Date: Fri, 20 Jun 2014 15:46:30 +1000 From: Murray McAllister <mmcallis@...hat.com> To: oss-security@...ts.openwall.com CC: 752092@...s.debian.org Subject: CVE request: softhsm, softhsm-keyconv tool creates world-readable files Good morning, As reported in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752092 and https://issues.opendnssec.org/browse/SUPPORT-136 softhsm-keyconv tool creates world-readable files. Based on the description of the tool at , my uneducated guess is it would allow an unprivileged user to control (if the output file is created in a directory they can access) a DNS server via rndc. Could a CVE be assigned if one has not been already? The Debian bug also notes a similar issue was fixed in ldns - I've asked for more details about that in the bug).  http://manpages.ubuntu.com/manpages/precise/man1/softhsm-keyconv.1.html Cheers, -- Murray McAllister / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.