Bug#683665: Bug #683665 - Fwd: openvswitch world writable directories (CVE-2012-3449)

[Ben Pfaff]

On Thu, Aug 02, 2012 at 09:16:25PM +0200, Andreas Beckmann wrote:
> Even if an ordinary local user cannot list the contents of the
> directory, he may correctly derive/guess filenames (unless they are
> exclusively $(mktemp)) and delete and replace files in there.
> 
> I don't know how openvswitch-pki works, how it uses this directory,
> what probelms could possibly arise out of this.
> 
> References:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683665
> 
> 
> Please note on Fedora 16 and 17 run the command:
> 
> /usr/bin/ovs-pki --force init
> 
> to create the directories.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=845350
> 
> Please use CVE-2012-3449 for this issue.

Here's the patch I'm planning to include in the next Open vSwitch
upload to Debian:

----------------------------------------------------------------------

Subject: Use mode 0700 for ovs-pki incoming directory, instead of 0733.

Andreas Beckmann <deb...@abeckmann.de> reported in bug #683665 that
the openvswitch-pki package creates a world-writable directory during
installation.  I believe that the intended use of this directory is
safe, because the file names are supposed to be the SHA-1 hash of a
freshly generated SSL client certificate, but the feature in question
is one that has not been widely used in Open vSwitch.  I'm not aware of
even a single user, the intended client software is not packaged
for Debian, and I intend to remove the feature from a later version
of Open vSwitch entirely.  Therefore, this patch simply changes the
directory's permissions to be only writable by root.

---
 utilities/ovs-pki.in |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Index: b/utilities/ovs-pki.in
===================================================================
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -1,6 +1,6 @@
 #! /bin/sh
 
-# Copyright (c) 2008, 2009, 2010, 2011 Nicira Networks, Inc.
+# Copyright (c) 2008, 2009, 2010, 2011, 2012 Nicira Networks, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -214,7 +214,7 @@ if test "$command" = "init"; then
 
         mkdir -p certs crl newcerts
         mkdir -p -m 0700 private
-        mkdir -p -m 0733 incoming
+        mkdir -p -m 0700 incoming
         touch index.txt
         test -e crlnumber || echo 01 > crlnumber
         test -e serial || echo 01 > serial


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org