[Pkg-acpi-devel] Bug#560771: Bug#560771: acpid: CVE-2009-4235: weak permissions on /var/log/acpid

Michael Meskes meskes at debian.org
Sat Dec 12 19:13:09 UTC 2009

On Fri, Dec 11, 2009 at 09:23:58PM -0600, Raphael Geissert wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for acpid.
> CVE-2009-4235[0]:
> | acpid 1.0.4 sets an unrestrictive umask, which might allow local users
> | to leverage weak permissions on /var/log/acpid, and obtain sensitive
> | information by reading this file or cause a denial of service by
> | overwriting this file, a different vulnerability than CVE-2009-4033.

This functonality was removed when going to version 1.0.6 which happened on
September 18th, 2007.

> The vulnerability only seems to affect oldstable, but I noticed that none of 
> the versions remove the log file, so the permissions of the file need to be 
> fixed by all the other versions.

The file hasn't been used for more than 2 years and probably does not contain
sensible information at all. Anyway all information therein is probably
outdated. Shall we still release a new version deleting that file for
all versions?

Besides, I do not have an etch system anymore, so help is needed. 

Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
ICQ: 179140304, AIM/Yahoo/Skype: michaelmeskes, Jabber: meskes at jabber.org
VfL Borussia! Forca Barca! Go SF 49ers! Use: Debian GNU/Linux, PostgreSQL

More information about the Pkg-acpi-devel mailing list