oss-sec mailing list archives

Re: CVE request: sthttpd world-readable logdir


From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 22 Feb 2013 22:48:22 -0700

On 02/22/2013 06:12 AM, Agostino Sarubbo wrote:
> Hello,
>
> sthttpd[1], a fork of thttpd, a small, fast, multiplexing
> webserver, creates its log as world-readable:
>
> # ls -la /var/log/thttpd.log
> -rw-r--r-- 1 thttpd thttpd 0 Feb 22 14:05 /var/log/thttpd.log
>
> It should be only Gentoo-related because the log is created by our
> own init-script. Please assign a CVE.
>
> [1]: http://opensource.dyc.edu/sthttpd

Please use CVE-2013-0348 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

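The condition reported above, as an added example that is not code from the original post or the sthttpd project: a POSIX sh check that flags a log file readable by "other", next to a creation helper an init script could use so the file starts out 0640 instead of the umask-default 0644. Function names and the temporary directory used by the demo are assumptions of this example; stat -c is GNU coreutils.

```shell
#!/bin/sh
# Added example, not code from the original post or the sthttpd project.
# Two pieces an init script or audit job would want for the
# /var/log/thttpd.log report: a check that flags log files readable by
# "other", and a creation helper that never leaves the file at 0644.
# Helper names and the temporary directory are this example's assumptions;
# stat -c is GNU coreutils (on BSD use stat -f %Lp).
set -eu

# check_log_perms FILE: returns 0 if FILE is not world-readable, 1 if it is,
# 2 if it does not exist.
check_log_perms() {
    f=$1
    [ -e "$f" ] || { echo "missing: $f" >&2; return 2; }
    mode=$(stat -c '%a' "$f")        # e.g. 644
    other=${mode#"${mode%?}"}        # last octal digit = "other" class
    if [ $(( other & 4 )) -ne 0 ]; then
        echo "world-readable: $f (mode $mode)" >&2
        return 1
    fi
    return 0
}

# create_log FILE [OWNER GROUP]: create FILE if absent with mode 0640 so only
# the daemon user and its group can read it. install(1) applies the mode (and
# owner/group when run as root) at creation time, avoiding the touch-then-chmod
# window in which the file briefly carries the umask-derived 0644.
create_log() {
    f=$1
    if [ -e "$f" ]; then return 0; fi
    if [ $# -ge 3 ]; then
        install -m 0640 -o "$2" -g "$3" /dev/null "$f"
    else
        install -m 0640 /dev/null "$f"
    fi
}

# Constructed demonstration: reproduce the reported condition under the
# default umask 022, then show the hardened creation passing the check.
demo() {
    d=$(mktemp -d)
    ( umask 022; : > "$d/thttpd.log" )       # what the reported init script did
    check_log_perms "$d/thttpd.log" || echo "reported condition reproduced"
    create_log "$d/thttpd-fixed.log"          # as root: create_log FILE thttpd thttpd
    check_log_perms "$d/thttpd-fixed.log" && echo "hardened log passes the check"
    rm -rf "$d"
}

demo
```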