Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Tue, 17 Dec 2013 20:04:31 -0500 (EST)
From: cve-assign@...re.org
To: carnil@...fee.int, cve-assign@...fee.int, oss-security@...fee.int, 
	cm@...fee.int, 732283@...fee.int
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, cm@...etec.at,
        732283@...s.debian.org
Subject: Bug#732283: CVE Request: Proc::Daemon writes pidfile with mode 666

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> christian mock <cm@...etec.at> has reported[1] that Proc::Daemon, when
> instructed to write a pid file, does that with a umask set to 0, so
> the pid file ends up with world-writable permissions.
> 
> Upstream bugreport is at [2].
> 
>  [1] http://bugs.debian.org/732283
>  [2] https://rt.cpan.org/Ticket/Display.html?id=91450
>  
> Axel Beckert has commited a patch to the Debian packaging[3] and
> forwarded it to upstream.
> 
>  [3] http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libproc-daemon-perl.git;a=blob;f=debian/patches/pid.patch
> 
> Could a CVE be assigend for this issue?

Use CVE-2013-7135.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSsPPCAAoJEKllVAevmvmsDjkH/0ArQqMr437ZRT3i8pvsAP+6
Wc39qGXxcEZCPxSHGv9HdoeGrYBWBwLLWKjtPV+iSKE67BtBV1YS+j1ISI9ST6cz
93dhjxnN2n9VyvXStRTo3nj20wRkbWEyBWN1hUaR3niDb7bd+QqRd7m79MGY6VkG
uAkXP5pJacezleLBM1900W3rvppbdU/tCe4Oc5pMSRUZU9V2XWB8Y9yrCOztYVH4
2sojMuUv9kMdeHRM9iskOw1oGPX4GK5eKj0c/unJ1w82zF/56hM5Rw+yqYIY0mcH
er0Cl1N7TFPfQEVPhYg2s2kZUVOjA4UuHEWuArY3hv4m8XFC+GlBtkm36/7wfv0=
=jG8p
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...ts.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@...ts.debian.org

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ