Message-ID: <20398bb624f64da8b11f520c02b57cc7@imshyb01.MITRE.ORG>
Date: Sat, 28 Jan 2017 17:12:19 -0500
From: <cve-assign@...re.org>
To: <piotr.karbowski@...il.com>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: Gentoo: order of installed packages may result in vary directories permissions, leading to crontab not requiring cron group membership as example.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> [] On one system after installing a set of packages, the
> /var/spool/cron ended up being cron:root 755
> ...
> https://bugs.gentoo.org/show_bug.cgi?id=607430
> https://bugs.gentoo.org/show_bug.cgi?id=607426
>
> https://bugs.gentoo.org/show_bug.cgi?id=396153
> https://bugs.gentoo.org/show_bug.cgi?id=141619
> https://bugs.gentoo.org/show_bug.cgi?id=58611

Use CVE-2004-2778.

This CVE is for the general issue that permissions can end up weaker than
intended because of the state of the filesystem at the time an ebuild is
installed. (It is not exclusively a CVE about directories for cron.)

As mentioned in the 607430 description, "it's not clear to me whether
Portage should provide a solution to that, or the ebuilds authors should
make sure to always depends, in case of touching cronbase directories, on
the cronbase package, to ensure that it's installed prior to installing
them." In other words, it is conceivable that this could be considered a
documentation problem, if the final decision is that each ebuild author
needs to be responsible for letting the "correct" entity determine the
appropriate permissions.
- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYjRbyAAoJEHb/MwWLVhi2E34P+waV8WI6umzx8yqTW76C32ti
332tDNFVAtD2w1gsdwJeFhO6LiQ9tF71FplmF9OEhGyIcg5o0AGh+EdvL+dYDP6i
gX4d5p6XFIHtWe4WfIa5DJXtT0lB8pI2PRy9lXsVK9C8asOueBkNLnHy2zB/+dXL
VCX1z1wzpcDysIUivlnI4spwWxbS65Zm2DHpUxhs7vCz9nAFSPstu/FnKWLKFe1d
fhNayuRvb0f3zUAaJwDzDJ2yoIui550eiJ+6TmUlhY8jCkOuxNGdD7hwpURG/1Wi
TvrCzH1YYJgHnCz8QT6WB5SrbQfYsZmLnB+SbQwbJNDKbL8+kaHbwl/lRY8hphsC
PW+oP8QBOh902JtREOqMBtSlReozvJEGC0yNtS6V9Dysu5vmn5nK+YkW4KHbAHCv
6ZSRDBZKr53UKBoaOqEoKxoDNgMGpYB4l2p6Cjp9a3eEXVR7Py4u/A1flVVD/pAi
SXFhSi0IKAuk1BqFf6g1KlbVpXaec7cPRrnGOToXpYcGKw1A9H1sNmnxVDYhXRqH
zW1V9hhTxhn+7zTuGhRtd0AfCYKsmBWOppGvyhDyo2HW3Fepp9UzTS5EqcqjYwf2
+45CObb2v77ZTsNDRi8YWZ79ABa3DnvYWSRJR9kB/kxTDBX2WaaamrEVH6omr/uJ
ZW3voevSL9UA648rf/OQ
=mgyN
-----END PGP SIGNATURE-----
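A defender-side check for the state described in this thread, added here as an example and not part of the mailing-list message or of any Gentoo tooling: it compares a directory's owner, group and mode against a policy and reports any ownership or permission bits that are weaker than intended, which is how an install-order problem of the CVE-2004-2778 kind would surface on a running system. The expected values for /var/spool/cron (root:cron, mode 0750), the POLICY table and the helper names are assumptions chosen for illustration; demo() recreates the reported 0755 case on a scratch directory so the check can be exercised without touching the real spool.

```python
"""Audit directories whose permissions may have been weakened by package
install order (the class of issue assigned CVE-2004-2778)."""
import grp
import os
import pwd
import stat
import tempfile

# Expected owner, group and mode per directory. These values are an assumption
# for illustration, not taken from the thread or from any ebuild; adjust them to
# the distribution's own policy.
POLICY = {
    "/var/spool/cron": {"owner": "root", "group": "cron", "mode": 0o750},
}


def evaluate(actual_owner, actual_group, actual_mode, expected):
    """Compare observed ownership and mode with the policy entry.
    Returns a list of findings; an empty list means the directory complies."""
    findings = []
    if actual_owner != expected["owner"]:
        findings.append("owner is %s, expected %s" % (actual_owner, expected["owner"]))
    if actual_group != expected["group"]:
        findings.append("group is %s, expected %s" % (actual_group, expected["group"]))
    # Any bit set on the directory that the policy does not grant is a finding,
    # e.g. 0755 against 0750 leaves the world r-x bits (0005) set.
    extra = (actual_mode & 0o7777) & ~expected["mode"]
    if extra:
        findings.append("mode %04o grants extra bits %04o" % (actual_mode & 0o7777, extra))
    return findings


def name_of_uid(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def name_of_gid(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit_path(path, expected):
    """Stat one directory without following symlinks and evaluate it."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]
    return evaluate(name_of_uid(st.st_uid), name_of_gid(st.st_gid),
                    stat.S_IMODE(st.st_mode), expected)


def audit_system(policy=POLICY):
    """Run the audit over every path in the policy; missing paths are reported."""
    report = {}
    for path, expected in policy.items():
        report[path] = ["missing"] if not os.path.lexists(path) else audit_path(path, expected)
    return report


def demo():
    """Recreate the reported state on a scratch directory: mode 0755 where the
    policy wants 0750. Owner and group are set to the current user's so that
    only the mode finding is exercised (constructed input, not a real spool)."""
    with tempfile.TemporaryDirectory() as tmp:
        spool = os.path.join(tmp, "cron")
        os.mkdir(spool)
        os.chmod(spool, 0o755)  # mkdir's mode is subject to umask; force it
        st = os.lstat(spool)
        expected = {"owner": name_of_uid(st.st_uid),
                    "group": name_of_gid(st.st_gid), "mode": 0o750}
        return audit_path(spool, expected)


if __name__ == "__main__":
    for path, findings in audit_system().items():
        print(path, "OK" if not findings else "; ".join(findings))
```

Run as a script it audits the real policy paths; the pure evaluate() function is what a configuration-management or integrity-monitoring job would call after every package installation, since it is the post-install state, not the ebuild's intent, that decides who can reach the spool.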