Bugtraq mailing list archives
Re: Permission problem in Skype BETA for linux
From: Peter Conrad <conrad () tivano de>
Date: Wed, 16 Feb 2005 09:53:16 +0100
Update (February 2005):

The issue described below has re-appeared in the official (non-BETA) version released on Feb 1, 2005. Skype were notified on Feb 10, and a fixed version was released on Feb 14.

Vulnerable: skype-1.0.0.1-suse.i586.rpm (but see below)
Fixed: skype-1.0.0.7-suse.i586.rpm

NB: it seems that a fixed version skype-1.0.0.1-suse.i586.rpm was made available on Feb 11, but without modifying the version number. The difference can only be seen with "rpm -qi ...":

    conrad@adams:~> rpm -qip skype-1.0.0.1-suse.i586.rpm | grep Release
    Release : suse Build Date: Mon Jan 31 19:00:45 2005
    conrad@adams:~> rpm -qip skype-1.0.0.1b-suse.i586.rpm | grep Release
    Release : suse.hotfix1 Build Date: Fri Feb 11 14:18:39 2005

On Wednesday, 22 December 2004 18:12, Peter Conrad wrote:
Date: December 2004

Product: Skype (http://skype.com/)
"Skype is free Internet telephony that just works. Skype is for calling other people on their computers or phones. Download Skype and start calling for free all over the world."

Affected versions: Linux RPM's version 0.92.0.12, possibly others. (Linux versions are marked as "BETA")

Problem Description: During installation a world-writable directory "/usr/share/skype/lang" is created.

Impact: The directory (presumably) contains various language files used by the skype application. An attacker could modify these files. It is unknown if this could be used for attacking local users running the skype application.

Solution: The problem seems to be fixed in version 0.93.0.3, which is currently available for download from the skype website.

History:
- Vendor notified on 19-Nov-2004
- Vendor acknowledged problem within 40 minutes
- Fixed version available since 21-Dec-2004
--
Peter Conrad                 Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH      Fax: +49 6102 / 80 99 071
Bahnhofstr. 18               http://www.tivano.de/
63263 Neu-Isenburg
Germany
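The following check for the condition reported above is an added example, not part of the original post or of any Skype tooling. It flags world-writable directories both in an `rpm -qlv` style listing and in an installed tree; the function names and every sample line except the /usr/share/skype/lang path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): find world-writable directories,
# the class of problem reported for /usr/share/skype/lang.

# Constructed sample in the ls -l style printed by `rpm -qlv` / `rpm -qlvp`.
# Only /usr/share/skype/lang is named in the advisory; the rest is made up.
SAMPLE_LISTING='drwxr-xr-x 2 root root 0 Jan 31 2005 /usr/share/skype
drwxrwxrwx 2 root root 0 Jan 31 2005 /usr/share/skype/lang
-rw-r--r-- 1 root root 512 Jan 31 2005 /usr/share/skype/lang/example.file
drwxrwxrwt 2 root root 0 Jan 31 2005 /var/tmp/example-spool'

# Read an ls -l style listing on stdin and print each directory whose
# "other" permission bits include write. Sticky directories are marked:
# the sticky bit restricts deletion, but anyone can still add files.
world_writable_dirs_in_listing() {
    awk '
        substr($1, 1, 1) == "d" && substr($1, 9, 1) == "w" {
            # Assumes 8 metadata columns before the path; rejoin a path
            # that contains spaces.
            path = $9
            for (i = 10; i <= NF; i++) path = path " " $i
            if (substr($1, 10, 1) ~ /[tT]/) path = path " [sticky]"
            print path
        }'
}

# Same check against an installed tree, e.g. /usr/share/skype.
world_writable_dirs_on_disk() {
    find "$1" -type d -perm -0002 -print
}

# Typical use before and after installing a package (paths are examples):
#   rpm -qlvp ./package.rpm | world_writable_dirs_in_listing
#   world_writable_dirs_on_disk /usr/share/skype
```

Running the listing check against the package file before installation shows the modes the package itself declares; the on-disk check also catches directories created or re-permissioned by install scripts.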