Keylime: The keylime.conf file installed as world-readable

High
mpeters published GHSA-fchm-5w2v-qfm8 Jan 27, 2022

Package

keylime (Keylime)

Affected versions

<6.2.0

Patched versions

6.3.0

Description

Impact

In affected versions, the Keylime installer writes the keylime.conf file, which can contain sensitive data, with world-readable permissions, so any local user on the host can read it.

Patches

Users should upgrade to at least 6.3.x.
The fix for the Debian packaging can be found here: utkarsh2102/python-keylime#39

Workarounds

After installing an affected version, run chmod 600 on the file to restrict its readability to the owning user.
Note that the SUSE package already had this issue fixed in earlier versions.
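The following POSIX shell script is an added example, not part of the advisory or of the Keylime project. It turns the workaround above into a repeatable check: it reports whether a configuration file is readable by "other" and tightens it to mode 600 only when needed, so it can be run after every install or from a configuration-management hook. The default path /etc/keylime.conf is an assumption; the advisory does not state where the installer places the file, so pass the actual path as the first argument.

```shell
#!/bin/sh
# Added example (not from the advisory or the Keylime project).
# Checks whether a config file is world-readable and, if so, applies the
# advisory's workaround (chmod 600). Uses only POSIX tools (ls, cut, chmod).

# is_world_readable FILE -> returns 0 when "other" has read permission.
# In `ls -l` output the permission string is: type, owner rwx, group rwx,
# other rwx; the 8th character is the "other read" bit.
is_world_readable() {
    perm=$(ls -ld "$1" | cut -c8)
    [ "$perm" = "r" ]
}

# restrict_config FILE -> prints "missing:", "fixed:" or "ok:" and
# applies chmod 600 only when the file is currently world-readable.
restrict_config() {
    if [ ! -f "$1" ]; then
        echo "missing: $1"
        return 2
    fi
    if is_world_readable "$1"; then
        chmod 600 "$1"
        echo "fixed: $1"
    else
        echo "ok: $1"
    fi
}

# Stand-alone use: check the path given on the command line, or the
# assumed default /etc/keylime.conf when run with an explicit argument list.
# Example: sh restrict_conf.sh /etc/keylime.conf
if [ $# -gt 0 ]; then
    restrict_config "${1:-/etc/keylime.conf}"
fi
```

The script is idempotent: a second run on the same file reports "ok" and makes no change, which makes it safe to wire into a post-install step. It intentionally checks only the "other" read bit, matching the advisory's scope; group readability is left to local policy.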

Credit

Many thanks to Matthias Gerstner for finding this issue and to Alberto Planas for the fix.

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2022-23952

Weaknesses

No CWEs