Bug#659296: surf: world-readable cookie jar

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#659296: surf: world-readable cookie jar
From: Jakub Wilk <jwilk@debian.org>
Date: Fri, 10 Feb 2012 00:05:41 +0100
Message-id: <[🔎] 20120209230541.GA1725@jwilk.net>
Reply-to: Jakub Wilk <jwilk@debian.org>, 659296@bugs.debian.org

Package: surf
Version: 0.4.1-4.1
Severity: grave
Tags: security
Justification: user security hole

$ ls -ld ~/.surf/{,cookies.txt}
drwxr-xr-x 2 user users 4096 Feb  9 22:59 /home/user/.surf/
-rw-r--r-- 1 user users  406 Feb  9 22:59 /home/user/.surf/cookies.txt

This allows local users to steal cookies.


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages surf depends on:
ii  libatk1.0-0         2.2.0-2
ii  libc6               2.13-26
ii  libcairo2           1.10.2-6.2
ii  libfontconfig1      2.8.0-3.1
ii  libfreetype6        2.4.8-1
ii  libgdk-pixbuf2.0-0  2.24.0-2
ii  libglib2.0-0        2.30.2-6
ii  libgtk2.0-0         2.24.8-3
ii  libpango1.0-0       1.29.4-2
ii  libsoup2.4-1        2.34.3-1
ii  libwebkitgtk-1.0-0  1.6.1-5+b1
ii  libx11-6            2:1.4.4-4
ii  suckless-tools      38-1
ii  wget                1.13.4-2
ii  x11-utils           7.6+4
ii  xterm               276-2

--
Jakub Wilk

Reply to:

Follow-Ups:
- Bug#659296: surf: world-readable cookie jar
  - From: Jakub Wilk <jwilk@debian.org>
- Bug#659296: marked as done (surf: world-readable cookie jar)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#466513: marked as done (wmakerconf: Program committed suicide)
Next by Date: Bug#659296: surf: world-readable cookie jar
Previous by thread: Bug#466513: marked as done (wmakerconf: Program committed suicide)
Next by thread: Bug#659296: surf: world-readable cookie jar
Index(es):
- Date
- Thread