Bug#405510: Build process sets the eog-$VER directory perms to 777

Sami Liedes sliedes at cc.hut.fi
Thu Jan 4 04:02:59 CET 2007


Package: eog
Version: 2.16.2-1
Severity: grave
Tags: security
Justification: user security hole

This is a user security hole only on systems where the package is
built. Sorry if this doesn't qualify it for the grave severity.

The build process of eog sets the perms of the entire eog-$VERSION
subdirectory and all its subdirectories to 777 before compilation.
This allows a local attacker to do any nastiness to the source files
or scripts that subsequently get packaged in a .deb. The attacker can
also choose to run any code as the user building the package.

	Sami


-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-amd64
Locale: LANG=C, LC_CTYPE=fi_FI@euro (charmap=ISO-8859-15)

Versions of packages eog depends on:
ii  gconf2                       2.16.0-3    GNOME configuration database syste
ii  libart-2.0-2                 2.3.17-1    Library of functions for 2D graphi
ii  libc6                        2.3.6.ds1-9 GNU C Library: Shared libraries
ii  libexif12                    0.6.13-5    library to parse EXIF files
ii  libgconf2-4                  2.16.0-3    GNOME configuration database syste
ii  libglade2-0                  1:2.6.0-4   library to load .glade files at ru
ii  libglib2.0-0                 2.12.6-2    The GLib library of C routines
ii  libgnome-desktop-2           2.14.3-1    Utility library for loading .deskt
ii  libgnome2-0                  2.16.0-2    The GNOME 2 library - runtime file
ii  libgnomecanvas2-0            2.14.0-2    A powerful object-oriented display
ii  libgnomeprint2.2-0           2.12.1-7    The GNOME 2.2 print architecture -
ii  libgnomeprintui2.2-0         2.12.1-4    GNOME 2.2 print architecture User 
ii  libgnomeui-0                 2.14.1-2+b1 The GNOME 2 libraries (User Interf
ii  libgnomevfs2-0               2.14.2-4    GNOME virtual file-system (runtime
ii  libgtk2.0-0                  2.8.20-3    The GTK+ graphical user interface 
ii  libjpeg62                    6b-13       The Independent JPEG Group's JPEG 
ii  liblcms1                     1.15-1      Color management library
ii  libpango1.0-0                1.14.8-4    Layout and rendering of internatio
ii  libx11-6                     2:1.0.3-4   X11 client-side library

Versions of packages eog recommends:
ii  librsvg2-common               2.14.4-2   SAX-based renderer library for SVG

-- no debconf information
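The check a packager would want after reading this report, as an added example that is not part of the bug report or of the eog package: it builds a small constructed source tree, reproduces the reported condition (the whole tree made mode 777 before compilation), counts the entries any local user could write to, and then strips the write bits again. The directory layout, file names and the `make_demo_tree`/`count_world_writable`/`harden_tree` function names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the bug report or from eog's debian/rules.
# Reproduces "chmod -R 777 on the unpacked source before the build" in a
# throw-away directory, scans for world-writable entries, and fixes them.

# Create a constructed source tree and apply the reported bad chmod to it.
# Prints the temporary parent directory so the caller can clean it up.
make_demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/eog-2.16.2/src"
    printf 'int main(void) { return 0; }\n' > "$dir/eog-2.16.2/src/main.c"
    printf '#!/bin/sh\necho configure\n' > "$dir/eog-2.16.2/configure"
    # The reported defect: every file and directory becomes world-writable.
    # Any local user can now replace main.c or configure before the build
    # runs, so the resulting .deb (and the building user's account) are
    # only as trustworthy as every other account on the build host.
    chmod -R 777 "$dir/eog-2.16.2"
    printf '%s\n' "$dir"
}

# Count files and directories under $1 whose "other" write bit is set.
# find's -perm -o+w tests the permission bits themselves, so the result is
# the same whether the scan runs as root or as an unprivileged user.
count_world_writable() {
    find "$1" -perm -o+w | wc -l | tr -d ' '
}

# Remediation: remove group and other write permission from the whole tree,
# and set a umask so that anything the build creates afterwards is not
# world-writable either.
harden_tree() {
    chmod -R go-w "$1"
    umask 022
}

# Stand-alone usage: report before and after, then clean up.
demo_tmp=$(make_demo_tree)
echo "world-writable entries before: $(count_world_writable "$demo_tmp/eog-2.16.2")"
harden_tree "$demo_tmp/eog-2.16.2"
echo "world-writable entries after:  $(count_world_writable "$demo_tmp/eog-2.16.2")"
rm -rf "$demo_tmp"
```

Running `count_world_writable` on an unpacked source tree right before `debian/rules build` is a cheap guard against exactly this class of packaging mistake; a non-zero count on a multi-user build host means the sources can no longer be trusted to match what was unpacked.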
More information about the Pkg-gnome-maintainers mailing list