| Summary: | dev-perl/Proc-Daemon: writes world-writable PID file | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Samuel Damashek (RETIRED) <sdamashek> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | minor | CC: | perl |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://bugs.debian.org/732283 | ||
| Whiteboard: | A4 [upstream] | ||
| Package list: | Runtime testing required: | --- | |
world readable isn't a security issue. world writable is. *** This bug has been marked as a duplicate of bug 494508 *** |
From ${URL} : Proc::Daemon, when instructed to write a pid file, does that with a umask set to 0, so the pid file ends up with mode 666. This is a rather stupid idea and may well be a security issue. Upstream bug report: https://rt.cpan.org/Public/Bug/Display.html?id=91450 Debian patch: http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libproc-daemon-perl.git;a=blob;f=debian/patches/pid.patch