Bug#659296: Comments on the 0.4.1-6 upload
* Florian Weimer <email@example.com>, 2012-02-13, 16:32:
surf (0.4.1-6) unstable; urgency=high
* QA upload.
+ Added fix-insecure-permissions.patch to fix world readable cookie jar
vulnerability CVE-2012-0842. (Closes: #659296)
- g_mkdir_with_parents(apath, 0755);
+ g_mkdir_with_parents(apath, 0700);
I think you should also downgrade the permissions from 0755 if the
directory exists (in case we want to keep the package alive, which I
I'm not a fan of software changing permissions of existing files (after
all it might be user who decided to make them more liberal that usual).
As the sponsor of this upload I didn't insist on chmod'ing
automatically; instead we limited ourselves to add a NEWS note asking to
change permissions manually.
That said, following the upstream changes, the next version _will_
fix existing permissions.
[Addendum: It is sufficient to do this with just one component of the
If we decided to revoke existing permissions, then we should not confine
ourselves to the directory, but also chmod the files. This is because an
attacker could have made hardlinks to the files when they were still
However, even chmod'ing files won't help if the attacker is keeping (one
of) them open. You'd have to truncate the files and unlink them.
Implementing this would be probably overkill, though.