
Bug#659296: Comments on the 0.4.1-6 upload

* Florian Weimer <fw@deneb.enyo.de>, 2012-02-13, 16:32:
 surf (0.4.1-6) unstable; urgency=high
   * QA upload.
   * debian/patches:
     + Added fix-insecure-permissions.patch to fix world readable cookie jar
       vulnerability CVE-2012-0842. (Closes: #659296)

-               g_mkdir_with_parents(apath, 0755);
+               g_mkdir_with_parents(apath, 0700);
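
Review bot: this mode only takes effect when g_mkdir_with_parents actually creates the directory; a cookie directory that already exists from an earlier version keeps its 0755 bits untouched, so the patch alone does not cover the upgrade case and should be paired with either a chmod in code or the documented manual permission change.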

I think you should also downgrade the permissions from 0755 if the directory exists (in case we want to keep the package alive, which I doubt).

I'm not a fan of software changing permissions of existing files (after all, it might be the user who decided to make them more liberal than usual). As the sponsor of this upload I didn't insist on chmod'ing automatically; instead we limited ourselves to adding a NEWS note asking to change permissions manually.

That said, following the upstream changes, the next version _will_ fix existing permissions.

[Addendum: It is sufficient to do this with just one component of the path.]

If we decided to revoke existing permissions, then we should not confine ourselves to the directory, but also chmod the files. This is because an attacker could have made hardlinks to the files when they were still accessible.

However, even chmod'ing files won't help if the attacker is keeping (one of) them open. You'd have to truncate the files and unlink them. Implementing this would probably be overkill, though.

Jakub Wilk
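
The upgrade-path hardening discussed above, as an added example that is not part of this thread or of the surf package: it revokes group/other access on an existing cookie directory and the files in it, and counts files that still carry extra hard links, the case the reply notes a chmod cannot undo. The directory and file names are constructed for the demonstration, and harden_cookie_dir() and demo() are hypothetical helpers, not surf code.

```c
#define _XOPEN_SOURCE 700            /* for mkdtemp() */
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Revoke group/other access on an existing cookie directory and the regular
 * files in it. Returns how many of those files have more than one hard link
 * (chmod cannot revoke access through the other links), or -1 on error. */
int harden_cookie_dir(const char *dir)
{
    DIR *d; struct dirent *e; int multiply_linked = 0;
    if (chmod(dir, 0700) != 0 || (d = opendir(dir)) == NULL)
        return -1;
    while ((e = readdir(d)) != NULL) {
        char path[4096]; struct stat st;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
            continue;                /* skips ".", "..", symlinks, subdirs */
        if (chmod(path, 0600) != 0) { closedir(d); return -1; }
        if (st.st_nlink > 1)
            multiply_linked++;
    }
    closedir(d);
    return multiply_linked;
}

/* Constructed scenario: a 0755 directory, a world-readable cookies.txt and a
 * hard link to it outside the directory (the copy an attacker kept). Returns
 * harden_cookie_dir()'s count after verifying the new modes, -1 on failure. */
int demo(void)
{
    char dir[] = "/tmp/surf-cookies-XXXXXX", jar[64], stolen[64];
    struct stat st; int fd, linked;
    if (mkdtemp(dir) == NULL || chmod(dir, 0755) != 0) return -1;
    snprintf(jar, sizeof jar, "%s/cookies.txt", dir);
    snprintf(stolen, sizeof stolen, "%s.stolen", dir);
    fd = open(jar, O_WRONLY | O_CREAT, 0644);
    if (fd < 0 || write(fd, "session=secret\n", 15) != 15 || close(fd) != 0 ||
        link(jar, stolen) != 0) return -1;
    linked = harden_cookie_dir(dir);
    if (stat(dir, &st) != 0 || (st.st_mode & 0777) != 0700 ||
        stat(jar, &st) != 0 || (st.st_mode & 0777) != 0600) linked = -1;
    unlink(stolen); unlink(jar); rmdir(dir);
    return linked;                   /* 1: the hard-linked jar was detected */
}
```

A non-zero count from harden_cookie_dir() is the signal that the chmod was not enough for those files and the stronger truncate-and-unlink step mentioned above would be needed.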