softhsm-keyconv creates security-sensitive file world-readable

Related Vulnerabilities: CVE-2014-3209  

Debian Bug report logs - #752092


Reported by: Jonas Smedegaard <dr@jones.dk>

Date: Thu, 19 Jun 2014 14:54:07 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version softhsm/1.3.3-2

Fixed in version softhsm/1.3.7-2

Done: Ondřej Surý <ondrej@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.opendnssec.org/browse/SUPPORT-136




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#752092; Package softhsm. (Thu, 19 Jun 2014 14:54:12 GMT)


Acknowledgement sent to Jonas Smedegaard <dr@jones.dk>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ondřej Surý <ondrej@debian.org>. (Thu, 19 Jun 2014 14:54:12 GMT)


Message #5 received at submit@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: softhsm-keyconv creates security-sensitive file world-readable
Date: Thu, 19 Jun 2014 14:03:02 +0200
Package: softhsm
Version: 1.3.3-2
Severity: important
Tags: security

The softhsm-keyconv tool creates its output files with default access
rights, i.e. group- and world-readable on a default Debian setup.

I believe the correct thing would be to instead create files readable
only by the user invoking the tool, or inherit access rights from the
input file of the conversion process.

 - Jonas


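The defect the report describes and the fix it asks for, as an added C example. This is not softhsm's code, and the report does not say which library call softhsm-keyconv used, only that the output file got the process's default access rights. The first writer creates the key file the way a plain fopen(path, "w") does, so its mode is whatever the caller's umask leaves of 0666; the second passes 0600 to open() at creation, which holds under any umask. The readable_by_others() check is what an auditor would run over files such a tool has already written. The scratch directory under /tmp, the placeholder key text and all function names are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed placeholder for converted key material; not a real key. */
static const char SAMPLE_KEY[] =
    "-----BEGIN PRIVATE KEY-----\n"
    "EXAMPLE-ONLY-NOT-A-REAL-KEY\n"
    "-----END PRIVATE KEY-----\n";

/* Write the whole buffer, retrying on short writes. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) return -1;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* The pattern the report describes: the file is created with "default
 * access rights", i.e. 0666 & ~umask. Under Debian's default umask of 022
 * the private key lands on disk as 0644, readable by every local user.
 * (The report does not say whether softhsm-keyconv used fopen() or open()
 * without a mode; this is the generic form of the mistake.) */
int write_key_umask_dependent(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    size_t len = sizeof SAMPLE_KEY - 1;
    int ok = fwrite(SAMPLE_KEY, 1, len, f) == len;
    if (fclose(f) != 0) ok = 0;
    return ok ? 0 : -1;
}

/* What the reporter asks for: readable only by the invoking user. The mode
 * must be requested at creation time, because umask can only clear bits,
 * never add them, so 0600 here is owner-only under any umask. O_EXCL refuses
 * a pre-existing file or symlink at the path, so a planted name is not
 * followed and overwritten. */
int write_key_owner_only(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    int rc = write_all(fd, SAMPLE_KEY, sizeof SAMPLE_KEY - 1);
    if (close(fd) != 0) rc = -1;
    return rc;
}

/* Permission bits of path (e.g. 0644), or -1 if it cannot be stat'ed. */
int file_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* The audit check for files a key-conversion tool has already written:
 * 1 if group or other can read the file, 0 if owner-only, -1 on error. */
int readable_by_others(const char *path)
{
    int mode = file_mode(path);
    if (mode < 0) return -1;
    return (mode & (S_IRGRP | S_IROTH)) ? 1 : 0;
}

struct demo_result {
    int mode;   /* permission bits the writer produced, -1 on failure */
    int leaks;  /* readable_by_others() verdict on that file */
};

/* Run one writer in a fresh scratch directory under umask 022 (the Debian
 * default the report refers to), record the outcome, and clean up. */
static struct demo_result run_demo(int (*writer)(const char *))
{
    struct demo_result r = { -1, -1 };
    char dir[] = "/tmp/keyconv-demo-XXXXXX";   /* assumed scratch location */
    if (mkdtemp(dir) == NULL) return r;
    char path[64];
    snprintf(path, sizeof path, "%s/key.pem", dir);
    mode_t saved = umask(022);
    if (writer(path) == 0) {
        r.mode = file_mode(path);
        r.leaks = readable_by_others(path);
    }
    umask(saved);
    unlink(path);
    rmdir(dir);
    return r;
}

struct demo_result demo_umask_dependent(void) { return run_demo(write_key_umask_dependent); }
struct demo_result demo_owner_only(void)      { return run_demo(write_key_owner_only); }

int main(void)
{
    struct demo_result a = demo_umask_dependent();
    struct demo_result b = demo_owner_only();
    printf("fopen(path, \"w\") under umask 022:       mode %04o, leaks=%d\n", a.mode, a.leaks);
    printf("open(O_CREAT|O_EXCL, 0600) under 022:  mode %04o, leaks=%d\n", b.mode, b.leaks);
    return 0;
}
```

Build with cc -o keyconv-demo keyconv-demo.c and run it: under a 022 umask the first file reports 0644 and leaks=1, the second 0600 and leaks=0. Setting a stricter umask in the calling shell is not a fix for the tool, since it can be invoked from any environment; the mode argument to open() is the one place the tool itself controls.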


Information forwarded to debian-bugs-dist@lists.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#752092; Package softhsm. (Thu, 19 Jun 2014 15:12:16 GMT)


Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Ondřej Surý <ondrej@debian.org>. (Thu, 19 Jun 2014 15:12:16 GMT)


Message #10 received at 752092@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: Jonas Smedegaard <dr@jones.dk>, 752092@bugs.debian.org
Subject: Re: Bug#752092: softhsm-keyconv creates security-sensitive file world-readable
Date: Thu, 19 Jun 2014 17:10:35 +0200
Control: forwarded -1 https://issues.opendnssec.org/browse/SUPPORT-136

Funny, I have just fixed exactly same bug in ldns.

Will push that forward...

O.

On Thu, Jun 19, 2014, at 14:03, Jonas Smedegaard wrote:
> Package: softhsm
> Version: 1.3.3-2
> Severity: important
> Tags: security
> 
> The softhsm-keyconv tool creates its output files with default access
> rights, i.e. group- and world-readable on a default Debian setup.
> 
> I believe the correct thing would be to instead create files readable
> only by the user invoking the tool, or inherit access rights from the
> input file of the conversion process.
> 
>  - Jonas


-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server



Set Bug forwarded-to-address to 'https://issues.opendnssec.org/browse/SUPPORT-136'. Request was from Ondřej Surý <ondrej@sury.org> to 752092-submit@bugs.debian.org. (Thu, 19 Jun 2014 15:12:16 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#752092; Package softhsm. (Fri, 20 Jun 2014 05:48:12 GMT)


Acknowledgement sent to mmcallis@redhat.com:
Extra info received and forwarded to list. Copy sent to Ondřej Surý <ondrej@debian.org>. (Fri, 20 Jun 2014 05:48:12 GMT)


Message #17 received at 752092@bugs.debian.org:

From: Murray McAllister <mmcallis@redhat.com>
To: 752092@bugs.debian.org
Cc: ondrej@sury.org
Subject: ldns issue
Date: Fri, 20 Jun 2014 15:45:11 +1000
Hi Ondřej,

As noted in <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752092>,
you fixed a similar issue in ldns. Are you able to share details
about what the issue in ldns is?

Thanks,

--
Murray McAllister / Red Hat Product Security



Information forwarded to debian-bugs-dist@lists.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#752092; Package softhsm. (Fri, 20 Jun 2014 05:48:16 GMT)


Acknowledgement sent to mmcallis@redhat.com:
Extra info received and forwarded to list. Copy sent to Ondřej Surý <ondrej@debian.org>. (Fri, 20 Jun 2014 05:48:16 GMT)


Message #22 received at 752092@bugs.debian.org:

From: Murray McAllister <mmcallis@redhat.com>
To: oss-security@lists.openwall.com
Cc: 752092@bugs.debian.org
Subject: CVE request: softhsm, softhsm-keyconv tool creates world-readable files
Date: Fri, 20 Jun 2014 15:46:30 +1000
Good morning,

As reported in

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752092

and

https://issues.opendnssec.org/browse/SUPPORT-136

the softhsm-keyconv tool creates world-readable files. Based on the
description of the tool at [1], my uneducated guess is it would allow an 
unprivileged user to control (if the output file is created in a 
directory they can access) a DNS server via rndc.

Could a CVE be assigned if one has not been already?

The Debian bug also notes a similar issue was fixed in ldns - I've asked
for more details about that in the bug.

[1] http://manpages.ubuntu.com/manpages/precise/man1/softhsm-keyconv.1.html

Cheers,

--
Murray McAllister / Red Hat Product Security



Information forwarded to debian-bugs-dist@lists.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#752092; Package softhsm. (Fri, 20 Jun 2014 06:06:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Ondřej Surý <ondrej@debian.org>. (Fri, 20 Jun 2014 06:06:08 GMT)


Message #27 received at 752092@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: oss-security@lists.openwall.com
Cc: 752092@bugs.debian.org
Subject: Re: [oss-security] CVE request: softhsm, softhsm-keyconv tool creates world-readable files
Date: Fri, 20 Jun 2014 08:02:32 +0200
Hello Murray,

(keeping the Cc on the bug report to answer this there as well):

On Fri, Jun 20, 2014 at 03:46:30PM +1000, Murray McAllister wrote:
[...]
> The Debian bug also notes a similar issue was fixed in ldns - I've
> asked for more details about that in the bug.

This should be CVE-2014-3209 (dns-keygen generates keys with world
readable permissions).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#752092; Package softhsm. (Fri, 20 Jun 2014 06:18:09 GMT)


Acknowledgement sent to mmcallis@redhat.com:
Extra info received and forwarded to list. Copy sent to Ondřej Surý <ondrej@debian.org>. (Fri, 20 Jun 2014 06:18:09 GMT)


Message #32 received at 752092@bugs.debian.org:

From: Murray McAllister <mmcallis@redhat.com>
To: oss-security@lists.openwall.com
Cc: 752092@bugs.debian.org, carnil@debian.org
Subject: Re: [oss-security] CVE request: softhsm, softhsm-keyconv tool creates world-readable files
Date: Fri, 20 Jun 2014 16:15:14 +1000
On 06/20/2014 04:02 PM, Salvatore Bonaccorso wrote:
> Hello Murray,
> 
> (keeping the Cc on the bug report to answer this there as well):
> 
> On Fri, Jun 20, 2014 at 03:46:30PM +1000, Murray McAllister wrote:
> [...]
>> The Debian bug also notes a similar issue was fixed in ldns - I've
>> asked for more details about that in the bug.
> 
> This should be CVE-2014-3209 (dns-keygen generates keys with world
> readable permissions).
> 
> Regards,
> Salvatore
> 

Thanks!

Regarding the rndc impact I noted, it seems softhsm-keyconv is
DNSSEC-related, not the type of keys you would use in an rndc.key file...

--
Murray McAllister / Red Hat Product Security



Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 14 Sep 2014 04:21:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#752092; Package softhsm. (Sat, 29 Nov 2014 22:48:10 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Ondřej Surý <ondrej@debian.org>. (Sat, 29 Nov 2014 22:48:10 GMT)


Message #39 received at 752092@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Ondřej Surý <ondrej@sury.org>
Cc: Jonas Smedegaard <dr@jones.dk>, 752092@bugs.debian.org
Subject: Re: Bug#752092: softhsm-keyconv creates security-sensitive file world-readable
Date: Sat, 29 Nov 2014 23:44:29 +0100
On Thu, Jun 19, 2014 at 05:10:35PM +0200, Ondřej Surý wrote:
> Control: forwarded -1 https://issues.opendnssec.org/browse/SUPPORT-136
> 
> Funny, I have just fixed exactly same bug in ldns.
> 
> Will push that forward...

Can you please upload a fix for jessie?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#752092; Package softhsm. (Mon, 01 Dec 2014 17:30:08 GMT)


Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Ondřej Surý <ondrej@debian.org>. (Mon, 01 Dec 2014 17:30:08 GMT)


Message #44 received at 752092@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: Jonas Smedegaard <dr@jones.dk>, 752092@bugs.debian.org
Subject: Re: Bug#752092: softhsm-keyconv creates security-sensitive file world-readable
Date: Mon, 01 Dec 2014 18:28:02 +0100
On Sat, Nov 29, 2014, at 23:44, Moritz Mühlenhoff wrote:
> On Thu, Jun 19, 2014 at 05:10:35PM +0200, Ondřej Surý wrote:
> > Control: forwarded -1 https://issues.opendnssec.org/browse/SUPPORT-136
> > 
> > Funny, I have just fixed exactly same bug in ldns.
> > 
> > Will push that forward...
> 
> Can you please upload a fix for jessie?

Yes, I had hoped that upstream would release a new version, but that
didn't happen. Thanks for the poke.

Cheers,
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server



Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Mon, 01 Dec 2014 17:39:10 GMT)


Notification sent to Jonas Smedegaard <dr@jones.dk>:
Bug acknowledged by developer. (Mon, 01 Dec 2014 17:39:10 GMT)


Message #49 received at 752092-close@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: 752092-close@bugs.debian.org
Subject: Bug#752092: fixed in softhsm 1.3.7-2
Date: Mon, 01 Dec 2014 17:34:27 +0000
Source: softhsm
Source-Version: 1.3.7-2

We believe that the bug you reported is fixed in the latest version of
softhsm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 752092@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated softhsm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 01 Dec 2014 17:52:05 +0100
Source: softhsm
Binary: softhsm-common softhsm libsofthsm-dev libsofthsm softhsm-dbg
Architecture: source amd64
Version: 1.3.7-2
Distribution: unstable
Urgency: medium
Maintainer: Ondřej Surý <ondrej@debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description:
 libsofthsm - a cryptographic store accessible through a PKCS #11
 libsofthsm-dev - a cryptographic store accessible through a PKCS #11
 softhsm    - a cryptographic store accessible through a PKCS #11
 softhsm-common - a cryptographic store accessible through a PKCS #11
 softhsm-dbg - Debug symbols for SoftHSM
Closes: 752092
Changes:
 softhsm (1.3.7-2) unstable; urgency=medium
 .
   * Fix softhsm-keyconv creating security-sensitive file world-readable
     (Closes: #752092)
   * Update Vcs-Urls to point to anonscm.debian.org
   * Standardize gbp repository layout
Checksums-Sha1:
 4c35616ee05d048a2375f4cee1436a6b73368c68 2357 softhsm_1.3.7-2.dsc
 c6ff73a951409ac6f903745b1760cc55c9ec2aa4 8828 softhsm_1.3.7-2.debian.tar.xz
 0518fb60f5350f82dcf7901b0d2f0066385e6ff4 10664 softhsm-common_1.3.7-2_amd64.deb
 83fba268f1fd131b057d2bfa27759a52a77a3a18 36342 softhsm_1.3.7-2_amd64.deb
 bd313351be1f9cc74531e8ae31f34d86698f2ff0 55302 libsofthsm-dev_1.3.7-2_amd64.deb
 24020d12d2ab913dda0f69c63ffc8d00c8bfe74c 42530 libsofthsm_1.3.7-2_amd64.deb
 2957155e0e75d437afdc0f6c23b2111348e8f6d9 362020 softhsm-dbg_1.3.7-2_amd64.deb
Checksums-Sha256:
 1a892255d2de9cb84ec2e3b60c314e81f1e0b4cdb1db2bffa3c0ae81958d57a0 2357 softhsm_1.3.7-2.dsc
 fbfa54f534125903493bbba3425844adeac665328808c2a60c86175f15556630 8828 softhsm_1.3.7-2.debian.tar.xz
 fc1a91adeaf6428622ce4dc27e5ab4d94d4d1189134f1f634b68c8c6870edd5d 10664 softhsm-common_1.3.7-2_amd64.deb
 5d03f963dd75ad348311b7efb8195ca310836413abe2e4806836a2b4964b115f 36342 softhsm_1.3.7-2_amd64.deb
 611379a9b87081d04a35e4104383f8b043d04a6b54d6c6e5687c08eccdb3f547 55302 libsofthsm-dev_1.3.7-2_amd64.deb
 b3469ada39383bf8b4739026f364221635e1fd4fe8ca27027c2566366af87969 42530 libsofthsm_1.3.7-2_amd64.deb
 6276210c230ee637ce08dbcc60403c1f5d13584ea3c53aad577664b74f9edcf6 362020 softhsm-dbg_1.3.7-2_amd64.deb
Files:
 223f9b3f0cad7934378ed682c3586264 2357 admin extra softhsm_1.3.7-2.dsc
 315b2804602ca9110a49a39ec9cdc179 8828 admin extra softhsm_1.3.7-2.debian.tar.xz
 97c3802f0978c97dcda7bd863ac13f40 10664 admin extra softhsm-common_1.3.7-2_amd64.deb
 8a91b788bb45e507bc76ff8f98b8d2f2 36342 admin extra softhsm_1.3.7-2_amd64.deb
 9832693ff6b2d124606911be2e7f0215 55302 libdevel extra libsofthsm-dev_1.3.7-2_amd64.deb
 3b6a231af6062514b749a02e1bce233f 42530 libs extra libsofthsm_1.3.7-2_amd64.deb
 884fdeb46dc266637dedd32e00ce15eb 362020 debug extra softhsm-dbg_1.3.7-2_amd64.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 04 Jan 2015 07:33:14 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:12:35 2019; Machine Name: beach
