Your message dated Mon, 09 Jun 2014 10:06:35 +0000
with message-id <[email protected]>
and subject line Bug#750103: fixed in openssl 1.0.1h-2
has caused the Debian Bug report #750103,
regarding openssl: open+chmod race when creating ~/.rnd
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
750103: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=750103
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssl
Version: 1.0.1g-4
Tags: security

openssl creates the ~/.rnd file with default permissions, then chmods it to 0600. In the race window between the two operations, a local malicious user could open the file (and then keep it open as long as they wish).

Proof:
$ strace -o '| grep -F .rnd' openssl rand 42 -out /dev/null
stat64("/home/jwilk/.rnd", 0xff990380)  = -1 ENOENT (No such file or directory)
stat64("/home/jwilk/.rnd", 0xff9903a0)  = -1 ENOENT (No such file or directory)
open("/home/jwilk/.rnd", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
chmod("/home/jwilk/.rnd", 0600)         = 0



-- System Information:
Debian Release: jessie/sid
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.14-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssl depends on:
ii  libc6        2.18-7
ii  libssl1.0.0  1.0.1g-4

--
Jakub Wilk

--- End Message ---
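The race Jakub describes, as an added example that is not openssl's own code: the 1.0.1g pattern (open() with 0666, then chmod()) beside the 1.0.1h fix (hand 0600 to open() directly), with an fstat() standing in for the second process's open() so the window is visible without actually racing. The umask of 022, the /tmp directory and the function names are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` the way openssl 1.0.1g did (racy = 1: open() with 0666, then
 * chmod() to 0600) or the fixed way (racy = 0: hand 0600 to open() itself),
 * and return the permission bits the file carries between the creating
 * open() and the chmod(). A umask of 022 is assumed (constructed). */
static int mode_in_window(const char *path, int racy)
{
    struct stat st;
    int window_mode;
    mode_t saved = umask(022);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, racy ? 0666 : 0600);
    umask(saved);
    if (fd < 0)
        return -1;
    /* This fstat() stands in for a second process's open() in the window. */
    if (fstat(fd, &st) < 0) {
        close(fd);
        return -1;
    }
    window_mode = (int)(st.st_mode & 0777);
    if (racy && chmod(path, 0600) < 0)      /* the late chmod from the strace */
        window_mode = -1;
    close(fd);
    return window_mode;
}

/* Run one variant in a private per-process directory under /tmp (assumed
 * writable) and clean up. Returns the mode seen in the window, or -1. */
int run_variant(int racy)
{
    char dir[64], path[80];
    int mode;
    snprintf(dir, sizeof dir, "/tmp/rnd-race-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) < 0 && errno != EEXIST)
        return -1;
    snprintf(path, sizeof path, "%s/.rnd", dir);
    unlink(path);   /* open()'s mode only applies to a newly created file */
    mode = mode_in_window(path, racy);
    unlink(path);
    rmdir(dir);
    return mode;
}
```

With umask 022, run_variant(1) returns 0644 (group and world can read the file until the chmod runs) and run_variant(0) returns 0600, which is the pair of syscalls the strace in the report shows versus the single call the fix makes.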
--- Begin Message ---
Source: openssl
Source-Version: 1.0.1h-2

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <[email protected]> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 09 Jun 2014 11:21:51 +0200
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg
Architecture: source all amd64
Version: 1.0.1h-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Kurt Roeckx <[email protected]>
Description: 
 libcrypto1.0.0-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
 libssl-dev - Secure Sockets Layer toolkit - development files
 libssl-doc - Secure Sockets Layer toolkit - development documentation
 libssl1.0.0 - Secure Sockets Layer toolkit - shared libraries
 libssl1.0.0-dbg - Secure Sockets Layer toolkit - debug information
 openssl    - Secure Sockets Layer toolkit - cryptographic utility
Closes: 750103
Changes: 
 openssl (1.0.1h-2) unstable; urgency=medium
 .
   * Use upstream git snapshot:
     - Fix resumption problem when using tls_session_secret_cb
     - Create ~/.rnd with mode 0600 (Closes: #750103)
     - Fix building on heartbeat test, drop patch to disable it.
Package-Type: udeb


--- End Message ---
