der_chop script has file in /tmp security holes

Bug #10212 reported by Debian Bug Importer
Affects            Status         Importance   Assigned to   Milestone
openssl (Debian)   Fix Released   Unknown
openssl (Ubuntu)   Fix Released   High         Martin Pitt

Bug Description

Automatically imported from Debian bug report #278260 http://bugs.debian.org/278260

Revision history for this message
Christoph Martin (martin-uni-mainz) wrote : Re: Bug#278260: der_chop script has file in /tmp security holes

Hi Joey,

Joey Hess wrote:
> Package: openssl
> Version: 0.9.7d-5
> Severity: normal
> Tags: security
>
> The der_chop script that is in the source only of openssl (not in any
> debs) is vulnerable to a file in /tmp security hole, according to
> CAN-2004-0975:
>
> Phase: Assigned (20041019)
> Reference: TRUSTIX:2004-0050
> Reference: URL:http://www.trustix.org/errata/2004/0050
> Reference: CONFIRM:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136302
> Reference: BID:11293
> Reference: URL:http://www.securityfocus.com/bid/11293
>
> Description:
> The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.
>
> This should be fixed just in case someone finds it in the source package..

How should I fix it in the source package? They are supposed to be the
unchanged archives from upstream. I could however include a fix in the
diff. But that will not prevent anyone from using the upstream source.
But if a fixed upstream version is released I will release it for Debian.

Christoph

--
============================================================================
Christoph Martin, EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail: <email address hidden>
  Telefon: +49-6131-3926337
      Fax: +49-6131-3922856

Revision history for this message
Joey Hess (joeyh) wrote :

Christoph Martin wrote:
> How should I fix it in the source package? They are supposed to be the
> unchanged archives from upstream. I could however include a fix in the
> diff. But that will not prevent anyone from using the upstream source.
> But if a fixed upstream version is released I will release it for Debian.

Fixing it in the diff would be fine, that's how we typically fix
security problems after all. Or just forward it upstream and let them
fix it there.

--
see shy jo

Revision history for this message
Martin Pitt (pitti) wrote :

severity 278260 grave
tag 278260 patch
thanks

Joey Hess [2004-10-25 16:00 -0400]:
> The der_chop script that is in the source only of openssl (not in any
> debs) is vulnerable to a file in /tmp security hole, according to
> CAN-2004-0975:

This is not quite correct, the script is shipped as
/usr/lib/ssl/misc/der_chop, together with some other auxiliary
scripts. Therefore I increase the severity.

I prepared a patch for Ubuntu Warty and Hoary. The Hoary package is
the same version as in Debian Sid/Sarge, so the patch should apply
without problems. Just be sure to adapt the version number.

The patch is at

  http://patches.ubuntulinux.org/patches/openssl.CAN-2004-0975.diff

Please do not use the RedHat patch (with doing things like

  `mktemp ..`

this is flawed and a bit too much overhead. The perl module File::Temp
is portable and works fine. Please also submit this patch upstream.

Thanks,

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 25 Oct 2004 16:00:18 -0400
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: der_chop script has file in /tmp security holes

Package: openssl
Version: 0.9.7d-5
Severity: normal
Tags: security

The der_chop script that is in the source only of openssl (not in any
debs) is vulnerable to a file in /tmp security hole, according to
CAN-2004-0975:

Phase: Assigned (20041019)
Reference: TRUSTIX:2004-0050
Reference: URL:http://www.trustix.org/errata/2004/0050
Reference: CONFIRM:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136302
Reference: BID:11293
Reference: URL:http://www.securityfocus.com/bid/11293

Description:
The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.

This should be fixed just in case someone finds it in the source package..

--
see shy jo

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 26 Oct 2004 11:24:28 +0200
From: Christoph Martin <email address hidden>
To: Joey Hess <email address hidden>, <email address hidden>
Subject: Re: Bug#278260: der_chop script has file in /tmp security holes

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 26 Oct 2004 12:19:59 -0400
From: Joey Hess <email address hidden>
To: Christoph Martin <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#278260: der_chop script has file in /tmp security holes

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 11 Nov 2004 11:47:59 +0100
From: Martin Pitt <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: der_chop script has file in /tmp security holes

Revision history for this message
Martin Pitt (pitti) wrote :

How nice to see one's own Debian reports bounced back :-)

Package is prepared and ready for upload, but needs to be reviewed.

Revision history for this message
Christoph Martin (martin-uni-mainz) wrote : [Fwd: Bug#278260: der_chop script has file in /tmp security holes]

Hi folks,

are you aware of this bug in the der_chop script?

A fix is in
http://patches.ubuntulinux.org/patches/openssl.CAN-2004-0975.diff

Christoph
--
============================================================================
Christoph Martin, EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail: <email address hidden>
  Telefon: +49-6131-3926337
      Fax: +49-6131-3922856

Package: openssl
Version: 0.9.7d-5
Severity: normal
Tags: security

The der_chop script that is in the source only of openssl (not in any
debs) is vulnerable to a file in /tmp security hole, according to
CAN-2004-0975:

Phase: Assigned (20041019)
Reference: TRUSTIX:2004-0050
Reference: URL:http://www.trustix.org/errata/2004/0050
Reference: CONFIRM:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136302
Reference: BID:11293
Reference: URL:http://www.securityfocus.com/bid/11293

Description:
The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.

This should be fixed just in case someone finds it in the source package..

--
see shy jo

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 12 Nov 2004 13:29:39 +0100
From: Christoph Martin <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: [Fwd: Bug#278260: der_chop script has file in /tmp security holes]

Revision history for this message
Christoph Martin (christoph-martin) wrote : Bug#278260: fixed in openssl 0.9.7e-1

Source: openssl
Source-Version: 0.9.7e-1

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:

libcrypto0.9.7-udeb_0.9.7e-1_i386.udeb
  to pool/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-1_i386.udeb
libssl-dev_0.9.7e-1_i386.deb
  to pool/main/o/openssl/libssl-dev_0.9.7e-1_i386.deb
libssl0.9.7_0.9.7e-1_i386.deb
  to pool/main/o/openssl/libssl0.9.7_0.9.7e-1_i386.deb
openssl_0.9.7e-1.diff.gz
  to pool/main/o/openssl/openssl_0.9.7e-1.diff.gz
openssl_0.9.7e-1.dsc
  to pool/main/o/openssl/openssl_0.9.7e-1.dsc
openssl_0.9.7e-1_i386.deb
  to pool/main/o/openssl/openssl_0.9.7e-1_i386.deb
openssl_0.9.7e.orig.tar.gz
  to pool/main/o/openssl/openssl_0.9.7e.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Martin <email address hidden> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----

Format: 1.7
Date: Fri, 12 Nov 2004 14:11:15 +0100
Source: openssl
Binary: libssl-dev openssl libcrypto0.9.7-udeb libssl0.9.7
Architecture: source i386
Version: 0.9.7e-1
Distribution: unstable
Urgency: high
Maintainer: Christoph Martin <email address hidden>
Changed-By: Christoph Martin <email address hidden>
Description:
 libcrypto0.9.7-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl0.9.7 - SSL shared libraries
 openssl - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 253126 260357 272479 273517 275224 278260 280225
Changes:
 openssl (0.9.7e-1) unstable; urgency=high
 .
   * SECURITY UPDATE: fix insecure temporary file handling
   * apps/der_chop:
     - replaced $$-style creation of temporary files with
       File::Temp::tempfile()
     - removed unused temporary file name in do_certificate()
   * References:
     CAN-2004-0975 (closes: #278260)
   * fix ASN1_STRING_to_UTF8 with UTF8 (closes: #260357)
   * New upstream release with security fixes
     - Avoid a race condition when CRLs are checked in a multi threaded
       environment.
     - Various fixes to s3_pkt.c so alerts are sent properly.
     - Reduce the chances of duplicate issuer name and serial numbers (in
       violation of RFC3280) using the OpenSSL certificate creation
       utilities.
   * depends openssl on perl-base instead of perl (closes: #280225)
   * support powerpc64 in Configure (closes: #275224)
   * include cs translation (closes: #273517)
   * include nl translation (closes: #272479)
   * Fix default dir of c_rehash (closes: #253126)
Files:
 a565446b3b148f361cf97c7f77a84357 908 utils optional openssl_0.9.7e-1.dsc
 a8777164bca38d84e5eb2b1535223474 3043231 utils optional openssl_0.9...


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 12 Nov 2004 11:17:22 -0500
From: Christoph Martin <email address hidden>
To: <email address hidden>
Subject: Bug#278260: fixed in openssl 0.9.7e-1

Revision history for this message
Martin Pitt (pitti) wrote :

Warty package was fixed a while ago, Hoary is now fixed by syncing the Debian
revision.

Revision history for this message
Helge Kreutzmann (kreutzm) wrote : woody also affected

reopen 278260
tags 278260 + woody
thanks

I see things like
        $file="/tmp/a$$.DER";
in the woody version, and according to
http://www.securityfocus.com/bid/11293

woody is affected.

Greetings

         Helge
--
Helge Kreutzmann, Dipl.-Phys. <email address hidden>
                       gpg signed mail preferred
    64bit GNU powered http://www.itp.uni-hannover.de/~kreutzm
       Help keep free software "libre": http://www.freepatents.org/
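
An added example, not code from der_chop or from the Ubuntu/Debian patch: it contrasts the `$$`-style file name quoted in the message above with exclusive creation and with the File::Temp::tempfile() call named in the 0.9.7e-1 changelog. The scratch directory, the file names and the helper subs are assumptions of the example, and the symlink is constructed inside that scratch directory only.

```perl
#!/usr/bin/perl
# Added illustration: why a "/tmp/a$$.DER"-style name is unsafe and what
# exclusive creation and File::Temp::tempfile() change. Not der_chop code.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile tempdir);

# Private scratch directory standing in for /tmp (assumption of this demo);
# it is removed automatically when the script exits.
my $scratch = tempdir(CLEANUP => 1);

# Constructed sample: a file that must survive, and a symlink already sitting
# at the name the script is about to use.
my $keep = "$scratch/keep.txt";
write_plain($keep, "original\n");
my $predictable = "$scratch/a" . $$ . ".DER";    # what "a$$.DER" expands to
symlink($keep, $predictable) or die "symlink: $!";

# Pattern from the report: open a guessable name for writing. open() follows
# a symlink at that name and truncates whatever it points to.
sub write_plain {
    my ($path, $data) = @_;
    open(my $fh, '>', $path) or return 0;
    print {$fh} $data;
    close($fh) or return 0;
    return 1;
}

# Hand-rolled fix: O_CREAT|O_EXCL fails if the name already exists, and a
# symlink counts as existing, so nothing is followed or truncated.
sub write_exclusive {
    my ($path, $data) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return 0;
    print {$fh} $data;
    close($fh) or return 0;
    return 1;
}

# Fix named in the changelog: tempfile() chooses a random name, creates it
# exclusively with mode 0600 and returns the open handle with the name.
sub write_tempfile {
    my ($dir, $data) = @_;
    my ($fh, $name) = tempfile('derXXXXXXXX', DIR => $dir, SUFFIX => '.DER');
    print {$fh} $data;
    close($fh) or die "close $name: $!";
    return $name;
}

# Read a whole file back so the effect on keep.txt can be shown.
sub slurp {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "open $path: $!";
    local $/;
    return scalar <$fh>;
}

my $excl_ok     = write_exclusive($predictable, "DER bytes\n");
my $after_excl  = slurp($keep);

my $temp_name   = write_tempfile($scratch, "DER bytes\n");
my $after_temp  = slurp($keep);

my $plain_ok    = write_plain($predictable, "DER bytes\n");
my $after_plain = slurp($keep);

printf "O_EXCL on existing name: %s; keep.txt: %s",
    ($excl_ok ? "created" : "refused"), $after_excl;
printf "tempfile() wrote to %s; keep.txt: %s", $temp_name, $after_temp;
printf "plain open on predictable name: %s; keep.txt: %s",
    ($plain_ok ? "written" : "failed"), $after_plain;
```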

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 18 Nov 2004 16:11:58 +0100
From: Helge Kreutzmann <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: woody also affected

Revision history for this message
Adrian Bunk (bunk) wrote : still present in sarge

reopen 278260
tags 278260 -woody
tags 278260 +sarge
thanks

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 27 Nov 2004 16:39:19 +0100
From: Adrian Bunk <email address hidden>
To: <email address hidden>
Subject: still present in sarge

Revision history for this message
Steve Langasek (vorlon) wrote : it was already asserted that woody was affected

tags 278260 -sarge
tags 278260 +woody
thanks

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 27 Nov 2004 20:32:49 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: it was already asserted that woody was affected

Revision history for this message
Helge Kreutzmann (kreutzm) wrote : Security update of openssl has happened

close 278260
thanks

--
Helge Kreutzmann, Dipl.-Phys. <email address hidden>
                       gpg signed mail preferred
    64bit GNU powered http://www.itp.uni-hannover.de/~kreutzm
       Help keep free software "libre": http://www.freepatents.org/

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 13 Dec 2004 14:35:43 +0100
From: Helge Kreutzmann <email address hidden>
To: <email address hidden>
Subject: Security update of openssl has happened

Changed in openssl:
status: Unknown → Fix Released