
Bug 63551

Summary: media-sound/shoutcast-server-bin: conf files with passwords are world readable
Product: Gentoo Security
Reporter: Mugurel Tudor <mugurel.tudor>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: sound
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [ebuild+] lewk
Package list:
Runtime testing required: ---

Description Mugurel Tudor 2004-09-10 07:25:16 UTC
This applies to:

media-sound/shoutcast-server-bin
media-sound/shoutcast-trans-bin

Their configuration files (sc_serv.conf and sc_trans.conf) are installed world readable by default. If I, as root, set the password for the server, any user with an account on my computer can see the password for the Shoutcast server. This is not OK.

By default, the configuration files, which may contain plain text passwords, should be installed with read permissions only for root. This should not break anything for the default setup.


Reproducible: Always
Steps to Reproduce:
1. Emerge either media-sound/shoutcast-server-bin, or media-sound/shoutcast-trans-bin
2. Check the permissions on /etc/shoutcast/sc_serv.conf and /etc/shoutcast/sc_trans.conf

Actual Results:  
The permissions on those files are world readable, and those configuration files
will contain plain text passwords for the administration of the shoutcast server.

Expected Results:  
The configuration files should be installed with "read" attribute only for root.
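
An administrator's check for the condition reported above, as an added example that is not part of the bug report or the ebuild fix. The function names and the owner-only mode are assumptions; the demo runs on constructed files in a temporary directory, and on a real system the directory to pass is /etc/shoutcast from the steps above.

```shell
#!/bin/sh
# Added example: find and tighten world-readable Shoutcast config files.

# List *.conf files under directory $1 that have the "other read" bit set.
world_readable_confs() {
    find "$1" -type f -name '*.conf' -perm -004 -print
}

# Strip all group/other access from every world-readable config under $1,
# leaving it accessible to its owner only. Prints how many files changed.
# Assumption: the daemon reads its config as the file's owner (root in the
# report's default setup); a daemon running under a dedicated account
# would need ownership or group read instead.
restrict_confs() {
    count=$(world_readable_confs "$1" | wc -l)
    find "$1" -type f -name '*.conf' -perm -004 -exec chmod go-rwx {} +
    echo $((count + 0))
}

# Demo on constructed files: one world-readable config, one already private.
demo() {
    d=$(mktemp -d) || return 1
    echo 'constructed sample content' > "$d/sc_serv.conf"
    chmod 644 "$d/sc_serv.conf"
    echo 'constructed sample content' > "$d/sc_trans.conf"
    chmod 600 "$d/sc_trans.conf"
    echo "world readable before: $(world_readable_confs "$d")"
    echo "files tightened: $(restrict_confs "$d")"
    echo "world readable after: $(world_readable_confs "$d")"
    rm -rf "$d"
}
demo
```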
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-09-11 02:53:21 UTC
Chris, plz fix
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-09-16 05:53:51 UTC
Anyone in sound herd?
Comment 3 Jeremy Huddleston (RETIRED) gentoo-dev 2004-09-16 09:00:38 UTC
Chris is away.  I'll take care of it...
Comment 4 Jeremy Huddleston (RETIRED) gentoo-dev 2004-09-16 09:19:07 UTC
Safe versions:
media-sound/shoutcast-server-bin-1.9.4-r1
media-sound/shoutcast-trans-bin-0.4.0-r1
Comment 5 Luke Macken (RETIRED) gentoo-dev 2004-09-17 05:28:01 UTC
Thanks eradicator for resolving this issue.

Closing without GLSA.