CVE request: opencryptoki insecure lock files handling

[Raphael Geissert <geissert () debian org>]

Hi,

Niels Heinen (Google) discovered that openCryptoki 2.4.0 and older, when 
spinlocks are used, incorrectly handle lock files stored in /tmp. It is 
possible for an attacker to replace the lock files with symlinks and have 
pkcsslotd (or others) fchmod the target of the symlink to make it world-
writable, create arbitrary files, etc.
In response, upstream released 2.4.1[1] which fixed the fchmod issue (commits 
[3] and [4]).
Niels discovered that 2.4.1 still allowed arbitrary files creation by 
following symlinks. Upstream then released 2.4.2[2], fixing this last issue 
(commits [5] and [6]).

Even with the fixes in 2.4.2, members of the pkcs11 group could still use 
symlink attacks. However, as per upstream's documentation, members of such 
group are expected to be trusted[7].

Could CVE ids be assigned?

[1] 2.4.1 announcement:
http://sourceforge.net/mailarchive/message.php?msg_id=28878345
[2] 2.4.2 announcement:
http://sourceforge.net/mailarchive/message.php?msg_id=29191022
[3]http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=b7fcb3eb0319183348f1f4fb90ede4edd6487c30
[4]http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=58345488c9351d9be9a4be27c8b407c2706a33a9
[5]http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=8a63b3b17d34718d0f8c7525f93b5eb3c623076a
[6]http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=5667edb52cd27b7e512f48f823b4bcc6b872ab15
[7]http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=blobdiff;f=man/man7/opencryptoki.7.in;h=5030bd2f6f698119e50926679041d0efcb2693df;hp=659a97976799cc6256df7a796c224bd30ba349d4;hb=7744b6224e80848596ac80a07745c7a588eef2a0;hpb=24950e95a84d125180a0e418a4822a97236f2cb0

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net