Date: Sun, 07 Dec 2014 16:49:47 +0100
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: postgresql: pg_dump creates world-readable dump

Hello,

I just discovered that pg_dump creates the database dump with world-readable 
permissions (644, to be exact).

I informed upstream about it, and this was the response:

On Sunday 07 December 2014 10:34:19 Noah Misch wrote:
> You presumably have umask 0022.  Like most programs, pg_dump does not
> constrain modes of files it creates; adjust your umask for that.  A few
> programs do otherwise; for example, ssh-keygen specifically constrains the
> mode of new private key files.  A database dump is not in such a special
> category, so pg_dump should continue to do the standard thing.

A local user is able to copy it and discover sensitive data.

In my opinion it deserves a CVE.

-- 
Agostino Sarubbo
Gentoo Linux Developer
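
The umask behaviour the upstream reply describes (an ordinary program opens its output with mode 0666 and the process umask decides what is masked off), together with the mitigation of taking the dump under a restrictive umask, as an added shell example that is not part of this post or of PostgreSQL. The function names `mode_under_umask` and `dump_private` are chosen here; `printf` stands in for pg_dump so the script runs without a database, and the dump contents are constructed.

```shell
#!/bin/sh
# Added example (not from the oss-security post or from PostgreSQL).
# Shows that the mode of a newly created file is 0666 & ~umask, and how to
# write a dump into a file that is owner-only readable regardless of the
# caller's umask.

# Create an empty file via shell redirection (open(2) with mode 0666) under
# the given umask and return its permission string as printed by ls.
# ls output is used instead of stat so the check is portable across
# GNU and BSD userlands.
mode_under_umask() {
    _umask="$1"
    _f="$(mktemp)"
    rm -f -- "$_f"                     # recreate it below under the chosen umask
    ( umask "$_umask"; : > "$_f" )     # result: 0666 & ~umask
    ls -ld -- "$_f" | cut -c1-10
    rm -f -- "$_f"
}

# Run a dump-producing command with stdout redirected to OUT, making sure
# OUT only ever exists with mode 0600.  Usage: dump_private OUT cmd [args...]
# (with pg_dump this would be: dump_private db.sql pg_dump mydb).
dump_private() {
    _out="$1"; shift
    ( umask 077                        # only this subshell; caller's umask untouched
      rm -f -- "$_out"                 # an existing 0644 file would keep its mode on truncate
      : > "$_out"                      # created 0600 under umask 077, before any data
      "$@" > "$_out" )
}

# Drive dump_private from a caller whose umask is the common 022 and report
# the resulting file mode.  printf is a stand-in for pg_dump here.
dump_private_mode() {
    _f="$(mktemp)"
    rm -f -- "$_f"
    ( umask 022; dump_private "$_f" printf 'constructed dump contents\n' )
    ls -ld -- "$_f" | cut -c1-10
    rm -f -- "$_f"
}

# Stand-alone run: compare the default outcome with the hardened one.
echo "umask 022 -> $(mode_under_umask 022)"     # -rw-r--r-- (the reported 644)
echo "umask 077 -> $(mode_under_umask 077)"     # -rw-------
echo "dump_private -> $(dump_private_mode)"     # -rw-------
```

The `rm -f` before creating the output is the part most often forgotten: a shell redirection onto a file that already exists truncates it but leaves its old mode in place, so a dump taken "under umask 077" into a file first created at 0644 stays world-readable.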
