From Debian Security Advisory DSA 830-1 CVE ID : CAN-2005-2962 Drew Parsons noticed that the post-installation script of ntlmaps, an NTLM authorisation proxy server, changes the permissions of the configuration file to be world-readable. It contains the user name and password of the Windows NT system that ntlmaps connects to and, hence, leaks them to lokal users. On Gentoo : -rw-r--r-- 1 root root 8523 Oct 1 12:14 /etc/ntlmaps/server.cfg Here we consider that it's up to the user to protect confidential information with the right permissions, but it's a bad default permission for sure.
Created attachment 69631 [details, diff] Secure the permissions on the config file
net-proxy please advise.
the patch would be ok if the ntlmaps service wouldn't run as user nobody. I'll see what I can do about that.
fixed in 0.9.9.5-r1 and 0.9.9-r2. the later has been commited as x86. now the ebuild creates ntlmaps user & group and run the service as ntlmaps. also the new versions replace the permissions and group of the existing /etc/ntlmaps/server.cfg, which I intend to keep it for awhile.
Thx Alin. Arches please test and mark stable.
Stable on alpha Cheers, Ferdy
ia64 stable.
Should 0.9.9.5-r1 go to stable as well? This bug is a bit unclear about that.
No, 0.9.9.5-r1 doesn't /need/ to go stable.
Why is x86@ still CCed then? Alin committed 0.9.9-r2 directly as stable on x86, see comment #4.
Thx. All stable -> Closing without GLSA.
