Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 28 Jan 2017 17:12:19 -0500
From: <cve-assign@...re.org>
To: <piotr.karbowski@...il.com>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: Gentoo: order of installed packages may result in vary directories permissions, leading to crontab not requiring cron group membership as example.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> [] On one system after installing set of packages, the
> /var/spool/cron ended up being cron:root 755
> ...
> https://bugs.gentoo.org/show_bug.cgi?id=607430
> https://bugs.gentoo.org/show_bug.cgi?id=607426
> 
> https://bugs.gentoo.org/show_bug.cgi?id=396153
> https://bugs.gentoo.org/show_bug.cgi?id=141619
> https://bugs.gentoo.org/show_bug.cgi?id=58611

Use CVE-2004-2778.


This CVE is for the general issue that permissions can end up weaker
than intended because of the state of the filesystem at the time an
ebuild is installed. (It is not exclusively a CVE about directories
for cron.) As mentioned in the 607430 description, "it's not clear to
me whether Portage should provide a solution to that, or the ebuilds
authors should make sure to always depends, in case of touching
cronbase directories, on the cronbase package, to ensure that it's
installed prior to installing them." In other words, it is conceivable
that this could be considered a documentation problem, if the final
decision is that each ebuild author needs to be responsible for
letting the "correct" entity determine the appropriate permissions.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYjRbyAAoJEHb/MwWLVhi2E34P+waV8WI6umzx8yqTW76C32ti
332tDNFVAtD2w1gsdwJeFhO6LiQ9tF71FplmF9OEhGyIcg5o0AGh+EdvL+dYDP6i
gX4d5p6XFIHtWe4WfIa5DJXtT0lB8pI2PRy9lXsVK9C8asOueBkNLnHy2zB/+dXL
VCX1z1wzpcDysIUivlnI4spwWxbS65Zm2DHpUxhs7vCz9nAFSPstu/FnKWLKFe1d
fhNayuRvb0f3zUAaJwDzDJ2yoIui550eiJ+6TmUlhY8jCkOuxNGdD7hwpURG/1Wi
TvrCzH1YYJgHnCz8QT6WB5SrbQfYsZmLnB+SbQwbJNDKbL8+kaHbwl/lRY8hphsC
PW+oP8QBOh902JtREOqMBtSlReozvJEGC0yNtS6V9Dysu5vmn5nK+YkW4KHbAHCv
6ZSRDBZKr53UKBoaOqEoKxoDNgMGpYB4l2p6Cjp9a3eEXVR7Py4u/A1flVVD/pAi
SXFhSi0IKAuk1BqFf6g1KlbVpXaec7cPRrnGOToXpYcGKw1A9H1sNmnxVDYhXRqH
zW1V9hhTxhn+7zTuGhRtd0AfCYKsmBWOppGvyhDyo2HW3Fepp9UzTS5EqcqjYwf2
+45CObb2v77ZTsNDRi8YWZ79ABa3DnvYWSRJR9kB/kxTDBX2WaaamrEVH6omr/uJ
ZW3voevSL9UA648rf/OQ
=mgyN
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.