Bug 1093943 – CVE-2014-3209 ldns: ldns-keygen generates keys with world readable permissions

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1093943 - (CVE-2014-3209) CVE-2014-3209 ldns: ldns-keygen generates keys with world readable permissions

Summary:	CVE-2014-3209 ldns: ldns-keygen generates keys with world readable permissions

Status:	CLOSED WONTFIX

Aliases:	CVE-2014-3209

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20140503,reported=2...
Keywords:	Security

Depends On:	1093945 1093946
Blocks:	1093944
	Show dependency tree / graph

Reported:	2014-05-03 14:21 EDT by Kurt Seifried
Modified:	2017-04-06 11:00 EDT (History)
CC List:	9 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2014-11-21 06:43:58 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Kurt Seifried 2014-05-03 14:21:24 EDT

Jonas Smedegaard reports:


The ldns-keygen tool creates a keypair, one of which should be kept
private.  The tool apparently use default access rights for all files,
leading to the private key being created world readable.

====

This has been confirmed:

# ldns-keygen -a RSASHA1_NSEC3 -b 1024 example.net
Kexample.net.+007+63434
 # ls -la
total 20
drwxr-xr-x.  2 root root 4096 May  3 11:34 .
dr-xr-x---. 11 root root 4096 May  3 11:34 ..
-rw-r--r--.  1 root root   70 May  3 11:34 Kexample.net.+007+63434.ds
-rw-r--r--.  1 root root  242 May  3 11:34 Kexample.net.+007+63434.key
-rw-r--r--.  1 root root  943 May  3 11:34 Kexample.net.+007+63434.private

External references:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746758

Comment 1 Kurt Seifried 2014-05-03 14:30:58 EDT

Created ldns tracking bugs for this issue:

Affects: fedora-all [bug 1093945]
Affects: epel-all [bug 1093946]

Comment 2 Murray McAllister 2014-05-05 03:09:40 EDT

MITRE assigned CVE-2014-3209 to this issue:

http://seclists.org/oss-sec/2014/q2/241

Comment 5 Leon Weber 2014-05-05 10:55:30 EDT

For reference, I’ve reported this upstream a month ago: <https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=573>

Comment 8 Martin Prpič 2014-11-21 06:43:58 EST

Statement:

This issue affects the versions of ldns as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Note You need to log in before you can comment on or make changes to this bug.