| Field | Value |
|---|---|
| Summary | <net-wireless/hostapd-1.0-r2 : world-readable /etc/hostapd/hostapd.conf (CVE-2012-2389) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Status | RESOLVED FIXED |
| Severity | minor |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B4 [noglsa] |
| Package list | |
| Runtime testing required | --- |
| Reporter | GLSAMaker/CVETool Bot <glsamaker> |
| Assignee | Gentoo Security <security> |
| CC | gurligebis, kripton, zerochaos |

Description
GLSAMaker/CVETool Bot
2012-07-13 23:43:19 UTC

Please go ahead and stabilize it :)

(In reply to comment #1)
> Please go ahead and stabilize it :)

Arches, please test and mark stable:
=net-wireless/hostapd-1.0-r1
Target KEYWORDS: "amd64 ppc x86"

x86 stable

amd64 stable

Guys, correct me if I'm wrong, but this vulnerability should be fixed in the Gentoo's ebuild. It's our script installs it with 0644 permissions.

ps. I've installed version 1.0 but the config file still has that permission:

```
ls -al /etc/hostapd/hostapd.conf
-rw-r--r-- 1 root root 46191 Jul 17 18:48 /etc/hostapd/hostapd.conf
```

ppc stable.

Thanks, folks. GLSA Vote: yes.

GLSA vote: no.

Did you all really stabilize this without fixing the issue???? Seriously guys:

```
ozzie ~ # emerge hostapd::gentoo -va1 --nodeps

These are the packages that would be merged, in order:

[ebuild R ] net-wireless/hostapd-1.0-r1 USE="crda ipv6 ssl wps -debug -logwatch -madwifi" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB

Would you like to merge these packages? [Yes/No] no

Quitting.

ozzie ~ # ls -al /etc/hostapd/hostapd.conf
-rw-r--r-- 1 root root 45989 Sep 24 11:10 /etc/hostapd/hostapd.conf
ozzie ~ # qfile /etc/hostapd/hostapd.conf
net-wireless/hostapd (/etc/hostapd/hostapd.conf)
```

Someone really needs to throw this line into src_install

```
chmod -R 600 "${ED}"/etc/hostapd
```

I can do it, but should I bump the rev again for this unresolved security issue?

Per Ago I have fixed this issue in -r2 without removing the keywords for this issue. Please don't misunderstand what has happened here though. You should all be embarrassed. Not because you messed up, that happens, but to not even respond to Anton after he pointed out (much more politely than I) how you failed. Today I fix a bug just so I can be less embarrassed to be a gentoo developer. Please, don't ignore the users, without them this is all a bit pointless.

Vote: NO. Oh, didn't see Sean's vote first. Closing noglsa now.
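
A post-install check for the condition this thread is about (a config file still at 0644 after the package was marked stable), as an added example that is not part of the bug report or the ebuild. The function names are hypothetical, and the demo runs on a constructed scratch directory standing in for /etc/hostapd.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.

# List regular files under $1 that grant any group or other permission bit.
# Written with POSIX -perm tests so it does not depend on GNU find's "/077".
list_exposed() {
    find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Exit status 0 when nothing is exposed, 1 otherwise; offenders go to stderr.
audit_conf_dir() {
    exposed=$(list_exposed "$1")
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed" | while IFS= read -r f; do
        ls -ld "$f" >&2
    done
    return 1
}

# Set mode 600 on regular files only; directory modes are left unchanged.
harden_conf_dir() {
    find "$1" -type f -exec chmod 600 {} +
}

# Constructed demo: a scratch tree standing in for /etc/hostapd.
demo() {
    d=$(mktemp -d) || return 1
    printf 'ssid=example\n' > "$d/hostapd.conf"   # constructed sample content
    chmod 644 "$d/hostapd.conf"                   # the mode shown in the report
    audit_conf_dir "$d" 2>/dev/null && before=clean || before=exposed
    harden_conf_dir "$d"
    audit_conf_dir "$d" && after=clean || after=exposed
    rm -rf "$d"
    echo "before=$before after=$after"
}

demo
```

Running `audit_conf_dir /etc/hostapd` after a merge gives a non-zero exit status while any file there is still group- or world-accessible, which makes it usable as a stabilization test step.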