-------- Original Message --------
Subject: CVE ASSIGNMENT: logol: creates world writable directory: /var/lib/logol/results
Date: Fri, 03 Aug 2012 12:07:31 -0600
From: Kurt Seifried <kseifr...@redhat.com>
To: oss-secur...@lists.openwall.com <oss-secur...@lists.openwall.com>, Andreas Beckmann <deb...@abeckmann.de>

logol: creates world writable directory: /var/lib/logol/results
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683647

Package: logol
Version: 1.5.0-2
Severity: grave
Tags: security
Justification: user security hole
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed that your package creates a world
writable directory:

  drwxrwxrwx 2 root root 40 Jul 1 21:59 /var/lib/logol/results

There any local user may delete/replace arbitrary files that were not
created by the user himself.

Andreas

Please use CVE-2012-3453 for this issue.

-- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
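
Added example, not part of the original message, the logol package or piuparts: a shell check for the condition the report describes, a directory that is world-writable without the sticky bit (drwxrwxrwx, mode 0777, rather than 1777). The function names and the temporary demo tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list directories under a root that are world-writable
# but lack the sticky bit. audit_world_writable and count_findings are
# hypothetical helper names, not piuparts commands.

audit_world_writable() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # -perm -0002   : the "other" write bit is set
    # ! -perm -1000 : the sticky bit is NOT set, so any local user can
    #                 delete or replace entries owned by someone else
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# Number of offending directories; non-zero means the tree needs fixing.
count_findings() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Constructed demo tree (stands in for /var/lib, not the real system path).
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/lib/logol/results" "$t/tmp" "$t/lib/ok"
    chmod 0777 "$t/lib/logol/results"   # as in the report: drwxrwxrwx
    chmod 1777 "$t/tmp"                 # sticky bit set: not reported
    chmod 0755 "$t/lib/ok"              # not world-writable: not reported
    echo "world-writable directories without sticky bit:"
    audit_world_writable "$t"
    rm -rf "$t"
}

demo
```

On an installed system the same function can be pointed at a package's state directory, for example `audit_world_writable /var/lib`.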