Project

Profile

Help

Issue #1858

Updated by rbarlow over 8 years ago

In working on another security issue in this same script, I noticed that  
 Pulp's pulp-qpid-ssl-cfg script uses bash's $RANDOM in unsafe ways. One  
 of them is already being fixed as part of another CVE (the TMP directory  
 is unsafe, CVE-2016-3696), but the other two uses are: 

 0) The default NSS DB password is a single value from $RANDOM,  
 limiting it to the strings from 0 to 32768: 

 https://github.com/pulp/pulp/blob/pulp-2.8.2-1/server/bin/pulp-qpid-ssl-cfg#L25 

 1) The certutil -z flag receives a "noise file". The script uses $RANDOM to  
 populate a file with numbers to generate this file: 

 https://github.com/pulp/pulp/blob/pulp-2.8.2-1/server/bin/pulp-qpid-ssl-cfg#L97-L105 

 Since $RANDOM is used in this way, the seed file ends up having low  
 diversity since only 11 possible bytes appear in the file: ASCII 0-9 and 
 newline. 

 pwgen can be used to fix #0, but I'm not sure we want to depend  
 on pwgen. One possibility is to avoid having a default password and force  
 the user to provide one. Suggestions for this problem welcome. 

 For #1 we should just grab 8 kB from /dev/urandom and call it a day.

Back