Bug 1098188
| Field | Value |
|---|---|
| Summary | opendnssec: incorrect permissions on /var/softhsm/slot0.db and /var/opendnssec/kasp.db |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED NOTABUG |
| Severity | low |
| Priority | low |
| Version | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Petr Spacek <pspacek> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | jrusnack, mmcallis, puiterwijk, pwouters, vdanen |
| Keywords | Security |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2014-09-23 17:27:42 UTC |
| Bug Depends On | 1111335, 1111336 |

Description
Petr Spacek
2014-05-15 12:59:52 UTC
This has been reported upstream by the looks of things, similar issue:

https://issues.opendnssec.org/browse/SUPPORT-136

I'm actually going to turn this into a Security bug and file Fedora/EPEL6 trackers.

Created opendnssec tracking bugs for this issue:

Affects: fedora-all [bug 1111335]
Affects: epel-6 [bug 1111336]

(In reply to Vincent Danen from comment #1)
> This has been reported upstream by the looks of things, similar issue:
>
> https://issues.opendnssec.org/browse/SUPPORT-136

I am not sure if this bugzilla is a security issue or not. Possible CVE request and reasoning here:
http://www.openwall.com/lists/oss-security/2014/06/20/3

Regarding the SUPPORT-136 issue, CVE request is here:
http://www.openwall.com/lists/oss-security/2014/06/20/4

https://issues.opendnssec.org/browse/SUPPORT-136 is https://bugzilla.redhat.com/show_bug.cgi?id=1111474

(In reply to Vincent Danen from comment #2)
> I'm actually going to turn this into a Security bug and file Fedora/EPEL6
> trackers.

Please note that original Fedora packaging prevents OpenDNSSEC from creating any key in the database. The slot0.db file is world-readable but write-able only by root. OpenDNSSEC is running under user "ods" by default so it can't effectively write any keys to the database so there is nothing to leak until somebody fixes file permissions.

That is the reason why I considered this to be a simple packaging bug instead of a security problem - it simply prevents OpenDNSSEC from working.

Well, the bug does make this a non-issue then. It's ideal to keep this open so that when is fixed the other is fixed as well, but Fedora (and presumably EPEL?) wouldn't be affected out of the box then, if this bug prevents anything interesting from being written in the first place.

I'm leaving the Fedora/EPEL trackers open so that they will get fixed there, but as far as a security flaw goes, I'm closing this bug since it is not a flaw.
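The thread turns on two separate properties of the key-store file: whether any local user can read it, and whether the service account can write to it at all. The following is an added example, not code from this bug report or from OpenDNSSEC, that separates the two so the state that matters (world-readable and writable by the service) stands out; the uid/gid 995 for "ods" and the mode 0644 in the usage are constructed values.

```python
import os
import stat
import tempfile

def classify(mode, owner_uid, group_gid, svc_uid, svc_gids):
    """Classify a key-store file from its mode bits and ownership.

    Findings returned (a set):
      'world-readable'   any local user can read the file
      'svc-cannot-write' the service account cannot write, so no keys get stored
      'exposed'          world-readable AND writable by the service: key
                         material the service writes is readable by everyone
    Assumes a non-root service account; parent-directory permissions are
    not considered.
    """
    # POSIX picks exactly one permission class: owner, else group, else other.
    if svc_uid == owner_uid:
        can_write = bool(mode & stat.S_IWUSR)
    elif group_gid in svc_gids:
        can_write = bool(mode & stat.S_IWGRP)
    else:
        can_write = bool(mode & stat.S_IWOTH)
    world_readable = bool(mode & stat.S_IROTH)
    findings = set()
    if world_readable:
        findings.add("world-readable")
    if not can_write:
        findings.add("svc-cannot-write")
    if world_readable and can_write:
        findings.add("exposed")
    return findings

def audit(path, svc_uid, svc_gids):
    """Run classify() against a real file, e.g. /var/softhsm/slot0.db."""
    st = os.stat(path)
    return classify(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                    svc_uid, svc_gids)

def demo():
    # Constructed temp file standing in for slot0.db, tightened to 0600.
    with tempfile.NamedTemporaryFile() as f:
        os.chmod(f.name, 0o600)
        return audit(f.name, os.getuid(), os.getgroups())

if __name__ == "__main__":
    # Constructed values: root-owned 0644 file, service uid/gid 995.
    print(sorted(classify(0o644, 0, 0, 995, [995])))
```

A root-owned 0644 file reports both `world-readable` and `svc-cannot-write`, which matches the situation described in the thread; changing only the ownership to the service account, without also dropping the world-read bit, moves it to `exposed`.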