Bug 68407

Summary: dev-libs/openssl: Insecure tmpfile use
Product: Gentoo Security
Reporter: Thierry Carrez (RETIRED) <koon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: aliz, crypto+disabled
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard: B3 [glsa] koon
Package list:
Runtime testing required: ---

Attachments (Description / Flags):
Patch from RedHat bug / none

Description Thierry Carrez (RETIRED) gentoo-dev 2004-10-21 07:59:41 UTC

The der_chop script in the openssl package in Trustix Secure Linux 1.5
through 2.1, and possibly other operating systems, allows local users
to overwrite files via a symlink attack on temporary files.
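The weakness this report describes, a temporary file created under a guessable name so that a pre-placed symlink gets followed, contrasted with the mkstemp-based hardened form, as an added Python example that is not part of the bug report, of the RedHat patch, or of the der_chop script itself. The `der_chop.<pid>` naming, the private working directory and the file contents are constructed for the demonstration, not taken from der_chop.

```python
import os
import tempfile

def predictable_temp_path(tmp_dir, name="der_chop"):
    # Fixed prefix plus PID: any local user can guess this name in advance.
    return os.path.join(tmp_dir, f"{name}.{os.getpid()}")

def write_temp_unsafe(path, data):
    # Weak pattern: O_CREAT without O_EXCL follows whatever already sits at `path`.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)

def write_temp_safe(tmp_dir, data):
    # Hardened form: mkstemp picks an unpredictable name and opens it with
    # O_CREAT|O_EXCL, mode 0600, so anything pre-placed there fails the open.
    fd, path = tempfile.mkstemp(prefix="der_chop.", dir=tmp_dir)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path

def demo(tmp_dir=None):
    # Constructed scenario in a private directory: a symlink is pre-placed at the
    # guessable name (standing in for another local user's link), then both run.
    tmp_dir = tmp_dir or tempfile.mkdtemp()
    target = os.path.join(tmp_dir, "target.txt")  # the file the link points at
    with open(target, "w") as f:
        f.write("original\n")
    guessed = predictable_temp_path(tmp_dir)
    os.symlink(target, guessed)
    write_temp_unsafe(guessed, b"scratch data\n")
    with open(target) as f:
        target_after_unsafe = f.read()  # link followed: target.txt overwritten
    try:  # O_EXCL on the same guessed name refuses the pre-placed link
        os.close(os.open(guessed, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
        excl_refused = False
    except FileExistsError:
        excl_refused = True
    safe_path = write_temp_safe(tmp_dir, b"scratch data\n")
    return {
        "target_after_unsafe": target_after_unsafe,
        "excl_refused": excl_refused,
        "safe_is_regular_file": os.path.isfile(safe_path) and not os.path.islink(safe_path),
        "safe_mode": oct(os.stat(safe_path).st_mode & 0o777),
    }
```

On current Linux kernels the fs.protected_symlinks sysctl also refuses to follow another user's symlink in sticky world-writable directories such as /tmp, but that is a system-wide safety net, not a substitute for creating the file with O_EXCL.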
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-10-21 08:08:20 UTC
Created attachment 42317 [details, diff]
Patch from RedHat bug

Patch from RedHat
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-10-21 08:11:23 UTC
Our /etc/ssl/misc/der_chop is affected.
Its use looks deprecated. It should be patched or removed.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-10-25 00:34:57 UTC
This is no-herd and aliz doesn't seem active ATM. Looks like we'll have to fix this one ourselves.

If it's really deprecated (like they say on the RedHat bug), then it should probably be removed rather than fixed.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-10-30 09:25:40 UTC
Crypto herd: there is no sign from Aliz. I know openssl is technically no-herd, but I thought you could help.

The idea is to patch or remove the der_chop script. Thanks in advance :)
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-11-05 06:23:35 UTC
Given patch applies cleanly to 0.9.7d-r1
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-11-05 07:16:55 UTC
Thx to dragonheart for the patch.
Arches please test and mark 0.9.7d-r2 stable
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2004-11-05 07:34:34 UTC
>>> md5 src_uri ;-) openssl-0.9.7d.tar.gz
>>> md5 src_uri ;-) openssl-0.9.6m.tar.gz
>>> Unpacking source...
>>> Unpacking openssl-0.9.7d.tar.gz to /var/tmp/portage/openssl-0.9.7d-r2/work
>>> Unpacking openssl-0.9.6m.tar.gz to /var/tmp/portage/openssl-0.9.7d-r2/work
 * Applying openssl-0.9.7c-tempfile.patch ...  [ ok ]
 * Applying openssl-0.9.7d-gentoo.diff ...  [ ok ]
 * Applying openssl-0.9.7d-smime.patch ...  [ ok ]
sed: -e expression #1, char 88: Unknown option to `s'

!!! ERROR: dev-libs/openssl-0.9.7d-r2 failed.
!!! Function src_unpack, Line 98, Exitcode 1
!!! sed failed
!!! If you need support, post the topmost build error, NOT this status message.
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2004-11-05 13:09:15 UTC
works for me (ebuild/patch and ssl itself).

stable on ppc64.

Comment 9 Karol Wojtaszek (RETIRED) gentoo-dev 2004-11-05 14:34:07 UTC
Stable on amd64
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2004-11-05 17:46:49 UTC
Stable on alpha.
Comment 11 Jason Wever (RETIRED) gentoo-dev 2004-11-05 19:52:02 UTC
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-11-06 01:13:47 UTC
Security, please vote on GLSA need. I /think/ this doesn't warrant a GLSA (der_chop being quite deprecated), but we issued other GLSAs for Netatalk's and krb5's. Maybe a grouped GLSA with the davfs and groff ones?
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2004-11-06 04:01:12 UTC
I vote for a grouped GLSA.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-11-06 05:36:12 UTC
Waiting for davfs
Comment 15 Joshua Kinard gentoo-dev 2004-11-07 01:51:22 UTC
mips stable.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2004-11-07 10:26:44 UTC
davfs will take too much time, issuing GLSA with only openssl and groff
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2004-11-08 02:50:46 UTC
GLSA 200411-15
arm hppa ia64 s390 : please mark stable to benefit from GLSA