Summary: | app-text/silvercity-0.9.5 contains world writable executables
---|---
Product: | Gentoo Security
Component: | Vulnerabilities
Reporter: | Jürgen Hötzel <gentoo>
Assignee: | Gentoo Security <security>
CC: | web-apps
Status: | RESOLVED FIXED
Severity: | normal
Priority: | High
Version: | unspecified
Hardware: | All
OS: | Other
Whiteboard: | B2? [glsa]
Runtime testing required: | ---

Description
Jürgen Hötzel
2005-05-22 08:17:39 UTC
# ls -l /usr/bin/*.py
-rwxrwxrwx 1 root root 4443 May 22 16:58 /usr/bin/cgi-styler-form.py
-rwxrwxrwx 1 root root 2990 May 22 16:58 /usr/bin/cgi-styler.py
-rwxrwxrwx 1 root root 3776 May 22 16:58 /usr/bin/source2html.py

This is because the source tarball comes with these permissions.

Enclosed ebuild patch also contains fix for a CR/LF and python-path issue:

# source2html.py
: No such file or directory

I think upstream creates packages under Windows.

Jürgen

Created attachment 59544
Patch for silvercity-0.9.5.ebuild
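
The two defects described in the report above (scripts installed with mode 0777 and a shebang line ending in CR/LF), as an added example that is not part of the original bug or of the attached ebuild patch: a shell check over a staged install tree. All function names and the sample tree are constructed for illustration, and `fix_image` is one possible repair, not necessarily what the ebuild does.

```shell
#!/bin/sh
# Added example: audit a staged install tree for the two defects in this report.

# Regular files with the "other" write bit set (e.g. mode 0777).
find_world_writable() {
    find "$1" -type f -perm -0002 -print
}

# Scripts whose "#!" line ends in a carriage return (CR/LF line endings);
# the interpreter name then includes the CR and cannot be found.
find_crlf_shebang() {
    cr=$(printf '\r')
    find "$1" -type f -print | while IFS= read -r f; do
        first=$(head -n 1 "$f" | tr -d '\000')
        case "$first" in '#!'*"$cr") printf '%s\n' "$f" ;; esac
    done
}

# Report both classes of finding; return non-zero if anything was found.
audit_image() {
    rc=0
    ww=$(find_world_writable "$1"); crlf=$(find_crlf_shebang "$1")
    [ -z "$ww" ] || { printf '%s\n' "$ww" | sed 's/^/world-writable: /'; rc=1; }
    [ -z "$crlf" ] || { printf '%s\n' "$crlf" | sed 's/^/CRLF shebang: /'; rc=1; }
    return "$rc"
}

# One possible repair: drop group/other write, strip CRs (file mode is preserved).
fix_image() {
    find_world_writable "$1" | while IFS= read -r f; do chmod go-w "$f"; done
    find_crlf_shebang "$1" | while IFS= read -r f; do
        t=$(mktemp) && tr -d '\r' < "$f" > "$t" && cat "$t" > "$f"; rm -f "$t"
    done
}

# Constructed sample tree: one script as described in the report, one clean one.
make_sample_image() {
    d=$(mktemp -d) && mkdir -p "$d/usr/bin"
    printf '#!/usr/bin/env python\r\nprint("hi")\r\n' > "$d/usr/bin/source2html.py"
    printf '#!/bin/sh\necho ok\n' > "$d/usr/bin/clean.sh"
    chmod 0777 "$d/usr/bin/source2html.py"; chmod 0755 "$d/usr/bin/clean.sh"
    printf '%s\n' "$d"
}

img=$(make_sample_image)
audit_image "$img" || echo "findings above; repairing"
fix_image "$img"
audit_image "$img" && echo "image clean"
rm -rf "$img"
```
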

This is also a security issue: Users can modify silvercity executables. web-apps: please patch 0.9.5-r1 in cvs, x86 stable. ppc please stable, and if you'd be so kind remove that old ebuild.

Stable on ppc.

Ready for GLSA vote. This is somewhat between a "default config" and vulnerability so I'm not sure. I guess we should issue one...

I think we should issue one.

solar voted yes. Let's have a GLSA

GLSA 200506-05