pkgsrc-Bugs archive
pkg/27419: sysutils/rox contains a serious security-flaw
>Number: 27419
>Category: pkg
>Synopsis: sysutils/rox contains a serious security-flaw
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: pkg-manager
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Oct 24 13:25:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator: Ove Soerensen
>Release:
>Organization:
>Environment:
>Description:
Version 1.2.0 of the rox-suite (which is the version currently in
pkgsrc) contains a serious bug. The mime-handlers (MIME-types in the
user's choices dir) are created with mode 0777, allowing a malicious user
with an account on the machine to replace another user's mime handlers
with a script of his choice, which will be executed with the victim's uid
the next time he opens a file using rox-filer.
>How-To-Repeat:
>Fix:
rox should be updated - the version in pkgsrc-wip is not vulnerable to
this problem (in fact it will even fix the permissions of existing mime
handlers) and appears to be stable; I've been running it for about a
month now.
>Release-Note:
>Audit-Trail:
>Unformatted:
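Added example, not part of the PR or of rox itself: a shell audit for the condition described above, listing MIME handler entries that other users can write to and clearing those write bits. The default path $HOME/Choices/MIME-types and the function names are assumptions; pass the actual handler directory as the argument.

```shell
#!/bin/sh
# Audit ROX MIME handlers for write access by other users (added example).
# ASSUMPTION: handlers live in "$HOME/Choices/MIME-types"; pass the real
# directory as the first argument if your installation differs.

# Print every entry under DIR, including DIR itself, that is group- or
# world-writable. The directory is checked too, because write access to it
# lets another user unlink and recreate any entry inside it.
# Symlinks are skipped: their own mode bits carry no meaning.
list_writable_handlers() {
    dir=${1:-"$HOME/Choices/MIME-types"}
    [ -d "$dir" ] || return 0
    find "$dir" ! -type l \( -perm -0002 -o -perm -0020 \) -print
}

# Number of entries reported by list_writable_handlers.
count_writable_handlers() {
    list_writable_handlers "$1" | wc -l | tr -d ' '
}

# Print entries not owned by the invoking user. A handler owned by someone
# else inside your own Choices directory deserves a close look.
list_foreign_handlers() {
    dir=${1:-"$HOME/Choices/MIME-types"}
    [ -d "$dir" ] || return 0
    find "$dir" ! -type l ! -user "$(id -un)" -print
}

# Remove group and world write permission from everything flagged above.
fix_handlers() {
    dir=${1:-"$HOME/Choices/MIME-types"}
    [ -d "$dir" ] || return 0
    find "$dir" ! -type l \( -perm -0002 -o -perm -0020 \) \
        -exec chmod go-w {} +
}
```

Tightening the mode does not undo a handler that was already replaced, so review the contents of anything listed before running fix_handlers.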