michael orlitzky

CVE-2020-35766: OpenDKIM unsafe /tmp usage

posted 2020-12-28

Versions affected
2.10.3 and earlier
Published on
Bug report


The OpenDKIM test suite relies on a fixed path under the world-writable /tmp for its temporary keys. The dangers of this are well-known. An attacker can exploit the situation to overwrite files belonging to the user who runs the test suite.


The libopendkim portion of the OpenDKIM test suite uses a set of temporary keys to test itself. The temporary keys are created in libopendkim/tests/t-setup.c, which is intended to be the first test executed by the suite:

#include "t-testdata.h"
f = fopen(KEYFILE, "w");
assert(f != NULL);

fprintf(f, "%s.%s.%s ", SELECTOR, DKIM_DNSKEYNAME, DOMAIN);
for (p = PUBLICKEY; *p != '\0'; p++)
  if (*p != '\n')
    putc(*p, f);
fprintf(f, "\n");

The corresponding KEYFILE path is defined in libopendkim/tests/t-testdata.h,

#define	KEYFILE        "/tmp/testkeys"

That path is generally world-writable, and is public knowledge because it's written down right there in that file. As a result, an attacker can hijack the KEYFILE path before the test suite is run, causing the “setup” test to overwrite a file belonging to someone else. For example, any user can symlink /tmp/testkeys to /etc/passwd. If the OpenDKIM test suite is later run as root, the system's password file will be overwritten with garbage.


Until the issue is fixed, users can edit libopendkim/tests/t-testdata.h and replace /tmp with a directory that is only writable by the user building the software. OpenDKIM's own build directory might suffice.