CVE-2007-5751 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5751): Liferea before 1.4.6 uses weak permissions (0644) for the feedlist.opml backup file, which allows local users to obtain credentials.
Daniel, please advise.
I've checked this, and the backup file only has bad perms in the 1.4.x series (which is not stable anywhere), and is in a subdirectory with 700 perms, so it's probably not an issue. I'll bump 1.4.5b to 1.4.6 anyway, which should take care of this problem.
No, I take it back. The 1.2 series also has 0644 perms (again in a 0700 directory). I'll find and backport the fix, as 1.4.x is nowhere near ready to go stable.
Okay, 1.4.6 is in the tree (and 1.4.5b removed). In addition, I backported the patch fixing the perms to 1.2.23-r1. I don't recommend that 1.4.x go stable at this point, so if early stabilization is necessary, 1.2.23-r1 is the correct version. I did check, and the patch does fix the perms on the backup file on the next run.
Thanks. Arches, please test and mark stable net-news/liferea-1.2.23-r1. Target keywords: "amd64 ppc ppc64 sparc x86"
FFS: DEPEND.bad 1 net-news/liferea/liferea-1.2.23.ebuild: ppc64(default-linux/ppc/ppc64/2006.1/64bit-userland) ['net-misc/networkmanager']
x86 stable
sparc stable
masked networkmanager use flag and marked stable on ppc64
ppc stable
amd64 stable
Vote now open.
voting NO wrt comment #2
robert@joel ~ $ cat /home/rbu/.liferea_1.2/feedlist.opml.backup
cat: /home/rbu/.liferea_1.2/feedlist.opml.backup: Permission denied
Voting NO and closing.
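An added example, not part of the original bug thread or Liferea's code: a Python check that separates the cases discussed above, a backup file with a non-owner read bit that sits behind a 0700 directory versus one that other local users can actually reach. The names `classify` and `demo` and the temporary directory tree are constructed for illustration; the check looks only at mode bits and ignores ACLs.

```python
import os
import shutil
import stat
import tempfile

NON_OWNER_READ = stat.S_IRGRP | stat.S_IROTH
NON_OWNER_SEARCH = stat.S_IXGRP | stat.S_IXOTH

def classify(path, home):
    """Return 'private', 'shielded' or 'exposed' for a file under home."""
    path, home = os.path.realpath(path), os.path.realpath(home)
    if not stat.S_IMODE(os.stat(path).st_mode) & NON_OWNER_READ:
        return "private"            # no group/other read bit on the file
    d = os.path.dirname(path)
    while True:
        # A directory without g/o search bits stops every non-owner lookup.
        if not stat.S_IMODE(os.stat(d).st_mode) & NON_OWNER_SEARCH:
            return "shielded"       # e.g. 0644 file inside a 0700 directory
        if d == home or d == os.path.dirname(d):
            return "exposed"        # every directory up to home is searchable
        d = os.path.dirname(d)

def demo():
    """Build a constructed home directory and classify three states."""
    root = tempfile.mkdtemp()
    try:
        home = os.path.join(root, "home")
        conf = os.path.join(home, ".liferea_1.2")
        backup = os.path.join(conf, "feedlist.opml.backup")
        os.makedirs(conf)
        os.chmod(home, 0o755)
        with open(backup, "w") as f:
            f.write("<opml/>\n")    # constructed placeholder content
        results = []
        for dir_mode, file_mode in ((0o700, 0o644), (0o755, 0o644), (0o755, 0o600)):
            os.chmod(conf, dir_mode)
            os.chmod(backup, file_mode)
            results.append(classify(backup, home))
        return results
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(demo())
```

The "shielded" state holds only as long as the directory mode stays restrictive, which is why tightening the file mode itself is the more robust fix.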