oss-sec mailing list archives
CVE Request for ceph-deploy world-readable keyring permissions
From: Andreas Stieger <astieger () suse de>
Date: Thu, 09 Apr 2015 17:38:34 +0200
Hello,

ceph-deploy 1.5.23 fixes an issue with world-readable permissions on a keyring containing private key material. The 1.5.23 changelog states:

"Fix an issue where keyring permissions were world readable"

The problem was that the keyring file would be created with 644 mode. If ceph-deploy was run as a dedicated non-root admin user, the keys would be readable to all other (non-admin) users of the same group, thus leaking authentication credentials.

The upstream pull request and commits are:
https://github.com/ceph/ceph-deploy/pull/272
https://github.com/ceph/ceph-deploy/commit/eee56770393bf19ed2dd5389226c6190c08dee3f

References:
https://github.com/ceph/ceph-deploy/pull/272
https://github.com/ceph/ceph-deploy/commit/eee56770393bf19ed2dd5389226c6190c08dee3f
https://bugzilla.suse.com/show_bug.cgi?id=920926

Could I get a CVE ID assigned please?

Thanks
Andreas Stieger

--
Andreas Stieger <astieger () suse de>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
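
An added example, not part of the original message and not ceph-deploy's actual patch: it shows the 644 keyring creation described in the report next to an owner-only creation, plus a check that flags keyring files readable by group or other. The function names, file names and key text are hypothetical and constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed sample content; not a real Ceph key.
SAMPLE_KEYRING = "[client.admin]\n\tkey = CONSTRUCTED-NOT-A-REAL-KEY\n"

def write_keyring_insecure(path, data):
    """'Before' pattern: open() creates 0666 & ~umask, i.e. 0644 under umask 022."""
    with open(path, "w") as f:
        f.write(data)

def write_keyring_0600(path, data):
    """Create the file owner-only from the first byte, independent of the umask."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    fd = os.open(path, flags, 0o600)  # the mode applies only if the file is new
    with os.fdopen(fd, "w") as f:
        # Tighten a file left behind as 0644 by an earlier run before writing.
        os.fchmod(f.fileno(), 0o600)
        f.write(data)

def find_exposed_keyrings(directory):
    """Return {filename: octal mode} for *.keyring files readable by group/other."""
    exposed = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".keyring"):
            continue
        st = os.lstat(os.path.join(directory, name))
        if not stat.S_ISREG(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            exposed[name] = oct(mode)
    return exposed

def demo():
    """Write both variants under a typical umask and report the exposed ones."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            write_keyring_insecure(os.path.join(d, "insecure.keyring"), SAMPLE_KEYRING)
            # Simulate an upgrade: a 0644 file already exists, then gets rewritten.
            write_keyring_insecure(os.path.join(d, "fixed.keyring"), SAMPLE_KEYRING)
            write_keyring_0600(os.path.join(d, "fixed.keyring"), SAMPLE_KEYRING)
            return find_exposed_keyrings(d)
    finally:
        os.umask(old_umask)
```

Running `find_exposed_keyrings` over the directory where an older version wrote its keyrings shows which existing files still need a `chmod 600`; upgrading alone does not change files that were already created.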