[Pkg-net-snmp-devel] Bug#389434: /usr/share/snmp/mibs/.index has mode 0666
Michael Tautschnig
tautschn at model.in.tum.de
Mon Sep 25 17:06:21 UTC 2006
Package: libsnmp-base
Version: 5.2.3-1
Severity: critical
Justification: may lead to DoS
I just noticed that somehow the file /usr/share/snmp/mibs/.index had been
created, probably due to the hplip package using SNMP; apart from the fact that
creating a file dynamically in /usr probably violates FHS, the permissions of
the file pose a security threat:
-rw-rw-rw- 1 root root 2148 Sep 20 17:50 /usr/share/snmp/mibs/.index
Any user may fill this file with arbitrary data and thus get the partition this
directory resides on completely filled. Furthermore, it may introduce other
security risks if the contents of this file are evaluated; but I don't know
anything about the internals of libsnmp and thus cannot say whether this really
poses a problem.
Regards,
Michael
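
Added example (not part of the original report and not code from net-snmp or Debian): a shell audit for the condition reported above, regular files that any local user can write to under a system tree such as /usr/share/snmp. The function names are hypothetical, and GNU find and stat are assumed, as on Debian.

```shell
#!/bin/sh
# Added example: audit a directory tree for world-writable regular files.
# Output, one line per finding: MODE OWNER SIZE PATH

list_world_writable() {
    # -xdev        stay on the filesystem the tree lives on
    # -type f      regular files only (symlinks are not followed)
    # -perm -0002  the "other" write bit is set, as in mode 0666
    find "$1" -xdev -type f -perm -0002 \
        -exec stat -c '%a %U %s %n' {} + 2>/dev/null
}

audit_world_writable() {
    # Prints the findings and returns 1 if any exist, 0 if the tree is clean.
    findings=$(list_world_writable "$1") || true
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

fix_world_writable() {
    # Clear only the "other" write bit; owner and group bits are untouched,
    # so 0666 becomes 0664 and 0646 becomes 0644.
    find "$1" -xdev -type f -perm -0002 -exec chmod o-w {} +
}
```

After sourcing the file, `audit_world_writable /usr/share/snmp` lists any findings, and the non-zero return value makes it usable from a cron job or a package QA check.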