#1303 CVE-2015-0234 pki-core: pki-core 10.x: multiple /tmp/ file vulnerabilities [fedora-all]
Closed: Invalid None Opened 5 years ago by mharmsen.

There are several temporary file creation vulnerabilities:


kra/functional/drmtest.py:    certdb_dir = "/tmp/drmtest-certdb"
kra/src/com/netscape/kra/NetkeyKeygenService.java:                   String oFilePath = "/tmp/wrappedPrivKey.bin";
common/python/pki/profile.py:    connection.set_authentication_cert("/tmp/auth.pem")
common/python/pki/cert.py:    connection.set_authentication_cert("/tmp/auth.pem")
util/src/netscape/security/extensions/KerberosName.java:            FileOutputStream os = new FileOutputStream("/tmp/out.der");
setup/pkicommon.pm:        $tmp_dir    = "/tmp";
setup/pkicommon.pm:        $tmp_dir    = "/tmp";
tps-client/lib/perl/PKI/TPS/AdminPanel.pm:    my $tmpfile = "/tmp/admin-$$";
tps-client/lib/perl/PKI/TPS/AdminPanel.pm:    my $tmp = "/tmp/addAgents-$$.ldif";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:        my $filename = "/tmp/random.$$";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:            my $tmpfile = "/tmp/req$$";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:            my $tmpfile = "/tmp/req$$";
tps-client/lib/perl/PKI/TPS/NamePanel.pm:                my $tmpfile = "/tmp/grep$$"; 
tps-client/lib/perl/PKI/TPS/CAInfoPanel.pm:    my $tmpfile = "/tmp/ca-$$";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    my $tmp = "/tmp/database-$$.ldif";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    $tmp = "/tmp/addTokens-$$.ldif";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    $tmp = "/tmp/addIndexes-$$.ldif";
tps-client/lib/perl/PKI/TPS/DatabasePanel.pm:    $tmp = "/tmp/addVLVIndexes-$$.ldif";
tps-client/lib/perl/PKI/TPS/DonePanel.pm:    my $tmpfile = "/tmp/donepanel-$$";
tps-client/lib/perl/PKI/TPS/DonePanel.pm:    my $tmpfile = "/tmp/donepanel-$$";
tps-client/lib/perl/PKI/TPS/DonePanel.pm:    my $tmpfile = "/tmp/donepanel-$$";
tps-client/src/include/main/MemoryMgr.h:#define MEM_AUDIT_FILE "/tmp/mem-audit.log" 
tps-client/src/include/main/MemoryMgr.h:#define MEM_DUMP_FILE  "/tmp/mem-dump.log"
tps-client/src/engine/RA.cpp:                             m_cfg->GetConfigAsString(CFG_DEBUG_FILENAME, "/tmp/debug.log"),
tps-client/src/engine/RA.cpp:                             m_cfg->GetConfigAsString(CFG_ERROR_FILENAME, "/tmp/error.log"),
tps-client/src/engine/RA.cpp:                             m_cfg->GetConfigAsString(CFG_SELFTEST_FILENAME, "/tmp/selftest.log"),
tps-client/src/engine/RA.cpp:                                      "/tmp/audit.log"),
tps-client/src/engine/RA.cpp:                                  "/tmp/audit.log"),
tps-client/src/tus/tus_db.c:    debug_fd = PR_Open("/tmp/debugTUSdb.log",
tps-client/src/modules/tokendb/mod_tokendb.cpp:    debug_fd = PR_Open( "/tmp/tus-debug.log",
tps-client/setup/create.pl:    $tmpDir = "/tmp";

NOTE: So for Python you want mkstemp and mkdtemp from the tempfile module, for Perl mkstemp() and for C mkstemp() as well.

On 03/11/15, Ade Lee replied:

NACK.  Very few of these changes make any sense.

1. change in cert.py, profile.py, .  This is in code that is used to
unit test the cert.py code.  In order to run the unit test, you have to
specify where the auth file is -- you can't do that with your proposed

In any case, as this is unit test code, its hard to see this as a real
vulnerability.  If you want to remove the /tmp reference, then you
should add a parameter for the user to pass in the correct path.

2. The same thing is true in KerberosName.java.  Its defining the output
file from unit test code.  With your changes, we wont know where the
output will go.

3. The NetkeyKeygenService.java reference is in debug code that has been
commented out.  Why is a change needed here?

4.  The code change in pkicommon.pm is fine, but this code is no longer
used, so do we need to update it?

5.  The code in base/tps-client looks like it is no longer needed.
Rather than trying to patch it, we should remove it unless there is any
reason for it.  It looks like the code for the old TPS.


Based upon comment:4 above, the following email was sent to Kurt Seifried (the originator of the bug from whence this ticket was created):


I have attached the patch to which the NACK below refers.

Additional information regarding 4. and 5. below:

4.  'pkicommon.pm' is still needed by 'pki-setup-proxy', but no calls are made to the offending code.
Additionally, the 'pki-setup-proxy' call is currently slated to be rewritten in Python which will
result in the deletion of this code:

    PKI TRAC #1234 - Rewrite 'pki-setup-proxy' in Python

5. Vast portions of the code in 'base/tps-client' refer to the native-code (C/C++/Perl) version of
the TPS PKI subsystem which has since been re-written in Java.  Unfortunately, we still
utilize the native-code based 'tpsclient' test tool which requires some of the legacy native code
in order to be built.  Once 'tpsclient' is rewritten in Java, all of this code will be removed.

Finally, these changes were to be applied to the upstream Fedora branch (rhbz #1183178) which would
later be merged to the code branch for certificate system 9 (rhbz #1183179).

Therefore, based upon these findings, I would like to propose closing the tickets/bugs associated with this as WONTFIX.

Please let us know if you are agreeable to this suggestion.

-- Matt

As we await to hear back, we have deemed this ticket non-critical to the release of Dogtag 10.2.2 for Fedora 22, and may end up moving it forward to the Dogtag 10.2.3 milestone if it cannot be closed as WONTFIX.

Per request from nkinder on 03/13/2015: 10.2.3

Per Dogtag 10.2.x TRIAGE meeting of 04/28/2015: 10.3 (not even certain if these are vulnerabilities)

On 05/07/15 23:15, Kurt Seifried wrote:

Sorry lost track of this, in short if all the code is removed/unused we
can classify this as NOTABUG and close it up.

Metadata Update from @mharmsen:
- Issue assigned to mharmsen
- Issue set to the milestone: 10.3.0

3 years ago

Login to comment on this ticket.