Date: Sun, 6 Apr 2014 20:32:35 -0700 From: Tim Heckman <tim+sec@...erduty.com> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: Re: CVE request: Icecast world readable log/logdir On Sun, Apr 6, 2014 at 10:32 AM, Agostino Sarubbo <ago@...too.org> wrote: > I just noticed that (at least on gentoo), the following package produces a > world readable log: > > Icecast (http://www.icecast.org): > # ls -la /var/log/icecast > total 18648 > drwxrw-r-- 2 icecast nogroup 4096 Apr 6 12:23 . > drwxr-xr-x 15 root root 4096 Apr 5 04:20 .. > -rw-r--r-- 1 icecast nogroup 5646894 Apr 6 19:27 access.log > -rw-r--r-- 1 icecast nogroup 3181987 Apr 6 19:27 error.log > -- > Agostino Sarubbo > Gentoo Linux Developer > Hello Agostino, I agree that world-readable log files is a problem and should be fixed. However, should this be given a CVE? Do those log files contain any information that would be considered a security risk? It's been quite a few years, admittedly, since I've worked with Icecast so I don't remember if those files contain any information that could be considered a problem. Cheers! -Tim
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.