[Pkg-acpi-devel] Bug#560771: Bug#560771: acpid: CVE-2009-4235: weak permissions on /var/log/acpid

Raphael Geissert geissert at debian.org
Mon Dec 14 03:42:58 UTC 2009


2009/12/12 Ted Felix <ted at tedfelix.com>:
>  Looks like the problem is in this line from open_logs():
> logfd = open(logfile, O_WRONLY|O_CREAT|O_APPEND);
>  It should be this:
> logfd = open(logfile, O_WRONLY|O_CREAT|O_APPEND, 0640);
>  And (theoretically, as I've not tested it) the problem is solved.

Yes, the third argument is needed when using O_CREAT.

>  As mentioned, this doesn't fix any existing log files that are hanging
> around, so maybe we need more code to destroy any old log file that has
> questionable permissions?

I don't think removing it is appropriate. Logs are never removed by packages.

> Is etch still even supported?

Yes, security support ends in February next year.

> I'm not running
> etch, but if someone else is, perhaps they can test my releases?

I don't have a machine with etch at hand, but I guess I still have a
vm with acpid installed on another machine.

>  What would you like me to do?

I think the best approach is to prepare uploads for unstable and
stable (via stable-proposed-updates) fixing the permissions of the
file, and an upload for oldstable (via oldstable-security) that fixes
both the permissions and the open(2) call.

Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

More information about the Pkg-acpi-devel mailing list