Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 159508

Summary: net-nds/openldap: gencert.sh insecure usage of /tmp
Product: Gentoo Security Reporter: Tavis Ormandy (RETIRED) <taviso>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: blocker CC: jokey, lcars, ldap-bugs
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1? [glsa]
Package list:
Runtime testing required: ---

Description Tavis Ormandy (RETIRED) gentoo-dev 2006-12-30 13:08:46 UTC
The gencert.sh script installed and executed by the openldap ebuild uses /tmp insecurely.

The following line:

mkdir -p /tmp/tmpssl-$$

should be replaced with something like

mkdir /tmp/tmpssl-$$ || exit 1

(or print some error and exit, whichever you prefer).

This could be abused by local attackers to cause all sorts of mischief, such as stealing certificates, overwriting arbitrary files, interfering with certificate data, etc, etc.

This bug is fairly critical.
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-12-30 13:30:39 UTC
Why are we using this script anyway? We have ssl-cert.eclass for this; it's as easy as docert openldap and install to the proper place, see mail-mta/postfix, net-misc/stunnel, net-mail/cyrus-imapd, net-im/ejabberd or others for usage.
Comment 2 Markus Ullmann (RETIRED) gentoo-dev 2007-01-06 15:13:02 UTC
fixed versions

2.1.30-r10
2.2.28-r7
2.3.30-r2

stay unstable but fixed:
2.3.31-r1
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2007-01-07 13:27:03 UTC
arch teams, please test and mark stable openldap-2.3.30-r2
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2007-01-07 19:09:43 UTC
(In reply to comment #3)
> arch teams, please test and mark stable openldap-2.3.30-r2

marked ppc stable, shall we also stable 2.1.30-r10 and 2.2.28-r7?
Comment 5 Markus Ullmann (RETIRED) gentoo-dev 2007-01-07 22:51:12 UTC
I'd say so, they contain the same fix
Comment 6 Jason Wever (RETIRED) gentoo-dev 2007-01-08 05:12:02 UTC
SPARC stable on openldap-2.3.30-r2, 2.1.30-r10, and 2.2.28-r7
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2007-01-08 11:29:27 UTC
*** Bug 158972 has been marked as a duplicate of this bug. ***
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2007-01-08 13:34:15 UTC
Marked stable for HPPA:
  net-nds/openldap-2.1.30-r10
  net-nds/openldap-2.2.28-r7
  net-nds/openldap-2.3.30-r2
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2007-01-08 20:36:03 UTC
Everything stable for ppc.
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2007-01-08 20:47:39 UTC
ppc64 stable
Comment 11 Bryan Østergaard (RETIRED) gentoo-dev 2007-01-08 22:39:28 UTC
Stable on Alpha + IA64.
Comment 12 Markus Meier gentoo-dev 2007-01-08 22:43:42 UTC
net-nds/openldap-2.1.30-r10
1. emerges on x86, please note:
* Doing tests
ln: creating symbolic link `./data': File exists

and
chown: cannot access `etc/openldap/slapd.conf': No such file or directory
chmod: cannot access `etc/openldap/slapd.conf': No such file or directory
chown: cannot access `etc/openldap/slapd.conf.default': No such file or directory
chmod: cannot access `etc/openldap/slapd.conf.default': No such file or directory
>>> Completed installing openldap-2.1.30-r10 into /var/tmp/portage/openldap-2.1.30-r10/image/

2. passes test suite
3. passes collision test

net-nds/openldap-2.2.28-r7
1. emerges on x86
2. passes test suite
3. passes collision test

net-nds/openldap-2.3.30-r2
1. emerges on x86
2. passes test suite
3. passes collision test

Gentoo Base System version 1.12.6
Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.19.1 i686)
=================================================================
System uname: 2.6.19.1 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Last Sync: Mon, 08 Jan 2007 19:00:01 +0000
ccache version 2.4 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/pack
ages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acpi alsa alsa_cards_ali5451 alsa_cards_als4000 alsa_cards_atiixp alsa_cards_atiixp-modem alsa_cards_bt87x alsa_cards_ca0106 alsa_cards_cmipci alsa_cards_emu10k1x alsa_cards_ens1370 alsa
_cards_ens1371 alsa_cards_es1938 alsa_cards_es1968 alsa_cards_fm801 alsa_cards_hda-intel alsa_cards_intel8x0 alsa_cards_intel8x0m alsa_cards_maestro3 alsa_cards_trident alsa_cards_usb-audio alsa_cards_via8
2xx alsa_cards_via82xx-modem alsa_cards_ymfpci alsa_pcm_plugins_adpcm alsa_pcm_plugins_alaw alsa_pcm_plugins_asym alsa_pcm_plugins_copy alsa_pcm_plugins_dmix alsa_pcm_plugins_dshare alsa_pcm_plugins_dsnoop
 alsa_pcm_plugins_empty alsa_pcm_plugins_extplug alsa_pcm_plugins_file alsa_pcm_plugins_hooks alsa_pcm_plugins_iec958 alsa_pcm_plugins_ioplug alsa_pcm_plugins_ladspa alsa_pcm_plugins_lfloat alsa_pcm_plugin
s_linear alsa_pcm_plugins_meter alsa_pcm_plugins_mulaw alsa_pcm_plugins_multi alsa_pcm_plugins_null alsa_pcm_plugins_plug alsa_pcm_plugins_rate alsa_pcm_plugins_route alsa_pcm_plugins_share alsa_pcm_plugin
s_shm alsa_pcm_plugins_softvol apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fort
ran gdbm gif gnome gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kdeenablefinal kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_G
B mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl
svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xpri
nt xv xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2007-01-08 22:49:51 UTC
x86 saved again by the Incredible Opfer!
Comment 14 Markus Ullmann (RETIRED) gentoo-dev 2007-01-09 15:28:33 UTC
welp stabled on amd64
Comment 15 Markus Ullmann (RETIRED) gentoo-dev 2007-01-13 13:04:18 UTC
Stable on arm
Comment 16 Stefan Cornelius (RETIRED) gentoo-dev 2007-01-13 13:19:25 UTC
somebody set this to "B3?", which requires GLSA voting. I dont know any details, but this could be a B1 (local priv escal)? I guess this is gentoo specific? 

Voting: yes
Comment 17 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-13 21:20:19 UTC
(In reply to comment #16)
> somebody set this to "B3?", which requires GLSA voting. I dont know any
> details, but this could be a B1 (local priv escal)? 

i think so

> I guess this is gentoo
> specific? 

i don't think so, e.g.:
http://cvs.mandriva.com/cgi-bin/viewvc.cgi/SPECS/openldap/gencert.sh?revision=1.5.6.1&view=markup

> 
> Voting: yes
> 

i think so :)
Comment 18 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-24 01:13:35 UTC
GLSA 200701-19