Debian Bug report logs - #683665
openvswitch-pki: creates world writable directories: /var/lib/openvswitch/pki/*ca/incoming/


Package: openvswitch-pki; Maintainer for openvswitch-pki is Open vSwitch developers <dev@openvswitch.org>; Source for openvswitch-pki is src:openvswitch.

Reported by: Andreas Beckmann <debian@abeckmann.de>

Date: Thu, 2 Aug 2012 16:27:02 UTC

Severity: grave

Tags: security

Found in version openvswitch/1.4.2+git20120612-7

Fixed in version openvswitch/1.4.2+git20120612-8

Done: Ben Pfaff <pfaffben@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Open vSwitch developers <dev@openvswitch.org>:
Bug#683665; Package openvswitch-pki. (Thu, 02 Aug 2012 16:27:04 GMT)

Acknowledgement sent to Andreas Beckmann <debian@abeckmann.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Open vSwitch developers <dev@openvswitch.org>. (Thu, 02 Aug 2012 16:27:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Andreas Beckmann <debian@abeckmann.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openvswitch-pki: creates world writable directories: /var/lib/openvswitch/pki/*ca/incoming/
Date: Thu, 02 Aug 2012 18:25:40 +0200
Package: openvswitch-pki
Version: 1.4.2+git20120612-7
Severity: grave
Tags: security
User: debian-qa@lists.debian.org
Usertags: piuparts

Hi,

openvswitch-pki creates the following world writable directories during
installation:

    drwx-wx-wx 2 root root 40 Aug  1 05:32 /var/lib/openvswitch/pki/controllerca/incoming
    drwx-wx-wx 2 root root 40 Aug  1 05:32 /var/lib/openvswitch/pki/switchca/incoming

Even if an ordinary local user cannot list the contents of the
directory, he may correctly derive/guess filenames (unless they are
exclusively $(mktemp)) and delete and replace files in there.

I don't know how openvswitch-pki works, how it uses this directory,
what problems could possibly arise out of this.

Andreas



Information forwarded to debian-bugs-dist@lists.debian.org, Open vSwitch developers <dev@openvswitch.org>:
Bug#683665; Package openvswitch-pki. (Thu, 02 Aug 2012 19:18:04 GMT)

Acknowledgement sent to Andreas Beckmann <debian@abeckmann.de>:
Extra info received and forwarded to list. Copy sent to Open vSwitch developers <dev@openvswitch.org>. (Thu, 02 Aug 2012 19:18:04 GMT)

Message #10 received at 683665@bugs.debian.org:

From: Andreas Beckmann <debian@abeckmann.de>
To: 683665@bugs.debian.org
Cc: team@security.debian.org
Subject: Bug #683665 - Fwd: openvswitch world writable directories (CVE-2012-3449)
Date: Thu, 02 Aug 2012 21:16:25 +0200

-------- Original Message --------
Subject: openvswitch world writable directories (CVE-2012-3449)
Date: Thu, 02 Aug 2012 13:08:37 -0600
From: Kurt Seifried <kseifried@redhat.com>
To: oss-security@lists.openwall.com <oss-security@lists.openwall.com>,
      debian@abeckmann.de


Andreas Beckmann debian@abeckmann.de reports:

openvswitch-pki creates the following world writable directories during
installation:

    drwx-wx-wx 2 root root 40 Aug  1 05:32 /var/lib/openvswitch/pki/controllerca/incoming
    drwx-wx-wx 2 root root 40 Aug  1 05:32 /var/lib/openvswitch/pki/switchca/incoming

Even if an ordinary local user cannot list the contents of the
directory, he may correctly derive/guess filenames (unless they are
exclusively $(mktemp)) and delete and replace files in there.

I don't know how openvswitch-pki works, how it uses this directory,
what problems could possibly arise out of this.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683665


Please note on Fedora 16 and 17 run the command:

/usr/bin/ovs-pki --force init

to create the directories.

https://bugzilla.redhat.com/show_bug.cgi?id=845350

Please use CVE-2012-3449 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


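The report above (and its forwarded copy) describes the class of problem rather than a specific exploit: a directory with mode 0733 (drwx-wx-wx) is not listable by other users, but any local user can still create, unlink or rename entries in it if the name can be guessed, because only the sticky bit, not the missing read bit, restricts deletion in a world-writable directory. The following audit script is an added example and is not part of the bug report or of Open vSwitch; it builds a constructed scratch tree that mirrors the reported layout (two CAs, each with a 0733 "incoming" and a 0700 "private", plus a sticky 1777 scratch directory as a control) and reports every world-writable directory that lacks the sticky bit. The paths under the temporary root are assumptions for the demonstration, not real system paths.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Open vSwitch: an audit
# for the class of problem reported above. A directory that is writable by
# "other" and has no sticky bit lets any local user create, unlink or rename
# entries whose names they can guess, even when the directory is not readable
# (drwx-wx-wx = 0733 gives others write and search, but not read).

# Print every directory below $1 that is world-writable and lacks the sticky
# bit. -perm -0002: the other-write bit is set; ! -perm -1000: no sticky bit,
# so /tmp-style 1777 directories are not reported. Errors from unreadable
# subtrees are discarded so the audit can be run over / as well.
find_unsafe_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Number of such directories below $1.
count_unsafe_world_writable_dirs() {
    find_unsafe_world_writable_dirs "$1" | wc -l | tr -d ' '
}

# Constructed scratch tree (assumption: mirrors the layout from the report,
# it is not a real /var/lib/openvswitch): two CAs with the vulnerable 0733
# "incoming", a correctly restricted 0700 "private", and a sticky 1777
# scratch directory that must not be flagged.
make_demo_tree() {
    root=$(mktemp -d)
    for ca in controllerca switchca; do
        mkdir -p "$root/pki/$ca/private" "$root/pki/$ca/incoming"
        chmod 0700 "$root/pki/$ca/private"
        chmod 0733 "$root/pki/$ca/incoming"
    done
    mkdir "$root/tmp"
    chmod 1777 "$root/tmp"
    echo "$root"
}

demo=$(make_demo_tree)
echo "world-writable, non-sticky directories under $demo:"
find_unsafe_world_writable_dirs "$demo"
rm -rf "$demo"
```

On a host with the affected openvswitch-pki version installed, `find_unsafe_world_writable_dirs /var/lib/openvswitch` prints exactly the two "incoming" directories from the report; after the fix it prints nothing.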


Information forwarded to debian-bugs-dist@lists.debian.org, Open vSwitch developers <dev@openvswitch.org>:
Bug#683665; Package openvswitch-pki. (Thu, 02 Aug 2012 21:03:06 GMT)

Acknowledgement sent to Ben Pfaff <blp@nicira.com>:
Extra info received and forwarded to list. Copy sent to Open vSwitch developers <dev@openvswitch.org>. (Thu, 02 Aug 2012 21:03:06 GMT)

Message #15 received at 683665@bugs.debian.org:

From: Ben Pfaff <blp@nicira.com>
To: Andreas Beckmann <debian@abeckmann.de>, 683665@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#683665: Bug #683665 - Fwd: openvswitch world writable directories (CVE-2012-3449)
Date: Thu, 2 Aug 2012 14:02:20 -0700
On Thu, Aug 02, 2012 at 09:16:25PM +0200, Andreas Beckmann wrote:
> Even if an ordinary local user cannot list the contents of the
> directory, he may correctly derive/guess filenames (unless they are
> exclusively $(mktemp)) and delete and replace files in there.
> 
> I don't know how openvswitch-pki works, how it uses this directory,
> what problems could possibly arise out of this.
> 
> References:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683665
> 
> 
> Please note on Fedora 16 and 17 run the command:
> 
> /usr/bin/ovs-pki --force init
> 
> to create the directories.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=845350
> 
> Please use CVE-2012-3449 for this issue.

Here's the patch I'm planning to include in the next Open vSwitch
upload to Debian:

----------------------------------------------------------------------

Subject: Use mode 0700 for ovs-pki incoming directory, instead of 0733.

Andreas Beckmann <debian@abeckmann.de> reported in bug #683665 that
the openvswitch-pki package creates a world-writable directory during
installation.  I believe that the intended use of this directory is
safe, because the file names are supposed to be the SHA-1 hash of a
freshly generated SSL client certificate, but the feature in question
is one that has not been widely used in Open vSwitch.  I'm not aware of
even a single user, the intended client software is not packaged
for Debian, and I intend to remove the feature from a later version
of Open vSwitch entirely.  Therefore, this patch simply changes the
directory's permissions to be only writable by root.

---
 utilities/ovs-pki.in |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Index: b/utilities/ovs-pki.in
===================================================================
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -1,6 +1,6 @@
 #! /bin/sh
 
-# Copyright (c) 2008, 2009, 2010, 2011 Nicira Networks, Inc.
+# Copyright (c) 2008, 2009, 2010, 2011, 2012 Nicira Networks, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -214,7 +214,7 @@ if test "$command" = "init"; then
 
         mkdir -p certs crl newcerts
         mkdir -p -m 0700 private
-        mkdir -p -m 0733 incoming
+        mkdir -p -m 0700 incoming
         touch index.txt
         test -e crlnumber || echo 01 > crlnumber
         test -e serial || echo 01 > serial
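Review bot: the changed line `mkdir -p -m 0733 incoming` -> `mkdir -p -m 0700 incoming` only applies the new mode when mkdir actually creates the directory; with `-p`, an `incoming` that already exists from an earlier `init` is left untouched and stays 0733, so re-running `ovs-pki init` on an existing PKI does not close the hole. Consider following the `mkdir` with an explicit `chmod 0700 incoming` (the same would make the `private` line two lines above self-repairing as well), or documenting that packaging must fix pre-existing directories separately.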



Reply sent to Ben Pfaff <pfaffben@debian.org>:
You have taken responsibility. (Fri, 03 Aug 2012 03:06:12 GMT)

Notification sent to Andreas Beckmann <debian@abeckmann.de>:
Bug acknowledged by developer. (Fri, 03 Aug 2012 03:06:12 GMT)

Message #20 received at 683665-close@bugs.debian.org:

From: Ben Pfaff <pfaffben@debian.org>
To: 683665-close@bugs.debian.org
Subject: Bug#683665: fixed in openvswitch 1.4.2+git20120612-8
Date: Fri, 03 Aug 2012 03:03:01 +0000
Source: openvswitch
Source-Version: 1.4.2+git20120612-8

We believe that the bug you reported is fixed in the latest version of
openvswitch, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683665@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Pfaff <pfaffben@debian.org> (supplier of updated openvswitch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Wed, 01 Aug 2012 11:20:21 -0700
Source: openvswitch
Binary: openvswitch-datapath-source openvswitch-datapath-dkms openvswitch-common openvswitch-switch openvswitch-ipsec openvswitch-pki openvswitch-controller openvswitch-brcompat openvswitch-dbg python-openvswitch ovsdbmonitor openvswitch-test
Architecture: source i386 all
Version: 1.4.2+git20120612-8
Distribution: unstable
Urgency: low
Maintainer: Open vSwitch developers <dev@openvswitch.org>
Changed-By: Ben Pfaff <pfaffben@debian.org>
Description: 
 openvswitch-brcompat - Open vSwitch bridge compatibility support
 openvswitch-common - Open vSwitch common components
 openvswitch-controller - Open vSwitch controller implementation
 openvswitch-datapath-dkms - Open vSwitch datapath module source - DKMS version
 openvswitch-datapath-source - Open vSwitch datapath module source - module-assistant version
 openvswitch-dbg - Debug symbols for Open vSwitch packages
 openvswitch-ipsec - Open vSwitch GRE-over-IPsec support
 openvswitch-pki - Open vSwitch public key infrastructure dependency package
 openvswitch-switch - Open vSwitch switch implementations
 openvswitch-test - Open vSwitch test package
 ovsdbmonitor - Open vSwitch graphical monitoring tool
 python-openvswitch - Python bindings for Open vSwitch
Closes: 683665
Changes: 
 openvswitch (1.4.2+git20120612-8) unstable; urgency=low
 .
   * Apply further patches to fix bugs resulting from moving
     /etc/openvswitch/conf.db to /var/lib/openvswitch in -7.
 .
     This required applying the following bug fix patches:
 .
     bug-681880-3-Make-the-location-of-the-database-separately-configu.patch
     bug-681880-4-tests-Slightly-generalize-utility-function-tests.patch
     bug-681880-5-util-New-function-follow_symlinks.patch
     bug-681880-6-lockfile-Be-more-forgiving-about-lockfiles-for-symli.patch
     bug-681880-7-ovsdb-Do-not-replace-symlinks-by-regular-files-durin.patch
     bug-681880-8-Fix-a-typo-in-commit-f973f2af2.patch
     bug-681880-9-dirs-dbdir-default-must-be-based-on-sysconfdir.patch
 .
   * debian/rules: Configure /var/lib/openvswitch as the database directory
     instead of working through symlinks.  (The symlinks are still created
     for compatibility with people and existing software that are
     accustomed to seeing the database in its original location, but the
     Debian packages themselves never use the symlinks.)
 .
   * debian/openvswitch-switch.postrm: Also remove
     /etc/openvswitch/system-id.conf and conf.db backups on purge.
 .
   * utilities/ovs-pki.in: Use mode 0700 instead of 0733 for
     openvswitch-pki "incoming" directory, by applying
     bug-683665-use-mode-700-for-pki-incoming-dir.patch.  See the patch for
     complete rationale.  Closes: #683665.  Thanks to Andreas Beckmann
     <debian@abeckmann.de> for reporting this bug.
 .
   * debian/openvswitch-pki.postinst: Change mode of existing "incoming"
     directories to 0700 at configure time (see above).
Checksums-Sha1: 
 c92c3f18c36747ce13c15937bce5eb9b78de3027 2731 openvswitch_1.4.2+git20120612-8.dsc
 57875b46a5931b2bfa4935bcf4f23fd73cf438dc 175866 openvswitch_1.4.2+git20120612-8.debian.tar.gz
 dd0e2c86efaa6181759917b35939150aaa5890fb 564312 openvswitch-common_1.4.2+git20120612-8_i386.deb
 087971fd4a3f2ab19e8ed27b700a3874b6a77f1d 1310704 openvswitch-switch_1.4.2+git20120612-8_i386.deb
 7ae4d907a701b3fd21b6cdf7059b972bd43fd9cc 30918 openvswitch-ipsec_1.4.2+git20120612-8_i386.deb
 76e0d5c50f9bcce9c040a55eac684b691ef306cd 195876 openvswitch-controller_1.4.2+git20120612-8_i386.deb
 a0c61d201aacf01369697ed293164ceab828edfc 343600 openvswitch-brcompat_1.4.2+git20120612-8_i386.deb
 96b6563d07bc583ba3f7f508984f73ba48c60438 338390 openvswitch-dbg_1.4.2+git20120612-8_i386.deb
 f3143aa1ff77161ed0d40bb1ed5eaf771af17e1d 2018420 openvswitch-datapath-source_1.4.2+git20120612-8_all.deb
 2b95a6c6158ac173a6e1bebcaae914e8bacda1de 1958212 openvswitch-datapath-dkms_1.4.2+git20120612-8_all.deb
 18b07a639f8dde9e4ba472e2579c4126a9899e4f 24334 openvswitch-pki_1.4.2+git20120612-8_all.deb
 c60d0328e9bd95315011a445a6b211cd571c8060 72494 python-openvswitch_1.4.2+git20120612-8_all.deb
 3f54c53e38f917fd05f279c3dcd74100c50d1d01 46990 ovsdbmonitor_1.4.2+git20120612-8_all.deb
 067f9c10e36bd049ef5b36fc34aba50a6863844f 33350 openvswitch-test_1.4.2+git20120612-8_all.deb
Checksums-Sha256: 
 9998d3319e10c2d347da0373d9fc78585511de8227916ab9a328c1cf47dab7f9 2731 openvswitch_1.4.2+git20120612-8.dsc
 e0bd4306fac0fd68f9a99411d965cd6f8fbd648ae110fc5221d64396bab4031d 175866 openvswitch_1.4.2+git20120612-8.debian.tar.gz
 6577c41066454d95df12f1b02262ec0d22403fd88e4077dbaacd70c2c95027d2 564312 openvswitch-common_1.4.2+git20120612-8_i386.deb
 97fe78e4c096df76b20ed580bdabc40937e0c1a70d862517bd5675b9930ece46 1310704 openvswitch-switch_1.4.2+git20120612-8_i386.deb
 011c90d4aab1820acc7996bd1e4f52745d759d88f307f71b53190c80e351f499 30918 openvswitch-ipsec_1.4.2+git20120612-8_i386.deb
 9aecd80ea2c781ac883596c662cedc49045f1012afb71fa0508bd6a494c9c64c 195876 openvswitch-controller_1.4.2+git20120612-8_i386.deb
 676ff6112d217542fe86bacf4932c9eeac3399661c24f10919f98a1ebb391b53 343600 openvswitch-brcompat_1.4.2+git20120612-8_i386.deb
 87eba0344b03f532d5dd4924bec6d998a46f270266b0a6297b8f50cb63b71188 338390 openvswitch-dbg_1.4.2+git20120612-8_i386.deb
 56f1e110aea4f5c9b27681361339aaa19efdbfd7e10ae170c2ca16c70786852c 2018420 openvswitch-datapath-source_1.4.2+git20120612-8_all.deb
 32084244f56e0cddba250827b6a846a82aeb406d83577cca468d48a0dc61e2ca 1958212 openvswitch-datapath-dkms_1.4.2+git20120612-8_all.deb
 e672890bc610da85e08b434ea5986e13d67985f30be39a7de19543af0107cb2c 24334 openvswitch-pki_1.4.2+git20120612-8_all.deb
 59b00bede60cd911329acf0e6335493eb6bf5385767122ad6aa9fb328873f6fb 72494 python-openvswitch_1.4.2+git20120612-8_all.deb
 ecdb5abdbe98e6a594aec5ff2adc80c9bc30798b44dd2d3c3b671b5d9a26e353 46990 ovsdbmonitor_1.4.2+git20120612-8_all.deb
 9f97a7f4065f2fa1fdcd0a7a3dfaf9455e563890285c9d162cb5d85ddd60cf88 33350 openvswitch-test_1.4.2+git20120612-8_all.deb
Files: 
 90dea9682c3a2fc89ad43dfa89e50177 2731 net extra openvswitch_1.4.2+git20120612-8.dsc
 3afa7b200713a8f8b66d1d999f4f4622 175866 net extra openvswitch_1.4.2+git20120612-8.debian.tar.gz
 b8ca25c1eb5bcabc7e377ad8a8822845 564312 net extra openvswitch-common_1.4.2+git20120612-8_i386.deb
 185dafc75640f65e9ad2ebeefbde250f 1310704 net extra openvswitch-switch_1.4.2+git20120612-8_i386.deb
 709d5f791f1b8778263b71eae57f2555 30918 net extra openvswitch-ipsec_1.4.2+git20120612-8_i386.deb
 48b544c8f697e0f96fada9c57f17ae40 195876 net extra openvswitch-controller_1.4.2+git20120612-8_i386.deb
 2acc35a18f1ec467bb9ead3ab726602a 343600 net extra openvswitch-brcompat_1.4.2+git20120612-8_i386.deb
 2c68fa7f4f4dd7640dc56b953a6d2544 338390 debug extra openvswitch-dbg_1.4.2+git20120612-8_i386.deb
 bff288dbc2f07e96aa24f3b1bfbc7a86 2018420 net extra openvswitch-datapath-source_1.4.2+git20120612-8_all.deb
 cb14ace2772832a742033449d907792f 1958212 net extra openvswitch-datapath-dkms_1.4.2+git20120612-8_all.deb
 96cabffd6d33d6c1d0e5d19a31f7f537 24334 net extra openvswitch-pki_1.4.2+git20120612-8_all.deb
 1765d9a571a52194d9d5bc3ef19119fc 72494 python extra python-openvswitch_1.4.2+git20120612-8_all.deb
 9e8fac6e0c0d5336dd9e5e6dfdd8eba7 46990 utils extra ovsdbmonitor_1.4.2+git20120612-8_all.deb
 c285da473018d83034a3c5fb791b9e0d 33350 net extra openvswitch-test_1.4.2+git20120612-8_all.deb



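The changelog entry above makes two separate changes: the ovs-pki patch switches the `mkdir` mode to 0700, and the openvswitch-pki postinst additionally chmods any "incoming" directory that already exists. The reason both are needed is that `mkdir -p` succeeds without touching a directory that is already there, so the `-m 0700` is only applied to directories the patched `ovs-pki init` creates itself. The script below is an added example, not code from the Debian package or from Open vSwitch; it emulates the old and the patched `init` on a constructed scratch tree standing in for /var/lib/openvswitch/pki (the two CA names are taken from the report, everything else is assumed) and shows the mode of "incoming" at each step.

```shell
#!/bin/sh
# Added example, not code from the Debian package or Open vSwitch: why the
# ovs-pki patch (mkdir -p -m 0700 incoming) is enough for a fresh PKI but not
# for one an older openvswitch-pki already initialised, which is the case the
# postinst change in the changelog handles with chmod. "mkdir -p" returns
# success without touching a directory that already exists, so the -m mode is
# applied only when mkdir actually creates the directory.

# Permission bits of $1 in octal (GNU stat first, BSD stat as a fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Assumption: $1 is a scratch tree standing in for /var/lib/openvswitch/pki,
# holding the two CA directories the report lists.
cas="controllerca switchca"

# What "ovs-pki init" did before the patch: incoming is created with 0733.
init_before_patch() {
    for ca in $cas; do
        mkdir -p "$1/$ca"
        mkdir -p -m 0733 "$1/$ca/incoming"
    done
}

# What the patched "ovs-pki init" does: 0700, but only when it creates the
# directory; an existing incoming keeps whatever mode it already has.
init_after_patch() {
    for ca in $cas; do
        mkdir -p "$1/$ca"
        mkdir -p -m 0700 "$1/$ca/incoming"
    done
}

# What the package postinst has to do on upgrade: fix directories that exist.
fix_existing_incoming() {
    for d in "$1"/*/incoming; do
        if [ -d "$d" ]; then
            chmod 0700 "$d"
        fi
    done
}

# Mode of one CA's incoming directory (both CAs are treated identically).
incoming_mode() {
    mode_of "$1/controllerca/incoming"
}

pki=$(mktemp -d)
init_before_patch "$pki"
echo "old init:                   incoming is $(incoming_mode "$pki")"
init_after_patch "$pki"
echo "patched init, same tree:    incoming is $(incoming_mode "$pki") (unchanged)"
fix_existing_incoming "$pki"
echo "after postinst-style chmod: incoming is $(incoming_mode "$pki")"
rm -rf "$pki"
```

The same reasoning applies to any fix of this shape: a tightened mode in an installer or init script protects new installations only, and the upgrade path needs an explicit chmod (or an equivalent maintainer-script step) for directories created by the old code.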


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 01 Sep 2012 07:29:45 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 11:26:49 2014; Machine Name: buxtehude.debian.org
