Date: Thu, 09 Apr 2015 17:38:34 +0200
From: Andreas Stieger <astieger@...e.de>
To: oss-security@...ts.openwall.com
CC: cve-assign@...re.org
Subject: CVE Request for ceph-deploy world-readable keyring permissions

Hello,

ceph-deploy 1.5.23 fixes an issue with world-readable permissions on a
keyring containing private key material.

The 1.5.23 changelog states:
"Fix an issue where keyring permissions were world readable"

The problem was that the keyring file would be created with 644 mode. If
ceph-deploy was run as a dedicated non-root admin user, the keys would
be readable to all other (non-admin) users of the same group, thus
leaking authentication credentials.

The upstream pull request and commits are:
https://github.com/ceph/ceph-deploy/pull/272
https://github.com/ceph/ceph-deploy/commit/eee56770393bf19ed2dd5389226c6190c08dee3f

References:
https://github.com/ceph/ceph-deploy/pull/272
https://github.com/ceph/ceph-deploy/commit/eee56770393bf19ed2dd5389226c6190c08dee3f
https://bugzilla.suse.com/show_bug.cgi?id=920926

Could I get a CVE ID assigned please?

Thanks
Andreas Stieger

-- 
Andreas Stieger <astieger@...e.de>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
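The two creation behaviours described above (default 0644 versus an owner-only keyring) and an audit that flags exposed keyring files, as an added example that is not part of the e-mail or of ceph-deploy's own code; the `.keyring` filename suffix and the sample keyring content are assumptions made for the example.

```python
import os
import stat
import tempfile

# Constructed sample content for the example; not a real Ceph key.
SAMPLE_KEYRING = b"[client.admin]\n\tkey = EXAMPLE-PLACEHOLDER-NOT-A-REAL-KEY==\n"

def write_keyring_insecure(path: str, data: bytes) -> None:
    """Pre-fix behaviour: default mode 0666 & ~umask, i.e. 0644 under umask 022."""
    with open(path, "wb") as f:
        f.write(data)

def write_keyring(path: str, data: bytes) -> None:
    """Create the keyring owner-only (0600) at open(2) time, so it never exists
    with wider permissions; O_EXCL refuses a pre-existing file or symlink."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)

def exposed_bits(path: str) -> int:
    """Permission bits granting group or other access; 0 means owner-only."""
    return stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO)

def audit_keyrings(directory: str) -> dict:
    """Map each *.keyring file under directory to its exposed bits, if any."""
    findings = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.endswith(".keyring"):
                bits = exposed_bits(os.path.join(root, name))
                if bits:
                    findings[name] = bits
    return findings

def demo() -> dict:
    """Write one keyring each way under umask 022 and audit the directory."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            write_keyring_insecure(os.path.join(d, "bad.keyring"), SAMPLE_KEYRING)
            write_keyring(os.path.join(d, "good.keyring"), SAMPLE_KEYRING)
            return audit_keyrings(d)  # expected: {"bad.keyring": 0o044}
    finally:
        os.umask(old_umask)
```

Running `audit_keyrings` against a deployment's keyring directory gives a quick check that no file still carries group or other read bits after upgrading.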