As reported by me on oss-security at $URL, webfs, at least on gentoo, has a world-readable log/logdir:
# ls /var/log/webfsd.log -la
-rw-r--r-- 1 root root 0 Feb 22 14:02 /var/log/webfsd.log
This is fixed in webfs-1.21-r3 with this patch: --- ./webfsd.c +++ ./webfsd.c @@ -918,8 +918,11 @@ } else { if (NULL == (logfh = fopen(logfile,"a"))) xperror(LOG_WARNING,"open access log",NULL); - else + else { close_on_exec(fileno(logfh)); + if (0 != chmod(logfile,S_IRUSR|S_IWUSR)) + xperror(LOG_WARNING,"chmod access log",NULL); + } } }
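Review bot: the chmod in this hunk runs only after fopen(logfile,"a") has already created the file, so on first creation the log exists for a moment with the umask-derived mode (0644 under the common 022) before being tightened, and chmod on the path rather than on the open descriptor acts on whatever the path names at that instant, not necessarily the file just opened. Creating the log with open(logfile, O_WRONLY|O_APPEND|O_CREAT, S_IRUSR|S_IWUSR) followed by fdopen(), or at minimum replacing the chmod with fchmod(fileno(logfh), S_IRUSR|S_IWUSR), closes both gaps while keeping the same warning path via xperror(LOG_WARNING, ...).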
Arch teams, stabilize www-servers/webfs-1.21-r3 please.
amd64 stable
x86 stable
ppc stable
GLSA vote: no
GLSA vote: no Closing as noglsa