Date: Thu, 09 Apr 2015 17:38:34 +0200
From: Andreas Stieger <astieger@...e.de>
To: oss-security@...ts.openwall.com
CC: cve-assign@...re.org
Subject: CVE Request for ceph-deploy world-readable keyring permissions

Hello,

ceph-deploy 1.5.23 fixes an issue with world-readable permissions on a
keyring containing private key material.

The 1.5.23 changelog states:
"Fix an issue where keyring permissions were world readable"

The problem was that the keyring file would be created with 644 mode. If
ceph-deploy was run as a dedicated non-root admin user, the keys would
be readable to all other (non-admin) users of the same group, thus
leaking authentication credentials.

The upstream pull request and commits are:
https://github.com/ceph/ceph-deploy/pull/272
https://github.com/ceph/ceph-deploy/commit/eee56770393bf19ed2dd5389226c6190c08dee3f

References:
https://github.com/ceph/ceph-deploy/pull/272
https://github.com/ceph/ceph-deploy/commit/eee56770393bf19ed2dd5389226c6190c08dee3f
https://bugzilla.suse.com/show_bug.cgi?id=920926

Could I get a CVE ID assigned please?

Thanks
Andreas Stieger

-- 
Andreas Stieger <astieger@...e.de>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg) 
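The following is an added illustration, not code from ceph-deploy or from the message above. It shows the failure mode the message describes (a keyring written with a plain open() inherits 0644 from a typical 022 umask) next to the owner-only creation pattern, plus a small check that lists keyring files whose mode exposes them beyond their owner. The keyring content, the file names and the `.keyring` suffix used for the scan are constructed for the example; the suffix is an assumption taken from ceph-deploy's usual naming (e.g. ceph.client.admin.keyring).

```python
import os
import stat
import tempfile

# Constructed sample keyring content; not a real Ceph key.
SAMPLE_KEYRING = b"[client.admin]\n\tkey = CONSTRUCTED-SAMPLE-KEY-NOT-A-REAL-SECRET\n"


def write_keyring_insecure(path, data):
    """The pattern behind the bug: a plain open() creates the file with
    0666 masked by the process umask, so a typical 022 umask yields 0644
    and every local account can read the key material."""
    with open(path, "wb") as f:
        f.write(data)


def write_keyring_secure(path, data):
    """Create the keyring owner-only from the first instant it exists.
    The umask can only clear bits from the 0o600 passed to os.open, never
    add any, so the file is never broader than 0600; fchmod afterwards
    also tightens a pre-existing file that had wider permissions."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)
    except OSError:
        os.close(fd)
        raise
    with os.fdopen(fd, "wb") as f:  # fdopen takes ownership of fd
        f.write(data)


def exposure_bits(path):
    """Permission bits that expose the file beyond its owner
    (group and other read/write/execute). Zero means owner-only."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO)


def find_exposed_keyrings(directory, suffix=".keyring"):
    """Detection side: list keyring files under directory that are readable
    or writable by group or others. The '.keyring' suffix is an assumed
    convention (ceph-deploy writes e.g. ceph.client.admin.keyring)."""
    exposed = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.endswith(suffix):
                full = os.path.join(root, name)
                if exposure_bits(full) != 0:
                    exposed.append(full)
    return exposed


def demo(umask=0o022):
    """Write one keyring each way under the given umask in a temporary
    directory and return (insecure_mode, secure_mode, exposed_basenames)."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            bad = os.path.join(d, "ceph.client.admin.keyring")
            good = os.path.join(d, "ceph.mon.keyring")
            write_keyring_insecure(bad, SAMPLE_KEYRING)
            write_keyring_secure(good, SAMPLE_KEYRING)
            exposed = sorted(os.path.basename(p) for p in find_exposed_keyrings(d))
            return (stat.S_IMODE(os.stat(bad).st_mode),
                    stat.S_IMODE(os.stat(good).st_mode),
                    exposed)
    finally:
        os.umask(old)


if __name__ == "__main__":
    insecure, secure, exposed = demo()
    print("plain open():     %04o" % insecure)
    print("os.open(0o600):   %04o" % secure)
    print("exposed keyrings:", exposed)
```

Under a 022 umask the plain open() produces 0644 and the scan flags that file, while the os.open variant produces 0600 regardless of umask; under a 077 umask both come out 0600, which is why relying on the caller's umask is not a fix.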