Date: Sun, 4 May 2014 23:40:47 -0400 (EDT)
From: cve-assign@...re.org
To: kseifried@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: ldns-keygen creates private key world readable

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> ldns-keygen creates private key world readable
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746758
>
> https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=573

Comment 1 in 573 says "Willem Toorop ... Good catch! ... a patch would be
appreciated." Willem Toorop would be considered the "vendor" according to
the http://git.nlnetlabs.nl/ldns/tree/README and
http://www.oscon.com/oscon2014/public/schedule/speaker/173326 pages.

Use CVE-2014-3209.

> Same argument as GPG I suppose, so probably deserves a CVE.

A user may have no choice other than to run GPG on a multi-user system
that always has untrusted users logged in. The documentation might imply
that ldns-keygen is typically run on a DNS server. The vendor could have
decided to assert that the permissions were intentional.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTZwgHAAoJEKllVAevmvmsIEcIALy9LDQ3PWHSWgtXqljeLAFA
EOm+nv2e5Payp2YNVRRsQEMyoQyNNIv2ao95n9Ya28FXI3LL+YEpWv8caDWOZe2B
zkgtMIyxn0YZYSrHLuuv/73kVlWSecn1UlqACJmAVKbNpFAmnJoKwBHTNhIOI07Y
6TKdEKk0j8jCAZarBedDZHjJ9f1CHwNMOgFRq9oRL54MY1SWnQWoMZcdpg8WmbIN
aco6ZHvyOOoECxnBhIBmazYg/fV+fA1slveOgpPLS1h635DgExRd8DR+6sfwiHe6
P++/8u8NHGfFMUfvrqfa0z4Y7FQE5tcb7jPZD3Zdl+InkqxBi46piGL7+rw5sEM=
=0FSX
-----END PGP SIGNATURE-----
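The class of bug behind this CVE is a key-generation tool writing its `.private` file with permissions that let other local users read it. The C example below is added here and is not part of the message above or of the ldns code base; it makes no claim about how ldns-keygen itself opens files. It shows the two things a defender wants: a writer that creates a private-key file owner-only regardless of umask (`open` with `O_CREAT|O_EXCL` and mode 0600, so the umask can only narrow the mode), and an audit check that flags any key file granting group or other permissions. The file name, the key bytes, and the `/tmp` scratch directory are constructed for the demonstration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a private-key file that is never readable by group or others.
 * O_EXCL refuses to reuse a pre-existing file or symlink of that name,
 * and the requested 0600 mode can only be narrowed by the umask, never
 * widened, so the result is owner-only on any umask. */
int write_private_key(const char *path, const unsigned char *key, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    size_t off = 0;
    while (off < len) {
        ssize_t n = write(fd, key + off, len - off);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        off += (size_t)n;
    }
    return close(fd) == 0 ? 0 : -1;
}

/* Audit check: 1 if the file grants any permission bit to group or
 * others (the condition reported in this thread), 0 if it is owner-only,
 * -1 if it cannot be stat'ed. lstat() is used so a symlink is judged by
 * its own mode rather than by whatever it points at. */
int key_file_exposed(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) != 0;
}

/* Self-check on constructed data: a key written by write_private_key()
 * passes the audit, while a copy loosened to 0644 (simulating the bug)
 * is flagged. Returns 0 when both outcomes are as expected. */
int demo(void)
{
    char dir[] = "/tmp/keyperm-XXXXXX";      /* scratch dir, constructed */
    if (mkdtemp(dir) == NULL)
        return 1;
    char good[256], bad[256];
    snprintf(good, sizeof good, "%s/K.example.private", dir);
    snprintf(bad, sizeof bad, "%s/K.example.loose.private", dir);
    /* Placeholder bytes standing in for real key material (constructed). */
    const unsigned char key[] = "Private-key-format: v1.2\nAlgorithm: 8 (RSASHA256)\n";
    int rc = 1;
    if (write_private_key(good, key, sizeof key - 1) != 0) goto out;
    if (write_private_key(bad, key, sizeof key - 1) != 0) goto out;
    if (chmod(bad, 0644) != 0) goto out;       /* reproduce the world-readable state */
    if (key_file_exposed(good) != 0) goto out; /* secure writer: not exposed */
    if (key_file_exposed(bad) != 1) goto out;  /* loosened copy: flagged */
    rc = 0;
out:
    unlink(good);
    unlink(bad);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo();
    printf("%s\n", rc == 0 ? "ok: secure writer passes, 0644 key is flagged" : "check failed");
    return rc;
}
```

On a multi-user host the audit function is the part worth running on a schedule over the key directory: a file that was correct when created can still be loosened later by a careless `chmod`, and the bug reported here shows that tools cannot be assumed to get the mode right at creation time.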