Bug#659296: Comments on the 0.4.1-6 upload
Vasudev Kamath asked me to include this information in the bug report.
From: Florian Weimer <firstname.lastname@example.org>
Subject: Re: Accepted surf 0.4.1-6 (source i386)
To: Vasudev Kamath <email@example.com>
Date: Fri, 10 Feb 2012 23:18:36 +0100
* Vasudev Kamath:
> surf (0.4.1-6) unstable; urgency=high
> * QA upload.
> * debian/patches:
> + Added fix-insecure-permissions.patch to fix world readable cookie jar
> vulnerability CVE-2012-0842. (Closes: #659296)
- g_mkdir_with_parents(apath, 0755);
+ g_mkdir_with_parents(apath, 0700);
I think you should also downgrade the permissions from 0755 if the
directory exists (in case we want to keep the package alive, which I doubt).
[Addendum: It is sufficient to do this with just one component of the