Bug 426498 (CVE-2012-2389) - <net-wireless/hostapd-1.0-r2 : world-readable /etc/hostapd/hostapd.conf (CVE-2012-2389)
Alias: CVE-2012-2389
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on:
Reported: 2012-07-13 23:43 UTC by GLSAMaker/CVETool Bot
Modified: 2012-12-16 22:14 UTC

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2012-07-13 23:43:19 UTC
CVE-2012-2389:
  hostapd 0.7.3, and possibly other versions before 1.0, uses 0644 permissions
  for /etc/hostapd/hostapd.conf, which might allow local users to obtain
  sensitive information such as credentials.

@mobile, Bjarke: may we stabilize =net-wireless/hostapd-1.0-r1?
Comment 1 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2012-07-14 10:44:45 UTC
Please go ahead and stabilize it :)
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-14 21:43:12 UTC
(In reply to comment #1)
> Please go ahead and stabilize it :)

Arches, please test and mark stable:
Target KEYWORDS: "amd64 ppc x86"
Comment 3 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-07-15 01:34:13 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2012-07-15 12:46:13 UTC
amd64 stable
Comment 5 Anton Bolshakov 2012-07-17 10:56:14 UTC
Guys, correct me if I'm wrong, but this vulnerability should be fixed in Gentoo's ebuild. It's our script that installs it with 0644 permissions.

P.S. I've installed version 1.0, but the config file still has that permission:

ls -al /etc/hostapd/hostapd.conf
-rw-r--r-- 1 root root 46191 Jul 17 18:48 /etc/hostapd/hostapd.conf
Comment 6 Michael Weber (RETIRED) gentoo-dev 2012-08-24 08:00:03 UTC
ppc stable.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-08-24 14:06:22 UTC
Thanks, folks. GLSA Vote: yes.
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-19 10:35:16 UTC
GLSA vote: no.
Comment 9 Rick Farina (Zero_Chaos) gentoo-dev 2012-09-24 15:14:30 UTC
Did you all really stabilize this without fixing the issue????

Seriously guys:

ozzie ~ # emerge hostapd::gentoo -va1 --nodeps

These are the packages that would be merged, in order:

[ebuild   R    ] net-wireless/hostapd-1.0-r1  USE="crda ipv6 ssl wps -debug -logwatch -madwifi" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB

Would you like to merge these packages? [Yes/No] no


ozzie ~ # ls -al /etc/hostapd/hostapd.conf
-rw-r--r-- 1 root root 45989 Sep 24 11:10 /etc/hostapd/hostapd.conf
ozzie ~ # qfile /etc/hostapd/hostapd.conf
net-wireless/hostapd (/etc/hostapd/hostapd.conf)

Someone really needs to throw this line into src_install

chmod -R 600 "${ED}"/etc/hostapd

I can do it, but should I bump the rev again for this unresolved security issue?
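The check and the fix discussed in the comment above, as an added POSIX shell example that is not code from this bug or from the hostapd ebuild: it audits a config tree such as /etc/hostapd for files readable by group or others and then restricts it to its owner, using 600 on files and 700 on directories (a directory needs its execute bit to be traversable, which a blanket "chmod -R 600" would strip). The paths, the demo() tree and the passphrase value are constructed.

```shell
#!/bin/sh
# Added example (not from the bug or the ebuild): audit a config tree for
# files readable by group/other, then tighten it to owner-only access.
# Uses only POSIX ls, find, chmod and cut so it runs on any Linux box.

# Returns 0 when group or other has the read bit on $1, 1 when not, 2 if missing.
# "ls -ld" prints e.g. "-rw-r--r--": characters 5 and 8 are the group/other r bits.
is_world_readable() {
    [ -e "$1" ] || return 2
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ????r?????|???????r??) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<perms> <path>" for every regular file under $1 that leaks to group/other.
audit_tree() {
    find "$1" -type f | while IFS= read -r f; do
        if is_world_readable "$f"; then
            printf '%s %s\n' "$(ls -ld "$f" | cut -c1-10)" "$f"
        fi
    done
}

# Restrict the tree to its owner: 700 on directories (keeps them traversable
# for the owner), 600 on files. This is the shape src_install should produce.
harden_tree() {
    find "$1" -type d -exec chmod 700 {} + &&
    find "$1" -type f -exec chmod 600 {} +
}

# Demo on a constructed tree in a temp dir with a fake passphrase; no real
# host configuration is touched.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/etc/hostapd"
    printf 'interface=wlan0\nwpa_passphrase=CONSTRUCTED-NOT-A-REAL-SECRET\n' \
        > "$tmp/etc/hostapd/hostapd.conf"
    chmod 644 "$tmp/etc/hostapd/hostapd.conf"   # the mode this bug reports
    echo "before:"; audit_tree "$tmp/etc/hostapd"
    harden_tree "$tmp/etc/hostapd"
    echo "after:";  audit_tree "$tmp/etc/hostapd"  # prints nothing once fixed
    rm -rf "$tmp"
}
```

Source the file and call demo to see the before/after listing; audit_tree alone is safe to point at a real /etc/hostapd since it only reads modes.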
Comment 10 Rick Farina (Zero_Chaos) gentoo-dev 2012-09-24 15:46:34 UTC
Per Ago I have fixed this issue in -r2 without removing the keywords for this issue.

Please don't misunderstand what has happened here though. You should all be embarrassed. Not because you messed up, that happens, but to not even respond to Anton after he pointed out (much more politely than I) how you failed.

Today I fix a bug just so I can be less embarrassed to be a gentoo developer. Please, don't ignore the users, without them this is all a bit pointless.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2012-12-16 21:57:35 UTC
Vote: NO.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2012-12-16 22:14:43 UTC
Oh, didn't see Sean's vote first. Closing noglsa now.