Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200411-15 ] OpenSSL, Groff: Insecure tempfile handling
Date: Mon, 08 Nov 2004 10:47:30
Message-Id: 418F4C64.9020707@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200411-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: OpenSSL, Groff: Insecure tempfile handling
Date: November 08, 2004
Bugs: #68404, #68407
ID: 200411-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

groffer, included in the Groff package, and the der_chop script,
included in the OpenSSL package, are both vulnerable to symlink
attacks, potentially allowing a local user to overwrite arbitrary
files with the rights of the user running the utility.

Background
==========

OpenSSL is a toolkit implementing the Secure Sockets Layer and
Transport Layer Security protocols as well as a general-purpose
cryptography library. It includes the der_chop script, which is used to
convert DER-encoded certificates to PEM format. Groff (GNU Troff) is a
typesetting package which reads plain text mixed with formatting
commands and produces formatted output. It includes groffer, a command
used to display groff files and man pages on X and tty.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /   Vulnerable    /   Unaffected
    -------------------------------------------------------------------
  1  dev-libs/openssl         < 0.9.7d-r2       >= 0.9.7d-r2
  2  sys-apps/groff           < 1.19.1-r2       >= 1.19.1-r2
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

groffer and the der_chop script create temporary files in
world-writeable directories with predictable names.

Impact
======

A local attacker could create symbolic links in the temporary files
directory, pointing to a valid file somewhere on the filesystem. When
groffer or der_chop is executed, this would result in the file being
overwritten with the rights of the user running the utility, which
could be the root user.
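
The bug class described under Description and Impact, shown as an added
shell example that is not taken from the groffer or der_chop sources: a
predictable temporary file name beside the mktemp-based form, plus a
regression check run in a private sandbox. The file name example.tmp and
the functions write_predictable, write_safe and check_writer are
hypothetical names chosen for the illustration.

```shell
#!/bin/sh
# Added illustration of the bug class in this advisory; this is NOT the
# groffer or der_chop source. All names and paths here are hypothetical.

# Unsafe: fixed, guessable name in a shared directory. '>' opens the path
# without O_EXCL, so a symlink already sitting there is followed.
write_predictable() {    # $1 = temp dir, $2 = data
    tmp="$1/example.tmp"
    printf '%s\n' "$2" > "$tmp"
}

# Hardened: mktemp picks an unpredictable name and creates the file
# exclusively with mode 0600, failing rather than reusing an existing path.
write_safe() {           # $1 = temp dir, $2 = data
    tmp=$(mktemp "$1/example.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    rm -f "$tmp"
}

# Regression check in a private sandbox: place a symlink at the predictable
# path, run the writer, and report whether the link's target was modified.
# Prints "overwritten" or "intact".
check_writer() {         # $1 = name of the writer function to test
    box=$(mktemp -d) || return 1
    mkdir "$box/tmp"
    printf 'original\n' > "$box/target"
    ln -s "$box/target" "$box/tmp/example.tmp"
    "$1" "$box/tmp" "scratch data"
    if [ "$(cat "$box/target")" = "original" ]; then
        result=intact
    else
        result=overwritten
    fi
    rm -rf "$box"
    printf '%s\n' "$result"
}

check_writer write_predictable
check_writer write_safe
```

On current Linux kernels the fs.protected_symlinks sysctl refuses to
follow such links in sticky world-writable directories, which is why the
check uses a private, non-sticky sandbox; that setting is a mitigation
and does not replace mktemp in the script itself.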

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Groff users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-apps/groff-1.19.1-r2"

All OpenSSL users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.7d-r2"

Note: /etc/ssl/misc/der_chop is protected by Portage as a configuration
file. Don't forget to use etc-update and overwrite the old version with
the new one.

References
==========

[ 1 ] CAN-2004-0969
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0969
[ 2 ] CAN-2004-0975
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0975

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200411-15.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
