
Bug 664324 (CVE-2018-14348)

Summary: <dev-libs/libcgroup-0.41-r5: cgrulesengd creates log files with insecure permissions (CVE-2018-14348)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: blueness
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2018-08-22 23:03:59 UTC
CVE-2018-14348 (https://nvd.nist.gov/vuln/detail/CVE-2018-14348):
  libcgroup up to and including 0.41 creates /var/log/cgred with mode 0666
  regardless of the configured umask, leading to disclosure of information.
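The symptom in the description (a log file that ends up mode 0666 whatever the umask) can be reproduced in miniature and audited for; the following is an added example, not libcgroup's code or the upstream fix. It assumes that the 0666 mode comes from permissions being forced explicitly after creation, which is one common way a file escapes the umask; the temp-dir file names stand in for /var/log/cgred.

```python
import os
import stat
import tempfile


def create_log_ignoring_umask(path):
    """Constructed illustration of the reported symptom (not libcgroup's code):
    create the file, then force mode 0666, so the process umask never applies."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
    os.close(fd)
    os.chmod(path, 0o666)  # an explicit chmod bypasses the umask entirely
    return stat.S_IMODE(os.stat(path).st_mode)


def create_log_honoring_umask(path):
    """Safer pattern: request 0644 at creation and let the umask strip bits;
    a daemon can also tighten its own umask before opening its log."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def is_world_writable(path):
    """Audit check: flag a log file that any local user could write to."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def compare(umask=0o022):
    """Create both variants under the given umask in a scratch directory
    and report the resulting modes and the audit verdict for each."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            bad = os.path.join(d, "cgred")        # stand-in for /var/log/cgred
            good = os.path.join(d, "cgred.fixed")
            return {
                "ignoring_umask": create_log_ignoring_umask(bad),
                "honoring_umask": create_log_honoring_umask(good),
                "bad_is_world_writable": is_world_writable(bad),
                "good_is_world_writable": is_world_writable(good),
            }
    finally:
        os.umask(old)


if __name__ == "__main__":
    for m in (0o022, 0o077):
        print("umask", oct(m), compare(m))
```

Under umask 022 the forced file stays 0666 while the umask-respecting one lands at 0644, and under 077 the latter drops to 0600; the same `is_world_writable` check can be pointed at a real log directory to catch this class of defect.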
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-22 23:05:03 UTC
Upstream patch: https://sourceforge.net/p/libcg/libcg/ci/0d88b73d189ea3440ccaab00418d6469f76fa590/
Comment 2 Anthony Basile gentoo-dev 2018-08-23 00:22:44 UTC
(In reply to Thomas Deutschmann from comment #1)
> Upstream patch:
> https://sourceforge.net/p/libcg/libcg/ci/
> 0d88b73d189ea3440ccaab00418d6469f76fa590/

Thanks for the report!  I've added the patch in libcgroup-0.41-r5.ebuild and will rapid stabilize it soon.
Comment 3 Anthony Basile gentoo-dev 2018-08-23 00:53:22 UTC
I just marked libcgroup-0.41-r5.ebuild stable on amd64 and x86 and removed the vulnerable version.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-19 03:51:29 UTC
Tree is clean.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2020-04-16 07:01:40 UTC
GLSA Vote: No
Thank you all for your work.
Closing as [noglsa].
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2020-06-20 00:40:11 UTC
tree is clean