
Bug 431744 (CVE-2012-3449)

Summary: <net-misc/openvswitch-1.9.0: World writable permissions (CVE-2012-3449)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: dev-zero, virtualization
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2012-08-17 14:18:59 UTC
CVE-2012-3449 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3449):
  Open vSwitch 1.4.2 uses world writable permissions for (1)
  /var/lib/openvswitch/pki/controllerca/incoming/ and (2)
  /var/lib/openvswitch/pki/switchca/incoming/, which allows local users to
  delete and overwrite arbitrary files.


It looks like net-misc/openvswitch-1.6.1-r2 is also affected, but we use /etc/openvswitch/pki/controllerca/incoming and /etc/openvswitch/pki/switchca/incoming. 

Debian patched their package: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683665#15

Comment 1 Tiziano Müller (RETIRED) gentoo-dev 2013-04-08 19:41:24 UTC
For 1.9.0 I moved the PKI dir to /etc/ssl/openvswitch and set 0750 explicitly.

Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-08 20:58:03 UTC
Thank you, Tiziano. Please don't forget to drop the vulnerable version.

Closing noglsa for ~arch only.
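
A check for the condition this bug describes, as an added example (not part of the bug report, and not Gentoo's or Open vSwitch's code): it lists world-writable entries under the PKI locations named above and tests whether a PKI root grants anything beyond the 0750 mentioned in Comment 1. The function names and the `--check` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit Open vSwitch PKI directories for the permissions
# problem in CVE-2012-3449. Function names are hypothetical.

# Print every world-writable directory or regular file under the given roots.
# Returns 0 when none are found, 1 when at least one is found.
audit_pki_perms() {
    found=0
    for root in "$@"; do
        [ -d "$root" ] || continue      # location not present on this host
        # -perm -0002 matches entries whose "others" write bit is set.
        # Symlinks are skipped: only directories and regular files are tested.
        hits=$(find "$root" \( -type d -o -type f \) -perm -0002 2>/dev/null || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed 's/^/WORLD-WRITABLE: /'
            found=1
        fi
    done
    return "$found"
}

# Succeeds when the directory itself grants nothing beyond mode 0750,
# i.e. no group-write bit and no permission bits at all for "others".
# Returns 2 when the path is not a directory.
pki_root_is_0750_or_tighter() {
    [ -d "$1" ] || return 2
    loose=$(find "$1" -prune \
        \( -perm -0020 -o -perm -0004 -o -perm -0002 -o -perm -0001 \) -print)
    [ -z "$loose" ]
}

# With "--check", audit the three PKI locations named in this bug.
if [ "${1:-}" = "--check" ]; then
    audit_pki_perms /var/lib/openvswitch/pki \
                    /etc/openvswitch/pki \
                    /etc/ssl/openvswitch
fi
```

With `--check` the script exits with status 1 when any world-writable entry is found, so it can gate a package QA step or a host compliance job.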