[Pkg-acpi-devel] Bug#560771: acpid: CVE-2009-4235: weak permissions on /var/log/acpid

Raphael Geissert geissert at debian.org
Sat Dec 12 03:23:58 UTC 2009

Package: acpid
Version: 1.0.4-5
Severity: grave
Tags: security

the following CVE (Common Vulnerabilities & Exposures) id was
published for acpid.

| acpid 1.0.4 sets an unrestrictive umask, which might allow local users
| to leverage weak permissions on /var/log/acpid, and obtain sensitive
| information by reading this file or cause a denial of service by
| overwriting this file, a different vulnerability than CVE-2009-4033.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

The vulnerability only seems to affect oldstable, but I noticed that none of 
the versions remove the log file, so the permissions of the file need to be 
fixed by all the other versions.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4235

Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

More information about the Pkg-acpi-devel mailing list