- Package: src:opencryptoki
- Source: src:opencryptoki
- Submitter: Salvatore Bonaccorso
- Date: 2026-06-29 13:09:02 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for opencryptoki.

CVE-2026-23893[0]:
| openCryptoki is a PKCS#11 library and provides tooling for Linux and
| AIX. Versions 2.3.2 and above are vulnerable to symlink-following
| when running in privileged contexts. A token-group user can redirect
| file operations to arbitrary filesystem targets by planting symlinks
| in group-writable token directories, resulting in privilege
| escalation or data exposure. Token and lock directories are 0770
| (group-writable for token users), so any token-group member can
| plant files and symlinks inside them. When run as root, the base
| code handling token directory file access, as well as several
| openCryptoki tools used for administrative purposes, may reset
| ownership or permissions on existing files inside the token
| directories. An attacker with token-group membership can exploit the
| system when an administrator runs a PKCS#11 application or
| administrative tool that performs chown on files inside the token
| directory during normal maintenance. This issue is fixed in commit
| 5e6e4b4, but has not been included in a released version at the time
| of publication.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-23893
    https://www.cve.org/CVERecord?id=CVE-2026-23893
[1] https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-j6c7-mvpx-jx5q
[2] https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
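The advisory quoted in the report describes a privileged process resetting ownership on entries inside a 0770 token directory, where a path-based chown() follows a symlink planted by a group member. The program below is an added illustration of the defensive pattern for that class of bug; it is not code from openCryptoki, from the fix commit, or from the Debian package. Every function name in it (open_token_dir, fix_entry_owner, fix_token_dir) is hypothetical. The idea is to never operate on a path: open the directory with O_NOFOLLOW, open each entry with O_NOFOLLOW (a symlink then fails with ELOOP on Linux), confirm on the open descriptor that it is a regular file, and apply fchown() to that same descriptor, so nothing can be substituted between the check and the ownership change.

```c
/* Added example: ownership reset that refuses to follow symlinks inside a
   group-writable directory. Not openCryptoki code; all names are hypothetical. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes so callers can see why an entry was left alone. */
enum fix_result {
    FIX_ERROR = -1,
    FIX_OK = 0,
    FIX_REFUSED_SYMLINK = 1,
    FIX_REFUSED_NOT_REGULAR = 2
};

/* Open the token directory itself without following a symlink at its path. */
int open_token_dir(const char *path)
{
    return open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
}

/* Reset ownership of one entry relative to dirfd.
   The unsafe pattern is lstat(path) followed by chown(path): between the two
   calls a group member can swap the entry for a symlink, and chown() follows
   it. Here the entry is opened with O_NOFOLLOW, the *open descriptor* is
   checked to be a regular file, and fchown() is applied to that descriptor,
   so no other filesystem object can be substituted. O_NONBLOCK keeps the
   open from blocking if the planted entry is a FIFO. */
enum fix_result fix_entry_owner(int dirfd, const char *name, uid_t uid, gid_t gid)
{
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NONBLOCK);
    if (fd < 0)
        return errno == ELOOP ? FIX_REFUSED_SYMLINK : FIX_ERROR;  /* ELOOP: planted link */

    struct stat st;
    if (fstat(fd, &st) != 0) { close(fd); return FIX_ERROR; }
    if (!S_ISREG(st.st_mode)) { close(fd); return FIX_REFUSED_NOT_REGULAR; }

    int rc = fchown(fd, uid, gid);  /* acts on the object we inspected, not a path */
    close(fd);
    return rc == 0 ? FIX_OK : FIX_ERROR;
}

/* Walk one token directory and reset ownership of each regular file.
   Returns the number of files fixed, or -1 if the directory could not be
   opened; *refused counts symlinks and non-regular entries that were skipped. */
int fix_token_dir(const char *path, uid_t uid, gid_t gid, int *refused)
{
    int dfd = open_token_dir(path);
    if (dfd < 0) return -1;
    DIR *dir = fdopendir(dfd);  /* DIR now owns dfd */
    if (!dir) { close(dfd); return -1; }

    int fixed = 0;
    *refused = 0;
    struct dirent *ent;
    while ((ent = readdir(dir)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        switch (fix_entry_owner(dirfd(dir), ent->d_name, uid, gid)) {
        case FIX_OK:                 fixed++;      break;
        case FIX_REFUSED_SYMLINK:
        case FIX_REFUSED_NOT_REGULAR: (*refused)++; break;
        default:                                    break;
        }
    }
    closedir(dir);
    return fixed;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <token-dir>\n", argv[0]);
        return 2;
    }
    int refused = 0;
    int fixed = fix_token_dir(argv[1], getuid(), getgid(), &refused);
    if (fixed < 0) { perror(argv[1]); return 1; }
    printf("fixed %d regular file(s), refused %d symlink/non-regular entries\n",
           fixed, refused);
    return 0;
}
```

Run as `./fix-owner /var/lib/opencryptoki/tokdir` (path is an assumption; use whatever directory you are auditing) to see how many entries a privileged maintenance step would have touched and how many it refused. The same descriptor-based discipline applies to chmod (fchmod on the opened descriptor) and to lock files, which the advisory lists alongside token directories.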
We believe that the bug you reported is fixed in the latest version of
opencryptoki, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1126268@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Tille <tille@debian.org> (supplier of updated opencryptoki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 29 Jun 2026 14:37:31 +0200
Source: opencryptoki
Architecture: source
Version: 3.27.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Andreas Tille <tille@debian.org>
Closes: 749670 1103270 1126268 1136019
Changes:
opencryptoki (3.27.0-1) unstable; urgency=medium
.
* QA upload.
.
[ Andreas Tille ]
* New upstream version
Closes: #749670
Closes: #1126268 (CVE-2026-23893)
Closes: #1136019 (CVE-2026-40253)
* Orphan package (see bug #1138982)
* Maintain package in Debian team on Salsa
* d/watch: version=5
* d/copyright:
- Fix Source
- License name is CPL-1.0
* Standards-Version: 4.7.4 (Removed Priority field)
* Replace FSF postal address with a reference to
https://www.gnu.org/licenses/.
* Set upstream metadata fields: Bug-Database, Repository, Repository-Browse.
* Drop useless get-orig-source target (routine-update)
* Trim trailing whitespace.
* Set upstream metadata fields: Bug-Submit.
* Do not remove doc/README.* from upstream source any more
.
[ Helmut Grohne ]
* Fix FTCBFS: (Closes: #1103270)
+ Missing Build-Depends: autoconf-archive for AX_CC_FOR_BUILD.
+ cross.patch: Fix missing PKCS_GROUP macro in CFLAGS_FOR_BUILD.
Checksums-Sha1:
7795c0032e20eee96a8ae5c4d22efca3ed025469 2179 opencryptoki_3.27.0-1.dsc
c58de85e69b24502c8be53a05040681fe95c0a25 2570297 opencryptoki_3.27.0.orig.tar.gz
11e72dae82bc929a251ec4fd4d21f13a5360045c 20660 opencryptoki_3.27.0-1.debian.tar.xz
ffbfa345b627fc391fa9d595823081261d47b9bc 7324 opencryptoki_3.27.0-1_amd64.buildinfo
Checksums-Sha256:
51de03c51d93041390bb4d5560ce3fabab625ce5888be08ad40771d81ddbd9c4 2179 opencryptoki_3.27.0-1.dsc
f3f959a9680a4fbfc20f30c86ebc6231c5035f27390e02a8312e538cac49ca09 2570297 opencryptoki_3.27.0.orig.tar.gz
d73617d65c7b56c346988c9f8ad186bfcbca4d59201486f0811d9144c14e1632 20660 opencryptoki_3.27.0-1.debian.tar.xz
7c24f6a5a8f58d53b5ff2448a62ab3793dac850e43b9f627b218fd973497412e 7324 opencryptoki_3.27.0-1_amd64.buildinfo
Files:
44ecbffa02f477272d8ec417fd9404f9 2179 admin optional opencryptoki_3.27.0-1.dsc
3e12625dd801c613a2eddd57aa273abb 2570297 admin optional opencryptoki_3.27.0.orig.tar.gz
85336405f4d61ae112117163885c34df 20660 admin optional opencryptoki_3.27.0-1.debian.tar.xz
67f520ca30c7fa8e975e85306f7a6dc2 7324 admin optional opencryptoki_3.27.0-1_amd64.buildinfo