Bug 198209 (CVE-2007-5827) - sys-block/iscsitarget < 0.4.15-r1 insecure file permission (CVE-2007-5827)
Summary: sys-block/iscsitarget < 0.4.15-r1 insecure file permission (CVE-2007-5827)
Status: RESOLVED FIXED
Alias: CVE-2007-5827
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27483/
Whiteboard: ~3 [noglsa]
Reported: 2007-11-05 20:51 UTC by Pierre-Yves Rofes (RETIRED)
Modified: 2007-11-06 04:30 UTC

Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-05 20:51:50 UTC
Description:
A weakness has been discovered in iSCSI Enterprise Target, which can be exploited by malicious, local users to disclose sensitive information.

The weakness is caused due to the install script applying world readable permissions to the "/etc/ietd.conf" file, which can be exploited to e.g. disclose user names and passwords.

The weakness is confirmed in version 0.4.15. Other versions may also be affected.

Solution:
Apply correct file permissions to "/etc/ietd.conf".

Provided and/or discovered by:
Reported in a Debian bug by Martin Zobel-Helas.

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=448873
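
An audit-and-fix check for the weakness described above, as an added example that is not part of the original report or of the iscsitarget ebuild. The function names are hypothetical, and the target mode 0600 is an assumption, since the report only says "correct file permissions".

```shell
#!/bin/sh
# Added example: detect and remove world access on a config file that
# holds credentials, such as the /etc/ietd.conf named in the advisory.
# Assumes GNU stat (as on Gentoo/Linux); 0600 is an assumed target mode.

# Print the octal permission bits of a file, e.g. "644".
conf_mode() {
    stat -c '%a' -- "$1"
}

# Return 0 if "other" has no permission bits set, 1 if it has any,
# 2 if the path is not a regular file.
conf_is_private() {
    [ -f "$1" ] || return 2
    mode=$(conf_mode "$1") || return 2
    other=${mode#"${mode%?}"}   # last octal digit = bits for "other"
    [ "$other" -eq 0 ]
}

# Tighten the file to owner read/write only and report what changed.
conf_harden() {
    conf_is_private "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "$1: mode $(conf_mode "$1"), no change needed" ;;
        1) old=$(conf_mode "$1")
           chmod 600 -- "$1" || return 1
           echo "$1: mode $old -> $(conf_mode "$1")" ;;
        *) echo "$1: not a regular file" >&2
           return 2 ;;
    esac
}
```

Run as root with `conf_harden /etc/ietd.conf`; on a file installed with mode 644 it reports the change to 600.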
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-05 20:54:38 UTC
robbat2, please provide a fixed ebuild.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-11-06 00:42:41 UTC
in cvs.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-11-06 01:14:19 UTC
Thanks for the fast fix.