From 46692eecab887d77069b377801b929f717612b76 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Thu, 13 Nov 2025 13:17:58 -0400
Subject: [PATCH] HSEC-2025-0006: [crypton-]x509-store private key leak

---
 .../crypton-x509-store/HSEC-2025-0006.md | 1 +
 .../hackage/x509-store/HSEC-2025-0006.md | 1 +
 advisories/published/2025/HSEC-2025-0006.md | 38 +++++++++++++++++++
 3 files changed, 40 insertions(+)
 create mode 120000 advisories/hackage/crypton-x509-store/HSEC-2025-0006.md
 create mode 120000 advisories/hackage/x509-store/HSEC-2025-0006.md
 create mode 100644 advisories/published/2025/HSEC-2025-0006.md

diff --git a/advisories/hackage/crypton-x509-store/HSEC-2025-0006.md b/advisories/hackage/crypton-x509-store/HSEC-2025-0006.md
new file mode 120000
index 00000000..43f2e9e0
--- /dev/null
+++ b/advisories/hackage/crypton-x509-store/HSEC-2025-0006.md
@@ -0,0 +1 @@
+../../published/2025/HSEC-2025-0006.md
\ No newline at end of file
diff --git a/advisories/hackage/x509-store/HSEC-2025-0006.md b/advisories/hackage/x509-store/HSEC-2025-0006.md
new file mode 120000
index 00000000..43f2e9e0
--- /dev/null
+++ b/advisories/hackage/x509-store/HSEC-2025-0006.md
@@ -0,0 +1 @@
+../../published/2025/HSEC-2025-0006.md
\ No newline at end of file
diff --git a/advisories/published/2025/HSEC-2025-0006.md b/advisories/published/2025/HSEC-2025-0006.md
new file mode 100644
index 00000000..79f555c6
--- /dev/null
+++ b/advisories/published/2025/HSEC-2025-0006.md
@@ -0,0 +1,38 @@
+```toml
+[advisory]
+id = "HSEC-2025-0006"
+keywords = ["crypto"]
+cwe = [403]
+
+[[references]]
+type = "FIX"
+url = "https://github.com/kazu-yamamoto/crypton-certificate/commit/e353d450c381c9d6b903c4257927e0c89c97acb1"
+
+[[affected]]
+package = "x509-store"
+cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
+[[affected.versions]]
+introduced = "0.1"
+
+[[affected]]
+package = "crypton-x509-store"
+cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
+[[affected.versions]]
+introduced = "1.6.9"
+fixed = "1.6.12"
+```
+
+# Private key leak via inherited file descriptor
+
+The X.509 key reading function `readKeyFile` opened a file
+descriptor to the private key without setting the *close-on-exec*
+flag. If a child process is `exec`ed at the same time, it would
+inherit that file descriptor and could read the private key
+material.
+
+Impact is limited to child processes that run untrusted code, but
+that do not close inherited file descriptors. (For example, the
+`su(1)` command.)
+
+This leak was fixed by setting the *close-on-exec* flag on
+unix-based systems.
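Review bot: The `x509-store` entry has `introduced = "0.1"` and no `fixed` version, so every release of that package is declared affected, yet the prose never tells readers what to do about it; add a sentence such as `No fixed release of x509-store exists; users should migrate to crypton-x509-store 1.6.12 or later.` The impact paragraph's "child processes that run untrusted code, but that do not close inherited file descriptors" reads as a contrast where both conditions must hold, so `and` is meant, and it would help to spell out the actual window: another thread performing fork+exec while `readKeyFile` still holds the descriptor open, which is what the close-on-exec flag closes. Both CVSS vectors say `AV:N`, but the scenario described (a child process spawned on the same host inheriting a descriptor) is a local attack and would normally be scored `AV:L`; please confirm the intended vector before publishing. Since the final paragraph limits the fix to "unix-based systems", the advisory should say explicitly whether handle inheritance on Windows is unaffected or simply not addressed by the referenced commit, so operators on that platform know where they stand.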