Bug#706933: 1100-sslcert checks for wrong package; snakeoil cert is not regenerated

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#706933: 1100-sslcert checks for wrong package; snakeoil cert is not regenerated
From: "Trent W. Buck" <trentbuck@gmail.com>
Date: Mon, 06 May 2013 20:28:57 +1000
Message-id: <[🔎] 20130506102857.5394.15679.reportbug@twb.cyber.com.au>
Reply-to: "Trent W. Buck" <trentbuck@gmail.com>, 706933@bugs.debian.org

Package: live-config
Version: 3.0.23-1
Severity: normal

[When asked privately in IRC, dba didn't consider this a security
issue, so I'm reporting it normally.]

It looks like /lib/live/config/1100-sslcert is trying to regenerate
the snakeoil key & cert at boot time, similar to how SSH host keys are
handled in 1170-openssh-server.  AFAICT this code will never run,
because it looks for "sslcert" when it should look for "ssl-cert".

If someone builds a live SOE with a daemon, and that daemon is stupid
enough to use the snakeoil certs instead of generating its own, that
daemon will be using the same key across all boots/instances.  If an
attacker got hold of the SOE, they could extract the build-time
snakeoil key and use it for MITM type things.

(Of course, any daemon that generates its own certs would need an
equivalent to this script, or be similarly affected.  Same thing if
someone builds a live SOE with dropbear or lsh instead of openssh.)

Reply to:

Prev by Date: Bug#706926: Remove persistent CD udev rules
Next by Date: Bug#702187: Debian Live 7.0: 7.0.0 released
Previous by thread: Bug#706926: Remove persistent CD udev rules
Next by thread: Bug#702187: Debian Live 7.0: 7.0.0 released
Index(es):
- Date
- Thread