Bug#429736: world readable passwords in /var/cache/debconf/config.dat
A Mennucc
debdev at tonelli.sns.it
Wed Jun 20 07:29:45 UTC 2007
On Tue, Jun 19, 2007 at 09:28:05PM +0100, Stefano Zacchiroli wrote:
> Package: zope-debhelper
> Version: 0.3.9
> Severity: grave
> Tags: security
>
> The maintainer scripts generated by zope-debhelper leave passwords in
> /var/cache/debconf/config.dat. Passwords are therefore world readable by
> any user of the system. Tagging this bug as security since this is a
> local privilege escalation: users can access instances as the
> administrator user.
they should go in /var/cache/debconf/passwords.dat instead
(and that is where zope-common did put them AFAICT)
a.
--
Andrea Mennucc
"The EULA sounds like it was written by a team of lawyers who want to tell
me what I can't do, and the GPL sounds like it was written by a human
being who wants me to know what I can do."
Anonymous, http://www.securityfocus.com/columnists/420
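
An audit check for the condition reported in this thread, added here as an example and not part of the original messages: it parses a debconf database in the blank-line-separated `Name:`/`Value:` stanza layout and lists secret-looking questions that still hold a value, plus a check of the file's world-read bit. The `example-instance/*` question names, the sample values and the name-matching heuristic are assumptions made for the example.

```python
import os
import re
import stat

# Assumption: question names containing these words hold a secret.
SECRET_NAME = re.compile(r"pass|secret", re.IGNORECASE)

# Constructed sample in the stanza layout of debconf's File driver.
SAMPLE = """\
Name: example-instance/admin-user
Value: admin
Owners: example-instance

Name: example-instance/admin-password
Value: constructed-secret
Owners: example-instance
Flags: seen

Name: example-instance/old-password
Value:
Owners: example-instance
"""

def parse_stanzas(text):
    """Return one dict per blank-line-separated stanza."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:  # continuation, e.g. Variables:
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas

def exposed_secrets(text):
    """Names of secret-looking questions that still carry a value."""
    return [s["Name"] for s in parse_stanzas(text)
            if SECRET_NAME.search(s.get("Name", "")) and s.get("Value")]

def world_readable(path):
    """True if the 'other' read bit is set on path."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

if __name__ == "__main__":
    print(exposed_secrets(SAMPLE))
```

On a live system, pass the contents of /var/cache/debconf/config.dat to `exposed_secrets()` and the path to `world_readable()`; a non-empty list from a world-readable file is the exposure described in the report.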