openCryptoki 2.4.1 allows local users to create or set world-writable
permissions on arbitrary files via a symlink attack on the (1)
LCK..opencryptoki or (2) LCK..opencryptoki_stdll file in /var/lock/.
 mdeslaur> 2.4.1 moved lock files from /tmp to /var/lock, but /var/lock is
 mdeslaur> world writable on certain distros, such as Debian and Ubuntu.
 mdeslaur> 2.4.2 moved them to /var/lock/opencryptoki
 mdeslaur> members of the pkcs11 group are considered trusted by upstream
 mdeslaur> and can escalate privileges to root even after the upstream
 mdeslaur> patches. See oss-security discussion.
 mdeslaur> Moving this to /var/lock/opencryptoki makes the problem worse
 mdeslaur> for members of the pkcs11 group as that directory wouldn't be
 mdeslaur> covered by symlink restrictions. Fix shouldn't be applied to
 mdeslaur> natty+
 mdeslaur> Fixing this in lucid would only prevent users who are not in
 mdeslaur> the pkcs11 group from escalating permissions. Since it is likely
 mdeslaur> that local users that have this installed are in that group,
 mdeslaur> this is downgraded to low.
Updated: 2019-01-14 21:14:40 UTC (commit 51f9b73af244ba86b9321e46e526586c25a8e060)
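
Added example, not openCryptoki's code or the upstream patch: one way to open a lock file in a shared directory so that a symlink planted at its path is refused, and the mode is set on the descriptor rather than on the path. The function names, the scratch directory standing in for /var/lock, and the single-owner check are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open or create a lock file without following a symlink planted at path.
 * Returns an fd, or -1 with errno set (ELOOP on Linux for a symlink). */
int open_lock_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    /* Inspect the object actually opened; never re-resolve the path.
     * Assumption: the lock has a single owner and no extra hard links. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    /* Set the mode on the descriptor; chmod(path, ...) would race. */
    if (fchmod(fd, 0600) != 0) { close(fd); return -1; }
    return fd;
}

/* Constructed scenario: a scratch directory stands in for /var/lock and
 * "victim" for the file a planted symlink points at. Returns 1 on success. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/lockdemoXXXXXX", victim[64], lock[64];
    struct stat before, after;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lock, sizeof lock, "%s/LCK..demo", dir);
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0 || symlink(victim, lock) != 0 || stat(victim, &before) != 0)
        return 0;
    close(vfd);
    int bad = open_lock_file(lock);               /* symlink in place */
    int refused = (bad < 0 && errno == ELOOP);
    int same = stat(victim, &after) == 0 && after.st_mode == before.st_mode;
    unlink(lock);
    int good = open_lock_file(lock);              /* clean path */
    if (good >= 0) close(good);
    unlink(lock); unlink(victim); rmdir(dir);
    return refused && same && good >= 0;
}
int main(void) { return demo_symlink_refused() ? 0 : 1; }
```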