Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 417267 (CVE-2012-2760) - <www-apache/mod_auth_openid-0.8: Insecure database permissions session ID leak vulnerability (CVE-2012-2760)
Summary: <www-apache/mod_auth_openid-0.8: Insecure database permissions session ID lea...
Status: RESOLVED FIXED
Alias: CVE-2012-2760
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/49247/
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-05-23 14:09 UTC by the_eccentric
Modified: 2014-08-25 22:32 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description the_eccentric 2012-05-23 14:09:11 UTC 
A security issue has been reported in mod_auth_openid, which can be exploited by malicious, local users to disclose sensitive information.

The security issue is caused due to the application creating a database file (/tmp/mod_auth_openid.db) with insecure world-readable permissions. This can be exploited to disclose the openid sessions.

The security issue is reported in versions prior to 0.7.

Reproducible: Always
Comment 1 the_eccentric 2012-05-23 14:16:31 UTC 
 From secunia security advisory at $URL
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-05-26 05:34:51 UTC 
Version 0.8 is now in the tree. As no version of this package ever was stable no stabilization process is required here.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2014-05-26 11:13:22 UTC 
(In reply to Lars Wendler (Polynomial-C) from comment #2)
> Version 0.8 is now in the tree. As no version of this package ever was
> stable no stabilization process is required here.

Thank you. Please drop 0.6 and then we can get this bug closed up.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-08-05 00:42:02 UTC 
Maintainer(s), please drop the vulnerable version(s).
Thank you!
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2014-08-25 22:32:40 UTC 
Maintainer timeout, cleanup done, closing noglsa.