Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 4 May 2014 23:40:47 -0400 (EDT)
From: cve-assign@...re.org
To: kseifried@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: ldns-keygen creates private key world readable

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> ldns-keygen creates private key world readable
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746758
> 
> https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=573

Comment 1 in 573 says "Willem Toorop ... Good catch! ... a patch would
be apprectiated." Willem Toorop would be considered the "vendor"
according to the http://git.nlnetlabs.nl/ldns/tree/README and
http://www.oscon.com/oscon2014/public/schedule/speaker/173326 pages.

Use CVE-2014-3209.

> Same argument as GPG I suppose, so probably deserves a CVE.

A user may have no choice other than to run GPG on a multi-user system
that always has untrusted users logged in. The documentation might
imply that ldns-keygen is typically run on a DNS server. The vendor
could have decided to assert that the permissions were intentional.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTZwgHAAoJEKllVAevmvmsIEcIALy9LDQ3PWHSWgtXqljeLAFA
EOm+nv2e5Payp2YNVRRsQEMyoQyNNIv2ao95n9Ya28FXI3LL+YEpWv8caDWOZe2B
zkgtMIyxn0YZYSrHLuuv/73kVlWSecn1UlqACJmAVKbNpFAmnJoKwBHTNhIOI07Y
6TKdEKk0j8jCAZarBedDZHjJ9f1CHwNMOgFRq9oRL54MY1SWnQWoMZcdpg8WmbIN
aco6ZHvyOOoECxnBhIBmazYg/fV+fA1slveOgpPLS1h635DgExRd8DR+6sfwiHe6
P++/8u8NHGfFMUfvrqfa0z4Y7FQE5tcb7jPZD3Zdl+InkqxBi46piGL7+rw5sEM=
=0FSX
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.