Debian Bug report logs - #706933
1100-sslcert checks for wrong package; snakeoil cert is not regenerated

Package: live-config; Maintainer for live-config is Live Systems Maintainers <debian-live@lists.debian.org>; Source for live-config is src:live-config.

Reported by: "Trent W. Buck" <trentbuck@gmail.com>

Date: Mon, 6 May 2013 10:30:07 UTC

Severity: normal

Found in version live-config/3.0.23-1

Fixed in version 4.0~a20-1

Done: Daniel Baumann <daniel.baumann@progress-technologies.net>


Report forwarded to debian-bugs-dist@lists.debian.org, Live Systems Maintainers <debian-live@lists.debian.org>:
Bug#706933; Package live-config. (Mon, 06 May 2013 10:30:11 GMT)

Acknowledgement sent to "Trent W. Buck" <trentbuck@gmail.com>:
New Bug report received and forwarded. Copy sent to Live Systems Maintainers <debian-live@lists.debian.org>. (Mon, 06 May 2013 10:30:12 GMT)

Message #5 received at submit@bugs.debian.org:

From: "Trent W. Buck" <trentbuck@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: 1100-sslcert checks for wrong package; snakeoil cert is not regenerated
Date: Mon, 06 May 2013 20:28:57 +1000
Package: live-config
Version: 3.0.23-1
Severity: normal

[When asked privately in IRC, dba didn't consider this a security
issue, so I'm reporting it normally.]

It looks like /lib/live/config/1100-sslcert is trying to regenerate
the snakeoil key & cert at boot time, similar to how SSH host keys are
handled in 1170-openssh-server.  AFAICT this code will never run,
because it looks for "sslcert" when it should look for "ssl-cert".

If someone builds a live SOE with a daemon, and that daemon is stupid
enough to use the snakeoil certs instead of generating its own, that
daemon will be using the same key across all boots/instances.  If an
attacker got hold of the SOE, they could extract the build-time
snakeoil key and use it for MITM type things.

(Of course, any daemon that generates its own certs would need an
equivalent to this script, or be similarly affected.  Same thing if
someone builds a live SOE with dropbear or lsh instead of openssh.)
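
The failure mode reported above, as an added example that is not part of the original report and is not live-config code: a guard keyed on the misspelled package name never matches, so the build-time snakeoil key survives every boot. The dpkg list-file test and the helper names (`pkg_installed`, `snakeoil_state`, `make_sample_root`) are assumptions made for illustration; the key path is the one the ssl-cert package uses, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not live-config code): audit a booted or unpacked live
# image for a snakeoil key that was never regenerated.

# Succeeds if dpkg's file list for package $2 exists under root $1.
pkg_installed() {
    [ -e "$1/var/lib/dpkg/info/$2.list" ]
}

# Prints not-applicable | missing | reused | regenerated for root $1,
# given the SHA-256 of the build-time key in $2.
snakeoil_state() {
    root=$1
    build_sum=$2
    key="$root/etc/ssl/private/ssl-cert-snakeoil.key"
    if ! pkg_installed "$root" ssl-cert; then
        echo not-applicable
    elif [ ! -f "$key" ]; then
        echo missing
    elif [ "$(sha256sum "$key" | cut -d' ' -f1)" = "$build_sum" ]; then
        echo reused
    else
        echo regenerated
    fi
}

# Constructed sample tree: ssl-cert installed, key bytes are dummy data.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/var/lib/dpkg/info" "$r/etc/ssl/private"
    : > "$r/var/lib/dpkg/info/ssl-cert.list"
    printf 'constructed build-time key\n' \
        > "$r/etc/ssl/private/ssl-cert-snakeoil.key"
    echo "$r"
}

sample=$(make_sample_root)
sample_sum=$(sha256sum "$sample/etc/ssl/private/ssl-cert-snakeoil.key" | cut -d' ' -f1)
# A guard keyed on the misspelled name never matches, so nothing runs:
pkg_installed "$sample" sslcert || echo "guard on 'sslcert': skipped"
echo "state after boot: $(snakeoil_state "$sample" "$sample_sum")"
rm -rf "$sample"
```

Run against a real image, `reused` on more than one instance means every instance shares the private key shipped in the image.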



Marked as fixed in versions 4.0~a20-1. Request was from Daniel Baumann <daniel.baumann@progress-technologies.net> to control@bugs.debian.org. (Mon, 06 May 2013 19:03:13 GMT)

Marked Bug as done. Request was from Daniel Baumann <daniel.baumann@progress-technologies.net> to control@bugs.debian.org. (Mon, 06 May 2013 19:03:14 GMT)

Notification sent to "Trent W. Buck" <trentbuck@gmail.com>:
Bug acknowledged by developer. (Mon, 06 May 2013 19:03:15 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 02:25:07 2014; Machine Name: buxtehude.debian.org
