Vasudev Kamath asked me to include this information in the bug report.

From: Florian Weimer <f...@deneb.enyo.de>
Subject: Re: Accepted surf 0.4.1-6 (source i386)
To: Vasudev Kamath <kamathvasu...@gmail.com>
Date: Fri, 10 Feb 2012 23:18:36 +0100
Message-ID: <87vcnemiwz....@mid.deneb.enyo.de>

* Vasudev Kamath:

> surf (0.4.1-6) unstable; urgency=high
> .
> * QA upload.
> * debian/patches:
> + Added fix-insecure-permissions.patch to fix world readable cookie jar
> vulnerability CVE-2012-0842. (Closes: #659296)

- g_mkdir_with_parents(apath, 0755); + g_mkdir_with_parents(apath, 0700);

I think you should also downgrade the permissions from 0755 if the directory exists (in case we want to keep the package alive, which I doubt).

[Addendum: It is sufficient to do this with just one component of the path.]
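
Review bot: the new mode in g_mkdir_with_parents(apath, 0700) only applies to directories that this call creates, so a directory already created with 0755 by an earlier build keeps that mode and the world-readable state named in the changelog persists after the upgrade. Follow the call with an explicit g_chmod(apath, 0700) so existing installations are tightened as well. The return value of g_mkdir_with_parents is unused in both the removed and the added line; check it for -1 before apath is used.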
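
The tightening of an already existing directory suggested in the reply above, as an added example that is not part of the original message or of surf's code. It uses plain POSIX calls instead of GLib; `ensure_private_dir` and `demo_tighten_existing` are hypothetical names, and the temporary directory is constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not surf's code): ensure `path` is a directory owned
 * by the caller with mode 0700. Returns 0 on success, -1 on failure. */
int ensure_private_dir(const char *path)
{
    struct stat st;
    int fd, rc = -1;
    /* The mode argument only applies when the directory is created here. */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    /* Refuse symlinks and non-directories, then work on the descriptor so
     * the object that is checked is the object that is changed. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* Reject a directory owned by someone else; tighten one left at 0755. */
    if (fstat(fd, &st) == 0 && st.st_uid == geteuid() &&
        ((st.st_mode & 07777) == 0700 || fchmod(fd, 0700) == 0))
        rc = 0;
    close(fd);
    return rc;
}

/* Constructed scenario: a pre-existing 0755 directory, as an older build
 * would have left it. Returns the mode bits afterwards, or -1 on failure. */
int demo_tighten_existing(void)
{
    char dir[] = "/tmp/privdir-XXXXXX";
    struct stat st;
    int mode = -1;
    if (mkdtemp(dir) == NULL)
        return -1;
    if (chmod(dir, 0755) == 0 && ensure_private_dir(dir) == 0 &&
        stat(dir, &st) == 0)
        mode = (int)(st.st_mode & 07777);
    rmdir(dir);
    return mode;
}

int main(void)
{
    return demo_tighten_existing() == 0700 ? 0 : 1;
}
```

Applied to a single directory on the path, this matches the addendum: other users cannot traverse a 0700 component to reach anything below it.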