From debian bugzilla at $URL:

$ ls -ld ~/.local/{,share/{,uzbl/{,cookies.txt}}}
drwxr-xr-x 3 user users 4096 Feb 9 23:29 /home/user/.local/
drwxr-xr-x 4 user users 4096 Feb 9 23:29 /home/user/.local/share/
drwxr-xr-x 2 user users 4096 Feb 9 23:29 /home/user/.local/share/uzbl/
-rw-rw-rw- 1 user users 732 Feb 9 23:29 /home/user/.local/share/uzbl/cookies.txt

This allows local users to steal cookies (and tamper with them). I consider it as upstream/ebuild because anyone is able to change permission without upstream support.
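A local check for the condition shown in the listing above, added here as an example and not part of the original bug report or of uzbl: it lists files in a data directory that grant read or write access to group or other, and can strip that access. The function names are hypothetical, and the directory to audit is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.
# Usage: sh <this-script> DIR   e.g. DIR = ~/.local/share/uzbl

# Run find over regular files under $1 that grant any read or write bit to
# group or other; the remaining arguments are the find actions to apply.
# Only POSIX predicates are used: "-perm -MODE" matches when all bits of
# MODE are set, so the four tests together mean "any of g+r, g+w, o+r, o+w".
exposed() {
    dir=$1
    shift
    find "$dir" -type f \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) "$@"
}

# Print the exposed files, one per line.
list_exposed() {
    exposed "$1" -print
}

# Print each exposed file and remove all group/other access from it.
tighten_exposed() {
    exposed "$1" -print -exec chmod go-rwx {} \;
}

# Succeeds when directory $1 itself is searchable by other users. A loose
# file mode is only reachable if the directory can be traversed, as with
# the drwxr-xr-x directories in the listing.
others_can_traverse() {
    [ -n "$(find "$1" -prune -type d -perm -001)" ]
}

# Report only; nothing is changed unless tighten_exposed is called.
if [ "$#" -gt 0 ]; then
    if others_can_traverse "$1"; then
        echo "note: $1 is searchable by other users"
    fi
    list_exposed "$1"
fi
```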
=www-client/uzbl-2011.11.18 should be stabilized, as it fixes this vulnerability (per http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659379#38).
Apologies, =www-client/uzbl-2011.11.18 does not contain the patch; however, =www-client/uzbl-2012.05.14 does. =www-client/uzbl-2012.05.14 should be stabled instead. Thank you!
Better. Package has been in tree over a year, so I see no issue going ahead with a stable.

Arches, please test and stabilize:
=www-client/uzbl-2012.05.14
Target arches: amd64 x86
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Thanks for your work.
GLSA vote: no
cleanup done
GLSA vote: no. Closing as [noglsa].