[Pkg-acpi-devel] Bug#560771: Bug#560771: acpid: CVE-2009-4235: weak permissions on /var/log/acpid

Raphael Geissert geissert at debian.org
Sat Dec 12 19:22:41 UTC 2009


2009/12/12 Michael Meskes <meskes at debian.org>:
> On Fri, Dec 11, 2009 at 09:23:58PM -0600, Raphael Geissert wrote:
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for acpid.
>>
>> CVE-2009-4235[0]:
>> | acpid 1.0.4 sets an unrestrictive umask, which might allow local users
>> | to leverage weak permissions on /var/log/acpid, and obtain sensitive
>> | information by reading this file or cause a denial of service by
>> | overwriting this file, a different vulnerability than CVE-2009-4033.
>
> This functionality was removed when going to version 1.0.6 which happened on
> September 18th, 2007.
>
>> The vulnerability only seems to affect oldstable, but I noticed that none of
>> the versions remove the log file, so the permissions of the file need to be
>> fixed by all the other versions.
>
> The file hasn't been used for more than 2 years and probably does not contain
> sensible information at all. Anyway all information therein is probably
> outdated. Shall we still release a new version deleting that file for
> all versions?

The problem is not just the information it may (or not) contain, but
the file permissions.
If the file isn't removed, or the permissions corrected, it is
possible for a local user to fill the file until the partition runs
out of space. This could lead to missing log entries from other
daemons as there's no space left.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
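
The two remedies raised in this thread (remove the stale file, or correct its permissions), sketched as a maintainer-script-style shell helper. This is an added example, not part of the original message or of the acpid packaging; the function names and the 0640 target mode are assumptions.

```shell
#!/bin/sh
# Added example, not from the acpid package or this thread.
# Assumptions: 0640 as the corrected mode; function names are illustrative.

# True if FILE is a regular file (not a symlink) that any local user can write.
is_world_writable() {
    [ -n "$(find "$1" -prune -type f -perm -002 -print 2>/dev/null)" ]
}

# List every world-writable regular file under a log directory.
audit_log_dir() {
    find "$1" -type f -perm -002 -print 2>/dev/null
}

# Repair one stale log file. ACTION is "chmod" (default) or "remove".
# Returns 0 if the file is absent, already tight, or was repaired.
fix_stale_log() {
    f=$1
    action=${2:-chmod}
    # Skip symlinks and non-regular files: chmod would follow a link to its target.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        return 0
    fi
    is_world_writable "$f" || return 0
    case $action in
        remove) rm -f -- "$f" ;;
        chmod)  chmod 0640 "$f" ;;
        *)      echo "unknown action: $action" >&2; return 2 ;;
    esac
}

# Stand-alone use: sh fix-log.sh /var/log/acpid [chmod|remove]
if [ "$#" -gt 0 ]; then
    fix_stale_log "$@"
fi
```
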




