oss-sec mailing list archives
CVE request: softhsm, softhsm-keyconv tool creates world-readable files
From: Murray McAllister <mmcallis () redhat com>
Date: Fri, 20 Jun 2014 15:46:30 +1000
Good morning, As reported in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752092 and https://issues.opendnssec.org/browse/SUPPORT-136softhsm-keyconv tool creates world-readable files. Based on the description of the tool at [1], my uneducated guess is it would allow an unprivileged user to control (if the output file is created in a directory they can access) a DNS server via rndc.
Could a CVE be assigned if one has not been already?The Debian bug also notes a similar issue was fixed in ldns - I've asked for more details about that in the bug).
[1] http://manpages.ubuntu.com/manpages/precise/man1/softhsm-keyconv.1.html Cheers, -- Murray McAllister / Red Hat Product Security
Current thread:
- CVE request: softhsm, softhsm-keyconv tool creates world-readable files Murray McAllister (Jun 19)
- Re: CVE request: softhsm, softhsm-keyconv tool creates world-readable files Salvatore Bonaccorso (Jun 19)
- Re: CVE request: softhsm, softhsm-keyconv tool creates world-readable files Murray McAllister (Jun 19)
- Re: CVE request: softhsm, softhsm-keyconv tool creates world-readable files Salvatore Bonaccorso (Jun 19)