Bug 198209 (CVE-2007-5827)

Summary: sys-block/iscsitarget < 0.4.15-r1 insecure file permission (CVE-2007-5827)
Product: Gentoo Security
Reporter: Pierre-Yves Rofes (RETIRED) <py>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: robbat2
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/27483/
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-05 20:51:50 UTC
Description:
A weakness has been discovered in iSCSI Enterprise Target, which can be exploited by malicious, local users to disclose sensitive information.

The weakness is caused due to the install script applying world readable permissions to the "/etc/ietd.conf" file, which can be exploited to e.g. disclose user names and passwords.

The weakness is confirmed in version 0.4.15. Other versions may also be affected.

Solution:
Apply correct file permissions to "/etc/ietd.conf".

Provided and/or discovered by:
Reported in a Debian bug by Martin Zobel-Helas.

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=448873
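
The weakness and its fix as an added example, not taken from the iscsitarget install script or the Gentoo ebuild: a config file installed world-readable next to the same file installed owner-only, plus an audit that tightens an existing install. The function names, the mode 0600 as the "correct" permission, and the sample credential line are assumptions; the demo works on a constructed file in a scratch directory.

```shell
#!/bin/sh
# Added example: the install-time permission weakness and its fix.

# Return 0 if the regular file $1 is readable by "other" (world) users.
world_readable() {
    [ -n "$(find "$1" -prune -type f -perm -004 2>/dev/null)" ]
}

# Weak pattern described in the advisory: config installed world-readable.
install_weak() {      # $1 = source file, $2 = destination
    install -m 0644 "$1" "$2"
}

# Hardened pattern: owner-only mode set by the install step itself.
# 0600 is an assumption; the advisory only says "correct file permissions".
install_hardened() {  # $1 = source file, $2 = destination
    install -m 0600 "$1" "$2"
}

# Audit an already-installed file and tighten it if needed.
# Prints "fixed", "ok" or "missing"; returns non-zero only if the
# file is absent or chmod fails.
audit_and_fix() {
    if [ ! -f "$1" ]; then echo "missing"; return 2; fi
    if world_readable "$1"; then
        chmod 0600 "$1" || return 1
        echo "fixed"
    else
        echo "ok"
    fi
}

# Demo on a constructed sample config in a scratch directory
# (not a real system file; the credential line is made up).
demo() {
    d=$(mktemp -d) || return 1
    printf 'IncomingUser exampleuser examplesecret12\n' > "$d/src.conf"
    install_weak "$d/src.conf" "$d/weak.conf"
    install_hardened "$d/src.conf" "$d/hard.conf"
    echo "weak install:     $(audit_and_fix "$d/weak.conf")"
    echo "hardened install: $(audit_and_fix "$d/hard.conf")"
    rm -rf "$d"
}
demo
```

On an affected system, `audit_and_fix /etc/ietd.conf` run as root applies the same check to the file named in the advisory.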

Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-05 20:54:38 UTC
robbat2, please provide a fixed ebuild.

Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-11-06 00:42:41 UTC
in cvs.

Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-11-06 01:14:19 UTC
Thanks for the fast fix.