Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 174759

Summary: ssl-cert.eclass docert function usage in src_install can expose SSL keys (CVE-2008-1383)
Product: Gentoo Security Reporter: Robin Johnson <robbat2>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: enhancement CC: agriffis, mgorny, ulm
Priority: High Keywords: Tracker
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa] rbu
Package list:
Runtime testing required: ---
Bug Depends on: 201671, 201672, 201673, 201675, 201677, 201678, 201682, 201684, 201686, 201687, 201689, 201690, 201691, 201896, 201897    
Bug Blocks: 197881    
Description Flags
Proposed patch for docert() none

Description Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-04-16 08:27:28 UTC
In the ssl-cert.eclass, the docert function generates an SSL key, along with an SSL certificate.

If the docert function is used inside src_compile or src_install (see openldap-2.3.3[45]* for example), the SSL key is then included inside the binpkg, where it is NOT protected - anybody with access to the system can extract the tarball to recover the key.

Additionally, if the binpkg is used on multiple machines, they will be configured with the same SSL key and cert, and this may prevent correct functioning of some SSL applications.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-16 08:46:59 UTC
vapier/agriffis please advise.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 11:17:05 UTC
vapier/agriffis please advise.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-20 07:22:28 UTC
vapier/agriffis please advise.
Comment 4 SpanKY gentoo-dev 2007-05-20 09:05:29 UTC
Robin's analysis of the situation is correct ... this is the same reason we stopped managing things like /etc/shadow in baselayout's src_install function ...

docert() should be rewritten to only allow it to be run inside of pkg_preinst()

ive never touched that eclass before, so ...
Comment 5 SpanKY gentoo-dev 2007-07-23 01:01:53 UTC
i'd say with the recent changes portage has seen, this should be fixed now
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-07-24 07:49:33 UTC
spanky: could you clarify which changes you are talking about?
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-21 14:32:13 UTC
someone just posted on this issue on the -dev mailing-list, maybe we should make it public now. Any opinions?
Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-08-21 20:33:22 UTC
As the original reporter, I say open it, so that we can get some traction in getting it fixed all over the tree.

The only things needing nuking are public tinderboxes.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-21 20:42:11 UTC
Comment 10 SpanKY gentoo-dev 2007-08-21 23:04:36 UTC
sorry, i was thinking in terms of "binpkgs being world readable" and "portage doesnt consume /etc by default with quickpkg and friends" ... but the use case here doesnt fully apply (packages generating unique keys on each host), so the proposed route of pkg_postinst() is the only one i think

easy enough to add to the top of the docert() function:
case ${EBUILD_PHASE} in
    unpack|compile|test|install)  die "BOO";;
Comment 11 Ulrich Müller gentoo-dev 2007-11-03 11:05:42 UTC
"docert" doesn't work inside pkg_postinst at the moment, probably related to
bug #197942.
Comment 12 Ulrich Müller gentoo-dev 2007-12-01 23:50:08 UTC
Created attachment 137516 [details, diff]
Proposed patch for docert()

- Check for ebuild phase as suggested in comment #10
- Install relative to ${ROOT} instead of ${D}${INSDESTTREE}
- Arguments must be a full path now

Maybe the function should also be renamed, since it's no longer similar to other do* functions?
Comment 13 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-12-01 23:58:35 UTC
Patch looks good to me.
Comment 14 Ulrich Müller gentoo-dev 2007-12-02 00:19:25 UTC
The following packages will have to be changed then. They either call docert in src_install and suffer from the security issue of this bug, or they call it in pkg_postinst where it doesn't work at all (that is bug #197942).

src_install usage:

pkg_postinst usage:
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 01:02:21 UTC
Ulrich, how do you propose we proceed now? The commit can only be done if all ebuilds (stable and unstable) are fixed for this?

Just open bugs and bug maintainers? Or would it be advisable to announce this migration and change the ebuilds by ourselves?
Comment 16 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-12-04 01:13:37 UTC
unless I'm mistaken, the ones in pkg_postinst should just start to work after applying this patch? And all the ebuilds should be converted to use the functions in either postinst or config phases?

One patch review comment, in the loop commented with "# Check for previous existence of generated files", we should probably check all 4 file suffixes (.csr is not checked).
Comment 17 Ulrich Müller gentoo-dev 2007-12-04 07:12:33 UTC
(In reply to comment #15)
> Ulrich, how do you propose we proceed now? The commit can only be done if all
> ebuilds (stable and unstable) are fixed for this?

If we rename the function ("install_cert"?) we could add the new one, fix all ebuilds and finally replace docert by a dummy (or remove it completely).

> Just open bugs and bug maintainers?

I would say yes.

(In reply to comment #16)
> unless I'm mistaken, the ones in pkg_postinst should just start to work after
> applying this patch?

Unfortunately they must be changed, too, since they rely on INSDESTTREE.

> we should probably check all 4 file suffixes (.csr is not checked).

It did not check for .csr before. I don't see a reason why it shouldn't, though.
Comment 18 Ulrich Müller gentoo-dev 2007-12-07 22:58:26 UTC
Updated ssl-cert.eclass committed. Function "docert" has been copied to a new function "install_cert", modified according to comment #12.

Adding package maintainers to CC, please fix your packages mentioned in comment #14 to use "install_cert" in pkg_postinst or pkg_config. Since it is a security issue, and we also want to get rid of the duplicate code in the eclass, I will fix any remaining packages after 14 days.

"docert" will then be replaced by a dummy function that forcibly fails.
Comment 19 Ulrich Müller gentoo-dev 2007-12-08 10:42:50 UTC
net-misc/stunnel fixed, bug #197881.
Comment 20 Ulrich Müller gentoo-dev 2007-12-08 11:17:38 UTC
app-admin/conserver fixed (and bumped to 8.1.16) since it's maintainer-needed.
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2007-12-08 14:35:19 UTC
Creating seperate bugs.
Comment 22 Konstantin Arkhipov (RETIRED) gentoo-dev 2007-12-09 14:28:58 UTC
www-servers/nginx fixed.
Comment 23 Ulrich Müller gentoo-dev 2008-03-14 13:33:17 UTC
All packages on all supported arches are done.

Only mail-mta/postfix keywording on mips and stabilisation on arm/s390/sh (bug 201671) are still missing. After that, we can replace the docert function in the eclass by a dummy.
Comment 24 Robert Buchholz (RETIRED) gentoo-dev 2008-03-20 01:22:34 UTC
This was sent as GLSA 200803-30.

I'll leave this bug open until all packages are fixed and the eclass corrected.
Comment 25 Ulrich Müller gentoo-dev 2008-04-14 06:44:24 UTC
Eclass corrected: "docert" replaced by a dummy function.
All ebuilds that were affected by this issue have been removed from the tree.