From [SECURITY] Fedora 9 Update: prewikka-0.9.14-2.fc9: ... The permissions on the prewikka.conf file are world readable and contain the sql database password used by prewikka. This update makes it readable just by the apache group. ... We suffer from the same issue. Also, the link referenced in the postinst is gone.
Our prewikka doesn't depend upon apache though, since we let you pick whatever http server you want, so I'm not sure what is the best way to go about this.
I would suggest to install the file o-r and add pkg_postinst message suggesting a chgrp to the web server / scripting group.
(In reply to comment #2)
> I would suggest to install the file o-r and add pkg_postinst message suggesting
> a chgrp to the web server / scripting group.

I made this change and bumped 0.9.14's revision. net-analyzer/prewikka-0.9.14-r1 should be the stable candidate. It's been in the tree for a month without a problem, and I've been using it on a few machines without incident.
(In reply to comment #3)
> I made this change and bumped 0.9.14's revision.

The ebuild installs both a default and a sample file. Is that intended? Also, only the -sample file is caught by the fperms call. Furthermore, I noticed this:

rm: cannot remove `/var/tmp/portage/net-analyzer/prewikka-0.9.14-r1/image//-dist': No such file or directory

Is my system at fault?
(In reply to comment #4)
> (In reply to comment #3)
> > I made this change and bumped 0.9.14's revision.
>
> The ebuild installs both a default and a sample file. Is that intended?

I didn't even notice that, thanks for catching that. I guess it didn't always install one, so we kept our own sample around. I just move their file into the sample's spot now, and then fperms it.

> Furthermore, I noticed this:
> rm: cannot remove
> `/var/tmp/portage/net-analyzer/prewikka-0.9.14-r1/image//-dist': No such file
> or directory
>
> Is my system at fault?

Nope, I have no idea what this was supposed to accomplish, so it's gone now. net-analyzer/prewikka-0.9.14-r2 is now in the tree. Thanks for catching my screw up :)
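As an added example (not code from this bug, the prewikka ebuild, or the project), a POSIX shell audit for the condition this bug is about: a config file that carries a database password and is readable by every local user. It also applies the fix suggested in comment #2, dropping the world-read bit and handing the file to the web server's group; the group name is an assumption supplied by the caller, and the sample config written by the test is constructed.

```shell
#!/bin/sh
# Audit/harden config files holding a DB password (as prewikka.conf does).
# Added example; the web server group is passed in by the caller (assumption).

# Octal mode of a file, e.g. 644 (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True when the "other" digit of the mode grants read (4, 5, 6 or 7).
world_readable() {
    case "$(mode_of "$1")" in
        *[4567]) return 0 ;;
        *)       return 1 ;;
    esac
}

# True when the file contains a pass/passwd/password key (case-insensitive).
holds_secret() {
    grep -qiE 'pass(wd|word)?[[:space:]]*[:=]' "$1"
}

# Report every file that exposes a credential to all local users.
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
audit_conf() {
    rc=0
    for f in "$@"; do
        if [ -f "$f" ] && holds_secret "$f" && world_readable "$f"; then
            printf 'WORLD-READABLE secret: %s (mode %s)\n' "$f" "$(mode_of "$f")"
            rc=1
        fi
    done
    return $rc
}

# The fix from the thread: chgrp to the web server group, then strip o-r.
harden_conf() {
    chgrp "$2" "$1" && chmod o-r "$1"
}
```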
Thanks for fixing so fast! Arches, please test and mark stable: =net-analyzer/prewikka-0.9.14-r2 Target keywords : "ppc sparc x86"
x86 stable
ppc done
sparc stable
Ready for vote, I vote YES.
Yes, too. Request filed.
CVE requested
CVE-2010-2058 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2058): setup.py in Prewikka 0.9.14 installs prewikka.conf with world-readable permissions, which allows local users to obtain the SQL database password.
CVE added to glsa request.
Prewikka was removed from the tree (together with the Prelude packages) some time ago; I think this bug should be closed.
This issue was resolved and addressed in GLSA 201101-07 at http://security.gentoo.org/glsa/glsa-201101-07.xml by GLSA coordinator Sean Amoss (ackle).