Good morning,
As reported in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752092
and
https://issues.opendnssec.org/browse/SUPPORT-136
the softhsm-keyconv tool creates world-readable files. Based on the
description of the tool at [1], my uneducated guess is it would allow an
unprivileged user to control (if the output file is created in a
directory they can access) a DNS server via rndc.
Could a CVE be assigned if one has not been already?
(The Debian bug also notes a similar issue was fixed in ldns - I've asked
for more details about that in the bug.)
[1] http://manpages.ubuntu.com/manpages/precise/man1/softhsm-keyconv.1.html
Cheers,
--
Murray McAllister / Red Hat Product Security
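
The failure mode reported above, as an added C example (not softhsm-keyconv's code and not part of the original message): it assumes the common pattern of writing a key file through fopen() under umask 022 and contrasts that with creating the file owner-only via open(). The function names and the sample key are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed placeholder, not real key material. */
static const char SAMPLE_KEY[] = "-----BEGIN PRIVATE KEY-----\n(constructed sample)\n";

/* Weak pattern (assumed): fopen() creates with 0666 & ~umask, i.e. 0644 under umask 022. */
static int write_key_weak(const char *path) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int rc = (fputs(SAMPLE_KEY, f) == EOF) ? -1 : 0;
    return (fclose(f) != 0) ? -1 : rc;
}

/* Hardened: 0600 set atomically at creation; O_EXCL|O_NOFOLLOW refuse a planted file or symlink. */
static int write_key_private(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    FILE *f = fdopen(fd, "w");
    if (!f) { close(fd); unlink(path); return -1; }
    int rc = (fputs(SAMPLE_KEY, f) == EOF) ? -1 : 0;
    if (fclose(f) != 0) rc = -1;
    if (rc != 0) unlink(path);   /* do not leave a partial key behind */
    return rc;
}

/* Writes the sample in a fresh temp dir under umask 022; returns the file's mode bits or -1. */
static int created_mode(int hardened) {
    char dir[] = "/tmp/keyconv-demo-XXXXXX", path[64];
    struct stat st;
    int mode = -1;
    mode_t old = umask(022);
    if (mkdtemp(dir)) {
        snprintf(path, sizeof path, "%s/key.pem", dir);
        int rc = hardened ? write_key_private(path) : write_key_weak(path);
        if (rc == 0 && stat(path, &st) == 0) mode = (int)(st.st_mode & 0777);
        unlink(path);
        rmdir(dir);
    }
    umask(old);
    return mode;
}

int main(void) {
    return printf("fopen(): %04o  open(0600): %04o\n", created_mode(0), created_mode(1)) < 0;
}
```

Running `stat -c '%a %n'` on files a conversion tool has already produced is the matching audit check: any private key file with group or other bits set needs its mode tightened, and the key should be treated as exposed if other local users could reach the directory.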