Bos contacted the Pulp team to notify us
that the pulp-gen-nodes-certificate script suffers from the same
exploit as was found in CVE-2016-3095, namely that the $TMP
directory that contains the Nodes private key was created in an
unsafe manner. The fix is to use mktemp -d to safely create the
directory.

Thanks to Sander Bos for taking the time to carefully inspect the
Pulp codebase and for writing a wonderfully detailed report
describing the issue and the fix for it.

Credit also goes to Jeremy Cline (Red Hat) for independently
reporting this issue.

Actions #1

Updated by rbarlow almost 8 years ago

  • Subject changed from reserved to CVE-2016-3108: Insecure temporary file used when generating certificate for Pulp Nodes
  • Description updated (diff)
  • Status changed from NEW to POST
  • Assignee set to rbarlow
  • Private changed from Yes to No
  • Triaged changed from No to Yes
Actions #3

Updated by semyers almost 8 years ago

  • Platform Release set to 2.8.3

Added by rbarlow almost 8 years ago

Revision e152f9e1 | View on GitHub

Add release notes for the upcoming 2.8.3.

re #1827 re #1830 re #1833 re #1834 re #1837

Credit goes to Jeremy Cline for writing the included release notes for CVE-2016-3111 and CVE-2016-3112.

Added by rbarlow almost 8 years ago

Revision e152f9e1 | View on GitHub

Add release notes for the upcoming 2.8.3.

re #1827 re #1830 re #1833 re #1834 re #1837

Credit goes to Jeremy Cline for writing the included release notes for CVE-2016-3111 and CVE-2016-3112.

Added by rbarlow almost 8 years ago

Revision 8571d9a0 | View on GitHub

CVE-2016-3107 & CVE-2016-3108: Safely generate Nodes certificate.

This commit fixes two CVEs.

CVE-2016-3107

Install Node certificate with 640, apache owned (CVE-2016-3107).

Prior to this commit, the Node certificate had been installed world-readable:

$ ls -lah /etc/pki/pulp/nodes/ total 4.0K drwxr-xr-x. 2 root root 21 Apr 8 16:37 . drwxr-xr-x. 4 root root 90 Apr 8 16:37 .. -rw-r--r--. 1 root root 3.2K Apr 8 16:37 node.crt

This commit adjusts the generation script to limit the permissions to 0640, and to adjust the group ownership to the apache group.

Credit also goes to Jeremy Cline (Red Hat) for independently discovering and reporting this issue.

https://pulp.plan.io/issues/1833

fixes #1833

CVE-2016-3108

Safely create tmp dir for the Nodes certificate (CVE-2016-3108).

Security researcher Sander Bos contacted the Pulp team to notify us that the pulp-gen-nodes-certificate script suffers from the same exploit as was found in CVE-2016-3095, namely that the $TMP directory that contains the Nodes private key was created in an unsafe manner. This commit contains his proposed fix to use mktemp -d to safely create the directory.

Additionally, I added a set -e so that the script would exit upon error.

Thanks to Sander Bos for taking the time to carefully inspect the Pulp codebase and for writing a wonderfully detailed report describing the issue and the fix for it.

Credit also goes to Jeremy Cline (Red Hat) for independently reporting this issue.

https://pulp.plan.io/issues/1830

fixes #1830

Added by rbarlow almost 8 years ago

Revision 8571d9a0 | View on GitHub

CVE-2016-3107 & CVE-2016-3108: Safely generate Nodes certificate.

This commit fixes two CVEs.

CVE-2016-3107

Install Node certificate with 640, apache owned (CVE-2016-3107).

Prior to this commit, the Node certificate had been installed world-readable:

$ ls -lah /etc/pki/pulp/nodes/ total 4.0K drwxr-xr-x. 2 root root 21 Apr 8 16:37 . drwxr-xr-x. 4 root root 90 Apr 8 16:37 .. -rw-r--r--. 1 root root 3.2K Apr 8 16:37 node.crt

This commit adjusts the generation script to limit the permissions to 0640, and to adjust the group ownership to the apache group.

Credit also goes to Jeremy Cline (Red Hat) for independently discovering and reporting this issue.

https://pulp.plan.io/issues/1833

fixes #1833

CVE-2016-3108

Safely create tmp dir for the Nodes certificate (CVE-2016-3108).

Security researcher Sander Bos contacted the Pulp team to notify us that the pulp-gen-nodes-certificate script suffers from the same exploit as was found in CVE-2016-3095, namely that the $TMP directory that contains the Nodes private key was created in an unsafe manner. This commit contains his proposed fix to use mktemp -d to safely create the directory.

Additionally, I added a set -e so that the script would exit upon error.

Thanks to Sander Bos for taking the time to carefully inspect the Pulp codebase and for writing a wonderfully detailed report describing the issue and the fix for it.

Credit also goes to Jeremy Cline (Red Hat) for independently reporting this issue.

https://pulp.plan.io/issues/1830

fixes #1830

Actions #6

Updated by rbarlow almost 8 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100
Actions #7

Updated by semyers almost 8 years ago

  • Status changed from MODIFIED to 5
Actions #8

Updated by semyers almost 8 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE
Actions #9

Updated by bmbouter almost 5 years ago

  • Tags Pulp 2 added

Also available in: Atom PDF