404983 – (CVE-2012-0842) <www-client/surf-0.4.1-r1 : world-readable cookie file (CVE-2012-0842)

Bug 404983 (CVE-2012-0842) - <www-client/surf-0.4.1-r1 : world-readable cookie file (CVE-2012-0842)

Summary: <www-client/surf-0.4.1-r1 : world-readable cookie file (CVE-2012-0842)

Status:	RESOLVED FIXED

Alias:	CVE-2012-0842

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial
Assignee:	Gentoo Security

URL:	http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard:	~4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2012-02-20 09:26 UTC by Agostino Sarubbo
Modified:	2012-02-20 12:45 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2012-02-20 09:26:20 UTC

From debian bugzilla at $URL:


$ ls -ld ~/.surf/{,cookies.txt}
drwxr-xr-x 2 user users 4096 Feb  9 22:59 /home/user/.surf/
-rw-r--r-- 1 user users  406 Feb  9 22:59 /home/user/.surf/cookies.txt

This allows local users to steal cookies.


I consider it as upstream ebuild because anyone is able to change permission without upstream support

Comment 1 Jeroen Roovers (RETIRED) gentoo-dev

2012-02-20 12:08:08 UTC

Fixed in -r1.

Comment 2 Agostino Sarubbo gentoo-dev

2012-02-20 12:45:26 UTC

Closed as noglsa. Thanks