[Pkg-acpi-devel] Bug#560771: acpid: CVE-2009-4235: weak permissions on /var/log/acpid
geissert at debian.org
Sat Dec 12 03:23:58 UTC 2009
the following CVE (Common Vulnerabilities & Exposures) id was
published for acpid.
| acpid 1.0.4 sets an unrestrictive umask, which might allow local users
| to leverage weak permissions on /var/log/acpid, and obtain sensitive
| information by reading this file or cause a denial of service by
| overwriting this file, a different vulnerability than CVE-2009-4033.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
The vulnerability only seems to affect oldstable, but I noticed that none of
the versions remove the log file, so the permissions of the file need to be
fixed by all the other versions.
For further information see:
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
More information about the Pkg-acpi-devel