Bug 250715

Summary: www-misc/zoneminder allow any user to read configuration-files (CVE-2008-6756)
Product: Gentoo Security Reporter: Rune Andresen <andresen-gentoo>
Component: Default ConfigsAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Rune Andresen 2008-12-12 16:54:17 UTC
The ebuild /usr/portage/www-misc/zoneminder/zoneminder-1.23.3.ebuild has the following:

        fperms 0644 /etc/zm.conf

This allows any user to read the database user and password. I believe it would be better with:

        fperms 0640 /etc/zm.conf
Reproducible: Always

Steps to Reproduce:
1. Install ZoneMinder
2.
3.

Actual Results:  
Any user can read the configuration.

Expected Results:  
Only apache should read the username/password

It's easy to correct (just do a chmod o-r /etc/zm.conf).
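As an added example (not part of the bug report, the ebuild, or the ZoneMinder project), a small POSIX shell audit helper that detects the world-readable state the report describes and applies the suggested `chmod o-r` fix; the function names and the temporary stand-in for /etc/zm.conf are assumptions, and the sample contents are constructed.

```shell
#!/bin/sh
# Hypothetical audit helper for credential-bearing config files such as
# /etc/zm.conf: detect the 0644 state the ebuild installed and tighten it
# to 0640, keeping owner/group access for the web server.
# The path is a parameter so the check can run on a constructed temp file.

# Return 0 if "other" has the read bit on the file, 1 otherwise.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

# Remove read access for "other" and verify the bit is really gone.
restrict_config() {
    chmod o-r "$1" || return 1
    is_world_readable "$1" && return 1   # still readable: refuse to report success
    return 0
}

# Octal mode for reporting (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Self-contained demo on a constructed file standing in for /etc/zm.conf.
demo() {
    tmp=$(mktemp) || return 1
    # constructed sample content; real zm.conf holds the DB credentials here
    printf 'ZM_DB_USER=zmuser\nZM_DB_PASS=example-only\n' > "$tmp"
    chmod 0644 "$tmp"                    # the permissions the ebuild applied
    before=$(mode_of "$tmp")
    if is_world_readable "$tmp"; then
        echo "$tmp ($before): world-readable, DB credentials exposed to any local user"
    fi
    restrict_config "$tmp" || { rm -f "$tmp"; return 1; }
    after=$(mode_of "$tmp")
    echo "$tmp ($after): read bit for other removed"
    rm -f "$tmp"
    [ "$before" = "644" ] && [ "$after" = "640" ]
}

demo
```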
Comment 1 Gunnar Wrobel (RETIRED) gentoo-dev 2008-12-28 21:50:06 UTC
fixed in cvs. albeit without bumping the revision as I'm considering masking the package anyhow (see bug #236517). webapps done.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-11 19:25:47 UTC
thanks, closing.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-01 11:18:02 UTC
CVE-2008-6756 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6756):
  ZoneMinder 1.23.3 on Gentoo Linux uses 0644 permissions for
  /etc/zm.conf, which allows local users to obtain the database
  username and password by reading this file.