OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/coolkey?expand=0&rev=3

2007-10-30 00:08:18 +00:00 · 2007-10-30 00:08:18 +00:00 · 1f4c5f5f8d
commit 1f4c5f5f8d
parent 2d29b35d85
5 changed files with 312 additions and 4 deletions
--- a/coolkey-cache-dir-move.patch
+++ b/coolkey-cache-dir-move.patch
@ -0,0 +1,192 @@
 CVE-2007-4129 coolkey file and directory permission flaw
 Steve Grubb reported: "It looks like coolkey creates /tmp/.pk11ipc1 as a 
 world writable directory without the sticky bit. And...it creates the files 
 under that potentially as world writable with the execute bit turned on or 
 uses the file without any sanity check. coolkey runs as root sometimes and 
 that makes it susceptible to doing symlink attacks."
 I know some folks ship coolkey here, so we've set an embargo of 20070904, 
 but as it's low severity are happy to extend if anyone wishes.
 CVE-2007-4129 for this issue.
 Proposed patch from Bob Relyea attached.
 ===================================================================
 Index: src/coolkey/machdep.cpp
 ===================================================================
 RCS file: /cvs/dirsec/coolkey/src/coolkey/machdep.cpp,v
 retrieving revision 1.4
 diff -u -r1.4 machdep.cpp
 --- src/coolkey/machdep.cpp	14 Feb 2007 00:46:28 -0000	1.4
 +++ src/coolkey/machdep.cpp	15 Aug 2007 01:41:11 -0000
@@ -185,12 +185,20 @@
 #define MAP_INHERIT 0
 #endif
 +#ifndef BASEPATH
 +#ifdef MAC
 +#define BASEPATH "/var"
 +#else
 +#define BASEPATH "/var/cache"
 +#endif
 +#endif
 +
 #ifdef FULL_CLEANUP
 #define RESERVED_OFFSET 256
 -#define MEMSEGPATH "/tmp/.pk11ipc"
 +#define MEMSEGPATH BASEPATH"/coolkey-lock"
 #else 
 #define RESERVED_OFFSET 0
 -#define MEMSEGPATH "/tmp/.pk11ipc1"
 +#define MEMSEGPATH BASEPATH"/coolkey"
 #endif
 struct SHMemData {
@@ -208,11 +216,6 @@
 #ifdef FULL_CLEANUP
 	flock(fd,LOCK_EX);
 	unsigned long ref = --(*(unsigned long *)addr); 
 -#ifdef notdef
 -	if (ref == 0) {
 -	    unlink(path);
 -	}
 -#endif
 	flock(fd, LOCK_UN);
 #endif
 	munmap(addr,size+RESERVED_OFFSET);
@@ -225,6 +228,73 @@
     }
 }
 +/*
 + * The cache directory is shared and accessible by anyone, make
 + * sure the cache file we are opening is really a valid cache file.
 + */
 +int safe_open(char *path, int flags, int mode, int size)
 +{
 +    struct stat buf;
 +    int fd, ret;
 +
 +    fd = open (path, flags|O_NOFOLLOW, mode);
 +
 +    if (fd < 0) {
 +	return fd;
 +    }
 +
 +    ret = fstat(fd, &buf);
 +    if (ret < 0) {
 +	close (fd);
 +	return ret;
 +    }
 +
 +    /* our cache files are pretty specific, make sure we are looking
 +     * at the correct one */
 +
 +    /* first, we should own the file ourselves, don't open a file
 +     * that someone else wanted us to see. */
 +    if (buf.st_uid != getuid()) {
 +	close(fd);
 +	errno = EACCES;
 +	return -1;
 +    }
 +
 +    /* next, there should only be one link in this file. Don't
 +     * use this code to trash another file */
 +    if (buf.st_nlink != 1) {
 +	close(fd);
 +	errno = EMLINK;
 +	return -1;
 +    }
 +
 +    /* next, This better be a regular file */
 +    if (!S_ISREG(buf.st_mode)) {
 +	close(fd);
 +	errno = EACCES;
 +	return -1;
 +    }
 +
 +    /* if the permissions don't match, something is wrong */
 +    if ((buf.st_mode & 03777) != mode) {
 +	close(fd);
 +	errno = EACCES;
 +	return -1;
 +    }
 +
 +    /* finally the file should be the correct size. This 
 +     * check isn't so much to protect from an attack, as it is to
 +     * detect a corrupted cache file */
 +    if (buf.st_size != size) {
 +	close(fd);
 +	errno = EACCES;
 +	return -1;
 +    }
 +
 +    /* OK, the file checked out, ok to continue */
 +    return fd;
 +}
 +
 SHMem::SHMem(): shmemData(0) {}
 SHMem *
@@ -248,7 +318,7 @@
 	return NULL;
     }
     int mask = umask(0);
 -    int ret = mkdir (MEMSEGPATH, 0777);
 +    int ret = mkdir (MEMSEGPATH, 1777);
     umask(mask);
     if ((ret == -1) && (errno != EEXIST)) {
 	delete shmemData;
@@ -264,21 +334,16 @@
     shmemData->path[sizeof(MEMSEGPATH)-1] = '/';
     strcpy(&shmemData->path[sizeof(MEMSEGPATH)],name);
 -    int mode = 0777;
 -    if (strcmp(name,"token_names") != 0) {
 -	/* each user gets his own uid array */
 -    	sprintf(uid_str, "-%u",getuid());
 -    	strcat(shmemData->path,uid_str);
 -	mode = 0700;
 -    } 
 +    sprintf(uid_str, "-%u",getuid());
 +    strcat(shmemData->path,uid_str);
 +    int mode = 0600;
 +
     shmemData->fd = open(shmemData->path, 
 		O_CREAT|O_RDWR|O_EXCL|O_APPEND|O_EXLOCK, mode);
 -    if (shmemData->fd  < 0) {
 -	needInit = false;
 -	shmemData->fd = open(shmemData->path,O_RDWR|O_EXLOCK, mode);
 -    }  else {
 +    if (shmemData->fd >= 0) {
 	char *buf;
 	int len = size+RESERVED_OFFSET;
 +	int ret;
 	buf = (char *)calloc(1,len);
 	if (!buf) {
@@ -289,8 +354,22 @@
 	    delete shmemData;
 	    return NULL;
 	}
 -	write(shmemData->fd,buf,len);
 +	ret = write(shmemData->fd,buf,len);
 +	if (ret != len) {
 +	    unlink(shmemData->path);
 +#ifdef FULL_CLEANUP
 +	    flock(shmemData->fd, LOCK_UN);
 +#endif
 +	    delete shmemData;
 +	    return NULL;
 +	}
 +	
 	free(buf);
 +    } else if (errno == EEXIST) {
 +	needInit = false;
 +
 +	shmemData->fd = safe_open(shmemData->path,O_RDWR|O_EXLOCK, mode,
 +				  size+RESERVED_OFFSET);
     }
     if (shmemData->fd < 0) {
 	delete shmemData;
--- a/coolkey-implicit-declaration.patch
+++ b/coolkey-implicit-declaration.patch
@ -0,0 +1,73 @@
 https://bugzilla.redhat.com/show_bug.cgi?id=356971
 In file included from object.cpp:22:
 object.h:94: warning: type qualifiers ignored on function return type
 object.cpp: In member function 'void PKCS11Object::getAttributeValue(CK_ATTRIBUTE*, CK_ULONG, Log*) const':
 object.cpp:373: error: 'memcpy' was not declared in this scope
 object.cpp: In member function 'const char* PKCS11Object::getLabel()':
 object.cpp:417: error: 'memcpy' was not declared in this scope
 object.cpp: In member function 'CK_OBJECT_CLASS PKCS11Object::getClass()':
 object.cpp:442: error: 'memcpy' was not declared in this scope
 object.cpp: In member function 'void PKCS11Object::setAttribute(CK_ATTRIBUTE_TYPE, const char*)':
 object.cpp:465: error: 'strlen' was not declared in this scope
 object.cpp: In function 'SECStatus GetCN(const CKYByte*, unsigned int, CCItem*)':
 object.cpp:979: error: 'memcmp' was not declared in this scope
 object.cpp: In function 'char* GetUserName(const CKYBuffer*)':
 object.cpp:1010: error: 'memcpy' was not declared in this scope
 machdep.cpp: In static member function 'static SHMem* SHMem::initSegment(const char*, int, bool&)':
 machdep.cpp:328: error: 'strlen' was not declared in this scope
 machdep.cpp:333: error: 'memcpy' was not declared in this scope
 machdep.cpp:335: error: 'strcpy' was not declared in this scope
 machdep.cpp:338: error: 'strcat' was not declared in this scope
 machdep.cpp:348: error: 'calloc' was not declared in this scope
 machdep.cpp:367: error: 'free' was not declared in this scope
 log.cpp: In member function 'virtual void SysLog::log(const char*, ...)':
 log.cpp:100: error: 'strlen' was not declared in this scope
 log.cpp:100: error: 'malloc' was not declared in this scope
 log.cpp:102: error: 'strcpy' was not declared in this scope
 log.cpp:103: error: 'strcat' was not declared in this scope
 log.cpp:106: error: 'free' was not declared in this scope
 slot.cpp:36: error: 'std::auto_ptr' has not been declared
 ================================================================================
 --- src/coolkey/log.cpp
 +++ src/coolkey/log.cpp
@@ -21,6 +21,8 @@
 #include "mypkcs11.h"
 #include <assert.h>
 #include <stdio.h>
 +#include <string.h>
 +#include <stdlib.h>
 #include "log.h"
 #include <cstdarg>
 #include "PKCS11Exception.h"
 --- src/coolkey/machdep.cpp
 +++ src/coolkey/machdep.cpp
@@ -27,6 +27,8 @@
 #include <unistd.h>
 #include <errno.h>
 #include <fcntl.h>
 +#include <string.h>
 +#include <stdlib.h>
 #include <sys/file.h>
 #include <sys/types.h>
 #include <sys/time.h>
 --- src/coolkey/object.cpp
 +++ src/coolkey/object.cpp
@@ -21,6 +21,8 @@
 #include "PKCS11Exception.h"
 #include "object.h"
 #include <algorithm>
 +#include <string.h>
 +#include <stdlib.h>
 using std::find_if;
 --- src/coolkey/slot.cpp
 +++ src/coolkey/slot.cpp
@@ -18,6 +18,7 @@
  * ***** END COPYRIGHT BLOCK *****/
 #include <string>
 +#include <memory>
 #include "mypkcs11.h"
 #include <stdio.h>
 #include <assert.h>
--- a/coolkey-null.patch
+++ b/coolkey-null.patch
@ -0,0 +1,22 @@
 https://bugzilla.redhat.com/show_bug.cgi?id=356971
 coolkey.cpp:37:1: error: "NULL" redefined
 In file included from /usr/include/alloca.h:25,
                 from /usr/include/stdlib.h:612,
                 from /usr/include/c++/4.3.0/cstdlib:73,
                 from /usr/include/c++/4.3.0/bits/stl_algo.h:65,
                 from /usr/include/c++/4.3.0/algorithm:67,
                 from slot.h:27,
                 from coolkey.cpp:33:
 /usr/lib64/gcc/x86_64-suse-linux/4.3.0/include/stddef.h:400:1: error: this is the location of the previous definition
 ================================================================================
 --- src/coolkey/coolkey.cpp
 +++ src/coolkey/coolkey.cpp
@@ -34,8 +34,6 @@
 #include "cky_base.h"
 #include "params.h"
 -#define NULL 0
 -
 /* static module data --------------------------------  */
 static Log *log = NULL;
--- a/coolkey.changes
+++ b/coolkey.changes
@ -1,3 +1,14 @@
 -------------------------------------------------------------------
 Mon Oct 29 17:50:46 CET 2007 - sbrabec@suse.cz
 - Fixed gcc 4.3 build errors.
 -------------------------------------------------------------------
 Mon Sep 10 13:28:16 CEST 2007 - sbrabec@suse.cz
 - Fixed file and directory permission flaw (#304180,
  CVE-2007-4129).
 -------------------------------------------------------------------
 Thu Sep  6 21:03:20 CEST 2007 - jberkman@novell.com
--- a/coolkey.spec
+++ b/coolkey.spec
@ -11,16 +11,19 @@
 Name:           coolkey
 Version:        1.1.0
-Release:        10
+Release:        22
 Summary:        CoolKey PKCS #11 PKI Module for Smart Cards
-License:        LGPL v2 only
+License:        LGPL v2.1 only
 Group:          Productivity/Security
-URL:            http://directory.fedoraproject.org/wiki/CoolKey
+Url:            http://directory.fedoraproject.org/wiki/CoolKey
 Source:         %{name}-%{version}.tar.bz2
 Patch:          coolkey-configure-syntax-error.patch
 Patch1:         coolkey-string-literal-comparison.patch
 Patch2:         coolkey-amflags.patch
 Patch3:         coolkey-1.1.0-evoandooo.patch
 Patch4:         coolkey-cache-dir-move.patch
 Patch5:         coolkey-null.patch
 Patch6:         coolkey-implicit-declaration.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  gcc-c++ mozilla-nss-devel pcsc-lite-devel pkg-config zlib-devel
 #Requires:       pcsc-lite 
@ -83,6 +86,9 @@ card and USB Fob form factors.
 %patch1
 %patch2
 %patch3 -p1
 %patch4
 %patch5
 %patch6
 %build
 autoreconf -f -i
@ -119,8 +125,12 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libckyapplet.so
 %{_libdir}/pkgconfig/*.pc
 %{_includedir}/*.h
 %changelog
 * Mon Oct 29 2007 - sbrabec@suse.cz
 - Fixed gcc 4.3 build errors.
 * Mon Sep 10 2007 - sbrabec@suse.cz
 - Fixed file and directory permission flaw (#304180,
  CVE-2007-4129).
 * Thu Sep 06 2007 - jberkman@novell.com
 - install pk11install
 - teach pk11install about evolution and openoffice