From oss-security: Hi, Niels Heinen (Google) discovered that openCryptoki 2.4.0 and older, when spinlocks are used, incorrectly handle lock files stored in /tmp. It is possible for an attacker to replace the lock files with symlinks and have pkcsslotd (or others) fchmod the target of the symlink to make it world- writable, create arbitrary files, etc. In response, upstream released 2.4.1[1] which fixed the fchmod issue (commits [3] and [4]). Niels discovered that 2.4.1 still allowed arbitrary files creation by following symlinks. Upstream then released 2.4.2[2], fixing this last issue (commits [5] and [6]). Even with the fixes in 2.4.2, members of the pkcs11 group could still use symlink attacks. However, as per upstream's documentation, members of such group are expected to be trusted[7]. Could CVE ids be assigned? [1] 2.4.1 announcement: http://sourceforge.net/mailarchive/message.php?msg_id=28878345 [2] 2.4.2 announcement: http://sourceforge.net/mailarchive/message.php?msg_id=29191022 [3]http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=b7fcb3eb0319183348f1f4fb90ede4edd6487c30 [4]http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=58345488c9351d9be9a4be27c8b407c2706a33a9 [5]http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=8a63b3b17d34718d0f8c7525f93b5eb3c623076a [6]http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=5667edb52cd27b7e512f48f823b4bcc6b872ab15 [7]http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=blobdiff;f=man/man7/opencryptoki.7.in;h=5030bd2f6f698119e50926679041d0efcb2693df;hp=659a97976799cc6256df7a796c224bd30ba349d4;hb=7744b6224e80848596ac80a07745c7a588eef2a0;hpb=24950e95a84d125180a0e418a4822a97236f2cb0
CVE-2012-4455 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4455): openCryptoki 2.4.1 allows local users to create or set world-writable permissions on arbitrary files via a symlink attack on the (1) LCK..opencryptoki or (2) LCK..opencryptoki_stdll file in /var/lock/. CVE-2012-4454 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4454): openCryptoki before 2.4.1, when using spinlocks, allows local users to create or set world-writable permissions on arbitrary files via a symlink attack on the (1) .pkapi_xpk or (2) .pkcs11spinloc file in /tmp.
opencryptoki-2.4.2 in tree. flameeyes: All your backports are in as far as I could see, and of course the broke build again... one small patch. I remember you have a working device, can you please check?
I got a device, as for 'working' it might be stretching it. Will check tomorrow, thanks for working on this, I lost motivation to work with IBM along the way.
(In reply to comment #3) > I got a device, as for 'working' it might be stretching it. Will check > tomorrow, thanks for working on this, I lost motivation to work with IBM > along the way. I fully understand what you mean in this case! Filed a bug[1] with patch. [1] https://sourceforge.net/tracker/?func=detail&atid=710344&aid=3596346&group_id=128009
crypto done.
Thanks, everyone. Closing noglsa for ~arch only.