Package: libvirt-bin
Version: 0.9.2-5
Severity: normal

On the libvirt mailing list, I noticed this patch:

  http://www.redhat.com/archives/libvir-list/2011-May/msg01367.html
  Subject: [PATCH] libvirt.spec: /var/cache/libvirt should be 0711.

I was curious to see if this packaging change made its way to Debian,
but it seems that we don't set _any_ of the permissions like the .spec
file does. The particular bug they were trying to fix likely doesn't
exist in Debian because our /var/cache/libvirt is already overly
permissive, but this seems like an oversight and can be a potential
security issue (information leakage due to default 0755 rather than
the more restrictive permissions that the .spec file lists).

-jim

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (300, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.39-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libvirt-bin depends on:
ii  adduser             3.112+nmu2      add and remove users and groups
ii  gettext-base        0.18.1.1-3      GNU Internationalization utilities
ii  libavahi-client3    0.6.27-2        Avahi client library
ii  libavahi-common3    0.6.27-2        Avahi common library
ii  libblkid1           2.17.2-9        block device id library
ii  libc6               2.11.2-10       Embedded GNU C Library: Shared lib
ii  libcap-ng0          0.6.4-1         An alternate posix capabilities li
ii  libdevmapper1.02.1  2:1.02.48-5     The Linux Kernel Device Mapper use
ii  libgcrypt11         1.5.0~beta1-1   LGPL Crypto library - runtime libr
ii  libgnutls26         2.11.6-2        the GNU TLS library - runtime libr
ii  libnl1              1.1-6           library for dealing with netlink s
ii  libparted0debian1   2.3-5           The GNU Parted disk partitioning s
ii  libpciaccess0       0.12.0-1        Generic PCI access library for X
ii  libreadline6        6.1-3           GNU readline and history libraries
ii  libsasl2-2          2.1.23.dfsg1-7  Cyrus SASL - authentication abstra
ii  libudev0            164-3           libudev shared library
ii  libuuid1            2.17.2-9        Universally Unique ID library
ii  libvirt0            0.9.2-5         library for interfacing with diffe
ii  libxenstore3.0      4.0.1-2         Xenstore communications library fo
ii  libxml2             2.7.8.dfsg-2    GNOME XML library
ii  logrotate           3.7.8-6         Log rotation utility

Versions of packages libvirt-bin recommends:
ii  bridge-utils    1.4-5              Utilities for configuring the Linu
ii  dmidecode       2.9-1.2            Dump Desktop Management Interface
ii  dnsmasq-base    2.55-2             A small caching DNS proxy and DHCP
ii  ebtables        2.0.9.2-2          Ethernet bridge frame table admini
ii  gawk            1:3.1.7.dfsg-5     GNU awk, a pattern scanning and pr
ii  iproute         20100519-3         networking and traffic control too
ii  iptables        1.4.11.1-2         administration tools for packet fi
ii  libxml2-utils   2.7.8.dfsg-2       XML utilities
ii  netcat-openbsd  1.89-4             TCP/IP swiss army knife
ii  qemu            0.14.0+dfsg-5.1    fast processor emulator
ii  qemu-kvm        0.14.0+dfsg-1~tls  Full virtualization on x86 hardwar

Versions of packages libvirt-bin suggests:
ii  policykit-1  0.101-4  framework for managing administrat

-- no debconf information
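
An added example (not part of the original report, nor of the Debian or libvirt packaging): a shell check for the condition described above, a directory whose mode grants bits beyond the maximum the .spec file expects. Only the /var/cache/libvirt and 0711 pairing comes from the report; the function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: report permission bits a directory grants beyond an
# expected maximum mode. Function names are hypothetical; GNU stat assumed.

# excess_bits PATH MAXMODE
# Prints, in octal, the bits set on PATH that are not allowed by MAXMODE.
excess_bits() {
    actual=$(stat -c '%a' -- "$1") || return 2
    # A leading 0 makes shell arithmetic read both values as octal.
    printf '%o\n' $(( 0$actual & ~0$2 & 07777 ))
}

# audit_dir PATH MAXMODE
# Returns 0 if PATH is within MAXMODE, 1 if too permissive, 2 if unreadable.
audit_dir() {
    extra=$(excess_bits "$1" "$2") || { echo "MISSING  $1"; return 2; }
    if [ "$extra" = "0" ]; then
        echo "OK       $1"
        return 0
    fi
    echo "TOO-OPEN $1 (extra bits: $extra, expected at most $2)"
    return 1
}

# Stand-alone use, with the pairing named in the report:
#   sh audit.sh /var/cache/libvirt 0711
if [ "$#" -eq 2 ]; then
    audit_dir "$1" "$2"
fi
```

A directory at the default 0755 checked against 0711 reports extra bits 44, the group and world read bits that allow listing its contents.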