oss-sec mailing list archives

CVE request: psi+ stores the cache file as world-readable


From: Agostino Sarubbo <ago () gentoo org>
Date: Tue, 26 Feb 2013 23:04:24 +0100

Psi+, a fork of psi, stores its files in ~/.cache/psi+ as world-readable.

~/.cache $ ls -la psi+/
total 52
drwxr-xr-x 5 ago ago  4096 feb 25 09:41 .
drwx------ 5 ago ago  4096 feb 24 23:58 ..
drwxr-xr-x 2 ago ago  4096 feb 25 09:41 avatars
drwxr-xr-x 2 ago ago  4096 feb 25 09:33 bob
-rw-r--r-- 1 ago ago 32610 feb 25 09:41 caps.xml
drwxr-xr-x 3 ago ago  4096 feb 24 23:58 profiles

An unauthorized user could read sensitive information in such dir.

Probably psi is affected as well.
-- 
Agostino Sarubbo
Gentoo Linux Developer
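
Added example, not part of the original message and not Psi+ code: a Python audit of a per-user cache directory that lists entries readable by other users and then strips all group/other bits. The function names, the sample tree, and the `profiles/default` subdirectory are constructed for illustration; the modes mirror the listing above.

```python
import os
import stat
import tempfile

def audit_tree(root):
    """List (relpath, mode, reachable) for entries readable by 'other'.
    reachable: every directory above the entry, inside root, also grants o+x."""
    findings, stack = [], [(root, True)]
    while stack:
        path, reachable = stack.pop()
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits are not enforced
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IROTH:
            findings.append((os.path.relpath(path, root), oct(mode), reachable))
        if stat.S_ISDIR(st.st_mode):
            inner = reachable and bool(mode & stat.S_IXOTH)
            stack.extend((os.path.join(path, n), inner) for n in os.listdir(path))
    return sorted(findings)

def harden_tree(root):
    """Drop every group/other bit so only the owner keeps access."""
    for dirpath, _dirs, files in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            if not os.path.islink(p):
                os.chmod(p, stat.S_IMODE(os.lstat(p).st_mode) & 0o700)

def build_sample(base):
    """Constructed tree with the modes from the listing: 0755 dirs, 0644 file."""
    root = os.path.join(base, "psi+")
    os.makedirs(os.path.join(root, "profiles", "default"))  # constructed name
    os.makedirs(os.path.join(root, "avatars"))
    with open(os.path.join(root, "caps.xml"), "w") as fh:
        fh.write("<caps/>")
    for dirpath, _dirs, files in os.walk(root):
        os.chmod(dirpath, 0o755)
        for f in files:
            os.chmod(os.path.join(dirpath, f), 0o644)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_sample(tmp)
        for finding in audit_tree(sample):
            print(finding)
        harden_tree(sample)
        print("after hardening:", audit_tree(sample))
```

An application that creates such a directory can avoid the cleanup step by creating it with mode 0700 and its files with mode 0600 in the first place.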

