91465 2005-05-04 11:40 0000 maildrop insecure file & directory permissions : informations leak 2005-05-12 05:48:42 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED A4 [noglsa] jaervosz P2 minor --- 1 eromang@zataz.net security@gentoo.org net-mail@gentoo.org eromang@zataz.net 2005-05-04 11:40:52 0000 Hello, maildrop is used for mail delivery or filtering. The /etc/maildrop/ directory containt the configuration file : eric maildrop # ls -la total 14 drwxr-xr-x 2 root root 1024 May 4 19:50 . drwxr-xr-x 80 root root 4096 May 4 19:50 .. -rw-r--r-- 1 root root 4549 May 4 19:50 maildropldap.cf -rw-r--r-- 1 root root 3163 May 4 19:50 maildropmysql.cf This files are world readable, a malicious local user could obtain senstive informations. Reproducible: Always Steps to Reproduce: 1. 2. 3. Actual Results: This files are world readable. Expected Results: This files should not be world readable ferdy@gentoo.org 2005-05-04 12:42:40 0000 Fixed in CVS, thanks (is 1.7.0-r3) Cheers, Ferdy ferdy@gentoo.org 2005-05-04 12:55:39 0000 Shouldn't have resolved that... im going to push 1.8.0 series as stable to fix this so we can remove the old ebuilds. BTW, sorry for messing with security bugs, didn't notice the first time. Cheers, Ferdy jaervosz@gentoo.org 2005-05-04 23:09:52 0000 Arches please mark maildrop-1.8.0-r3 stable. kloeri@gentoo.org 2005-05-05 01:25:38 0000 Alpha stable. jforman@gentoo.org 2005-05-05 05:18:01 0000 Looks good on Sparc, but I'm not bumping it until I get the nod from Weeve/Gustavoz napavalley portage # cd /etc/maildrop napavalley maildrop # ls -l total 0 -rw-r----- 1 root root 0 May 5 08:16 maildropmysql.cf jforman@gentoo.org 2005-05-05 07:36:44 0000 Stable on sparc. jaervosz@gentoo.org 2005-05-11 07:24:25 0000 Oops slipped under my radar. This one is ready for GLSA decision. I tend to vote NO. koon@gentoo.org 2005-05-12 05:48:42 0000 I agree with NO. Specific subconfig files containing passwords should/could be restricted post-config on machines with local hostiles... Closing.