[Pkg-acpi-devel] Bug#560771: Bug#560771: acpid: CVE-2009-4235: weak permissions on /var/log/acpid
geissert at debian.org
Mon Dec 14 03:42:58 UTC 2009
2009/12/12 Ted Felix <ted at tedfelix.com>:
> Looks like the problem is in this line from open_logs():
> logfd = open(logfile, O_WRONLY|O_CREAT|O_APPEND);
> It should be this:
> logfd = open(logfile, O_WRONLY|O_CREAT|O_APPEND, 0640);
> And (theoretically, as I've not tested it) the problem is solved.
Yes, the third argument is needed when using O_CREAT.
> As mentioned, this doesn't fix any existing log files that are hanging
> around, so maybe we need more code to destroy any old log file that has
> questionable permissions?
I don't think removing it is appropriate. Logs are never removed by packages.
> Is etch still even supported?
Yes, security support ends in February next year.
> I'm not running
> etch, but if someone else is, perhaps they can test my releases?
I don't have a machine with etch at hand, but I guess I still have a
vm with acpid installed on another machine.
> What would you like me to do?
I think the best approach is to prepare uploads for unstable and
stable (via stable-proposed-updates) fixing the permissions of the
file, and an upload for oldstable (via oldstable-security) that fixes
both the permissions and the open(2) call.
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
More information about the Pkg-acpi-devel