Bug 235227 - <net-mail/uw-imap-2007e-r1: possible exposure of SSL keys (missing ssl-cert.eclass usage)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Reported: 2008-08-19 20:24 UTC by Christian Hoffmann (RETIRED)
Modified: 2011-10-08 21:47 UTC (History)
Description Christian Hoffmann (RETIRED) gentoo-dev 2008-08-19 20:24:44 UTC
net-mail/uw-imap generates SSL certificates in src_compile and as such they'll be part of binpkgs (similar to bug 174759).
It should use `install_cert` from ssl-cert.eclass.

net-mail, should I take care of it or do you want to handle it yourself?
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-30 17:10:38 UTC
Seems they don't care if you do it.
Comment 2 Robert Wolf 2009-01-09 21:08:51 UTC
The uw-imap package generates a new key and cert, and during installation it overwrites these files in /etc/ssl/certs. It should check whether these files exist and not overwrite them. Either ask to overwrite, or (probably better) handle the update of these files as config files (make the update using etc-update).
Comment 3 Robert Wolf 2009-01-09 21:11:00 UTC
(In reply to comment #2)
> The uw-imap package generates a new key and cert, and during installation it
> overwrites these files in /etc/ssl/certs. It should check whether these files
> exist and not overwrite them. Either ask to overwrite, or (probably better)
> handle the update of these files as config files (make the update using etc-update).

*** ehm, which is done in install_cert from ssl-cert.eclass ... does anyone update this ebuild?
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-01-13 16:03:06 UTC
It should not be able to write to /etc directly. Robert, if you want to fasten up this bug, please provide a patch. Look for ssl-cert.eclass for details on those functions.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-02-12 19:28:46 UTC
net-mail, the uw-imap-2007e version still generates this key and exposes it in binary packages. Please make sure it is deleted and a proper way of generating a default key (ssl-cert.eclass) is being used.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 16:30:18 UTC
*ping*
Comment 7 Eray Aslan gentoo-dev 2011-06-03 05:44:10 UTC
+*uw-imap-2007e-r1 (01 Jun 2011)
+
+  01 Jun 2011; Eray Aslan <eras@gentoo.org> +uw-imap-2007e-r1.ebuild:
+  Fix patching - bug #368785. Proper SSL key generation - bug #235227. Tidy up
+  and EAPI bump.
+
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-06-03 16:34:46 UTC
Arches, please test and mark stable:
=net-mail/uw-imap-2007e-r1
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 9 Agostino Sarubbo gentoo-dev 2011-06-03 19:23:53 UTC
amd64 ok
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-06-04 08:20:57 UTC
x86 stable
Comment 11 Markos Chandras (RETIRED) gentoo-dev 2011-06-05 09:58:59 UTC
amd64 done. Thanks Agostino
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2011-06-05 20:05:03 UTC
Stable for HPPA.
Comment 13 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-06-07 14:12:09 UTC
ppc/ppc64 stable
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2011-06-12 11:44:06 UTC
alpha/ia64/sparc stable
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2011-06-12 18:28:49 UTC
Thanks, folks. GLSA Vote: no.
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2011-10-08 21:47:52 UTC
voting no too, and closing.
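
A defender-side check for the exposure reported in the description and in comment 5, as an added example that is not part of the original bug thread or of Portage: it lists the files inside a package's tar payload that carry a PEM private-key header. It assumes the payload can be opened as a (possibly compressed) tar archive; the function names, the `imapd.pem` file name and the sample contents are constructed for illustration.

```python
import io
import re
import tarfile

# PEM armor lines that mark private keys (PKCS#8, RSA, EC, DSA, ENCRYPTED ...).
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
MAX_SCAN_BYTES = 1 << 20  # key files are small; cap how much of each member is read


def find_private_keys(archive):
    """Return sorted member paths in a tar archive that contain a PEM private key.

    `archive` is a filesystem path (str) or a seekable binary file object
    holding the package's tar payload (assumption: plain or compressed tar).
    """
    kwargs = {"name": archive} if isinstance(archive, str) else {"fileobj": archive}
    hits = []
    with tarfile.open(mode="r:*", **kwargs) as tar:
        for member in tar:
            if not member.isfile():
                continue  # skip directories, symlinks and device nodes
            data = tar.extractfile(member).read(MAX_SCAN_BYTES)
            if PRIVATE_KEY_RE.search(data):
                hits.append(member.name)
    return sorted(hits)


def build_sample(files):
    """Build a constructed in-memory tar.bz2 image from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    buf.seek(0)
    return buf


# Constructed samples: armor lines only, no real key material.
FAKE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder)\n"
            b"-----END RSA PRIVATE KEY-----\n")
BAD_IMAGE = {"etc/ssl/certs/imapd.pem": FAKE_KEY, "usr/sbin/imapd": b"\x7fELF"}
GOOD_IMAGE = {"usr/sbin/imapd": b"\x7fELF"}

if __name__ == "__main__":
    print("key generated at build time:", find_private_keys(build_sample(BAD_IMAGE)))
    print("key generated at install time:", find_private_keys(build_sample(GOOD_IMAGE)))
```

A non-empty result means every host that installs the binary package would receive the same private key.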