Bug 68407 - dev-libs/openssl: Insecure tmpfile use
Summary: dev-libs/openssl: Insecure tmpfile use
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa] koon
Depends on:
Reported: 2004-10-21 07:59 UTC by Thierry Carrez (RETIRED)
Modified: 2004-11-09 22:04 UTC

Patch from RedHat bug (openssl-0.9.7c-tempfile.patch,2.13 KB, patch)
2004-10-21 08:08 UTC, Thierry Carrez (RETIRED)

Description Thierry Carrez (RETIRED) gentoo-dev 2004-10-21 07:59:41 UTC

The der_chop script in the openssl package in Trustix Secure Linux 1.5
through 2.1, and possibly other operating systems, allows local users
to overwrite files via a symlink attack on temporary files.
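
The failure mode named in the description, next to two safer ways of creating the file, as an added example that is not part of this bug report or the RedHat patch. Python stands in for the Perl script, and the file names and sandbox directory are constructed for illustration.

```python
import os
import tempfile

def write_predictable(path, data):
    # Unsafe: open() follows a symlink already sitting at a guessable name
    # and truncates whatever file it points to.
    with open(path, "wb") as f:
        f.write(data)

def write_exclusive(path, data):
    # O_CREAT|O_EXCL fails with EEXIST if anything exists at path,
    # including a symlink (dangling or not), so nothing is followed.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def write_mkstemp(directory, data):
    # mkstemp picks an unpredictable name and creates it exclusively, mode 0600.
    fd, path = tempfile.mkstemp(prefix="der_", suffix=".DER", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def read(path):
    with open(path, "rb") as f:
        return f.read()

def demo():
    # Everything happens inside a private sandbox directory (constructed input).
    with tempfile.TemporaryDirectory() as sandbox:
        victim = os.path.join(sandbox, "victim.txt")
        write_exclusive(victim, b"important")
        guessable = os.path.join(sandbox, "a1234.DER")  # constructed name
        os.symlink(victim, guessable)  # pre-existing link at the guessable name
        result = {}
        try:
            write_exclusive(guessable, b"DER bytes")
            result["exclusive_refused"] = False
        except FileExistsError:
            result["exclusive_refused"] = True
        result["victim_intact"] = read(victim) == b"important"
        safe = write_mkstemp(sandbox, b"DER bytes")
        result["mkstemp_is_regular_file"] = (
            os.path.isfile(safe) and not os.path.islink(safe))
        write_predictable(guessable, b"DER bytes")
        result["victim_overwritten"] = read(victim) == b"DER bytes"
        return result

if __name__ == "__main__":
    print(demo())
```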
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-10-21 08:08:20 UTC
Created attachment 42317
Patch from RedHat bug

Patch from RedHat
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-10-21 08:11:23 UTC
Our /etc/ssl/misc/der_chop is affected.
Its use looks deprecated. It should be patched or removed.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-10-25 00:34:57 UTC
This is no-herd and aliz doesn't seem active ATM. Looks like we'll have to fix this one ourselves.

If it's really deprecated (like they say on the RedHat bug), then it should probably be removed rather than fixed.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-10-30 09:25:40 UTC
Crypto herd : there is no sign from Aliz. I know openssl is technically no-herd, but I thought you could help.

The idea is to patch or remove the der_chop script. Thanks in advance :)
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-11-05 06:23:35 UTC
Given patch applies cleanly to 0.9.7d-r1
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-11-05 07:16:55 UTC
Thx to dragonheart for the patch.
Arches please test and mark 0.9.7d-r2 stable
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2004-11-05 07:34:34 UTC
>>> md5 src_uri ;-) openssl-0.9.7d.tar.gz
>>> md5 src_uri ;-) openssl-0.9.6m.tar.gz
>>> Unpacking source...
>>> Unpacking openssl-0.9.7d.tar.gz to /var/tmp/portage/openssl-0.9.7d-r2/work
>>> Unpacking openssl-0.9.6m.tar.gz to /var/tmp/portage/openssl-0.9.7d-r2/work
 * Applying openssl-0.9.7c-tempfile.patch ...                                               [ ok ]
 * Applying openssl-0.9.7d-gentoo.diff ...                                                  [ ok ]
 * Applying openssl-0.9.7d-smime.patch ...                                                  [ ok ]
sed: -e expression #1, char 88: Unknown option to `s'

!!! ERROR: dev-libs/openssl-0.9.7d-r2 failed.
!!! Function src_unpack, Line 98, Exitcode 1
!!! sed failed
!!! If you need support, post the topmost build error, NOT this status message.
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2004-11-05 13:09:15 UTC
works for me (ebuild/patch and ssl itself).

stable on ppc64.

Comment 9 Karol Wojtaszek (RETIRED) gentoo-dev 2004-11-05 14:34:07 UTC
Stable on amd64
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2004-11-05 17:46:49 UTC
Stable on alpha.
Comment 11 Jason Wever (RETIRED) gentoo-dev 2004-11-05 19:52:02 UTC
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-11-06 01:13:47 UTC
Security, please vote on GLSA need. I /think/ this doesn't warrant a GLSA (der_chop being quite deprecated), but we issued other GLSAs for Netatalk's and krb5's. Maybe a grouped GLSA with the davfs and groff ones?
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2004-11-06 04:01:12 UTC
I vote for a grouped GLSA.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-11-06 05:36:12 UTC
Waiting for davfs
Comment 15 Joshua Kinard gentoo-dev 2004-11-07 01:51:22 UTC
mips stable.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2004-11-07 10:26:44 UTC
davfs will take too much time, issuing GLSA with only openssl and groff
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2004-11-08 02:50:46 UTC
GLSA 200411-15
arm hppa ia64 s390 : please mark stable to benefit from GLSA