The softhsm-keyconv utility can convert BIND private keys to the PKCS#8 format and vice versa. It was reported that softhsm-keyconv created output files (the converted keys) with world-readable permissions. A local, unprivileged user on a system running DNSSEC could use this flaw to obtain DNSSEC keys, if softhsm-keyconv was used to create the converted file in a directory the unprivileged user has access to.

References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752092
https://issues.opendnssec.org/browse/SUPPORT-136

CVE request:
http://www.openwall.com/lists/oss-security/2014/06/20/4
Created softhsm tracking bugs for this issue:

Affects: fedora-all [bug 1111475]
Affects: epel-6 [bug 1111476]
This is corrected in 2.0.0b1, as per the NEWS:

SoftHSM 2.0.0b1 - 2014-09-10
...
* SUPPORT-136: softhsm2-keyconv creates files with sensitive material in insecure way.

and the commit:
https://github.com/bellgrim/SoftHSMv2/commit/492447cd4a2be449e99fb9ad2519ea3277aaad28
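To make the flaw described in the report and the fix referenced above concrete, here is an added example (not SoftHSM code) contrasting the insecure file-creation pattern with the hardened one, plus a check an administrator could run over a key directory. The file names and key bytes are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Constructed placeholder standing in for PKCS#8 output; not a real key.
SAMPLE_KEY = b"-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n"

def write_key_insecure(path, data=SAMPLE_KEY):
    """The 'before' pattern: plain open() creates the file as 0666 & ~umask,
    so under the usual umask 022 the converted key ends up 0644 (world-readable)."""
    with open(path, "wb") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)

def write_key_secure(path, data=SAMPLE_KEY):
    """Hardened form: request 0600 at creation time (no window where the key is
    readable by others) and use O_EXCL so an existing file or symlink is never
    silently truncated or followed."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)

def world_readable_files(directory):
    """Defender check: regular files under `directory` readable by 'other',
    e.g. keys written by an unpatched softhsm-keyconv."""
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            p = os.path.join(root, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) & stat.S_IROTH:
                found.append(p)
    return sorted(found)

def demo():
    """Run both writers under umask 022; return (insecure_mode, secure_mode, exposed)."""
    old = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            insecure = write_key_insecure(os.path.join(d, "Kexample.insecure.pem"))
            secure = write_key_secure(os.path.join(d, "Kexample.secure.pem"))
            exposed = [os.path.basename(p) for p in world_readable_files(d)]
            return insecure, secure, exposed
    finally:
        os.umask(old)

if __name__ == "__main__":
    print(demo())  # (0o644, 0o600, ['Kexample.insecure.pem'])
```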
Fedora contains 2.0.0b1 now.