Bug 664324 (CVE-2018-14348) - <dev-libs/libcgroup-0.41-r5: cgrulesengd creates log files with insecure permissions (CVE-2018-14348)
Status: RESOLVED FIXED
Alias: CVE-2018-14348
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Reported: 2018-08-22 23:03 UTC by GLSAMaker/CVETool Bot
Modified: 2020-06-20 00:40 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2018-08-22 23:03:59 UTC
CVE-2018-14348 (https://nvd.nist.gov/vuln/detail/CVE-2018-14348):
  libcgroup up to and including 0.41 creates /var/log/cgred with mode 0666
  regardless of the configured umask, leading to disclosure of information.
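The class of bug described above, as an added illustration that is not libcgroup or Gentoo code: a log opened with `fopen()` is created with mode 0666 masked by the process umask, so a process whose umask is 0 leaves a 0666 file, while an explicit mode plus `fchmod()` does not depend on the umask. That the writing process runs with umask 0 is an assumption here; the function names and the temporary path are constructed.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: fopen() requests 0666 and relies entirely on the umask. */
static int open_log_weak(const char *path)
{
    FILE *f = fopen(path, "a");
    if (!f) return -1;
    return fclose(f);
}

/* Hardened pattern: explicit mode at creation, then fchmod() so the result
 * depends neither on the umask nor on the mode of a pre-existing file. */
static int open_log_hardened(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0640);
    if (fd < 0) return -1;
    int rc = fchmod(fd, 0640);
    close(fd);
    return rc;
}

/* Constructed demo (not libcgroup code): create a log in a fresh temp dir
 * under the given umask and return the permission bits it ends up with. */
mode_t demo_mode(int hardened, mode_t mask)
{
    char dir[] = "/tmp/cgred-demo-XXXXXX";
    char path[64];
    struct stat st;
    mode_t result = (mode_t)-1;
    if (!mkdtemp(dir)) return result;
    snprintf(path, sizeof path, "%s/cgred.log", dir);
    mode_t old = umask(mask);
    int rc = hardened ? open_log_hardened(path) : open_log_weak(path);
    umask(old);                      /* restore the caller's umask */
    if (rc == 0 && stat(path, &st) == 0)
        result = st.st_mode & 07777;
    unlink(path);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("weak/umask 000: %04o\n", (unsigned)demo_mode(0, 0));
    printf("weak/umask 027: %04o\n", (unsigned)demo_mode(0, 027));
    printf("hardened/umask 000: %04o\n", (unsigned)demo_mode(1, 0));
}
```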
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-22 23:05:03 UTC
Upstream patch: https://sourceforge.net/p/libcg/libcg/ci/0d88b73d189ea3440ccaab00418d6469f76fa590/
Comment 2 Anthony Basile gentoo-dev 2018-08-23 00:22:44 UTC
(In reply to Thomas Deutschmann from comment #1)
> Upstream patch: https://sourceforge.net/p/libcg/libcg/ci/0d88b73d189ea3440ccaab00418d6469f76fa590/

Thanks for the report!  I've added the patch in libcgroup-0.41-r5.ebuild and will rapid stabilize it soon.
Comment 3 Anthony Basile gentoo-dev 2018-08-23 00:53:22 UTC
I just marked libcgroup-0.41-r5.ebuild stable on amd64 and x86 and removed the vulnerable version.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-19 03:51:29 UTC
Tree is clean.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2020-04-16 07:01:40 UTC
GLSA Vote: No
Thank you all for your work.
Closing as [noglsa].
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2020-06-20 00:40:11 UTC
tree is clean