[Pkg-acpi-devel] Bug#560771: acpid: CVE-2009-4235: weak permissions on /var/log/acpid
Raphael Geissert
geissert at debian.org
Sat Dec 12 03:23:58 UTC 2009
Package: acpid
Version: 1.0.4-5
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for acpid.
CVE-2009-4235[0]:
| acpid 1.0.4 sets an unrestrictive umask, which might allow local users
| to leverage weak permissions on /var/log/acpid, and obtain sensitive
| information by reading this file or cause a denial of service by
| overwriting this file, a different vulnerability than CVE-2009-4033.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
The vulnerability only seems to affect oldstable, but I noticed that none of
the versions remove the log file, so the permissions of the file need to be
fixed by all the other versions.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4235
http://security-tracker.debian.org/tracker/CVE-2009-4235
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
More information about the Pkg-acpi-devel
mailing list