
Bug#659296: surf: world-readable cookie jar

Package: surf
Version: 0.4.1-4.1
Severity: grave
Tags: security
Justification: user security hole

$ ls -ld ~/.surf/{,cookies.txt}
drwxr-xr-x 2 user users 4096 Feb  9 22:59 /home/user/.surf/
-rw-r--r-- 1 user users  406 Feb  9 22:59 /home/user/.surf/cookies.txt

This allows local users to steal cookies.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages surf depends on:
ii  libatk1.0-0         2.2.0-2
ii  libc6               2.13-26
ii  libcairo2           1.10.2-6.2
ii  libfontconfig1      2.8.0-3.1
ii  libfreetype6        2.4.8-1
ii  libgdk-pixbuf2.0-0  2.24.0-2
ii  libglib2.0-0        2.30.2-6
ii  libgtk2.0-0         2.24.8-3
ii  libpango1.0-0       1.29.4-2
ii  libsoup2.4-1        2.34.3-1
ii  libwebkitgtk-1.0-0  1.6.1-5+b1
ii  libx11-6            2:1.4.4-4
ii  suckless-tools      38-1
ii  wget                1.13.4-2
ii  x11-utils           7.6+4
ii  xterm               276-2

Jakub Wilk
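
An added example, not part of the original report and not surf's own code: one way a C program can create its cookie directory and jar so that the listing above would show drwx------ and -rw-------, together with a check for the reported condition. The function names are hypothetical.

```c
/* Added example (not surf's code); all function names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if group or other have any access to path, 0 if private, -1 on error. */
int exposed_to_others(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? 1 : 0;
}

/* Create the directory if missing and force mode 0700 whatever the umask. */
int private_dir(const char *dir)
{
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    int fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    int rc = fchmod(fd, 0700);
    close(fd);
    return rc;
}

/* Open the jar for appending with mode 0600. The mode passed to open() only
 * applies when the file is created, so fchmod() also tightens a jar that
 * already exists as 0644. O_NOFOLLOW refuses a symlink planted at the path. */
FILE *open_private_jar(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC,
                  0600);
    if (fd < 0)
        return NULL;
    if (fchmod(fd, 0600) != 0) {
        close(fd);
        return NULL;
    }
    FILE *f = fdopen(fd, "a");
    if (f == NULL)
        close(fd);
    return f;
}
```

A jar that was already copied while it was world-readable stays compromised after the mode change, so sessions stored in it should be invalidated as well.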
