2009/12/12 Nico Golde <n...@debian.org>:
> severity 560771 important
> thanks
>
> * Raphael Geissert <geiss...@debian.org> [2009-12-12 13:23]:
>> Package: acpid
>> Version: 1.0.4-5
>> Severity: grave
>> Tags: security
>>
>> Hi,
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for acpid.
>>
>> CVE-2009-4235[0]:
>> | acpid 1.0.4 sets an unrestrictive umask, which might allow local users
>> | to leverage weak permissions on /var/log/acpid, and obtain sensitive
>> | information by reading this file or cause a denial of service by
>> | overwriting this file, a different vulnerability than CVE-2009-4033.
>>
>> If you fix the vulnerability please also make sure to include the
>> CVE id in your changelog entry.
>>
>> The vulnerability only seems to affect oldstable, but I noticed that none of
>> the versions remove the log file, so the permissions of the file need to be
>> fixed by all the other versions.
>
> Lowering the severity as in a typical use case this file does not carry
> sensitive information and is probably also not used in many scenarios where
> the DoS vector is of great relevance.
Ok, although it can still be (ab)used to fill the partition where the log file is stored.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
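The umask problem described in the CVE text above, as an added example that is not acpid's code and not part of this thread: a daemon that clears its umask and creates its log with a permissive mode, beside a hardened variant, plus the kind of permission check the report asks for on existing installs. Whether acpid's real code did exactly this is not stated in the thread; the function names, the /tmp scratch paths and the 0666 request are assumptions of the example.

```c
/* Added example, not code from acpid or from this thread: how a daemon's
 * umask decides the mode of a log file it creates, and a hardened variant.
 * The /tmp scratch paths and function names are assumptions of the example. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0   /* not available on this platform; symlink refusal is lost */
#endif

/* Weak pattern (assumed, illustrative): clear the umask, then create the log
 * with a permissive mode. The kernel applies mode & ~umask, so the file ends
 * up 0666: any local user can read it, overwrite it, or fill the partition. */
static int create_log_weak(const char *path)
{
    mode_t saved = umask(0);
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0666);
    umask(saved);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return (int)(st.st_mode & 0777);   /* 0666 */
}

/* Hardened: request a tight mode regardless of the inherited umask, refuse a
 * symlink planted at the path, and fchmod() because open()'s mode is only
 * applied when the file is created, not when a weak file already exists. */
static int create_log_hardened(const char *path)
{
    mode_t saved = umask(077);
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    umask(saved);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fchmod(fd, 0600) < 0 || fstat(fd, &st) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return (int)(st.st_mode & 0777);   /* 0600 */
}

/* Audit check for an existing log file: 1 if it is group-writable or
 * readable/writable by others (or is a symlink), 0 if tight, -1 on error. */
static int log_is_weak(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0)
        return -1;
    if (S_ISLNK(st.st_mode))
        return 1;
    return (st.st_mode & (S_IWGRP | S_IROTH | S_IWOTH)) ? 1 : 0;
}

/* Create a fresh per-process scratch log weak or hardened; return its mode
 * bits, or the audit verdict when `audit` is nonzero. */
static int demo(int hardened, int audit)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/umask-demo-%ld-%d.log",
             (long)getpid(), hardened);
    unlink(path);                      /* make sure open() really creates it */
    int mode = hardened ? create_log_hardened(path) : create_log_weak(path);
    int weak = log_is_weak(path);
    unlink(path);
    return audit ? weak : mode;
}

int main(void)
{
    printf("weak daemon:     mode %04o, audit weak=%d\n",
           (unsigned)demo(0, 0), demo(0, 1));
    printf("hardened daemon: mode %04o, audit weak=%d\n",
           (unsigned)demo(1, 0), demo(1, 1));
    return 0;
}
```

The fchmod() in the hardened path is what matters for the point made in the report that no version removes the old log file: a tightened umask only affects files created from then on, so a daemon that inherits a world-readable /var/log/acpid from an older version still has to fix the mode of the existing file itself (or the package's maintainer scripts must).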