Bug 250715 - www-misc/zoneminder allow any user to read configuration-files (CVE-2008-6756)
Summary: www-misc/zoneminder allow any user to read configuration-files (CVE-2008-6756)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-12-12 16:54 UTC by Rune Andresen
Modified: 2009-05-01 11:18 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Rune Andresen 2008-12-12 16:54:17 UTC
The ebuild /usr/portage/www-misc/zoneminder/zoneminder-1.23.3.ebuild has the following:

        fperms 0644 /etc/zm.conf

This allows any user to read the database user and password. I believe it would be better with:

        fperms 0640 /etc/zm.conf



Reproducible: Always

Steps to Reproduce:
1. Install ZoneMinder

Actual Results:  
Any user can read the configuration.

Expected Results:  
Only apache should read the username/password.

It's easy to correct (just do a chmod o-r /etc/zm.conf).
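The check and the fix the report describes, as an added example that is not part of the bug report or of the ZoneMinder ebuild: a small POSIX sh audit that flags a credential-bearing config file whose mode grants read access to "other" (the 0644 case) and, on request, applies the reporter's `chmod o-r` remediation. The sample file content is constructed and only stands in for /etc/zm.conf.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a config file that holds
# database credentials for the world-readable mode described above.

# Print the octal permission bits of a file (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Return 0 when the "other" read bit is set, i.e. every local user can read it.
# 0644 has that bit (last digit 4); 0640 does not.
is_world_readable() {
    [ $(( 0$(file_mode "$1") & 4 )) -ne 0 ]
}

# Audit one file. With "fix" as the second argument, drop the other-read bit,
# which turns a 0644 file into the proposed 0640. Returns 1 if exposure was found.
audit_config() {
    file="$1"; action="${2:-report}"
    if is_world_readable "$file"; then
        printf '%s: mode %s is world-readable\n' "$file" "$(file_mode "$file")"
        if [ "$action" = fix ]; then
            chmod o-r "$file"
            printf '%s: now mode %s\n' "$file" "$(file_mode "$file")"
        fi
        return 1
    fi
    printf '%s: mode %s ok\n' "$file" "$(file_mode "$file")"
    return 0
}

# Constructed demo: a stand-in for /etc/zm.conf, first with the shipped 0644 mode.
demo() {
    tmp=$(mktemp)
    printf 'db_user=constructed-user\ndb_pass=constructed-placeholder\n' > "$tmp"
    chmod 0644 "$tmp"
    audit_config "$tmp" fix || true   # reports exposure, then tightens to 0640
    audit_config "$tmp"               # second pass is clean
    rm -f "$tmp"
}

demo
```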
Comment 1 Gunnar Wrobel (RETIRED) gentoo-dev 2008-12-28 21:50:06 UTC
Fixed in CVS, albeit without bumping the revision as I'm considering masking the package anyhow (see bug #236517). Webapps done.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-11 19:25:47 UTC
Thanks, closing.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-01 11:18:02 UTC
CVE-2008-6756 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6756):
  ZoneMinder 1.23.3 on Gentoo Linux uses 0644 permissions for
  /etc/zm.conf, which allows local users to obtain the database
  username and password by reading this file.