Bug 162700 - app-i18n/kurso-de-esperanto-3.0 - world writeable bit on all files
Status: RESOLVED FIXED
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B3?? [noglsa]
Reported: 2007-01-18 20:10 UTC by Flemming Richter
Modified: 2007-02-10 19:43 UTC
Description Flemming Richter 2007-01-18 20:10:28 UTC
When I try to emerge app-i18n/kurso-de-esperanto-3.0, I get this notice on all the files:

 * QA Notice: Pre-stripped files found:
 * /var/tmp/portage/app-i18n/kurso-de-esperanto-3.0/image/opt/kurso/bin/kurso3
/var/tmp/portage/app-i18n/kurso-de-esperanto-3.0/image/opt/kurso/lib/libborqt-6.9-qt2.3.so
QA Security Notice:
- /opt/kurso/fonts/Menu_2.xfm will be a world writable file.
- This may or may not be a security problem, most of the time it is one.
- Please double check that kurso-de-esperanto-3.0 really needs a world writeable bit and file bugs accordingly.


Reproducible: Always

Steps to Reproduce:
1. emerge app-i18n/kurso-de-esperanto-3.0
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-26 12:08:11 UTC
confirmed... the tarball contains indeed world-writeable files, only had a quick look, but it seems that only fonts/html/... seem to be world-writable, not the binary

vapier, you committed this a long while ago, want to fix it?
otherwise we should mask it until there is a maintainer
Comment 2 SpanKY gentoo-dev 2007-01-27 11:48:07 UTC
lame, just fix the freaking package

3.0-r1 in portage
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-27 19:03:28 UTC
unsure about the rating...

security, please vote
Comment 4 Vic Fryzel (shellsage) (RETIRED) gentoo-dev 2007-01-27 21:37:07 UTC
I vote no.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-27 22:47:52 UTC
another NO vote.
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 19:43:10 UTC
closing
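
The check behind the QA Security Notice quoted in the description can be reproduced against any staged install image. The following is an added example, not code from Portage or from the ebuild discussed in this bug: it lists world-writable files and non-sticky world-writable directories under an image root and clears the other-write bit. The function names, the html/index.html file and the sample tree are constructed for illustration; only the kurso3 and Menu_2.xfm paths come from the report.

```shell
#!/bin/sh
# Added example: audit a staged install image for world-writable entries
# and clear the bit before the files reach the live filesystem.

# Expression shared by both functions: regular files with o+w, and
# directories with o+w but no sticky bit. Symlinks are never matched,
# since their own mode bits carry no meaning.
# Print every offending path under image root $1.
list_world_writable() {
    find "$1" \( \( -type f -perm -0002 \) -o \
                 \( -type d -perm -0002 ! -perm -1000 \) \) -print
}

# Strip o+w from every offending path under $1. Using -exec keeps paths
# with spaces or newlines intact. Returns 0 if the image is clean afterwards.
fix_world_writable() {
    find "$1" \( \( -type f -perm -0002 \) -o \
                 \( -type d -perm -0002 ! -perm -1000 \) \) \
         -exec chmod o-w {} +
    [ -z "$(list_world_writable "$1")" ]
}

# Build a constructed sample image that mimics the layout in the report:
# data files and a directory are world-writable, the binary is not.
make_sample_image() (
    umask 022
    img=$(mktemp -d) || exit 1
    mkdir -p "$img/opt/kurso/bin" "$img/opt/kurso/fonts" "$img/opt/kurso/html"
    : > "$img/opt/kurso/bin/kurso3"
    : > "$img/opt/kurso/fonts/Menu_2.xfm"
    : > "$img/opt/kurso/html/index.html"      # constructed file name
    chmod 0755 "$img/opt/kurso/bin/kurso3"
    chmod 0666 "$img/opt/kurso/fonts/Menu_2.xfm" "$img/opt/kurso/html/index.html"
    chmod 0777 "$img/opt/kurso/html"
    printf '%s\n' "$img"
)

# When called with an image root as argument, report what would be flagged.
if [ "$#" -gt 0 ]; then
    list_world_writable "$1"
fi
```

Run it with the image directory as its argument to list offenders; call fix_world_writable on the same directory to normalise the modes before installation.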