Date: Fri, 1 May 2009 09:17:24 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: coley@...us.mitre.org
Cc: oss-security@...ts.openwall.com
Subject: CVE Request: clamav-milter on Ubuntu

Due to a typo, the clamav-milter initscript would change the owner of
the current directory to clamav (or whatever User is set to in
clamd.conf). This typically affects the '/' directory, but could affect
any directory on the system. This is all documented in the Ubuntu bug[1].

This was introduced in this commit:
http://git.debian.org/?p=pkg-clamav/clamav.git;a=commitdiff;h=c4e1bf5d98637c0219852eaac768170bf8aef2fc;hp=5a2b5013440c4b81d0eb3233072c88564a15fc5d

0.95.1+dfsg-1ubuntu1 and 0.95.1+dfsg-1ubuntu1.1 on Ubuntu 9.04 are
affected, but earlier versions are not. It looks like Debian never
released with this code, and version 0.95.1+dfsg-2 (in Debian/unstable)
is not affected. Derivatives of Ubuntu 9.04 are presumably affected.

Can we get a CVE for this?

Jamie

[1] https://bugs.launchpad.net/bugs/365823

-- 
Jamie Strandboge             | http://www.canonical.com
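
An audit for the condition described in the message above, added here as an example and not part of the original post or of the clamav packaging: it reads the User directive from a clamd.conf-style file and lists directories owned by that account outside the locations where that is expected. The function names and the allowlisted paths in the usage comment are assumptions; adjust them to the local install.

```shell
#!/bin/sh
# Added audit example; not code from the advisory or the clamav package.

# Print the account named by the User directive in a clamd.conf-style file.
clamd_user() {
    awk '$1 == "User" { print $2; exit }' "$1"
}

# misowned_dirs CONF ROOT [ALLOWED_DIR...]
# List directories under ROOT (same filesystem only) that are owned by the
# User from CONF, skipping each ALLOWED_DIR and everything beneath it.
misowned_dirs() {
    conf=$1; root=$2; shift 2
    user=$(clamd_user "$conf")
    # No User directive found: nothing to compare against.
    [ -n "$user" ] || return 2
    find "$root" -xdev -type d -user "$user" 2>/dev/null |
    while IFS= read -r d; do
        skip=0
        for ok in "$@"; do
            case "$d" in "$ok"|"$ok"/*) skip=1 ;; esac
        done
        [ "$skip" -eq 1 ] || printf '%s\n' "$d"
    done
}

# Usage (allowlist paths are assumptions about where the service account
# legitimately owns directories):
#   misowned_dirs /etc/clamav/clamd.conf / \
#       /var/lib/clamav /var/log/clamav /var/run/clamav
```

Any path printed, '/' in particular, is a directory whose owner should be compared against the packaged default and reset if it was changed by the initscript.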
