Bug 458896 (CVE-2013-0348) - <www-servers/thttpd-2.26.4-r2: world-readable logdir (CVE-2013-0348)
Summary: <www-servers/thttpd-2.26.4-r2: world-readable logdir (CVE-2013-0348)
Status: RESOLVED FIXED
Alias: CVE-2013-0348
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [noglsa]
Reported: 2013-02-23 19:03 UTC by Agostino Sarubbo
Modified: 2013-07-11 20:47 UTC (History)

Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-02-23 19:03:26 UTC
As reported by me on oss-security at $URL, thttpd, at least on gentoo, has a world-readable log/logdir:

# ls -la /var/log/thttpd.log 
-rw-r--r-- 1 thttpd thttpd 0 Feb 22 14:05 /var/log/thttpd.log
Comment 1 Anthony Basile gentoo-dev 2013-02-26 19:40:26 UTC
I committed the fix upstream:

http://opensource.dyc.edu/gitweb/?p=sthttpd.git;a=commit;h=d2e186dbd58d274a0dea9b59357edc8498b5388d

This is not a gentoo only bug.  You need to chmod() the log file after its fopen().

I'll push this out to the tree as thttpd-2.26.4-r2 after dealing with other bugs.  I don't think this is that big of a deal, and I'm not sure why you think you needed a CVE for it.
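The mechanism behind the bug, and one way to avoid it, as an added C example that is not thttpd's or sthttpd's code and not the upstream commit referenced above. fopen(3) creates a file with mode 0666 masked by the process umask, so under the usual umask 022 the log comes out 0644 (the -rw-r--r-- shown in the report). The hardened opener below uses open(2) with an explicit 0640 so the restrictive mode is applied at creation time, which avoids the brief window a chmod() issued after fopen() leaves, and then fchmod()s the descriptor to tighten a log that already existed with looser bits. The file path and log line are constructed for the demo; the function names are the example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Returns 1 if 'path' is readable by "other", 0 if not, -1 on stat error. */
int is_world_readable(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (st.st_mode & S_IROTH) ? 1 : 0;
}

/* The pattern behind the bug: fopen(3) creates with mode 0666 & ~umask.
 * The umask is set to 022 explicitly so the demo is deterministic; the
 * result is 0644, i.e. world-readable.  Returns the is_world_readable()
 * verdict for the file it created, then unlinks it. */
int naive_log_world_readable(const char *path)
{
    mode_t old = umask(022);
    FILE *fp = fopen(path, "a");
    umask(old);
    if (!fp)
        return -1;
    fputs("constructed sample log line\n", fp);
    fclose(fp);
    int r = is_world_readable(path);
    unlink(path);
    return r;
}

/* Hardened opener: open(2) with an explicit 0640 applies the restrictive
 * mode atomically at creation, so there is no window in which a
 * world-readable file exists.  fchmod() then tightens a file that was
 * created earlier with looser permissions.  O_NOFOLLOW refuses to write
 * through a symlink sitting in the log directory. */
FILE *open_private_log(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0640);
    if (fd < 0)
        return NULL;
    if (fchmod(fd, 0640) < 0) {
        close(fd);
        return NULL;
    }
    FILE *fp = fdopen(fd, "a");
    if (!fp)
        close(fd);
    return fp;
}

/* Same round-trip as the naive version, using the hardened opener. */
int private_log_world_readable(const char *path)
{
    FILE *fp = open_private_log(path);
    if (!fp)
        return -1;
    fputs("constructed sample log line\n", fp);
    fclose(fp);
    int r = is_world_readable(path);
    unlink(path);
    return r;
}

int main(void)
{
    const char *p = "/tmp/thttpd_logperm_demo.log"; /* constructed path */
    printf("fopen() under umask 022, world-readable: %d\n",
           naive_log_world_readable(p));
    printf("open(..., 0640) opener, world-readable:  %d\n",
           private_log_world_readable(p));
    return 0;
}
```

The same check, `stat` followed by a test of the S_IROTH bit, is what an audit of an existing deployment would run over /var/log before and after upgrading, since a file created by the older build keeps its original mode until something tightens it.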
Comment 2 Agostino Sarubbo gentoo-dev 2013-02-26 19:42:35 UTC
(In reply to comment #1)
> I'm not sure why you think you needed a CVE for it.

An unauthorized user can disclose sensitive information.
Comment 3 Anthony Basile gentoo-dev 2013-02-26 20:05:22 UTC
Okay I've pushed thttpd-2.26.4-r2.
Comment 4 Anthony Basile gentoo-dev 2013-03-23 03:55:01 UTC
Okay time to stabilize:  TARGETS="amd64 arm ppc ppc64 sparc x86"
Comment 5 Anthony Basile gentoo-dev 2013-03-23 04:48:12 UTC
(In reply to comment #4)
> Okay time to stabilize:  TARGETS="amd64 arm ppc ppc64 sparc x86"

Okay I took care of ppc and ppc64
Comment 6 Agostino Sarubbo gentoo-dev 2013-03-23 09:14:56 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-03-23 09:15:24 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-03-23 12:39:00 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-04-02 10:55:58 UTC
sparc stable
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-10 23:48:09 UTC
(In reply to comment #0)
> As reported by me on oss-security at $URL

This is NOT how Gentoo developers should be reporting vulnerabilities they find. Please see our methodology on the Audit subproject page [1].

GLSA vote: NO.


[1] http://www.gentoo.org/proj/en/security/audit.xml
Comment 11 Anthony Basile gentoo-dev 2013-04-11 01:05:51 UTC
(In reply to comment #10)
> (In reply to comment #0)
> > As reported by me on oss-security at $URL
> 
> This is NOT how Gentoo developers should be reporting vulnerabilities they
> find. Please see our methodology on the Audit subproject page [1].
> 
> GLSA vote: NO.
> 
> 
> [1] http://www.gentoo.org/proj/en/security/audit.xml

Thanks for that reference.  It didn't seem right to me to request a CVE for something this trivial.  I totally agree with solar's emphasis on peer-review.  We need more of it everywhere in gentoo.
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2013-07-11 20:47:56 UTC
NO too, closing.