Mailing List Archive

SSL certificates in binary packages
Hi,

I use the gentoo framework to build binary packages. I noticed that most
packages create the SSL certificate during src_install(). This makes
all binary packages contain the ssl certs which is a security threat.

The net-nds/openldap package has understood this and calls docert from
pkg_postinst() and even includes this comment:

# You cannot build SSL certificates during src_install that will make
# binary packages containing your SSL key, which is both a security risk
# and a misconfiguration if multiple machines use the same key and cert.
# Additionally, it overwrites

The net-im/ejabberd seems to create the SSL cert from another script.

The vulnerable packages are:

app-admin/conserver
mail-mta/postfix
net-analyzer/sguil-server
net-firewall/nufw
net-ftp/netkit-ftpd
net-irc/ptlink-ircd
net-irc/unrealircd
net-mail/cyrus-imapd
net-mail/cyrus-imspd
net-mail/dovecot
net-misc/stunnel
net-nntp/inn
www-servers/nginx

Should I create a bug for every vulnerable package?

From a binary packager's perspective I would really prefer to create the
certs from the init.d script.

Thanks!

Natanael Copa

--
gentoo-dev@gentoo.org mailing list
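The check a binary packager would want before trusting a prebuilt package is whether any member of the archive carries a PEM private key. The script below is an added example written for this thread, not code from any of the ebuilds or from Gentoo; it assumes the package is a plain tar archive that tar(1) can read (a Gentoo .tbz2 is tar.bz2 plus an xpak trailer, so in real use decompress it first or rely on GNU tar's autodetection). The sample package it builds, with a constructed key and cert, is only there so the scan can be exercised offline.

```shell
#!/bin/sh
# Scan a package archive for embedded PEM private keys (added example).

# find_private_keys ARCHIVE
# Prints, one per line, every regular member whose contents carry a
# "-----BEGIN ... PRIVATE KEY-----" header (plain, RSA, EC, encrypted).
find_private_keys() {
    archive=$1
    tar -tf "$archive" | while IFS= read -r member; do
        case "$member" in */) continue ;; esac        # skip directories
        if tar -xOf "$archive" "$member" 2>/dev/null \
            | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; then
            printf '%s\n' "$member"
        fi
    done
}

# has_private_keys ARCHIVE -> exit 0 if at least one key was found, else 1
has_private_keys() {
    [ -n "$(find_private_keys "$1")" ]
}

# make_sample_pkg: builds a constructed package image that ships a key and
# a cert under /etc/ssl/foo, the pattern the thread objects to. Prints the
# archive path. The PEM bodies are placeholders, not real key material.
make_sample_pkg() {
    dir=$(mktemp -d)
    mkdir -p "$dir/image/etc/ssl/foo" "$dir/image/usr/bin"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...constructed...' \
        '-----END PRIVATE KEY-----' > "$dir/image/etc/ssl/foo/server.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIC...constructed...' \
        '-----END CERTIFICATE-----' > "$dir/image/etc/ssl/foo/server.crt"
    printf '%s\n' '#!/bin/sh' 'echo hello' > "$dir/image/usr/bin/foo"
    (cd "$dir/image" && tar -cf "$dir/foo-1.0.tar" .)
    printf '%s\n' "$dir/foo-1.0.tar"
}

# Usage: scan.sh PACKAGE.tar ; prints offending members, exit 1 if any.
if [ $# -gt 0 ]; then
    find_private_keys "$1"
    has_private_keys "$1" && exit 1
    exit 0
fi
```

Only the private key matters here: a certificate in the package is harmless on its own, so the pattern deliberately does not match `-----BEGIN CERTIFICATE-----`.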
Re: SSL certificates in binary packages
Natanael Copa wrote:
> Should I create a bug for every vulnerable package?
That's not strictly necessary. You can file a single bug with the list
of packages affected. Maintainers of the affected packages can be added
to the cc of the bug. As they address it in their packages, they will
remove themselves, leaving only the affected maintainers still on the bug.

--
Joshua Nichols
Gentoo/Ruby
Gentoo/Java
http://technicalpickles.com
Re: SSL certificates in binary packages
On 8/21/07, Natanael Copa <natanael.copa@gmail.com> wrote:
> Hi,
>
> I use the gentoo framework to build binary packages. I noticed that most
> packages create the SSL certificate during src_install(). This makes
> all binary packages contain the ssl certs which is a security threat.
>
> The net-nds/openldap package has understood this and calls docert from
> pkg_postinst() and even includes this comment:
>
> # You cannot build SSL certificates during src_install that will make
> # binary packages containing your SSL key, which is both a security risk
> # and a misconfiguration if multiple machines use the same key and cert.
> # Additionally, it overwrites
>
> The net-im/ejabberd seems to create the SSL cert from another script.
>
> The vulnerable packages are:
>
> app-admin/conserver
> mail-mta/postfix
> net-analyzer/sguil-server
> net-firewall/nufw
> net-ftp/netkit-ftpd
> net-irc/ptlink-ircd
> net-irc/unrealircd
> net-mail/cyrus-imapd
> net-mail/cyrus-imspd
> net-mail/dovecot
> net-misc/stunnel
> net-nntp/inn
> www-servers/nginx
>
> Should I create a bug for every vulnerable package?
>
> From a binary packager's perspective I would really prefer to create the
> certs from the init.d script.

Generating certs from init.d is a bad idea IMHO. It makes it way too
easy to automatically generate new certs in the event that old ones
are moved (if you are talking about the service starting, detecting no
certs, generating some, then using them). I guess you could do like
/etc/init.d/SERVICE certgen, but that too is probably a hack (not
really what init scripts are for).

I personally would generate the certs on a trusted server/workstation
and then push them to the machine post-install using slack or cfengine
or puppet. I don't see why (in a generic package like a gentoo
ebuild) you would do anything but create a generic cert 'so it works
out of the box'.

You are certainly entitled to edit the ebuild's postinst to do whatever :)

PS: I'll try to get to these tonight, you can just file a tracker bug for them.

Re: SSL certificates in binary packages
On Tue, Aug 21, 2007 at 04:12:32PM +0200, Natanael Copa wrote:
> I use the gentoo framework to build binary packages. I noticed that most
> packages create the SSL certificate during src_install(). This makes
> all binary packages contain the ssl certs which is a security threat.
I filed bug #174759 to the security team back in April on this issue,
and then fixed the openldap package where I had originally found it.

Anybody using binpkgs obtained from a public repository that contain SSL
certs should ensure that they regenerate the SSL certs on each machine.

For packages, there are two possible fixes:
1. Move the docert call into pkg_postinst.
2. Provide scripts that generate certs (courier-imap and qmail do this).

--
Robin Hugh Johnson
Gentoo Linux Developer & Council Member
E-Mail : robbat2@gentoo.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
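Both fixes Robin lists come down to the same thing: key material is generated on the target host at install time, never on the build host. The script below is an added example for this thread, not the ssl-cert eclass, docert, or any of the courier-imap or qmail scripts; an ebuild could invoke it from pkg_postinst or ship it for the admin to run. It also addresses the objection raised earlier about init.d scripts silently regenerating certificates: it only generates when neither half of the pair exists, refuses when only one half is present, and keeps the key 0600. It assumes openssl(1) with `-addext` support (OpenSSL 1.1.1 or later) and uses `uname -n` for the host name.

```shell
#!/bin/sh
# Per-host self-signed certificate generation for post-install use
# (added example, not from any ebuild).

# gen_service_cert DIR NAME [DAYS]
# Creates DIR/NAME.key (0600) and DIR/NAME.crt (0644) for this host.
# Exit status: 0 generated, 1 openssl failed, 2 pair already present
# (nothing done), 3 only one half present (refused: a lone key or cert
# means something was moved or mis-deployed, so do not paper over it).
gen_service_cert() {
    dir=$1 name=$2 days=${3:-365}
    key=$dir/$name.key crt=$dir/$name.crt
    if [ -e "$key" ] && [ -e "$crt" ]; then
        return 2
    fi
    if [ -e "$key" ] || [ -e "$crt" ]; then
        echo "refusing: one of $key / $crt exists without the other" >&2
        return 3
    fi
    mkdir -p "$dir"
    host=$(uname -n)
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
          -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
          -keyout "$key" -out "$crt" >/dev/null 2>&1 ) || return 1
    chmod 0600 "$key" && chmod 0644 "$crt"
}

# cert_matches_key CRT KEY -> exit 0 if the cert's public key is the
# key's public key. Useful after a push from config management to catch
# a cert and key that were copied from different hosts.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: gencert.sh DIR NAME [DAYS]
if [ $# -ge 2 ]; then
    gen_service_cert "$@"
    exit $?
fi
```

Because the decision is taken on the installed system rather than at build time, the same binary package can be deployed to many hosts and each one ends up with its own key, which is exactly the misconfiguration the openldap comment warns about.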
Re: SSL certificates in binary packages
On Tuesday 21 August 2007, Robin H. Johnson wrote:
> On Tue, Aug 21, 2007 at 04:12:32PM +0200, Natanael Copa wrote:
> > I use the gentoo framework to build binary packages. I noticed that most
> > packages create the SSL certificate during src_install(). This makes
> > all binary packages contain the ssl certs which is a security threat.
>
> I filed bug #174759 to the security team back in April on this issue,
> and then fixed the openldap package where I had originally found it.
>
> Anybody using binpkgs obtained from a public repository that contain SSL
> certs should ensure that they regenerate the SSL certs on each machine.
>
> For packages, there are two possible fixes:
> 1. Move the docert call into pkg_postinst.

there it is
-mike
Re: SSL certificates in binary packages
On Tue, 21 Aug 2007, Natanael Copa wrote:

> Hi,
>
> I use the gentoo framework to build binary packages. I noticed that most
> packages create the SSL certificate during src_install(). This makes
> all binary packages contain the ssl certs which is a security threat.


Hi,

If you are really concerned by security, then you do not want to use
such automatically-generated certificates. They generally contain fake
CN names (e.g. "CN=localhost") and they are not expected in a PKI
environment: they can't be checked nor trusted. You will generate your
own certificates with your own root CA, your own CRL and your own
policy.

>
> The net-nds/openldap package has understood this and calls docert from
> pkg_postinst() and even includes this comment:
>
> # You cannot build SSL certificates during src_install that will make
> # binary packages containing your SSL key, which is both a security risk
> # and a misconfiguration if multiple machines use the same key and cert.

I guess openldap generates self-signed certificates with generic CN
names, and this problem is not solved this way.

Cheers,
--
Raphael Marichez aka Falco
Gentoo/Security
Re: SSL certificates in binary packages
On Wed, 2007-08-22 at 13:29 +0200, Raphael Marichez wrote:
> On Tue, 21 Aug 2007, Natanael Copa wrote:
>
> > Hi,
> >
> > I use the gentoo framework to build binary packages. I noticed that most
> > packages create the SSL certificate during src_install(). This makes
> > all binary packages contain the ssl certs which is a security threat.
>
>
> Hi,
>
> If you are really concerned by security, then you do not want to use
> such automatically-generated certificates. They generally contains fake
> CN names (e.g. "CN=localhost") and they are not expected in a PKI
> environment: they can't be checked nor trusted. You will generate your
> own certificates with your own root CA, your own CRL and your own
> policy.

Of course. I'm just telling that there are some public keys available in
the binary packages so joe user might believe he has encryption of his
traffic out of the box.

> >
> > The net-nds/openldap package has understood this and calls docert from
> > pkg_postinst() and even includes this comment:
> >
> > # You cannot build SSL certificates during src_install that will make
> > # binary packages containing your SSL key, which is both a security risk
> > # and a misconfiguration if multiple machines use the same key and cert.
>
> i guess openldap generates self-signed certificates with generic CN
> names, and this problem is not solved this way.

Difficult to decrypt traffic even if it uses self signed keys. Trivial
if you have the private keys.

Do whatever you want with it. I was just surprised to find private keys
in my binary packages.
