Bug 1093943 (CVE-2014-3209)

Summary: CVE-2014-3209 ldns: ldns-keygen generates keys with world readable permissions
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: carnil, dkholia, jkurik, jrusnack, kseifried, leon, pwouters, thoger, thozza
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-11-21 11:43:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1093945, 1093946    
Bug Blocks: 1093944    

Description Kurt Seifried 2014-05-03 18:21:24 UTC 
Jonas Smedegaard reports:


The ldns-keygen tool creates a keypair, one of which should be kept
private.  The tool apparently use default access rights for all files,
leading to the private key being created world readable.

====

This has been confirmed:

# ldns-keygen -a RSASHA1_NSEC3 -b 1024 example.net
Kexample.net.+007+63434
 # ls -la
total 20
drwxr-xr-x.  2 root root 4096 May  3 11:34 .
dr-xr-x---. 11 root root 4096 May  3 11:34 ..
-rw-r--r--.  1 root root   70 May  3 11:34 Kexample.net.+007+63434.ds
-rw-r--r--.  1 root root  242 May  3 11:34 Kexample.net.+007+63434.key
-rw-r--r--.  1 root root  943 May  3 11:34 Kexample.net.+007+63434.private

External references:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746758
Comment 1 Kurt Seifried 2014-05-03 18:30:58 UTC 
Created ldns tracking bugs for this issue:

Affects: fedora-all [bug 1093945]
Affects: epel-all [bug 1093946]
Comment 2 Murray McAllister 2014-05-05 07:09:40 UTC 
MITRE assigned CVE-2014-3209 to this issue:

http://seclists.org/oss-sec/2014/q2/241
Comment 5 Leon Weber 2014-05-05 14:55:30 UTC 
For reference, I’ve reported this upstream a month ago: <https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=573>
Comment 8 Martin Prpič 2014-11-21 11:43:58 UTC 
Statement:

This issue affects the versions of ldns as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.