Bug 573 - CVE-2014-3209: ldns-keygen should create private key files with stricter permissions
CVE-2014-3209: ldns-keygen should create private key files with stricter perm...
Status: RESOLVED FIXED
Product: ldns
Classification: Unclassified
Component: drill/tools
1.6.x
Other Linux
: P3 enhancement
Assigned To: LDNS dev team
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-04-07 10:39 CEST by Leon Weber
Modified: 2014-05-06 15:29 CEST (History)
2 users (show)

See Also:


Attachments
Proposed patch (1.74 KB, patch)
2014-05-05 11:44 CEST, Leon Weber
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Leon Weber 2014-04-07 10:39:23 CEST
Currently, ldns-keygen will create private key files with the permissions defined by the current umask, which can be insecure if that umask allows reads by other users.  It would be desirable to have private key files created with stricter permissions, like 600.

(I would have written a patch if the git repository URL wasn’t down :()
Comment 1 Willem Toorop 2014-04-07 14:43:17 CEST
Good catch!
Git should be up again, so if you have time, a patch would be apprectiated.
Thanks!

-- Willem
Comment 2 Leon Weber 2014-05-05 11:44:58 CEST
Created attachment 253 [details]
Proposed patch

Proposed patch attached.

Meanwhile, this bug got assigned CVE-2014-3209.
Comment 3 Willem Toorop 2014-05-05 22:48:08 CEST
(In reply to comment #2)
> Created attachment 253 [details]
> Proposed patch
> 
> Proposed patch attached.
> 
> Meanwhile, this bug got assigned CVE-2014-3209.

Bug?  More a feature request.
Oh well... Thanks for the patch.  Applied verbatim.

http://git.nlnetlabs.nl/ldns/commit/?h=develop&id=169f38c1e25750f935838b670871056428977e6b

Regards,

-- Willem
Comment 4 Leon Weber 2014-05-06 00:43:09 CEST
Yes, well, I wasn’t careful with my wording.  Thanks for applying!
Comment 5 Willem Toorop 2014-05-06 10:05:31 CEST
No no not commenting on your wording.  And I also think it is a valueable enhancement.
I'm just a bit "surprised" it turned into a CVE.  That's a little excessive if you ask me.  A user doing DNSSEC on a multi-user system (with other untrusted users) should be very aware of security anyway.  They should have read and practise RFC 6841, not?

(In reply to comment #4)
> Yes, well, I wasn't careful with my wording.  Thanks for applying!
Comment 6 Leon Weber 2014-05-06 15:29:12 CEST
I wasn’t involved with the CVE assignment, but here’s MITRE’s argument for assigning a CVE: <http://seclists.org/oss-sec/2014/q2/241>