Bug 270056 (CVE-2010-2058) - <net-analyzer/prewikka-0.9.14-r2 password disclosure due to world-readable file (CVE-2010-2058)
Summary: <net-analyzer/prewikka-0.9.14-r2 password disclosure due to world-readable fi...
Status: RESOLVED FIXED
Alias: CVE-2010-2058
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: https://www.redhat.com/archives/fedor...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-05-16 13:38 UTC by Robert Buchholz (RETIRED)
Modified: 2012-10-20 11:59 UTC

See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2009-05-16 13:38:39 UTC
From [SECURITY] Fedora 9 Update: prewikka-0.9.14-2.fc9:
...
The permissions on the prewikka.conf file are world readable and contain the sql
database password used by prewikka. This update makes it readable just by the
apache group.
...

We suffer from the same issue. Also, the link referenced in the postinst is gone.
Comment 1 Mark Loeser (RETIRED) gentoo-dev 2009-05-16 18:53:33 UTC
Our prewikka doesn't depend upon apache though, since we let you pick whatever http server you want, so I'm not sure what is the best way to go about this.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-05-16 19:42:28 UTC
I would suggest installing the file o-r and adding a pkg_postinst message suggesting a chgrp to the web server / scripting group.
Comment 3 Mark Loeser (RETIRED) gentoo-dev 2009-05-16 23:13:58 UTC
(In reply to comment #2)
> I would suggest to install the file o-r and add pkg_postinst message suggesting
> a chgrp to the web server / scripting group.
> 

I made this change and bumped 0.9.14's revision. net-analyzer/prewikka-0.9.14-r1 should be the stable candidate. It's been in the tree for a month without a problem, and I've been using it on a few machines without incident.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-05-17 17:30:28 UTC
(In reply to comment #3)
> I made this change and bumped 0.9.14's revision. 

The ebuild installs both a default and a sample file. Is that intended? Also, only the -sample file is caught by the fperms call. Furthermore, I noticed this:
rm: cannot remove `/var/tmp/portage/net-analyzer/prewikka-0.9.14-r1/image//-dist': No such file or directory

Is my system at fault?
Comment 5 Mark Loeser (RETIRED) gentoo-dev 2009-05-17 19:10:38 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > I made this change and bumped 0.9.14's revision. 
> 
> The ebuild installs both a default and a sample file. Is that intended? 

I didn't even notice that, thanks for catching that.  I guess it didn't always install one, so we kept our own sample around.  I just move their file into the sample's spot now, and then fperms it.

> Furthermore, I noticed this:
> rm: cannot remove
> `/var/tmp/portage/net-analyzer/prewikka-0.9.14-r1/image//-dist': No such file
> or directory
> 
> Is my system at fault?

Nope, I have no idea what this was supposed to accomplish, so it's gone now.

net-analyzer/prewikka-0.9.14-r2 is now in the tree.  Thanks for catching my screw up :)
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-05-17 19:15:11 UTC
Thanks for fixing so fast!

Arches, please test and mark stable:
=net-analyzer/prewikka-0.9.14-r2
Target keywords : "ppc sparc x86"
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-18 15:59:26 UTC
x86 stable
Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-05-18 19:46:25 UTC
ppc done
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2009-06-02 16:39:19 UTC
sparc stable
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-03 18:18:10 UTC
Ready for vote, I vote YES.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-23 20:26:17 UTC
Yes, too. Request filed.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-01 22:53:18 UTC
CVE requested
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 21:37:24 UTC
CVE-2010-2058 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2058):
  setup.py in Prewikka 0.9.14 installs prewikka.conf with
  world-readable permissions, which allows local users to obtain the
  SQL database password.

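The remediation discussed in comment 2 and the flaw described in the CVE text above (a config file holding the SQL password installed world-readable; fix by stripping the other-read bit and handing the file to the web server's group), as an added shell example. This is not code from the bug, the Gentoo ebuild or the Prewikka project: the sample config contents, file paths and group are constructed for the demonstration, and `stat -c` assumes GNU coreutils (Linux).

```shell
#!/bin/sh
# Added example (not from the Gentoo bug or the Prewikka project): audit a
# config file that carries a database password for world-readable
# permissions and apply the remediation from the bug: drop o+r and give the
# file to the web server's group so only that group (and the owner) can read it.

# Octal mode of a file, e.g. 644 (GNU coreutils stat; assumption: Linux).
file_mode() {
    stat -c '%a' "$1"
}

# True (0) if the "other" class has the read bit, i.e. any local user can read it.
is_world_readable() {
    mode=$(stat -c '%a' "$1")
    other=$(( mode % 10 ))        # last octal digit is the "other" class
    [ $(( other & 4 )) -ne 0 ]    # bit 4 of that digit is "read"
}

# True (0) if the file has a non-empty pass/password setting ("key: value" or "key = value").
contains_password() {
    grep -Eiq '^[[:space:]]*pass(word)?[[:space:]]*[:=][[:space:]]*[^[:space:]]+' "$1"
}

# Remediate: owner rw, web server group r, nothing for others.
# In a real deployment this runs as root; the demo uses the caller's own group.
fix_perms() {
    file=$1
    group=$2
    chgrp "$group" "$file"
    chmod 0640 "$file"
}

# Audit one or more files; prints a WARNING per offender and returns 1 if any.
audit_conf() {
    rc=0
    for path in "$@"; do
        if is_world_readable "$path" && contains_password "$path"; then
            echo "WARNING: $path is world-readable (mode $(file_mode "$path")) and contains a password"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on a constructed prewikka.conf-style file (sample values, not real credentials).
demo() {
    tmp=$(mktemp -d)
    conf="$tmp/prewikka.conf"
    cat > "$conf" <<'EOF'
[idmef_database]
type: mysql
host: localhost
user: prewikka
pass: s3cret-example
EOF
    chmod 0644 "$conf"                      # the mode the vulnerable install left behind
    audit_conf "$conf" || true              # expected: WARNING line
    fix_perms "$conf" "$(id -gn)"           # hypothetical web server group: caller's own group here
    audit_conf "$conf" && echo "OK: $conf now mode $(file_mode "$conf")"
    rm -rf "$tmp"
}

demo
```

`audit_conf` is the part worth keeping around: pointed at `/etc/prewikka/prewikka.conf` (or any other file with a `pass:` line) it is a one-line post-install check that the ebuild's `fperms` and the suggested `chgrp` actually took effect on the file that is installed, not only on the `-sample` copy comment 4 noticed.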
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 12:34:10 UTC
CVE added to glsa request.
Comment 15 Sergey Popov gentoo-dev 2012-10-17 16:41:48 UTC
Prewikka was removed from the tree (together with the Prelude packages) some time ago; I think this bug should be closed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2012-10-20 11:59:00 UTC
This issue was resolved and addressed in
 GLSA 201101-07 at http://security.gentoo.org/glsa/glsa-201101-07.xml
by GLSA coordinator Sean Amoss (ackle).