der_chop script has file in /tmp security holes
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssl (Debian) | Fix Released | Unknown | |
openssl (Ubuntu) | Fix Released | High | Martin Pitt |
Bug Description
Automatically imported from Debian bug report #278260 http://
CVE References
In Debian Bug tracker #278260, Christoph Martin (martin-uni-mainz) wrote : Re: Bug#278260: der_chop script has file in /tmp security holes | #1 |
In Debian Bug tracker #278260, Joey Hess (joeyh) wrote : | #2 |
Christoph Martin wrote:
> How should I fix it in the source package? They are supposed to be the
> unchanged archives from upstream. I could however include a fix in the
> diff. But that will not prevent anyone from using the upstream source.
> But if a fixed upstream version is released I will release it for Debian.
Fixing it in the diff would be fine, that's how we typically fix
security problems after all. Or just forward it upstream and let them
fix it there.
--
see shy jo
In Debian Bug tracker #278260, Martin Pitt (pitti) wrote : | #3 |
severity 278260 grave
tag 278260 patch
thanks
Joey Hess [2004-10-25 16:00 -0400]:
> The der_chop script that is in the source only of openssl (not in any
> debs) is vulnerable to a file in /tmp security hole, according to
> CAN-2004-0975:
This is not quite correct, the script is shipped as
/usr/lib/
scripts. Therefore I increase the severity.
I prepared a patch for Ubuntu Warty and Hoary. The Hoary package is
the same version as in Debian Sid/Sarge, so the patch should apply
without problems. Just be sure to adapt the version number.
The patch is at
http://
Please do not use the RedHat patch (with doing things like
`mktemp ..`
this is flawed and a bit too much overhead. The perl module File::Temp
is portable and works fine. Please also submit this patch upstream.
Thanks,
Martin
--
Martin Pitt http://
Ubuntu Developer http://
Debian GNU/Linux Developer http://
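The failure mode this bug describes (a `$$`-style temporary file name hit by a symlink) next to the File::Temp approach recommended above, as an added Perl example; it is not der_chop's code and not the Ubuntu patch. The sandbox directory, the `der_chop.$$` and `der_chop.XXXXXX` names and `important.txt` are constructed for the demonstration, and everything runs inside a private directory that is removed on exit.

```perl
#!/usr/bin/perl
# Added example (not der_chop's code): a predictable $$-named temp file
# versus File::Temp, exercised inside a private sandbox directory.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

# Sandbox stands in for a shared /tmp; it is removed when the script exits.
my $sandbox = tempdir("tmpdemo.XXXXXX", TMPDIR => 1, CLEANUP => 1);

# Constructed file standing in for anything the script's user may write to.
my $victim = "$sandbox/important.txt";
write_file($victim, "original contents\n");

# Weak pattern: the name depends only on the PID, so it is known in advance.
my $predictable = "$sandbox/der_chop.$$";

# Constructed precondition: a symlink already sits at the predictable name.
symlink($victim, $predictable) or die "symlink: $!";

# 1. Plain open() follows the symlink and truncates its target.
open(my $weak, '>', $predictable) or die "open: $!";
print {$weak} "temporary DER data\n";
close($weak);
print "after plain open : ", read_file($victim);

# 2. O_CREAT|O_EXCL refuses any name that already exists, symlink or not.
write_file($victim, "original contents\n");
if (sysopen(my $excl, $predictable, O_WRONLY | O_CREAT | O_EXCL, 0600)) {
    close($excl);
    print "O_EXCL open      : unexpectedly succeeded\n";
} else {
    print "O_EXCL open      : refused ($!)\n";
}

# 3. File::Temp picks a random name and creates it with O_EXCL, mode 0600.
my ($fh, $name) = tempfile("der_chop.XXXXXX", DIR => $sandbox, UNLINK => 1);
print {$fh} "temporary DER data\n";
close($fh);
print "File::Temp name  : $name\n";
print "victim afterwards: ", read_file($victim);

sub write_file {
    my ($path, $data) = @_;
    open(my $out, '>', $path) or die "write $path: $!";
    print {$out} $data;
    close($out);
}

sub read_file {
    my ($path) = @_;
    open(my $in, '<', $path) or die "read $path: $!";
    local $/;    # slurp the whole file
    my $data = <$in>;
    close($in);
    return $data;
}
```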
Debian Bug Importer (debzilla) wrote : | #4 |
Automatically imported from Debian bug report #278260 http://
Debian Bug Importer (debzilla) wrote : | #5 |
Message-ID: <email address hidden>
Date: Mon, 25 Oct 2004 16:00:18 -0400
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: der_chop script has file in /tmp security holes
Package: openssl
Version: 0.9.7d-5
Severity: normal
Tags: security
The der_chop script that is in the source only of openssl (not in any
debs) is vulnerable to a file in /tmp security hole, according to
CAN-2004-0975:
Phase: Assigned (20041019)
Reference: TRUSTIX:2004-0050
Reference: URL:http://
Reference: CONFIRM:http://
6302
Reference: BID:11293
Reference: URL:http://
Description:
The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.
This should be fixed just in case someone finds it in the source package..
--
see shy jo
Debian Bug Importer (debzilla) wrote : | #6 |
Message-ID: <email address hidden>
Date: Tue, 26 Oct 2004 11:24:28 +0200
From: Christoph Martin <email address hidden>
To: Joey Hess <email address hidden>, <email address hidden>
Subject: Re: Bug#278260: der_chop script has file in /tmp security holes
Debian Bug Importer (debzilla) wrote : | #7 |
Message-ID: <email address hidden>
Date: Tue, 26 Oct 2004 12:19:59 -0400
From: Joey Hess <email address hidden>
To: Christoph Martin <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#278260: der_chop script has file in /tmp security holes
Debian Bug Importer (debzilla) wrote : | #8 |
Message-ID: <email address hidden>
Date: Thu, 11 Nov 2004 11:47:59 +0100
From: Martin Pitt <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: der_chop script has file in /tmp security holes
Martin Pitt (pitti) wrote : | #9 |
How nice to see one's own Debian reports bounced back :-)
Package is prepared and ready for upload, but needs to be reviewed.
In Debian Bug tracker #278260, Christoph Martin (martin-uni-mainz) wrote : [Fwd: Bug#278260: der_chop script has file in /tmp security holes] | #10 |
Hi folks,
are you aware of this bug in the der_chop script?
A fix is in
http://
Christoph
--
=======
Christoph Martin, EDV der Verwaltung, Uni-Mainz, Germany
Internet-Mail: <email address hidden>
Phone: +49-6131-3926337
Fax: +49-6131-3922856
Package: openssl
Version: 0.9.7d-5
Severity: normal
Tags: security
The der_chop script that is in the source only of openssl (not in any
debs) is vulnerable to a file in /tmp security hole, according to
CAN-2004-0975:
Phase: Assigned (20041019)
Reference: TRUSTIX:2004-0050
Reference: URL:http://
Reference: CONFIRM:http://
Reference: BID:11293
Reference: URL:http://
Description:
The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.
This should be fixed just in case someone finds it in the source package..
--
see shy jo
Debian Bug Importer (debzilla) wrote : | #11 |
Message-ID: <email address hidden>
Date: Fri, 12 Nov 2004 13:29:39 +0100
From: Christoph Martin <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: [Fwd: Bug#278260: der_chop script has file in /tmp security holes]
In Debian Bug tracker #278260, Christoph Martin (christoph-martin) wrote : Bug#278260: fixed in openssl 0.9.7e-1 | #12 |
Source: openssl
Source-Version: 0.9.7e-1
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:
libcrypto0.
to pool/main/
libssl-
to pool/main/
libssl0.
to pool/main/
openssl_
to pool/main/
openssl_
to pool/main/
openssl_
to pool/main/
openssl_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christoph Martin <email address hidden> (supplier of updated openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Format: 1.7
Date: Fri, 12 Nov 2004 14:11:15 +0100
Source: openssl
Binary: libssl-dev openssl libcrypto0.9.7-udeb libssl0.9.7
Architecture: source i386
Version: 0.9.7e-1
Distribution: unstable
Urgency: high
Maintainer: Christoph Martin <email address hidden>
Changed-By: Christoph Martin <email address hidden>
Description:
libcrypto0.
libssl-dev - SSL development libraries, header files and documentation
libssl0.9.7 - SSL shared libraries
openssl - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 253126 260357 272479 273517 275224 278260 280225
Changes:
openssl (0.9.7e-1) unstable; urgency=high
.
* SECURITY UPDATE: fix insecure temporary file handling
* apps/der_chop:
- replaced $$-style creation of temporary files with
- removed unused temporary file name in do_certificate()
* References:
CAN-2004-0975 (closes: #278260)
* fix ASN1_STRING_to_UTF8 with UTF8 (closes: #260357)
* New upstream release with security fixes
- Avoid a race condition when CRLs are checked in a multi threaded
environment.
- Various fixes to s3_pkt.c so alerts are sent properly.
- Reduce the chances of duplicate issuer name and serial numbers (in
violation of RFC3280) using the OpenSSL certificate creation
utilities.
* depends openssl on perl-base instead of perl (closes: #280225)
* support powerpc64 in Configure (closes: #275224)
* include cs translation (closes: #273517)
* include nl translation (closes: #272479)
* Fix default dir of c_rehash (closes: #253126)
Files:
a565446b3b148f
a8777164bca38d
Debian Bug Importer (debzilla) wrote : | #13 |
Message-Id: <email address hidden>
Date: Fri, 12 Nov 2004 11:17:22 -0500
From: Christoph Martin <email address hidden>
To: <email address hidden>
Subject: Bug#278260: fixed in openssl 0.9.7e-1
Martin Pitt (pitti) wrote : | #14 |
Warty package was fixed a while ago, Hoary is now fixed by syncing the Debian
revision.
In Debian Bug tracker #278260, Helge Kreutzmann (kreutzm) wrote : woody also affected | #15 |
reopen 278260
tags 278260 + woody
thanks
I see things like
in the woody version, and according to
http://
woody is affected.
Greetings
Helge
--
Helge Kreutzmann, Dipl.-Phys. <email address hidden>
64bit GNU powered http://
Help keep free software "libre": http://
Debian Bug Importer (debzilla) wrote : | #16 |
Message-ID: <email address hidden>
Date: Thu, 18 Nov 2004 16:11:58 +0100
From: Helge Kreutzmann <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: woody also affected
In Debian Bug tracker #278260, Adrian Bunk (bunk) wrote : still present in sarge | #17 |
reopen 278260
tags 278260 -woody
tags 278260 +sarge
thanks
Debian Bug Importer (debzilla) wrote : | #18 |
Message-ID: <email address hidden>
Date: Sat, 27 Nov 2004 16:39:19 +0100
From: Adrian Bunk <email address hidden>
To: <email address hidden>
Subject: still present in sarge
In Debian Bug tracker #278260, Steve Langasek (vorlon) wrote : it was already asserted that woody was affected | #19 |
tags 278260 -sarge
tags 278260 +woody
thanks
Debian Bug Importer (debzilla) wrote : | #20 |
Message-ID: <email address hidden>
Date: Sat, 27 Nov 2004 20:32:49 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: it was already asserted that woody was affected
In Debian Bug tracker #278260, Helge Kreutzmann (kreutzm) wrote : Security update of openssl has happened | #21 |
close 278260
thanks
--
Helge Kreutzmann, Dipl.-Phys. <email address hidden>
64bit GNU powered http://
Help keep free software "libre": http://
Debian Bug Importer (debzilla) wrote : | #22 |
Message-ID: <email address hidden>
Date: Mon, 13 Dec 2004 14:35:43 +0100
From: Helge Kreutzmann <email address hidden>
To: <email address hidden>
Subject: Security update of openssl has happened
Changed in openssl: | |
status: | Unknown → Fix Released |
Hi Joey,
Joey Hess wrote:
> Package: openssl
> Version: 0.9.7d-5
> Severity: normal
> Tags: security
>
> The der_chop script that is in the source only of openssl (not in any
> debs) is vulnerable to a file in /tmp security hole, according to
> CAN-2004-0975:
>
> Phase: Assigned (20041019)
> Reference: TRUSTIX:2004-0050
> Reference: URL:http://www.trustix.org/errata/2004/0050
> Reference: CONFIRM:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136302
> Reference: BID:11293
> Reference: URL:http://www.securityfocus.com/bid/11293
>
> Description:
> The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.
>
> This should be fixed just in case someone finds it in the source package..
How should I fix it in the source package? They are supposed to be the
unchanged archives from upstream. I could however include a fix in the
diff. But that will not prevent anyone from using the upstream source.
But if a fixed upstream version is released I will release it for Debian.
Christoph
--
=======
Christoph Martin, EDV der Verwaltung, Uni-Mainz, Germany
Internet-Mail: <email address hidden>
Phone: +49-6131-3926337
Fax: +49-6131-3922856