Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 1 May 2009 09:17:24 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: coley@...us.mitre.org
Cc: oss-security@...ts.openwall.com
Subject: CVE Request: clamav-milter on Ubuntu

Due to a typo, the clamav-milter initscript would change the owner of
the current directory to clamav (or whatever User is set to in
clamd.conf). This typically affects the '/' directory, but could affect
any directory on the system. This is all documented in the Ubuntu bug[1].

This was introduced in this commit:
http://git.debian.org/?p=pkg-clamav/clamav.git;a=commitdiff;h=c4e1bf5d98637c0219852eaac768170bf8aef2fc;hp=5a2b5013440c4b81d0eb3233072c88564a15fc5d

0.95.1+dfsg-1ubuntu1 and 0.95.1+dfsg-1ubuntu1.1 on Ubuntu 9.04 are
affected, but earlier versions are not. It looks like Debian never
released with this code, and version 0.95.1+dfsg-2 (in Debian/unstable)
is not affected. Derivatives of Ubuntu 9.04 are presumably affected.

Can we get a CVE for this?

Jamie

[1] https://bugs.launchpad.net/bugs/365823

-- 
Jamie Strandboge             | http://www.canonical.com

Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ