Bug 93558 - app-text/silvercity-0.9.5 contains world writable executables
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Other
: High normal
Assignee: Gentoo Security
Whiteboard: B2? [glsa]
Reported: 2005-05-22 08:17 UTC by Jürgen Hötzel
Modified: 2005-06-08 08:49 UTC

Attachments
Patch for silvercity-0.9.5.ebuild (silvercity-0.9.5-r1.ebuild.patch, 499 bytes, patch)
2005-05-22 08:18 UTC, Jürgen Hötzel
Description Jürgen Hötzel 2005-05-22 08:17:39 UTC
# ls -l /usr/bin/*.py
-rwxrwxrwx  1 root root 4443 May 22 16:58 /usr/bin/cgi-styler-form.py
-rwxrwxrwx  1 root root 2990 May 22 16:58 /usr/bin/cgi-styler.py
-rwxrwxrwx  1 root root 3776 May 22 16:58 /usr/bin/source2html.py

This is because the source tarball comes with these permissions.

The enclosed ebuild patch also contains a fix for a CR/LF and python-path issue:

# source2html.py 
: No such file or directory

I think upstream creates packages under Windows.

J
Comment 2 Jürgen Hötzel 2005-05-22 08:18:48 UTC
Created attachment 59544
Patch for silvercity-0.9.5.ebuild
Comment 3 Jürgen Hötzel 2005-05-31 14:39:32 UTC
This is also a security issue: Users can modify silvercity executables.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-06-01 00:54:01 UTC
web-apps: please patch
Comment 5 Aaron Walker (RETIRED) gentoo-dev 2005-06-01 08:57:30 UTC
0.9.5-r1 in cvs, x86 stable. ppc please stable, and if you'd be so kind remove
that old ebuild.
Comment 6 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-06-02 14:17:53 UTC
Stable on ppc.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-06-03 00:42:06 UTC
Ready for GLSA vote.
This is somewhat between a "default config" and vulnerability so I'm not sure. I
guess we should issue one...
Comment 8 Matthias Geerdsen (RETIRED) gentoo-dev 2005-06-06 04:59:06 UTC
I think we should issue one.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-06-06 11:24:03 UTC
solar voted yes. Let's have a GLSA
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-08 08:49:37 UTC
GLSA 200506-05