
Bug 93558

Summary: app-text/silvercity-0.9.5 contains world writable executables
Product: Gentoo Security
Reporter: Jürgen Hötzel <gentoo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Other
Whiteboard: B2? [glsa]
Package list:
Runtime testing required: ---
Attachments: Patch for silvercity-0.9.5.ebuild (flags: none)

Description Jürgen Hötzel 2005-05-22 08:17:39 UTC
# ls -l /usr/bin/*.py
-rwxrwxrwx  1 root root 4443 May 22 16:58 /usr/bin/cgi-styler-form.py
-rwxrwxrwx  1 root root 2990 May 22 16:58 /usr/bin/cgi-styler.py
-rwxrwxrwx  1 root root 3776 May 22 16:58 /usr/bin/source2html.py

This is because the source tarball comes with these permissions.

The enclosed ebuild patch also contains a fix for a CR/LF and python-path issue:

# source2html.py 
: No such file or directory

I think upstream creates packages under Windows.

Jürgen
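
An added example, not part of the bug report or the attached ebuild patch: a shell check for the two defects described above (world-writable files and a CRLF-terminated "#!" line) run over an install image directory before it is merged. The function names, the sample tree and the file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and repair an install image for the two defects above.

# Print one finding per line: "WORLD_WRITABLE <path>" or "CRLF_SHEBANG <path>".
audit_tree() {
    cr=$(printf '\r')
    find "$1" -type f -perm -0002 | sort | sed 's/^/WORLD_WRITABLE /'
    find "$1" -type f | sort | while IFS= read -r f; do
        # A CR at the end of the "#!" line becomes part of the interpreter
        # name, which is why the script fails with ": No such file or directory".
        if head -n 1 "$f" | grep -q "^#!.*${cr}\$"; then
            printf 'CRLF_SHEBANG %s\n' "$f"
        fi
    done
}

# Repair both defects in place.
fix_tree() {
    # Drop group/other write from every world-writable file (0777 -> 0755).
    find "$1" -type f -perm -0002 -exec chmod go-w {} +
    audit_tree "$1" | sed -n 's/^CRLF_SHEBANG //p' | while IFS= read -r f; do
        tmp=$(mktemp) || return 1
        # Rewrite through cat so the file keeps its mode and owner.
        tr -d '\r' < "$f" > "$tmp" && cat "$tmp" > "$f"
        rm -f "$tmp"
    done
}

# Constructed sample: file names from the report, contents invented.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/bin"
    printf '#!/usr/bin/env python\r\nprint("hi")\r\n' > "$d/usr/bin/source2html.py"
    printf '#!/usr/bin/env python\nprint("hi")\n' > "$d/usr/bin/cgi-styler.py"
    chmod 0777 "$d/usr/bin/source2html.py" "$d/usr/bin/cgi-styler.py"
    printf '%s\n' "$d"
}

img=$(make_sample)
echo "before:"; audit_tree "$img"
fix_tree "$img"
echo "after:";  audit_tree "$img"
rm -rf "$img"
```
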
Comment 2 Jürgen Hötzel 2005-05-22 08:18:48 UTC
Created attachment 59544
Patch for silvercity-0.9.5.ebuild
Comment 3 Jürgen Hötzel 2005-05-31 14:39:32 UTC
This is also a security issue: Users can modify silvercity executables.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-06-01 00:54:01 UTC
web-apps: please patch
Comment 5 Aaron Walker (RETIRED) gentoo-dev 2005-06-01 08:57:30 UTC
0.9.5-r1 in cvs, x86 stable. ppc please stable, and if you'd be so kind remove
that old ebuild.
Comment 6 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-06-02 14:17:53 UTC
Stable on ppc.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-06-03 00:42:06 UTC
Ready for GLSA vote.
This is somewhat between a "default config" and vulnerability so I'm not sure. I
guess we should issue one...
Comment 8 Matthias Geerdsen (RETIRED) gentoo-dev 2005-06-06 04:59:06 UTC
I think we should issue one.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-06-06 11:24:03 UTC
solar voted yes. Let's have a GLSA
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-08 08:49:37 UTC
GLSA 200506-05