Package: prosody
Version: 0.8.2-1
Severity: normal
Tags: patch

The postinst script generates an SSL key pair, but the private key is publicly
readable.


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages prosody depends on:
ii  adduser                       3.113      add and remove users and groups
ii  libc6                         2.13-10    Embedded GNU C Library: Shared lib
ii  libidn11                      1.22-2     GNU Libidn library, implementation
ii  liblua5.1-0                   5.1.4-10   Shared library for the Lua interpr
ii  liblua5.1-expat0              1.2.0-3    libexpat bindings for the Lua lang
ii  liblua5.1-filesystem0         1.5.0-2    luafilesystem library for the Lua 
ii  liblua5.1-socket2             2.0.2-6    TCP/UDP socket library for Lua 5.1
ii  libssl1.0.0                   1.0.0d-3   SSL shared libraries
ii  lua5.1                        5.1.4-10   Simple, extensible, embeddable pro
ii  openssl                       1.0.0d-3   Secure Socket Layer (SSL) binary a

Versions of packages prosody recommends:
ii  liblua5.1-event0              0.3.1-3    asynchronous event notification li
ii  liblua5.1-sec1                0.4-5      SSL socket library for the Lua lan

prosody suggests no packages.

-- Configuration Files:
/etc/prosody/conf.avail/example.com.cfg.lua [Errno 13] Permission denied: 
u'/etc/prosody/conf.avail/example.com.cfg.lua'
/etc/prosody/conf.avail/localhost.cfg.lua [Errno 13] Permission denied: 
u'/etc/prosody/conf.avail/localhost.cfg.lua'
/etc/prosody/prosody.cfg.lua [Errno 13] Permission denied: 
u'/etc/prosody/prosody.cfg.lua'

-- no debconf information
diff -ru prosody-0.8.2.old/debian/prosody.postinst prosody-0.8.2/debian/prosody.postinst
--- prosody-0.8.2.old/debian/prosody.postinst	2011-07-21 21:54:30.000000000 +0200
+++ prosody-0.8.2/debian/prosody.postinst	2011-08-16 19:01:44.224345471 +0200
@@ -90,6 +90,7 @@
 			-out "/etc/prosody/certs/localhost.cert" \
 			-keyout "/etc/prosody/certs/localhost.key" \
 			-subj "/C=../ST=./L=./O=$DOMAIN/OU=$HOST/CN=localhost/emailAddress=root@$HOST.$DOMAIN"
+		chmod 600 "/etc/prosody/certs/localhost.key"
 	fi
 
 	if grep -q 'require "util.ztact"' /etc/prosody/prosody.cfg.lua; then
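Review bot: the added `chmod 600` runs only after the command ending at the `-subj` line has already written `/etc/prosody/certs/localhost.key`, so the key still exists with the default-umask mode for a short window. Setting a restrictive umask around the key generation instead (for example, wrapping it in a subshell that first runs `umask 077`) would create the file private from the start. Two further points on the same line: the `chmod` sits inside the block closed by `fi`, so a key generated by an earlier install is not tightened on upgrade unless the `chmod` is also applied outside that branch. Nothing in the hunk sets the owner either, so mode 600 leaves the key readable only by the account running the postinst. If the daemon runs as a different user, it needs a matching `chown` to be able to load the key.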
