Summary: <www-servers/thttpd-2.26.4-r2: world-readable logdir (CVE-2013-0348)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Package list:
Runtime testing required: ---
Description Agostino Sarubbo 2013-02-23 19:03:26 UTC

As reported by me on oss-security at $URL, thttpd, at least on gentoo, has a world-readable log/logdir:

    # ls -la /var/log/thttpd.log
    -rw-r--r-- 1 thttpd thttpd 0 Feb 22 14:05 /var/log/thttpd.log
Comment 1 Anthony Basile 2013-02-26 19:40:26 UTC

I committed the fix upstream: http://opensource.dyc.edu/gitweb/?p=sthttpd.git;a=commit;h=d2e186dbd58d274a0dea9b59357edc8498b5388d

This is not a gentoo-only bug. You need to chmod() the log file after its fopen(). I'll push this out to the tree as thttpd-2.26.4-r2 after dealing with other bugs. I don't think this is that big of a deal, and I'm not sure why you think you needed a CVE for it.
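The comment above describes the defect and its fix in one sentence: fopen() creates a missing log file with mode 0666 masked by the process umask, so with the usual umask of 022 the log is world-readable, and the file's mode has to be tightened afterwards. The following C program is an added illustration written for this page, not the sthttpd commit referenced above and not thttpd's code; the log path under /tmp is a placeholder and the log line written is constructed. It reproduces the 0644 result from fopen(), then shows a hardened opener that creates the file with an explicit 0600 mode (so no window exists in which it is readable by others) and applies fchmod() to cover a pre-existing file, plus a small check for the condition reported in this bug.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or -1 if it cannot be stat'ed. */
int log_mode_bits(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* 1 if the file is readable by group or others (the condition in this bug),
 * 0 if only the owner can read it, -1 on error. */
int log_is_world_readable(const char *path) {
    int mode = log_mode_bits(path);
    if (mode < 0) return -1;
    return (mode & (S_IRGRP | S_IROTH)) != 0;
}

/* The pattern behind the report: fopen() creates a missing file with
 * 0666 & ~umask, so with the common umask of 022 the log ends up 0644. */
int create_log_with_fopen(const char *path) {
    unlink(path);                      /* start from a missing file */
    umask(022);                        /* typical daemon/shell default */
    FILE *fp = fopen(path, "a");
    if (!fp) return -1;
    fputs("constructed log line\n", fp);   /* constructed sample content */
    fclose(fp);
    return log_mode_bits(path);
}

/* Hardened variant: create with an explicit 0600 mode so there is no
 * window in which the file exists with looser permissions, then fchmod()
 * on the open descriptor to tighten a file that already existed.
 * O_NOFOLLOW refuses to open a symlink placed at the log path. */
FILE *open_private_log(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW,
                  S_IRUSR | S_IWUSR);
    if (fd < 0) return NULL;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) { close(fd); return NULL; }
    FILE *fp = fdopen(fd, "a");
    if (!fp) { close(fd); return NULL; }
    return fp;
}

/* Open the log with open_private_log(), write one line, report its mode. */
int create_private_log(const char *path) {
    unlink(path);
    FILE *fp = open_private_log(path);
    if (!fp) return -1;
    fputs("constructed log line\n", fp);   /* constructed sample content */
    fclose(fp);
    return log_mode_bits(path);
}

int main(void) {
    const char *path = "/tmp/thttpd-example.log";   /* placeholder path */
    printf("fopen() with umask 022: %04o\n", create_log_with_fopen(path));
    printf("open(..., 0600):        %04o\n", create_private_log(path));
    printf("world-readable now?     %d\n", log_is_world_readable(path));
    unlink(path);
    return 0;
}
```

Using fchmod() on the descriptor rather than chmod() on the path matters for the "chmod after fopen" approach as well: a path-based chmod can be redirected if the name is replaced between the two calls, whereas fchmod() acts on the file that was actually opened.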
Comment 2 Agostino Sarubbo 2013-02-26 19:42:35 UTC

(In reply to comment #1)
> I'm not sure why you think you needed a CVE for it.

An unauthorized user can disclose sensitive information.
Comment 3 Anthony Basile 2013-02-26 20:05:22 UTC

Okay, I've pushed thttpd-2.26.4-r2.
Comment 4 Anthony Basile 2013-03-23 03:55:01 UTC

Okay, time to stabilize: TARGETS="amd64 arm ppc ppc64 sparc x86"
Comment 5 Anthony Basile 2013-03-23 04:48:12 UTC

(In reply to comment #4)
> Okay time to stabilize: TARGETS="amd64 arm ppc ppc64 sparc x86"

Okay, I took care of ppc and ppc64.
Comment 6 Agostino Sarubbo 2013-03-23 09:14:56 UTC
Comment 7 Agostino Sarubbo 2013-03-23 09:15:24 UTC
Comment 8 Agostino Sarubbo 2013-03-23 12:39:00 UTC
Comment 9 Agostino Sarubbo 2013-04-02 10:55:58 UTC
Comment 10 Sean Amoss (RETIRED) 2013-04-10 23:48:09 UTC

(In reply to comment #0)
> As reported by me on oss-security at $URL

This is NOT how Gentoo developers should be reporting vulnerabilities they find. Please see our methodology on the Audit subproject page: http://www.gentoo.org/proj/en/security/audit.xml

GLSA vote: NO.
Comment 11 Anthony Basile 2013-04-11 01:05:51 UTC

(In reply to comment #10)
> (In reply to comment #0)
> > As reported by me on oss-security at $URL
>
> This is NOT how Gentoo developers should be reporting vulnerabilities they
> find. Please see our methodology on the Audit subproject page.
>
> GLSA vote: NO.
>
> http://www.gentoo.org/proj/en/security/audit.xml

Thanks for that reference. It didn't seem right to me to request a CVE for something this trivial. I totally agree with solar's emphasis on peer review. We need more of it everywhere in gentoo.
Comment 12 Tobias Heinlein (RETIRED) 2013-07-11 20:47:56 UTC

NO too, closing.