Bugzilla – Bug 573
CVE-2014-3209: ldns-keygen should create private key files with stricter permissions
Last modified: 2014-05-06 15:29:12 CEST
Currently, ldns-keygen will create private key files with the permissions defined by the current umask, which can be insecure if that umask allows reads by other users. It would be desirable to have private key files created with stricter permissions, like 600.
(I would have written a patch if the git repository URL wasn’t down :()
Git should be up again, so if you have time, a patch would be appreciated.
Created attachment 253 [details]
Proposed patch attached.
Meanwhile, this bug got assigned CVE-2014-3209.
(In reply to comment #2)
> Created attachment 253 [details]
> Proposed patch
> Proposed patch attached.
> Meanwhile, this bug got assigned CVE-2014-3209.
Bug? More a feature request.
Oh well... Thanks for the patch. Applied verbatim.
Yes, well, I wasn’t careful with my wording. Thanks for applying!
No no not commenting on your wording. And I also think it is a valuable enhancement.
I'm just a bit "surprised" it turned into a CVE. That's a little excessive if you ask me. A user doing DNSSEC on a multi-user system (with other untrusted users) should be very aware of security anyway. They should have read and practise RFC 6841, not?
(In reply to comment #4)
> Yes, well, I wasn't careful with my wording. Thanks for applying!
I wasn’t involved with the CVE assignment, but here’s MITRE’s argument for assigning a CVE: <http://seclists.org/oss-sec/2014/q2/241>