Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 6 Apr 2014 20:32:35 -0700
From: Tim Heckman <tim+sec@...erduty.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE request: Icecast world readable log/logdir

On Sun, Apr 6, 2014 at 10:32 AM, Agostino Sarubbo <ago@...too.org> wrote:

> I just noticed that (at least on gentoo), the following package produces a
> world readable log:
>
> Icecast (http://www.icecast.org):
> # ls -la /var/log/icecast
> total 18648
> drwxrw-r--  2 icecast nogroup     4096 Apr  6 12:23 .
> drwxr-xr-x 15 root    root        4096 Apr  5 04:20 ..
> -rw-r--r--  1 icecast nogroup  5646894 Apr  6 19:27 access.log
> -rw-r--r--  1 icecast nogroup  3181987 Apr  6 19:27 error.log
> --
> Agostino Sarubbo
> Gentoo Linux Developer
>

Hello Agostino,

I agree that world-readable log files is a problem and should be fixed.
However, should this be given a CVE?

Do those log files contain any information that would be considered a
security risk? It's been quite a few years, admittedly, since I've worked
with Icecast so I don't remember if those files contain any information
that could be considered a problem.

Cheers!
-Tim

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ