lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <alpine.LFD.1.10.0903092046510.10914@mail.xtdnet.nl>
Date: Mon, 9 Mar 2009 21:12:41 +0100 (CET)
From: Paul Wouters <paul@...net.nl>
To: Robert Buchholz <rbu@...too.org>
Cc: Paul Wouters <paul@...erance.com>, gentoo-announce@...too.org,
	cve@...re.org, bugtraq@...urityfocus.com,
	full-disclosure@...ts.grok.org.uk, security-alerts@...uxsecurity.com
Subject: Re: [ GLSA 200903-18 ] Openswan: Insecure temporary file creation

On Mon, 9 Mar 2009, Robert Buchholz wrote:

> Subject: [ GLSA 200903-18 ] Openswan: Insecure temporary file creation

Once again, thanks to everyone for not contacting the Openswan Project
in this matter just like they did not do this 6 months ago when this
"vulnerability" came out originally.

>  Severity: Normal
>     Title: Openswan: Insecure temporary file creation
>      Date: March 09, 2009
>      Bugs: #238574
>        ID: 200903-18

> An insecure temporary file usage has been reported in Openswan,
> allowing for symlink attacks.

> Dmitry E. Oboukhov reported that the IPSEC livetest tool does not
> handle the ipseclive.conn and ipsec.olts.remote.log temporary files
> securely.

> A local attacker could perform symlink attacks to execute arbitrary
> code and overwrite arbitrary files with the privileges of the user
> running the application.

The ipsec livetest command was never called or used by anything in
openswan as it was not finished. Furthermore, it was no longer 
installed AND explicitely disabled since:

commit 4661d345b676d5412a52b6d1289568fc4ab31eac
Author: Paul Wouters <paul@...erance.com>
Date:   Fri Nov 21 23:52:38 2008 -0600

     Skip installing livetest

when we added:

$ head -5 programs/livetest/livetest.in 
#!/bin/sh

echo "currently not used"
exit

> Workaround
> ==========
>
> There is no known workaround at this time.

The ipsec livetest is not even used by anything within the openswan
software. It is never called. No parts of openswan are called without
root privs. This whole thing is moot. Please bury it. Or just remove
the install of the livetest command in your build environment.

Or just ship a newer version of openswanm like 2.6.20 instead of the
latest "vulnerable" version in 2.6.16.

> Resolution
> ==========
>
> All Openswan users should upgrade to the latest version:
>
>    # emerge --sync
>    # emerge --ask --oneshot --verbose ">=net-misc/openswan-2.4.13-r2"

Ahh. gentoo still uses the openswan-2.4.x version which has been EOL since
early 2008.

Also note that to problematic use was in wget -O. Perhaps one should talk
to the wget people about symlink attack in their code instead?

Paul

Powered by blists - more mailing lists