[Pki-devel] [PATCH] Patch for /tmp/file vulnerabilities

Ade Lee alee at redhat.com
Wed Mar 11 17:03:18 UTC 2015


NACK.  Very few of these changes make any sense.

1. Change in cert.py, profile.py.  This is in code that is used to
unit test the cert.py code.  In order to run the unit test, you have to
specify where the auth file is -- you can't do that with your proposed
changes.

In any case, as this is unit test code, it's hard to see this as a real
vulnerability.  If you want to remove the /tmp reference, then you
should add a parameter for the user to pass in the correct path.

2. The same thing is true in KerberosName.java.  It's defining the output
file from unit test code.  With your changes, we won't know where the
output will go.

3. The NetkeyKeygenService.java reference is in debug code that has been
commented out.  Why is a change needed here?

4.  The code change in pkicommon.pm is fine, but this code is no longer
used, so do we need to update it?

5.  The code in base/tps-client looks like it is no longer needed.
Rather than trying to patch it, we should remove it unless there is any
reason for it.  It looks like the code for the old TPS.

Ade

On Tue, 2015-03-03 at 14:12 -0700, Matthew Harmsen wrote:
> Please review the attached patch which addresses the following:
>       * Bugzilla Bug #1183176 - (CVE-2015-0234) CVE-2015-0234 pki-core
>         10.x: multiple /tmp/ file vulnerabilities
>       * Bugzilla Bug #1183178 - CVE-2015-0234 pki-core: pki-core 10.x:
>         multiple /tmp/ file vulnerabilities [fedora-all]
> The attached patch was tested using the Dogtag 10.2.2 source code on the 'master' branch as of 02/27/2015.
> 
> It was successfully tested for a shared instance CA, KRA, OCSP, TKS, and TPS including successfully running the 'tpsclient' tool.
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
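As an added illustration of the two points the thread turns on (this is example code written for this page, not the pki-core patch or any code from the project), the block below shows the alternative Ade asks for in item 1, a caller-supplied auth-file location instead of a hard-coded /tmp name, alongside the general mitigation for predictable temp-file names: creating the file with tempfile.mkstemp, which uses O_CREAT|O_EXCL and mode 0600 so a pre-planted file or symlink at a guessable path is neither followed nor overwritten. The environment variable name PKI_AUTH_FILE, the SAMPLE_SOURCE lines and the function names are assumptions made up for the example; the regex-based audit helper is the kind of quick check a reviewer can run over a tree to list fixed /tmp literals before deciding which ones are live code and which are commented-out or dead, as items 3 to 5 ask.

```python
import os
import re
import stat
import tempfile

# Quoted string literal naming a fixed path under /tmp or /var/tmp: the kind of
# hard-coded, predictable location the patch under review is about.
HARDCODED_TMP_RE = re.compile(r'["\']/(?:var/)?tmp/[^"\'\s]+["\']')

# Constructed sample source (not from pki-core) used to exercise the audit.
SAMPLE_SOURCE = '''
auth_file = "/tmp/auth"            # hard-coded, predictable
out = open("/tmp/kerberos.out", "w")
cfg = os.path.join(confdir, "auth.cfg")
'''


def find_hardcoded_tmp_paths(source_text):
    """Return the hard-coded /tmp string literals found in source_text."""
    return [m.group(0).strip('"\'') for m in HARDCODED_TMP_RE.finditer(source_text)]


def resolve_auth_file(path=None, env=None, env_var="PKI_AUTH_FILE"):
    """Pick the auth-file location from an explicit argument or an env variable.

    There is deliberately no /tmp fallback: if neither is given the caller is
    told to supply one, which is the parameter the review asks for in item 1.
    env_var is an assumed name for this example, not a pki-core setting.
    """
    if path:
        return path
    env = os.environ if env is None else env
    env_path = env.get(env_var)
    if env_path:
        return env_path
    raise ValueError("auth file path must be passed explicitly or via %s" % env_var)


def write_output_securely(data, directory=None, prefix="pki-test-"):
    """Write data to a newly created, unpredictable file; return (path, mode).

    tempfile.mkstemp opens with O_CREAT|O_EXCL and mode 0600, so a file or
    symlink planted at a guessable name in a shared temp directory is neither
    followed nor overwritten. Passing directory keeps test output out of /tmp
    altogether, which answers the "where does the output go" concern in item 2.
    """
    fd, out_path = tempfile.mkstemp(prefix=prefix, suffix=".out", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    mode = stat.S_IMODE(os.stat(out_path).st_mode)
    return out_path, mode


def read_and_remove(path):
    """Read the written output back and clean the file up."""
    with open(path) as f:
        content = f.read()
    os.unlink(path)
    return content


if __name__ == "__main__":
    print(find_hardcoded_tmp_paths(SAMPLE_SOURCE))
    p, mode = write_output_securely("unit test output")
    print(p, oct(mode), read_and_remove(p))
```

Run as a script it lists the two fixed /tmp literals in the constructed sample, then creates a 0600 temp file with a random name and reads it back; the point of mkstemp over open() on a fixed name is that the file is created atomically with exclusive mode, so nothing an earlier writer left at that name is reused.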