On Thu, Nov 01, 2007 at 01:30:45PM +0100, Nico Golde wrote:
> CVE-2007-5751[0]:
> | Liferea before 1.4.6 uses weak permissions (0644) for the
> | feedlist.opml backup file, which allows local users to
> | obtain credentials.
It appears that the problem is not present in 1.0.*, as those versions do not create a backup for that file. At least, my local install has proper permissions on the file:

$ ls -l ~/.liferea/feedlist.opml
-rw------- 1 rodrigo users 5954 2007-06-03 21:31 /home/rodrigo/.liferea/feedlist.opml

Lars, could you please confirm this?

In any case, I backported the change and prepared a package for it, attached here. If the problem is found to be present, please review it for upload.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.0
Source: liferea
Binary: liferea-gtkhtml, liferea-mozilla, liferea, liferea-xulrunner
Architecture: any
Version: 1.0.27-2etch1
Maintainer: Franz Pletz <[EMAIL PROTECTED]>
Uploaders: Luis Rodrigo Gallardo Cruz <[EMAIL PROTECTED]>
Standards-Version: 3.7.2.0
Build-Depends: dpatch, autotools-dev, debhelper (>> 4.0.0), libgtkhtml2-dev, libxul-dev, libgconf2-dev, libdbus-glib-1-dev, libsm-dev
Files:
 af0a43286d4a3362b526c89826e7f851 1572604 liferea_1.0.27.orig.tar.gz
 93bf4626a7263ee745d07e57029587a4 9483 liferea_1.0.27-2etch1.diff.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHKe7/AZmDGK3JvCgRAjl8AJ0VSWB4yjIzLDDI67c+684mUyK75wCcDF1E
Ne54xqWAMhyjdpFGvNnufGY=
=y5BO
-----END PGP SIGNATURE-----
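The weak-permission pattern behind the quoted CVE, shown as an added example that is neither Liferea's code nor part of this message: a backup written with plain fopen() inherits the process umask (typically 022, giving 0644), while requesting owner-only bits at open() time and fchmod()ing an already-existing file yields 0600 regardless. The scratch path and the umask value of 022 are assumptions for the demonstration.

```c
/* Added example, not Liferea's code. POSIX only. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: fopen(.., "w") asks for 0666 and the umask decides the rest.
 * With the common umask 022 the backup ends up 0644, readable by every local
 * user, which matters when feedlist.opml carries feed credentials. */
static int write_backup_weak(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(data, f);
    return fclose(f);
}

/* Hardened pattern: request owner-only bits at creation (umask can only tighten
 * them), then fchmod() so a file left behind with wider bits is fixed too. */
static int write_backup_private(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        return -1;
    }
    FILE *f = fdopen(fd, "w");
    if (f == NULL) {
        close(fd);
        return -1;
    }
    fputs(data, f);
    return fclose(f);
}

/* Write a scratch file with one of the two writers under an assumed umask of
 * 022, restore the previous umask, remove the file and return its permission
 * bits (0644 for the weak writer, 0600 for the hardened one); -1 on error. */
int backup_mode_under_umask022(const char *path, int hardened)
{
    mode_t old = umask(022);
    int rc = hardened ? write_backup_private(path, "<opml/>\n")
                      : write_backup_weak(path, "<opml/>\n");
    umask(old);
    struct stat st;
    if (rc != 0 || stat(path, &st) != 0)
        return -1;
    unlink(path);
    return (int)(st.st_mode & 0777);
}
```

Checking an installed copy is the same stat() test: any bit in S_IRWXG or S_IRWXO on the backup file is the condition the advisory describes.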