The der_chop script in the openssl package in Trustix Secure Linux 1.5
through 2.1, and possibly other operating systems, allows local users
to overwrite files via a symlink attack on temporary files.
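The temporary-file weakness described above, shown in shell as an added example that is not part of the bug report or of the OpenSSL patch: the predictable name a symlink attack relies on, a replacement built on mktemp, and a small audit helper for spotting the pattern in other scripts (the der_chop.<pid> name and all function names are assumptions).

```shell
#!/bin/sh
# Added example, not the der_chop script or its patch.

# Weak pattern (the "before"): a fixed name plus the PID in a world-writable
# directory. Any local user can guess it and pre-create it as a symlink, so
# the script's output is written through the link to a file of their choosing.
weak_tmpfile() {
    printf '%s\n' "/tmp/der_chop.$$"
}

# Hardened replacement: mktemp creates the file itself with O_CREAT|O_EXCL and
# mode 0600, so an attacker-planted symlink makes creation fail rather than be
# followed. Prints the path; returns non-zero if no safe file could be made.
safe_tmpfile() {
    dir="${TMPDIR:-/tmp}"
    f=$(mktemp "$dir/der_chop.XXXXXX") || return 1
    # Belt and braces: refuse anything that is a symlink or not a regular file.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        rm -f "$f"
        return 1
    fi
    printf '%s\n' "$f"
}

# Audit helper: count lines in a script that build a /tmp path from a fixed
# name and $$. A non-zero count marks a script worth patching or removing.
count_predictable_tmp() {
    grep -cE '/tmp/[A-Za-z0-9_.-]*\$\$' "$1" || true
}

# Constructed sample script exhibiting the weak pattern, for demonstration.
sample=$(mktemp) || exit 1
printf 'out=/tmp/der_chop.$$\necho data > $out\n' > "$sample"
echo "predictable temp paths in sample: $(count_predictable_tmp "$sample")"
rm -f "$sample"
```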
Created attachment 42317
Patch from RedHat bug
Patch from RedHat
Our /etc/ssl/misc/der_chop is affected.
Its use looks deprecated. It should be patched or removed.
This is no-herd and aliz doesn't seem active ATM. Looks like we'll have to fix this one ourselves.
If it's really deprecated (like they say on the RedHat bug), then it should probably be removed rather than fixed.
Crypto herd : there is no sign from Aliz. I know openssl is technically no-herd, but I thought you could help.
The idea is to patch or remove the der_chop script. Thanks in advance :)
Given patch applies cleanly to 0.9.7d-r1
Thx to dragonheart for the patch.
Arches please test and mark 0.9.7d-r2 stable
>>> md5 src_uri ;-) openssl-0.9.7d.tar.gz
>>> md5 src_uri ;-) openssl-0.9.6m.tar.gz
>>> Unpacking source...
>>> Unpacking openssl-0.9.7d.tar.gz to /var/tmp/portage/openssl-0.9.7d-r2/work
>>> Unpacking openssl-0.9.6m.tar.gz to /var/tmp/portage/openssl-0.9.7d-r2/work
 * Applying openssl-0.9.7c-tempfile.patch ... [ ok ]
 * Applying openssl-0.9.7d-gentoo.diff ... [ ok ]
 * Applying openssl-0.9.7d-smime.patch ... [ ok ]
sed: -e expression #1, char 88: Unknown option to `s'
!!! ERROR: dev-libs/openssl-0.9.7d-r2 failed.
!!! Function src_unpack, Line 98, Exitcode 1
!!! sed failed
!!! If you need support, post the topmost build error, NOT this status message.
Works for me (ebuild/patch and ssl itself).
stable on ppc64.
Stable on amd64
Stable on alpha.
Security, please vote on GLSA need. I /think/ this doesn't warrant a GLSA (der_chop being quite deprecated), but we issued other GLSAs for Netatalk's etc2ps.sh and krb5's send-pr.sh... Maybe a grouped GLSA with the davfs and groff ones?
I vote for a grouped GLSA.
Waiting for davfs
davfs will take too much time, issuing GLSA with only openssl and groff
arm hppa ia64 s390: please mark stable to benefit from GLSA