oss-sec mailing list archives

CVE Request for ceph-deploy world-readable keyring permissions


From: Andreas Stieger <astieger () suse de>
Date: Thu, 09 Apr 2015 17:38:34 +0200

Hello,

ceph-deploy 1.5.23 fixes an issue with world-readable permissions on a
keyring containing private key material.

The 1.5.23 changelog states:
"Fix an issue where keyring permissions were world readable"

The problem was that the keyring file would be created with 644 mode. If
ceph-deploy was run as a dedicated non-root admin user, the keys would
be readable to all other (non-admin) users of the same group, thus
leaking authentication credentials.

The upstream pull request and commits are:
https://github.com/ceph/ceph-deploy/pull/272
https://github.com/ceph/ceph-deploy/commit/eee56770393bf19ed2dd5389226c6190c08dee3f

References:
https://github.com/ceph/ceph-deploy/pull/272
https://github.com/ceph/ceph-deploy/commit/eee56770393bf19ed2dd5389226c6190c08dee3f
https://bugzilla.suse.com/show_bug.cgi?id=920926

Could I get a CVE ID assigned please?

Thanks
Andreas Stieger

-- 
Andreas Stieger <astieger () suse de>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
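The 644-versus-600 creation mode discussed above, as an added example that is not ceph-deploy's own code or the upstream fix: the loose creation pattern beside a hardened one, plus an audit function that flags keyring files readable by group or others. Function names, the ".keyring" suffix and the sample keyring text are assumptions.

```python
import os
import stat
import tempfile

KEYRING_SUFFIX = ".keyring"  # assumed naming convention for the audit walk

def write_keyring_insecure(path: str, data: bytes) -> int:
    """Pattern behind the bug: plain open() creates the file as 0666 & ~umask,
    which under the common umask 022 yields mode 644 (readable by everyone)."""
    with open(path, "wb") as fh:
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)

def write_keyring_secure(path: str, data: bytes) -> int:
    """Hardened form: request 0600 at creation time so the file never exists
    with a looser mode, then write the secret."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    # O_CREAT keeps the mode of a pre-existing file, so tighten it explicitly.
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)

def find_exposed_keyrings(directory: str) -> list:
    """Audit check: list keyring files whose mode grants group or other read."""
    exposed = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(KEYRING_SUFFIX):
            continue
        mode = stat.S_IMODE(os.stat(os.path.join(directory, name)).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            exposed.append((name, oct(mode)))
    return exposed

def demo() -> dict:
    """Write one keyring each way under umask 022 in a temp dir, then audit it."""
    secret = b"[client.admin]\n\tkey = CONSTRUCTED-SAMPLE-NOT-A-REAL-KEY==\n"  # constructed
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            loose = write_keyring_insecure(os.path.join(d, "loose.keyring"), secret)
            tight = write_keyring_secure(os.path.join(d, "tight.keyring"), secret)
            return {"loose": loose, "tight": tight, "exposed": find_exposed_keyrings(d)}
    finally:
        os.umask(old_umask)
```

Running `demo()` reports the loosely created file as exposed and the 0600 file as clean; the audit function can be pointed at a real admin keyring directory to verify the fix is in place.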



