oss-security - CVE Request: Proc::Daemon writes pidfile with mode 666

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Date: Mon, 16 Dec 2013 22:34:59 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: 732283@...s.debian.org, cm@...etec.at
Subject: CVE Request: Proc::Daemon writes pidfile with mode 666

Hi Kurt,

christian mock <cm@...etec.at> has reported[1] that Proc::Daemon, when
instructed to write a pid file, does that with a umask set to 0, so
the pid file ends up with world-writable permissions.

Upstream bugreport is at [2].

 [1] http://bugs.debian.org/732283
 [2] https://rt.cpan.org/Ticket/Display.html?id=91450

Axel Beckert has commited a patch to the Debian packaging[3] and
forwarded it to upstream.

 [3] http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libproc-daemon-perl.git;a=blob;f=debian/patches/pid.patch

Could a CVE be assigend for this issue?

Regards and thanks in advance,
Salvatore

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.