[Pkg-acpi-devel] Bug#560771: Bug#560771: acpid: CVE-2009-4235: weak permissions on /var/log/acpid
ted at tedfelix.com
Sun Dec 13 01:57:56 UTC 2009
Looks like the problem is in this line from open_logs():
logfd = open(logfile, O_WRONLY|O_CREAT|O_APPEND);
It should be this:
logfd = open(logfile, O_WRONLY|O_CREAT|O_APPEND, 0640);
And (theoretically, as I've not tested it) the problem is solved.
As mentioned, this doesn't fix any existing log files that are hanging
around, so maybe we need more code to destroy any old log file that has
questionable permissions? Is etch still even supported? I'm not
running etch, but if someone else is, perhaps they can test my releases?
What would you like me to do?
Raphael Geissert wrote:
> 2009/12/12 Michael Meskes <meskes at debian.org>:
>> On Fri, Dec 11, 2009 at 09:23:58PM -0600, Raphael Geissert wrote:
>>> the following CVE (Common Vulnerabilities & Exposures) id was
>>> published for acpid.
>>> | acpid 1.0.4 sets an unrestrictive umask, which might allow local users
>>> | to leverage weak permissions on /var/log/acpid, and obtain sensitive
>>> | information by reading this file or cause a denial of service by
>>> | overwriting this file, a different vulnerability than CVE-2009-4033.
>> This functonality was removed when going to version 1.0.6 which happened on
>> September 18th, 2007.
>>> The vulnerability only seems to affect oldstable, but I noticed that none of
>>> the versions remove the log file, so the permissions of the file need to be
>>> fixed by all the other versions.
>> The file hasn't been used for more than 2 years and probably does not contain
>> sensible information at all. Anyway all information therein is probably
>> outdated. Shall we still release a new version deleting that file for
>> all versions?
> The problem is not just the information it may (or not) contain, but
> the file permissions.
> If the file isn't removed, or the permissions corrected, it is
> possible for a local user to fill the file until the partition runs
> out of space. This could lead to missing log entries from other
> daemons as there's no space left.
More information about the Pkg-acpi-devel