oss-sec mailing list archives
Question about tmp flaws in non-default build options (e.g. Kerberos DEBUG_ASN1)
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 26 May 2015 10:41:11 -0600
So I found some obvious tmp vulns in Kerberos, but they only exist if you build with DEBUG_ASN1 on (and if you're in that situation you've got some not-fun problems). However, given CVE-2014-1692 (the OpenSSH J-PAKE protocol), it seems that even if the code is not enabled by default, the fact that it exists is enough to qualify it for a CVE. So with this in mind I'm sending a CVE request in.

First example from each of the 3 files affected by the DEBUG_ASN1 tmp file issues (note: print_buffer_bin doesn't do anything clever to be safe):

===================================================
./src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
===================================================
#ifdef DEBUG_ASN1
    if (cms_msg_type == CMS_SIGN_CLIENT) {
        print_buffer_bin(*signed_data, *signed_data_len,
                         "/tmp/client_pkcs7_signeddata");
    } else {
--
===================================================
./src/plugins/preauth/pkinit/pkinit_srv.c
===================================================
#ifdef DEBUG_ASN1
    print_buffer_bin(data->contents, data->length, "/tmp/kdc_as_req");
#endif
--
=================================
./src/plugins/preauth/pkinit/pkinit_clnt.c
=================================
#ifdef DEBUG_ASN1
    print_buffer_bin((unsigned char *)coded_auth_pack->data,
                     coded_auth_pack->length, "/tmp/client_auth_pack");
#endif
--

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
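For readers who want to see what a safe version of such a debug dumper looks like, the following is an added example and not code from MIT Kerberos or from the message above. The quoted calls write to fixed, world-predictable names such as "/tmp/kdc_as_req"; the hardened form below instead asks mkstemp() for a fresh file, which is created with O_CREAT|O_EXCL and mode 0600 so an attacker-placed file or symlink at a predictable name is never followed or truncated. The function name print_buffer_bin_safe, the checker dump_is_sane, and the name template are assumptions made for this example.

```c
/* Added example (not MIT Kerberos code): a debug dumper that does not trust
 * a fixed /tmp path, plus a checker that verifies the properties a safe
 * dump should have. Names and the template are assumptions. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Write len bytes of buf to a file created atomically from template, which
 * must end in "XXXXXX" and is rewritten in place to the real name chosen.
 * mkstemp() uses O_CREAT|O_EXCL with mode 0600, so a pre-existing file or
 * symlink at the chosen name makes creation fail instead of being followed.
 * Returns 0 on success, -1 on error (the partial file is removed). */
int print_buffer_bin_safe(const unsigned char *buf, size_t len, char *template)
{
    int fd = mkstemp(template);
    if (fd < 0)
        return -1;
    size_t off = 0;
    while (off < len) {
        ssize_t n = write(fd, buf + off, len - off);
        if (n < 0) {
            close(fd);
            unlink(template);
            return -1;
        }
        off += (size_t)n;
    }
    if (close(fd) != 0) {
        unlink(template);
        return -1;
    }
    return 0;
}

/* Verify that path is a regular file (not a symlink, via lstat), is owner-only
 * readable/writable (0600), and holds exactly the expected bytes.
 * Returns 1 if every check holds, 0 otherwise. */
int dump_is_sane(const char *path, const unsigned char *expected, size_t len)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if ((st.st_mode & 0777) != 0600 || (size_t)st.st_size != len)
        return 0;
    FILE *f = fopen(path, "rb");
    if (!f)
        return 0;
    unsigned char *got = malloc(len ? len : 1);
    size_t n = fread(got, 1, len, f);
    fclose(f);
    int ok = (n == len) && memcmp(got, expected, len) == 0;
    free(got);
    return ok;
}

/* Dump a constructed buffer, check the resulting file, remove it, and
 * return the check result (1 = all properties held). */
int demo_roundtrip(void)
{
    /* Constructed sample bytes standing in for a DER-encoded AS-REQ. */
    static const unsigned char sample[] = {0x30, 0x82, 0x01, 0x00, 0xde, 0xad};
    /* Template: the real name differs on every run, unlike "/tmp/kdc_as_req". */
    char name[] = "/tmp/kdc_as_req.XXXXXX";
    if (print_buffer_bin_safe(sample, sizeof sample, name) != 0)
        return 0;
    int ok = dump_is_sane(name, sample, sizeof sample);
    unlink(name);
    return ok;
}

int main(void)
{
    printf("%s\n", demo_roundtrip() ? "safe dump round-trip ok" : "failed");
    return 0;
}
```

Design note: the point is not the randomness of the suffix by itself but the O_EXCL creation it is paired with; a predictable name opened with fopen(path, "w") follows whatever is already there, which is exactly the class of tmp flaw the message is reporting.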