93558 – app-text/silvercity-0.9.5 contains world writable executables

Bug 93558 - app-text/silvercity-0.9.5 contains world writable executables

Summary: app-text/silvercity-0.9.5 contains world writable executables

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Other

Importance:	High normal
Assignee:	Gentoo Security

URL:
Whiteboard:	B2? [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2005-05-22 08:17 UTC by Jürgen Hötzel
Modified:	2005-06-08 08:49 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Patch for silvercity-0.9.5.ebuild (silvercity-0.9.5-r1.ebuild.patch,499 bytes, patch) 2005-05-22 08:18 UTC, Jürgen Hötzel	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jürgen Hötzel 2005-05-22 08:17:39 UTC

# ls -l /usr/bin/*.py
-rwxrwxrwx  1 root root 4443 May 22 16:58 /usr/bin/cgi-styler-form.py
-rwxrwxrwx  1 root root 2990 May 22 16:58 /usr/bin/cgi-styler.py
-rwxrwxrwx  1 root root 3776 May 22 16:58 /usr/bin/source2html.py

This is because the source tarball comes with these permissions.

enclosed ebuild patch also contains fix for a CR/LF and python-path issue:

# source2html.py 
: No such file or directory

I think upstream creates packages under windows.

J

Comment 1 Jürgen Hötzel 2005-05-22 08:17:39 UTC

# ls -l /usr/bin/*.py
-rwxrwxrwx  1 root root 4443 May 22 16:58 /usr/bin/cgi-styler-form.py
-rwxrwxrwx  1 root root 2990 May 22 16:58 /usr/bin/cgi-styler.py
-rwxrwxrwx  1 root root 3776 May 22 16:58 /usr/bin/source2html.py

This is because the source tarball comes with these permissions.

enclosed ebuild patch also contains fix for a CR/LF and python-path issue:

# source2html.py 
: No such file or directory

I think upstream creates packages under windows.

Jürgen

Comment 2 Jürgen Hötzel 2005-05-22 08:18:48 UTC

Created attachment 59544 [details, diff]
Patch for silvercity-0.9.5.ebuild

Comment 3 Jürgen Hötzel 2005-05-31 14:39:32 UTC

This is also a security issue: Users can modify silvercity executables.

Comment 4 Thierry Carrez (RETIRED) gentoo-dev

2005-06-01 00:54:01 UTC

web-apps: please patch

Comment 5 Aaron Walker (RETIRED) gentoo-dev

2005-06-01 08:57:30 UTC

0.9.5-r1 in cvs, x86 stable. ppc please stable, and if you'd be so kind remove
that old ebuild.

Comment 6 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev

2005-06-02 14:17:53 UTC

Stable on ppc.

Comment 7 Thierry Carrez (RETIRED) gentoo-dev

2005-06-03 00:42:06 UTC

Ready for GLSA vote.
This is somewhat between a "default config" and vulnerability so I'm not sure. I
guess we should issue one...

Comment 8 Matthias Geerdsen (RETIRED) gentoo-dev

2005-06-06 04:59:06 UTC

I think we should issue one.

Comment 9 Thierry Carrez (RETIRED) gentoo-dev

2005-06-06 11:24:03 UTC

solar voted yes. Let's have a GLSA

Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-06-08 08:49:37 UTC

GLSA 200506-05