oss-sec mailing list archives
Re: Gentoo: order of installed packages may result in vary directories permissions, leading to crontab not requiring cron group membership as example.
From: <cve-assign () mitre org>
Date: Sat, 28 Jan 2017 17:12:19 -0500
> [...] On one system after installing a set of packages, the /var/spool/cron ended up being cron:root 755 ...
> https://bugs.gentoo.org/show_bug.cgi?id=607430
> https://bugs.gentoo.org/show_bug.cgi?id=607426
> https://bugs.gentoo.org/show_bug.cgi?id=396153
> https://bugs.gentoo.org/show_bug.cgi?id=141619
> https://bugs.gentoo.org/show_bug.cgi?id=58611
Use CVE-2004-2778. This CVE is for the general issue that permissions can end up weaker than intended because of the state of the filesystem at the time an ebuild is installed. (It is not exclusively a CVE about directories for cron.)

As mentioned in the 607430 description, "it's not clear to me whether Portage should provide a solution to that, or the ebuilds authors should make sure to always depends, in case of touching cronbase directories, on the cronbase package, to ensure that it's installed prior to installing them."

In other words, it is conceivable that this could be considered a documentation problem, if the final decision is that each ebuild author needs to be responsible for letting the "correct" entity determine the appropriate permissions.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ]
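The install-order dependence the assignment refers to, as an added shell example that is not part of this message, of Portage, or of any Gentoo ebuild. It models a package merge as "create the directory with the mode carried in the package image only if it does not already exist" (an assumed simplification of Portage's directory handling), uses constructed modes 750 and 755 under a temporary fake root instead of the live /var/spool/cron, and ends with a check a defender can run against a real spool directory regardless of how it was created.

```shell
#!/bin/sh
# Added example: two packages both ship /var/spool/cron. The one merged first
# decides the final mode, because a merge that finds the directory already
# present leaves it alone (modelled assumption, not Portage's actual code).

merge_dir() {   # $1 = fake root, $2 = mode the package image carries for the dir
    d="$1/var/spool/cron"
    if [ ! -d "$d" ]; then
        mkdir -p "$d" && chmod "$2" "$d"
    fi
    # an existing directory is not touched: this is the order dependence
}

dir_mode() {    # print the octal mode of the spool dir under the fake root
    d="$1/var/spool/cron"
    stat -c '%a' "$d" 2>/dev/null || stat -f '%OLp' "$d"   # GNU, then BSD stat
}

simulate() {    # $1 = "cron-first" or "consumer-first"; prints the final mode
    root=$(mktemp -d)
    if [ "$1" = "cron-first" ]; then
        merge_dir "$root" 750   # cronbase-like package sets the intended mode
        merge_dir "$root" 755   # later package finds the dir and changes nothing
    else
        merge_dir "$root" 755   # unrelated package creates it with a loose mode
        merge_dir "$root" 750   # cronbase-like package arrives too late to fix it
    fi
    mode=$(dir_mode "$root")
    rm -rf "$root"
    printf '%s\n' "$mode"
}

# Audit check for a live system: succeed only if "other" has no access bits at
# all on the spool directory, whatever the installation order happened to be.
check_spool() { # $1 = root to inspect (use / for the real system); 0 = tight
    case "$(dir_mode "$1")" in
        *[1-7]) return 1 ;;   # last octal digit non-zero: world-accessible
        *)      return 0 ;;
    esac
}

if [ "${1:-}" = "demo" ]; then
    echo "cronbase merged first:     $(simulate cron-first)"
    echo "other package merged first: $(simulate consumer-first)"
fi
```

Run with `sh script.sh demo` to see the two orders side by side; `check_spool /` on a real host reports whether /var/spool/cron is reachable by everyone.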
Current thread:
- Gentoo: order of installed packages may result in vary directories permissions, leading to crontab not requiring cron group membership as example. KARBOWSKI Piotr (Jan 28)
- Re: Gentoo: order of installed packages may result in vary directories permissions, leading to crontab not requiring cron group membership as example. Kristian Fiskerstrand (Jan 28)
- Re: Gentoo: order of installed packages may result in vary directories permissions, leading to crontab not requiring cron group membership as example. cve-assign (Jan 28)