From 1f4c5f5f8dc759c5776b2745cd7d2b0e9766d51be107ac289a0bcce488777a55 Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Tue, 30 Oct 2007 00:08:18 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/coolkey?expand=0&rev=3 --- coolkey-cache-dir-move.patch | 192 +++++++++++++++++++++++++++++ coolkey-implicit-declaration.patch | 73 +++++++++++ coolkey-null.patch | 22 ++++ coolkey.changes | 11 ++ coolkey.spec | 18 ++- 5 files changed, 312 insertions(+), 4 deletions(-) create mode 100644 coolkey-cache-dir-move.patch create mode 100644 coolkey-implicit-declaration.patch create mode 100644 coolkey-null.patch diff --git a/coolkey-cache-dir-move.patch b/coolkey-cache-dir-move.patch new file mode 100644 index 0000000..07479da --- /dev/null +++ b/coolkey-cache-dir-move.patch 
@@ -0,0 +1,192 @@
+CVE-2007-4129 coolkey file and directory permission flaw
+
+Steve Grubb reported: "It looks like coolkey creates /tmp/.pk11ipc1 as a
+world writable directory without the sticky bit. And...it creates the files
+under that potentially as world writable with the execute bit turned on or
+uses the file without any sanity check. coolkey runs as root sometimes and
+that makes it susceptible to doing symlink attacks."
+
+I know some folks ship coolkey here, so we've set an embargo of 20070904,
+but as it's low severity are happy to extend if anyone wishes.
+
+CVE-2007-4129 for this issue.
+
+Proposed patch from Bob Relyea attached.
+===================================================================
+Index: src/coolkey/machdep.cpp
+===================================================================
+RCS file: /cvs/dirsec/coolkey/src/coolkey/machdep.cpp,v
+retrieving revision 1.4
+diff -u -r1.4 machdep.cpp
+--- src/coolkey/machdep.cpp 14 Feb 2007 00:46:28 -0000 1.4
++++ src/coolkey/machdep.cpp 15 Aug 2007 01:41:11 -0000
+@@ -185,12 +185,20 @@
+ #define MAP_INHERIT 0
+ #endif
+ 
++#ifndef BASEPATH
++#ifdef MAC
++#define BASEPATH "/var"
++#else
++#define BASEPATH "/var/cache"
++#endif
++#endif
++
+ #ifdef FULL_CLEANUP
+ #define RESERVED_OFFSET 256
+-#define MEMSEGPATH "/tmp/.pk11ipc"
++#define MEMSEGPATH BASEPATH"/coolkey-lock"
+ #else
+ #define RESERVED_OFFSET 0
+-#define MEMSEGPATH "/tmp/.pk11ipc1"
++#define MEMSEGPATH BASEPATH"/coolkey"
+ #endif
+ 
+ struct SHMemData {
+@@ -208,11 +216,6 @@
+ #ifdef FULL_CLEANUP
+ flock(fd,LOCK_EX);
+ unsigned long ref = --(*(unsigned long *)addr);
+-#ifdef notdef
+- if (ref == 0) {
+- unlink(path);
+- }
+-#endif
+ flock(fd, LOCK_UN);
+ #endif
+ munmap(addr,size+RESERVED_OFFSET);
+@@ -225,6 +228,73 @@
+ }
+ }
+ 
++/*
++ * The cache directory is shared and accessible by anyone, make
++ * sure the cache file we are opening is really a valid cache file.
++ */
++int safe_open(char *path, int flags, int mode, int size)
++{
++ struct stat buf;
++ int fd, ret;
++
++ fd = open (path, flags|O_NOFOLLOW, mode);
++
++ if (fd < 0) {
++ return fd;
++ }
++
++ ret = fstat(fd, &buf);
++ if (ret < 0) {
++ close (fd);
++ return ret;
++ }
++
++ /* our cache files are pretty specific, make sure we are looking
++ * at the correct one */
++
++ /* first, we should own the file ourselves, don't open a file
++ * that someone else wanted us to see. */
++ if (buf.st_uid != getuid()) {
++ close(fd);
++ errno = EACCES;
++ return -1;
++ }
++
++ /* next, there should only be one link in this file. Don't
++ * use this code to trash another file */
++ if (buf.st_nlink != 1) {
++ close(fd);
++ errno = EMLINK;
++ return -1;
++ }
++
++ /* next, This better be a regular file */
++ if (!S_ISREG(buf.st_mode)) {
++ close(fd);
++ errno = EACCES;
++ return -1;
++ }
++
++ /* if the permissions don't match, something is wrong */
++ if ((buf.st_mode & 03777) != mode) {
++ close(fd);
++ errno = EACCES;
++ return -1;
++ }
++
++ /* finally the file should be the correct size. This
++ * check isn't so much to protect from an attack, as it is to
++ * detect a corrupted cache file */
++ if (buf.st_size != size) {
++ close(fd);
++ errno = EACCES;
++ return -1;
++ }
++
++ /* OK, the file checked out, ok to continue */
++ return fd;
++}
++
+ SHMem::SHMem(): shmemData(0) {}
+ 
+ SHMem *
+@@ -248,7 +318,7 @@
+ return NULL;
+ }
+ int mask = umask(0);
+- int ret = mkdir (MEMSEGPATH, 0777);
++ int ret = mkdir (MEMSEGPATH, 1777);
+ umask(mask);
+ if ((ret == -1) && (errno != EEXIST)) {
+ delete shmemData;
+@@ -264,21 +334,16 @@
+ shmemData->path[sizeof(MEMSEGPATH)-1] = '/';
+ strcpy(&shmemData->path[sizeof(MEMSEGPATH)],name);
+ 
+- int mode = 0777;
+- if (strcmp(name,"token_names") != 0) {
+- /* each user gets his own uid array */
+- sprintf(uid_str, "-%u",getuid());
+- strcat(shmemData->path,uid_str);
+- mode = 0700;
+- }
++ sprintf(uid_str, "-%u",getuid());
++ strcat(shmemData->path,uid_str);
++ int mode = 0600;
++
+ shmemData->fd = open(shmemData->path,
+ O_CREAT|O_RDWR|O_EXCL|O_APPEND|O_EXLOCK, mode);
+- if (shmemData->fd < 0) {
+- needInit = false;
+- shmemData->fd = open(shmemData->path,O_RDWR|O_EXLOCK, mode);
+- } else {
++ if (shmemData->fd >= 0) {
+ char *buf;
+ int len = size+RESERVED_OFFSET;
++ int ret;
+ 
+ buf = (char *)calloc(1,len);
+ if (!buf) {
+@@ -289,8 +354,22 @@
+ delete shmemData;
+ return NULL;
+ }
+- write(shmemData->fd,buf,len);
++ ret = write(shmemData->fd,buf,len);
++ if (ret != len) {
++ unlink(shmemData->path);
++#ifdef FULL_CLEANUP
++ flock(shmemData->fd, LOCK_UN);
++#endif
++ delete shmemData;
++ return NULL;
++ }
++
+ free(buf);
++ } else if (errno == EEXIST) {
++ needInit = false;
++
++ shmemData->fd = safe_open(shmemData->path,O_RDWR|O_EXLOCK, mode,
++ size+RESERVED_OFFSET);
+ }
+ if (shmemData->fd < 0) {
+ delete shmemData;
diff --git a/coolkey-implicit-declaration.patch b/coolkey-implicit-declaration.patch
new file mode 100644
index 0000000..cc9b796
--- /dev/null
+++ b/coolkey-implicit-declaration.patch
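Review bot: `int ret = mkdir (MEMSEGPATH, 1777);` in the initSegment hunk passes a decimal literal, which is mode 03361 (setgid+sticky, owner -wx, group rw-, other --x) rather than the sticky world-writable directory the patch header describes; the line it replaces used octal (`0777`), and the intended value is `int ret = mkdir (MEMSEGPATH, 01777);`. Because the call sits inside `umask(0)` the literal is applied verbatim, so a freshly created directory would not let non-root users create their per-uid cache file, and since EEXIST is accepted without checking the existing directory's owner or mode, the packaging should create BASEPATH/coolkey with the right permissions at install time (the spec hunks on this page do not add a %dir entry for it). In the last hunk, the new `if (ret != len)` branch returns before the `free(buf);` that follows it, leaking the calloc'd buffer, and it does not close `shmemData->fd` unless the SHMemData destructor does so, which is not visible here; add `free(buf);` before `delete shmemData;` in that branch. safe_open is shown in full, but initSegment's body starts and ends outside the nested hunks.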
@@ -0,0 +1,73 @@
+https://bugzilla.redhat.com/show_bug.cgi?id=356971
+In file included from object.cpp:22:
+object.h:94: warning: type qualifiers ignored on function return type
+object.cpp: In member function 'void PKCS11Object::getAttributeValue(CK_ATTRIBUTE*, CK_ULONG, Log*) const':
+object.cpp:373: error: 'memcpy' was not declared in this scope
+object.cpp: In member function 'const char* PKCS11Object::getLabel()':
+object.cpp:417: error: 'memcpy' was not declared in this scope
+object.cpp: In member function 'CK_OBJECT_CLASS PKCS11Object::getClass()':
+object.cpp:442: error: 'memcpy' was not declared in this scope
+object.cpp: In member function 'void PKCS11Object::setAttribute(CK_ATTRIBUTE_TYPE, const char*)':
+object.cpp:465: error: 'strlen' was not declared in this scope
+object.cpp: In function 'SECStatus GetCN(const CKYByte*, unsigned int, CCItem*)':
+object.cpp:979: error: 'memcmp' was not declared in this scope
+object.cpp: In function 'char* GetUserName(const CKYBuffer*)':
+object.cpp:1010: error: 'memcpy' was not declared in this scope
+machdep.cpp: In static member function 'static SHMem* SHMem::initSegment(const char*, int, bool&)':
+machdep.cpp:328: error: 'strlen' was not declared in this scope
+machdep.cpp:333: error: 'memcpy' was not declared in this scope
+machdep.cpp:335: error: 'strcpy' was not declared in this scope
+machdep.cpp:338: error: 'strcat' was not declared in this scope
+machdep.cpp:348: error: 'calloc' was not declared in this scope
+machdep.cpp:367: error: 'free' was not declared in this scope
+log.cpp: In member function 'virtual void SysLog::log(const char*, ...)':
+log.cpp:100: error: 'strlen' was not declared in this scope
+log.cpp:100: error: 'malloc' was not declared in this scope
+log.cpp:102: error: 'strcpy' was not declared in this scope
+log.cpp:103: error: 'strcat' was not declared in this scope
+log.cpp:106: error: 'free' was not declared in this scope
+slot.cpp:36: error: 'std::auto_ptr' has not been declared
+================================================================================
+--- src/coolkey/log.cpp
++++ src/coolkey/log.cpp
+@@ -21,6 +21,8 @@
+ #include "mypkcs11.h"
+ #include
+ #include
++#include
++#include
+ #include "log.h"
+ #include
+ #include "PKCS11Exception.h"
+--- src/coolkey/machdep.cpp
++++ src/coolkey/machdep.cpp
+@@ -27,6 +27,8 @@
+ #include
+ #include
+ #include
++#include
++#include
+ #include
+ #include
+ #include
+--- src/coolkey/object.cpp
++++ src/coolkey/object.cpp
+@@ -21,6 +21,8 @@
+ #include "PKCS11Exception.h"
+ #include "object.h"
+ #include
++#include
++#include
+ 
+ using std::find_if;
+ 
+--- src/coolkey/slot.cpp
++++ src/coolkey/slot.cpp
+@@ -18,6 +18,7 @@
+ * ***** END COPYRIGHT BLOCK *****/
+ 
+ #include
++#include
+ #include "mypkcs11.h"
+ #include
+ #include
diff --git a/coolkey-null.patch b/coolkey-null.patch
new file mode 100644
index 0000000..150cd8f
--- /dev/null
+++ b/coolkey-null.patch
@@ -0,0 +1,22 @@
+https://bugzilla.redhat.com/show_bug.cgi?id=356971
+coolkey.cpp:37:1: error: "NULL" redefined
+In file included from /usr/include/alloca.h:25,
+ from /usr/include/stdlib.h:612,
+ from /usr/include/c++/4.3.0/cstdlib:73,
+ from /usr/include/c++/4.3.0/bits/stl_algo.h:65,
+ from /usr/include/c++/4.3.0/algorithm:67,
+ from slot.h:27,
+ from coolkey.cpp:33:
+/usr/lib64/gcc/x86_64-suse-linux/4.3.0/include/stddef.h:400:1: error: this is the location of the previous definition
+================================================================================
+--- src/coolkey/coolkey.cpp
++++ src/coolkey/coolkey.cpp
+@@ -34,8 +34,6 @@
+ #include "cky_base.h"
+ #include "params.h"
+ 
+-#define NULL 0
+-
+ /* static module data -------------------------------- */
+ 
+ static Log *log = NULL;
diff --git a/coolkey.changes b/coolkey.changes
index 8b4f86f..f6769b7 100644
--- a/coolkey.changes
+++ b/coolkey.changes
@@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Mon Oct 29 17:50:46 CET 2007 - sbrabec@suse.cz + +- Fixed gcc 4.3 build errors. + +------------------------------------------------------------------- +Mon Sep 10 13:28:16 CEST 2007 - sbrabec@suse.cz + +- Fixed file and directory permission flaw (#304180, + CVE-2007-4129). + ------------------------------------------------------------------- Thu Sep 6 21:03:20 CEST 2007 - jberkman@novell.com diff --git a/coolkey.spec b/coolkey.spec index 50817b5..6f3e8fc 100644 --- a/coolkey.spec +++ b/coolkey.spec @@ -11,16 +11,19 @@ Name: coolkey Version: 1.1.0 -Release: 10 +Release: 22 Summary: CoolKey PKCS #11 PKI Module for Smart Cards -License: LGPL v2 only +License: LGPL v2.1 only Group: Productivity/Security -URL: http://directory.fedoraproject.org/wiki/CoolKey +Url: http://directory.fedoraproject.org/wiki/CoolKey Source: %{name}-%{version}.tar.bz2 Patch: coolkey-configure-syntax-error.patch Patch1: coolkey-string-literal-comparison.patch Patch2: coolkey-amflags.patch Patch3: coolkey-1.1.0-evoandooo.patch +Patch4: coolkey-cache-dir-move.patch +Patch5: coolkey-null.patch +Patch6: coolkey-implicit-declaration.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: gcc-c++ mozilla-nss-devel pcsc-lite-devel pkg-config zlib-devel #Requires: pcsc-lite @@ -83,6 +86,9 @@ card and USB Fob form factors. %patch1 %patch2 %patch3 -p1 +%patch4 +%patch5 +%patch6 %build autoreconf -f -i @@ -119,8 +125,12 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libckyapplet.so %{_libdir}/pkgconfig/*.pc %{_includedir}/*.h - %changelog +* Mon Oct 29 2007 - sbrabec@suse.cz +- Fixed gcc 4.3 build errors. +* Mon Sep 10 2007 - sbrabec@suse.cz +- Fixed file and directory permission flaw (#304180, + CVE-2007-4129). * Thu Sep 06 2007 - jberkman@novell.com - install pk11install - teach pk11install about evolution and openoffice