[Debian-med-packaging] Bug#683647: Fwd: CVE ASSIGNMENT: logol: creates world writable directory: /var/lib/logol/results

Andreas Beckmann debian at abeckmann.de
Fri Aug 3 18:24:10 UTC 2012



-------- Original Message --------
Subject: CVE ASSIGNMENT: logol: creates world writable directory: /var/lib/logol/results
Date: Fri, 03 Aug 2012 12:07:31 -0600
From: Kurt Seifried <kseifried at redhat.com>
To: oss-security at lists.openwall.com <oss-security at lists.openwall.com>,
      Andreas Beckmann <debian at abeckmann.de>


logol: creates world writable directory: /var/lib/logol/results

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683647

Package: logol
Version: 1.5.0-2
Severity: grave
Tags: security
Justification: user security hole
User: debian-qa at lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed that your package creates a world
writable directory:

    drwxrwxrwx 2 root root 40 Jul  1 21:59 /var/lib/logol/results

There, any local user may delete/replace arbitrary files that were not
created by the user himself.


Andreas

Please use CVE-2012-3453 for this issue.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

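As an added example (not part of the report, of piuparts, or of the logol package): a small Python check that flags directories with the mode reported above, world-writable without the sticky bit, and shows that a sticky 1777 directory (as /tmp) or a plain 0755 one would not be flagged. The `is_risky_dir`/`find_risky_dirs` helpers and the temporary layout they scan are my constructions.

```python
from __future__ import annotations
import os
import stat
import tempfile


def is_risky_dir(mode: int) -> bool:
    """True for a directory that is world-writable (o+w) but lacks the sticky bit.

    drwxrwxrwx (0777): any local user can unlink/rename entries owned by others.
    drwxrwxrwt (1777): only an entry's owner, the directory owner, or root can
    remove it, which is why shared scratch areas like /tmp use this mode."""
    return bool(mode & stat.S_IWOTH) and not bool(mode & stat.S_ISVTX)


def find_risky_dirs(root: str) -> list[str]:
    """Walk `root` (without following symlinks) and return the risky directories."""
    found = []
    for dirpath, _dirnames, _files in os.walk(root):
        st = os.lstat(dirpath)
        if stat.S_ISDIR(st.st_mode) and is_risky_dir(st.st_mode):
            found.append(dirpath)
    return sorted(found)


def demo() -> list[str]:
    """Constructed layout mirroring the bug: results/ shipped at 0777, plus a
    sticky 1777 directory and a normal 0755 one as controls. Returns the names
    (relative to the temporary root) that the check flags."""
    with tempfile.TemporaryDirectory() as tmp:
        layout = {"results": 0o777, "scratch": 0o1777, "private": 0o755}
        for name, mode in layout.items():
            path = os.path.join(tmp, name)
            os.mkdir(path)
            os.chmod(path, mode)  # explicit chmod so the umask does not interfere
        return [os.path.relpath(p, tmp) for p in find_risky_dirs(tmp)]


if __name__ == "__main__":
    print(demo())  # ['results']
```

The same check applied to an installed package tree (for example under /var/lib) is the kind of test piuparts runs; the usual fix in a maintainer script is a dedicated group-writable directory or, when true sharing is needed, mode 1777.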


