Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 6 Sep 2012 20:03:20 -0500
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Subject: CVE request: opencryptoki insecure lock files handling

Hi,

Niels Heinen (Google) discovered that openCryptoki 2.4.0 and older, when 
spinlocks are used, incorrectly handle lock files stored in /tmp. It is 
possible for an attacker to replace the lock files with symlinks and have 
pkcsslotd (or others) fchmod the target of the symlink to make it world-
writable, create arbitrary files, etc.
In response, upstream released 2.4.1[1] which fixed the fchmod issue (commits 
[3] and [4]).
Niels discovered that 2.4.1 still allowed arbitrary files creation by 
following symlinks. Upstream then released 2.4.2[2], fixing this last issue 
(commits [5] and [6]).

Even with the fixes in 2.4.2, members of the pkcs11 group could still use 
symlink attacks. However, as per upstream's documentation, members of such 
group are expected to be trusted[7].

Could CVE ids be assigned?

[1] 2.4.1 announcement:
http://sourceforge.net/mailarchive/message.php?msg_id=28878345
[2] 2.4.2 announcement:
http://sourceforge.net/mailarchive/message.php?msg_id=29191022
[3]http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=b7fcb3eb0319183348f1f4fb90ede4edd6487c30
[4]http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=58345488c9351d9be9a4be27c8b407c2706a33a9
[5]http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=8a63b3b17d34718d0f8c7525f93b5eb3c623076a
[6]http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=5667edb52cd27b7e512f48f823b4bcc6b872ab15
[7]http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=blobdiff;f=man/man7/opencryptoki.7.in;h=5030bd2f6f698119e50926679041d0efcb2693df;hp=659a97976799cc6256df7a796c224bd30ba349d4;hb=7744b6224e80848596ac80a07745c7a588eef2a0;hpb=24950e95a84d125180a0e418a4822a97236f2cb0

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ