Bug#: 91465
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: eromang <eromang@zataz.net>
Description:   Opened: 2005-05-04 11:40 0000
Hello,

maildrop is used for mail delivery or filtering.

The /etc/maildrop/ directory contains the configuration files:

eric maildrop # ls -la
total 14
drwxr-xr-x   2 root root 1024 May  4 19:50 .
drwxr-xr-x  80 root root 4096 May  4 19:50 ..
-rw-r--r--   1 root root 4549 May  4 19:50 maildropldap.cf
-rw-r--r--   1 root root 3163 May  4 19:50 maildropmysql.cf

These files are world readable; a malicious local user could obtain sensitive information.

Reproducible: Always

Actual Results:  
These files are world readable.

Expected Results:  
These files should not be world readable.

------- Comment #1 From Fernando J. Pereda 2005-05-04 12:42:40 0000 -------
Fixed in CVS, thanks (is 1.7.0-r3)

Cheers,
Ferdy

------- Comment #2 From Fernando J. Pereda 2005-05-04 12:55:39 0000 -------
Shouldn't have resolved that... I'm going to push the 1.8.0 series as stable to fix
this so we can remove the old ebuilds.

BTW, sorry for messing with security bugs, didn't notice the first time.

Cheers,
Ferdy

------- Comment #3 From Sune Kloppenborg Jeppesen 2005-05-04 23:09:52 0000 -------
Arches please mark maildrop-1.8.0-r3 stable.

------- Comment #4 From Bryan Østergaard (RETIRED) 2005-05-05 01:25:38 0000 -------
Alpha stable.

------- Comment #5 From Jeffrey Forman (RETIRED) 2005-05-05 05:18:01 0000 -------
Looks good on Sparc, but I'm not bumping it until I get the nod from
Weeve/Gustavoz

napavalley portage # cd /etc/maildrop
napavalley maildrop # ls -l
total 0
-rw-r-----  1 root root 0 May  5 08:16 maildropmysql.cf

------- Comment #6 From Jeffrey Forman (RETIRED) 2005-05-05 07:36:44 0000 -------
Stable on sparc.

------- Comment #7 From Sune Kloppenborg Jeppesen 2005-05-11 07:24:25 0000 -------
Oops, slipped under my radar. This one is ready for GLSA decision. I tend to
vote NO.

------- Comment #8 From Thierry Carrez (RETIRED) 2005-05-12 05:48:42 0000 -------
I agree with NO. Specific subconfig files containing passwords should/could be
restricted post-config on machines with local hostiles...

Closing.
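An added audit-and-remediation example (not part of the bug report or of the maildrop ebuild): it lists world-readable files in a config directory such as /etc/maildrop and restricts them to 0640, the mode comment #5 shows after the fix. The sample file contents are constructed placeholders, not real maildrop syntax.

```shell
#!/bin/sh
# Added example: audit a maildrop-style config directory for world-readable
# files and restrict them to 0640 (owner rw, group r, nothing for others).

# Print every regular file under $1 whose "other read" bit is set.
# Defaults to /etc/maildrop, the directory from the report.
world_readable_files() {
    dir="${1:-/etc/maildrop}"
    # -perm -004 is POSIX find: matches when o+r is among the mode bits
    find "$dir" -type f -perm -004 2>/dev/null
}

# Number of offending files; "0" means the directory passes the check.
count_world_readable() {
    world_readable_files "$1" | wc -l | tr -d ' '
}

# Remediation: set 0640 on every regular file in the directory.
# Ownership is left as-is; the fixed package ships them as root:root.
restrict_config_files() {
    dir="${1:-/etc/maildrop}"
    find "$dir" -type f -exec chmod 0640 {} +
}

# Demo against a constructed temporary directory so nothing under /etc
# is touched; the file names mirror the ones listed in the report.
demo() {
    tmp="$(mktemp -d)"
    # constructed placeholder content, not real maildrop configuration
    printf 'placeholder_key placeholder_value\n' > "$tmp/maildropmysql.cf"
    printf 'placeholder_key placeholder_value\n' > "$tmp/maildropldap.cf"
    chmod 0644 "$tmp"/*.cf          # reproduce the reported 0644 state
    before="$(count_world_readable "$tmp")"
    restrict_config_files "$tmp"
    after="$(count_world_readable "$tmp")"
    echo "world-readable files before: $before, after: $after"
    rm -rf "$tmp"
}

demo
```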
