Date: Fri, 20 Jun 2014 15:46:30 +1000 From: Murray McAllister <mmcallis@...hat.com> To: oss-security@...ts.openwall.com CC: 752092@...s.debian.org Subject: CVE request: softhsm, softhsm-keyconv tool creates world-readable files Good morning, As reported in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752092 and https://issues.opendnssec.org/browse/SUPPORT-136 softhsm-keyconv tool creates world-readable files. Based on the description of the tool at , my uneducated guess is it would allow an unprivileged user to control (if the output file is created in a directory they can access) a DNS server via rndc. Could a CVE be assigned if one has not been already? The Debian bug also notes a similar issue was fixed in ldns - I've asked for more details about that in the bug).  http://manpages.ubuntu.com/manpages/precise/man1/softhsm-keyconv.1.html Cheers, -- Murray McAllister / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ