Bug#: 126475
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Mike Auty <ikelos@gentoo.org>

Description:   Opened: 2006-03-16 18:29 0000
Hi, I wasn't sure whether to post this under the Applications component or the
security component.  I eventually decided on security, but have made it a minor
issue.  Sorry if that's the wrong place...

Whilst emerging portaudio I spotted the following notice:

QA Security Notice:
- /usr/include/portaudio/portaudio.h will be a world writable file.
- This may or may not be a security problem, most of the time it is one.
- Please double check that portaudio-18.1-r3 really needs a world writeable bit
and file bugs accordingly.

I'm guessing the include file doesn't actually have to be installed world
writable, and I guess technically someone malicious could alter it so as to
backdoor any program relying on portaudio, maybe, perhaps.  It's a bit tenuous,
but it seems easily fixed.

If you need any further information, please let me know...
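
A check of the kind the QA notice above describes, as an added example (not part of the original report and not Portage's own code): POSIX shell functions that list world-writable files and non-sticky world-writable directories under a staged install tree, and clear the bit before the tree is merged. The function names and the staging-root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a staged install tree (an image directory populated
# before files are merged to /) for world-writable entries.
# Function names are hypothetical. Paths containing newlines are not handled.

# List world-writable regular files under $1, one path per line.
# find does not follow symlinks by default, so link targets are not reported.
ww_files() {
    find "$1" -type f -perm -0002 -print | sort
}

# List world-writable directories under $1 that lack the sticky bit.
# Sticky world-writable directories (the /tmp pattern) are deliberate.
ww_dirs_nosticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sort
}

# Print findings to stderr. Returns 0 if the tree is clean, 1 otherwise.
audit_tree() {
    found=$(
        ww_files "$1" | sed 's/^/world-writable file: /'
        ww_dirs_nosticky "$1" | sed 's/^/world-writable dir (no sticky bit): /'
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" >&2
    return 1
}

# Remove the "other write" bit from everything the audit would report.
strip_world_write() {
    find "$1" \( -type f -o \( -type d ! -perm -1000 \) \) \
        -perm -0002 -exec chmod o-w {} +
}

# Stand-alone use: pass the staging root as the first argument.
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

A header installed mode 0666 shows up in `ww_files`; after `strip_world_write` it is 0664 and the audit returns 0.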

------- Comment #1 From Stefan Cornelius (RETIRED) 2006-03-17 02:02:44 0000 -------
sound please check and provide a new ebuild if necessary, thank you.

------- Comment #2 From Jeremy Huddleston (RETIRED) 2006-03-31 22:38:42 0000 -------
arm, ia64, and sh should mark stable.  Only 18.1-r3 is affected.  I marked
amd64, sparc, ppc64, and x86 stable since I test on those archs.  I don't think
a GLSA is necessary.

------- Comment #3 From Sune Kloppenborg Jeppesen 2006-03-31 22:49:25 0000 -------
Thx Jeremy.

This one is ready for GLSA decision. I tend to vote NO.

arm, ia64, and sh please test and mark stable.

------- Comment #4 From Thierry Carrez (RETIRED) 2006-04-01 02:56:04 0000 -------
Bad product/component

------- Comment #5 From Raphael Marichez 2006-04-01 03:32:54 0000 -------
>   I don't think
> a GLSA is necessary.

Same thing here.

------- Comment #6 From Stefan Cornelius (RETIRED) 2006-04-01 06:14:04 0000 -------
I tend to say no, too

------- Comment #7 From Thierry Carrez (RETIRED) 2006-04-02 00:55:41 0000 -------
No and closing.
