posted 2020-12-28
The OpenDKIM test suite relies on a fixed path under the world-writable /tmp for its temporary keys. The dangers of this are well-known. An attacker can exploit the situation to overwrite files belonging to the user who runs the test suite.
The libopendkim portion of the OpenDKIM test suite uses a set of temporary keys to test itself. The temporary keys are created in libopendkim/tests/t-setup.c, which is intended to be the first test executed by the suite:
    #include "t-testdata.h"
    ...
    f = fopen(KEYFILE, "w");
    assert(f != NULL);
    fprintf(f, "%s.%s.%s ", SELECTOR, DKIM_DNSKEYNAME, DOMAIN);
    for (p = PUBLICKEY; *p != '\0'; p++)
    {
        if (*p != '\n')
            putc(*p, f);
    }
    fprintf(f, "\n");
    ...
    fclose(f);
The corresponding KEYFILE path is defined in libopendkim/tests/t-testdata.h. That path is generally world-writable, and is public knowledge because it's written down right there in that file. As a result, an attacker can hijack the KEYFILE path before the test suite is run, causing the “setup” test to overwrite a file belonging to someone else. For example, any user can symlink /tmp/testkeys to /etc/passwd. If the OpenDKIM test suite is later run as root, the system's password file will be overwritten with garbage.
Until the issue is fixed, users can edit libopendkim/tests/t-testdata.h and replace /tmp with a directory that is only writable by the user building the software. OpenDKIM's own build directory might suffice.
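A code-level way to refuse a pre-planted symlink, shown as an added example that is not from OpenDKIM or the original post. The hypothetical open_keyfile_excl() stands in for fopen(path, "w") with an exclusive, no-follow open, and symlink_is_refused() checks it against a constructed symlink inside a private mkdtemp() directory.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkdtemp, O_NOFOLLOW, fdopen */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical replacement for fopen(KEYFILE, "w"): create the file only if
 * nothing, not even a dangling symlink, already exists at that path. */
FILE *open_keyfile_excl(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return NULL;              /* errno is EEXIST for a planted symlink */
    FILE *f = fdopen(fd, "w");
    if (f == NULL)
        close(fd);
    return f;
}

/* Constructed scenario in a private mkdtemp() directory: "victim" stands in
 * for another file, "testkeys" is a symlink planted at the key file path.
 * Returns 1 if the open was refused and the victim is untouched. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/keytest.XXXXXX", victim[64], key[64], buf[16] = "";
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(key, sizeof key, "%s/testkeys", dir);

    FILE *v = fopen(victim, "w");
    if (v == NULL) return -1;
    fputs("precious", v);
    fclose(v);
    if (symlink(victim, key) != 0) return -1;

    FILE *f = open_keyfile_excl(key);
    int refused = (f == NULL && errno == EEXIST);
    if (f) fclose(f);

    v = fopen(victim, "r");
    if (v) { fgets(buf, sizeof buf, v); fclose(v); }
    unlink(key); unlink(victim); rmdir(dir);
    return refused && strcmp(buf, "precious") == 0;
}
```

Because O_EXCL makes the open fail on any existing name, a test suite using this pattern has to remove its own stale key file, or work in a fresh private directory, before each run.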