Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 509632 (CVE-2014-3209) - <net-dns/ldns-utils-1.7.0 : ldns-keygen generates keys with world readable permissions
Summary: <net-dns/ldns-utils-1.7.0 : ldns-keygen generates keys with world readable pe...
Status: RESOLVED FIXED
Alias: CVE-2014-3209
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-05 18:17 UTC by Agostino Sarubbo
Modified: 2018-01-25 00:12 UTC (History)
1 user (show)

See Also:
Package list:
net-dns/ldns-utils-1.7.0-r1 net-libs/ldns-1.7.0-r2
Runtime testing required: ---
zlogene: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-05-05 18:17:36 UTC
From ${URL} :

Jonas Smedegaard reports:


The ldns-keygen tool creates a keypair, one of which should be kept
private.  The tool apparently use default access rights for all files,
leading to the private key being created world readable.

====

This has been confirmed:

# ldns-keygen -a RSASHA1_NSEC3 -b 1024 example.net
Kexample.net.+007+63434
 # ls -la
total 20
drwxr-xr-x.  2 root root 4096 May  3 11:34 .
dr-xr-x---. 11 root root 4096 May  3 11:34 ..
-rw-r--r--.  1 root root   70 May  3 11:34 Kexample.net.+007+63434.ds
-rw-r--r--.  1 root root  242 May  3 11:34 Kexample.net.+007+63434.key
-rw-r--r--.  1 root root  943 May  3 11:34 Kexample.net.+007+63434.private

External references:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746758


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-22 19:56:56 UTC
Upstream bug at https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=573 including patch. I don't see any upstream release for it at this time ( The latest release is 1.6.17, dating Jan 10, 2014)
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-06-26 02:58:40 UTC
The commit for the Fix is here:

http://git.nlnetlabs.nl/ldns/commit/?h=develop&id=169f38c1e25750f935838b670871056428977e6b

Debian also released a version for this under:
1.6.17-4
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-07-29 22:59:40 UTC
Ping!

It has been a month since last message, upstream has not released any new packages just a patch in GIT. Do we just want to patch like Debian?
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-12-29 00:10:17 UTC
CVE-2014-3209 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3209):
  The ldns-keygen tool in ldns 1.6.x uses the current umask to set the
  privileges of the private key, which might allow local users to obtain the
  private key by reading the file.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 23:42:38 UTC
CC'ing new maintainer.

@ Marc: Please see comment #3
Comment 6 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-20 18:35:24 UTC
From 

https://www.nlnetlabs.nl

Version 1.7.0 is available since 12/2016 and has fixed the bug.

Maintainer, could you please comment the status from the last ebuild, is it already stable? If not, is there something that we can help with?

Thanks
Comment 7 Harri Nieminen (Moiman) 2017-12-02 09:27:41 UTC
Please CC arches to start stabilization.
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2017-12-02 10:25:08 UTC
Arches, go ahead please and stabilize

net-dns/ldns-utils-17.0

Thanks!
Comment 9 Stabilization helper bot gentoo-dev 2017-12-02 11:01:25 UTC
An automated check of this bug failed - repoman reported dependency errors (137 lines truncated): 

> dependency.bad net-dns/ldns-utils/ldns-utils-1.7.0.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=net-libs/ldns-1.7.0[dane?,ecdsa?,gost?,ssl?]']
> dependency.bad net-dns/ldns-utils/ldns-utils-1.7.0.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['>=net-libs/ldns-1.7.0[dane?,ecdsa?,gost?,ssl?]']
> dependency.bad net-dns/ldns-utils/ldns-utils-1.7.0.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['>=net-libs/ldns-1.7.0[dane?,ecdsa?,gost?,ssl?]']
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-03 21:12:57 UTC
hppa stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-12-04 14:41:49 UTC
amd64 stable
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-08 20:42:23 UTC
x86 stable
Comment 13 Rolf Eike Beer archtester 2017-12-10 22:00:21 UTC
Please update the package list.
Comment 14 Markus Meier gentoo-dev 2017-12-12 18:37:43 UTC
arm stable
Comment 15 Harri Nieminen (Moiman) 2017-12-13 15:00:36 UTC
Updated package list to fix build of net-libs/ldns without ssl flag (It is now removed) and net-dns/ldns-utils update adds missing REQUIRED_USE.

See following bugs for more info:
https://bugs.gentoo.org/640142
https://bugs.gentoo.org/640132
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-14 15:08:31 UTC
x86 stable
Comment 17 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-14 20:23:00 UTC
ia64 stable
Comment 18 Agostino Sarubbo gentoo-dev 2017-12-14 20:27:17 UTC
amd64 stable
Comment 19 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-14 22:49:12 UTC
ppc/ppc64 stable
Comment 20 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-15 23:23:06 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 21 Markus Meier gentoo-dev 2017-12-21 19:26:28 UTC
arm stable
Comment 22 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-31 23:36:09 UTC
hppa stable (thanks to Rolf Eike Beer)
Comment 23 Aaron Bauman (RETIRED) gentoo-dev 2018-01-15 16:27:20 UTC
@alpha, ping!
Comment 24 Aaron Bauman (RETIRED) gentoo-dev 2018-01-19 21:18:20 UTC
Alpha has no stable version and still hasn't stabilized.

@maintainer, can we please cleanup the vulnerable versions?
Comment 25 Tobias Klausmann (RETIRED) gentoo-dev 2018-01-20 11:50:53 UTC
Stable on alpha, sorry for the delay.
Comment 26 Aaron Bauman (RETIRED) gentoo-dev 2018-01-20 14:22:07 UTC
(In reply to Tobias Klausmann from comment #25)
> Stable on alpha, sorry for the delay.

Thanks, Tobias!

@maintainer, please clean the vulnerable versions from the tree.