89141 – app-admin/{webmin|usermin} configuration file permissions vulnerability

Bug 89141 - app-admin/{webmin|usermin} configuration file permissions vulnerability

Summary: app-admin/{webmin|usermin} configuration file permissions vulnerability

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All All

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:	http://www.webmin.com/changes.html
Whiteboard:	B4 [noglsa] jaervosz
Keywords:

Depends on:	86085
Blocks:
	Show dependency tree

Reported:	2005-04-14 17:21 UTC by Jeremy Huddleston (RETIRED)
Modified:	2020-04-06 20:47 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jeremy Huddleston (RETIRED) gentoo-dev

2005-04-14 17:21:36 UTC

Not sure if this is GLSA worthy or not, but I thought I'd mention it anyways.  I'm testing/bumping the version of webmin right now and it should be in portage soon.

Version 1.200 (12 Apr 2005)

        * Fixed a nasty bug that could cause configuration file permissions and ownership to be changed when they are modified.

Comment 1 Jeremy Huddleston (RETIRED) gentoo-dev

2005-04-14 17:22:15 UTC

usermin too, btw: http://www.webmin.com/uchanges.html

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-04-14 22:13:42 UTC

Thx Jeremy. Please let us know when you have comitted fixed ebuilds.

Comment 3 Jeremy Huddleston (RETIRED) gentoo-dev

2005-04-14 23:29:01 UTC

They're in:
usermin-1.130 : alpha hppa ppc ppc64
webmin-1.200 : alpha hppa mips ppc ppc64 s390

Comment 4 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev

2005-04-15 13:37:47 UTC

Stable on ppc.

Comment 5 Markus Rothe (RETIRED) gentoo-dev

2005-04-16 00:34:43 UTC

I just tested on ppc64. Installs fine, but I cannot login to both packages. I use "root" as login as my local pw for the password. Anything wrong with that?

Comment 6 Markus Rothe (RETIRED) gentoo-dev

2005-04-16 00:40:01 UTC

I just reinstalled both packages. Now it works. Don't know what went wrong the first time.

Stable on ppc64.

Comment 7 Bryan Østergaard (RETIRED) gentoo-dev

2005-04-19 10:39:01 UTC

Stable on alpha.

Comment 8 Thierry Carrez (RETIRED) gentoo-dev

2005-04-19 11:15:32 UTC

I vote no GLSA.

Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-04-19 11:56:51 UTC

Voting for no GLSA as well -> closing. Feel free to reopen if you disagree.

hppa, mips, s390 don't forget to mark stable:-)

Comment 10 René Nussbaumer (RETIRED) gentoo-dev

2005-06-26 07:30:38 UTC

Already stable on hppa

Comment 11 Wolf Giesen (RETIRED) gentoo-dev

2006-07-25 22:55:37 UTC

Hm, what about

"Version 1.220 (29 June 2006) 
Fixed a security hole that would allow a remote attacker to view any file on the system."?

Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-07-25 23:51:03 UTC

@comment #11 I think that is handled on bug #138552 :-)

Comment 13 Wolf Giesen (RETIRED) gentoo-dev

2006-07-25 23:58:45 UTC

Who even gave me access to this thing? :D
Excuse the noise, please.