Summary: <net-analyzer/prewikka-0.9.14-r2 password disclosure due to world-readable file (CVE-2010-2058)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Package list:
Runtime testing required: ---
Description Robert Buchholz (RETIRED) 2009-05-16 13:38:39 UTC
From [SECURITY] Fedora 9 Update: prewikka-0.9.14-2.fc9:

> ... The permissions on the prewikka.conf file are world readable and contain the sql database password used by prewikka. This update makes it readable just by the apache group. ...

We suffer from the same issue. Also, the link referenced in the postinst is gone.
Comment 1 Mark Loeser (RETIRED) 2009-05-16 18:53:33 UTC
Our prewikka doesn't depend upon apache though, since we let you pick whatever http server you want, so I'm not sure what is the best way to go about this.
Comment 2 Robert Buchholz (RETIRED) 2009-05-16 19:42:28 UTC
I would suggest to install the file o-r and add pkg_postinst message suggesting a chgrp to the web server / scripting group.
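The fix proposed in comment 2 has two halves: strip "other" read from the installed config and hand the file to whatever group the chosen web server runs as. The script below is an added example, not code from the prewikka ebuild or from Gentoo, showing how an administrator can audit config files for exactly this defect (world-readable and carrying a credential) and apply that fix. It assumes POSIX sh with find(1), grep(1), chmod(1) and chgrp(1); the sample prewikka.conf it writes, and the `pass:` key pattern it greps for, are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the prewikka ebuild): audit config files for the
# world-readable-credential problem in this bug and apply the comment 2 fix.
# Assumes POSIX sh plus find(1), grep(1), chmod(1), chgrp(1).

# Exit 0 when the "other" read bit (004) is set on the given path.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Exit 0 when the file holds something that looks like a password entry.
# The key pattern (pass / password followed by ':' or '=') is a constructed
# assumption about the config format, not taken from prewikka's own parser.
holds_credential() {
    grep -Eiq '^[[:space:]]*pass(word)?[[:space:]]*[:=]' "$1"
}

# Print every listed file that is both world-readable and credential-bearing.
# Returns 1 when at least one offender was found, 0 when all files are clean.
audit_configs() {
    status=0
    for f in "$@"; do
        if is_world_readable "$f" && holds_credential "$f"; then
            echo "WORLD-READABLE CREDENTIAL FILE: $f"
            status=1
        fi
    done
    return $status
}

# The fix from comment 2: owner keeps read/write, the web server's group gets
# read, everyone else gets nothing. The group is a parameter because, as
# comment 1 notes, the package does not know which http server is in use.
harden_config() {
    f="$1"; group="$2"
    chgrp "$group" "$f" && chmod u=rw,g=r,o= "$f"
}

# Demo on a constructed sample config in a scratch directory.
demo() {
    dir=$(mktemp -d)
    conf="$dir/prewikka.conf"   # constructed sample, not a real install
    printf '[database]\ntype: mysql\nuser: prewikka\npass: s3cret\n' > "$conf"
    chmod 644 "$conf"           # world-readable, as setup.py in 0.9.14 left it
    audit_configs "$conf" || echo "audit flagged the file before hardening"
    harden_config "$conf" "$(id -gn)"   # demo uses the caller's own group
    audit_configs "$conf" && echo "audit clean after hardening"
    rm -rf "$dir"
}

demo
```

Running the audit over every installed copy (the default file as well as the -sample file) catches the case raised later in this bug where only one of the two was covered by the ebuild's fperms call.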
Comment 3 Mark Loeser (RETIRED) 2009-05-16 23:13:58 UTC
(In reply to comment #2)
> I would suggest to install the file o-r and add pkg_postinst message suggesting
> a chgrp to the web server / scripting group.

I made this change and bumped 0.9.14's revision. net-analyzer/prewikka-0.9.14-r1 should be the stable candidate. It's been in the tree for a month without a problem, and I've been using it on a few machines without incident.
Comment 4 Robert Buchholz (RETIRED) 2009-05-17 17:30:28 UTC
(In reply to comment #3)
> I made this change and bumped 0.9.14's revision.

The ebuild installs both a default and a sample file. Is that intended? Also, only the -sample file is caught by the fperms call.

Furthermore, I noticed this:

rm: cannot remove `/var/tmp/portage/net-analyzer/prewikka-0.9.14-r1/image//-dist': No such file or directory

Is my system at fault?
Comment 5 Mark Loeser (RETIRED) 2009-05-17 19:10:38 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > I made this change and bumped 0.9.14's revision.
>
> The ebuild installs both a default and a sample file. Is that intended?

I didn't even notice that, thanks for catching that. I guess it didn't always install one, so we kept our own sample around. I just move their file into the sample's spot now, and then fperms it.

> Furthermore, I noticed this:
> rm: cannot remove
> `/var/tmp/portage/net-analyzer/prewikka-0.9.14-r1/image//-dist': No such file
> or directory
>
> Is my system at fault?

Nope, I have no idea what this was supposed to accomplish, so it's gone now. net-analyzer/prewikka-0.9.14-r2 is now in the tree. Thanks for catching my screw up :)
Comment 6 Robert Buchholz (RETIRED) 2009-05-17 19:15:11 UTC
Thanks for fixing so fast!

Arches, please test and mark stable:
=net-analyzer/prewikka-0.9.14-r2
Target keywords : "ppc sparc x86"
Comment 7 Christian Faulhammer (RETIRED) 2009-05-18 15:59:26 UTC
Comment 8 Brent Baude (RETIRED) 2009-05-18 19:46:25 UTC
Comment 9 Raúl Porcel (RETIRED) 2009-06-02 16:39:19 UTC
Comment 10 Tobias Heinlein (RETIRED) 2009-06-03 18:18:10 UTC
Ready for vote, I vote YES.
Comment 11 Stefan Behte (RETIRED) 2009-06-23 20:26:17 UTC
Yes, too. Request filed.
Comment 12 Stefan Behte (RETIRED) 2010-06-01 22:53:18 UTC
Comment 13 Stefan Behte (RETIRED) 2010-06-25 21:37:24 UTC
CVE-2010-2058 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2058): setup.py in Prewikka 0.9.14 installs prewikka.conf with world-readable permissions, which allows local users to obtain the SQL database password.
Comment 14 Stefan Behte (RETIRED) 2010-08-01 12:34:10 UTC
CVE added to glsa request.
Comment 15 Sergey Popov 2012-10-17 16:41:48 UTC
Prewikka was removed from tree (together with Prelude packages) some time ago, I think this bug should be closed.
Comment 16 GLSAMaker/CVETool Bot 2012-10-20 11:59:00 UTC
This issue was resolved and addressed in GLSA 201101-07 at http://security.gentoo.org/glsa/glsa-201101-07.xml by GLSA coordinator Sean Amoss (ackle).