Debian Bug report logs -
#659296
surf: world-readable cookie jar
Reported by: Jakub Wilk <jwilk@debian.org>
Date: Thu, 9 Feb 2012 23:09:02 UTC
Severity: grave
Tags: security
Found in version surf/0.4.1-4.1
Fixed in version surf/0.4.1-6
Done: Vasudev Kamath <kamathvasudev@gmail.com>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, jwilk@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#659296; Package surf.
(Thu, 09 Feb 2012 23:09:05 GMT) (full text, mbox, link).
Message #3 received at submit@bugs.debian.org (full text, mbox, reply):
Package: surf
Version: 0.4.1-4.1
Severity: grave
Tags: security
Justification: user security hole
$ ls -ld ~/.surf/{,cookies.txt}
drwxr-xr-x 2 user users 4096 Feb 9 22:59 /home/user/.surf/
-rw-r--r-- 1 user users 406 Feb 9 22:59 /home/user/.surf/cookies.txt
This allows local users to steal cookies.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Versions of packages surf depends on:
ii libatk1.0-0 2.2.0-2
ii libc6 2.13-26
ii libcairo2 1.10.2-6.2
ii libfontconfig1 2.8.0-3.1
ii libfreetype6 2.4.8-1
ii libgdk-pixbuf2.0-0 2.24.0-2
ii libglib2.0-0 2.30.2-6
ii libgtk2.0-0 2.24.8-3
ii libpango1.0-0 1.29.4-2
ii libsoup2.4-1 2.34.3-1
ii libwebkitgtk-1.0-0 1.6.1-5+b1
ii libx11-6 2:1.4.4-4
ii suckless-tools 38-1
ii wget 1.13.4-2
ii x11-utils 7.6+4
ii xterm 276-2
--
Jakub Wilk
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#659296; Package surf.
(Fri, 10 Feb 2012 15:51:03 GMT) (full text, mbox, link).
Message #6 received at 659296@bugs.debian.org (full text, mbox, reply):
* Jakub Wilk <jwilk@debian.org>, 2012-02-10, 00:05:
>$ ls -ld ~/.surf/{,cookies.txt}
>drwxr-xr-x 2 user users 4096 Feb 9 22:59 /home/user/.surf/
>-rw-r--r-- 1 user users 406 Feb 9 22:59 /home/user/.surf/cookies.txt
CVE-2012-0842 was assigned to this bug.
--
Jakub Wilk
Added tag(s) pending.
Request was from Jakub Wilk <jwilk@debian.org>
to control@bugs.debian.org.
(Fri, 10 Feb 2012 17:57:05 GMT) (full text, mbox, link).
Reply sent
to Vasudev Kamath <kamathvasudev@gmail.com>:
You have taken responsibility.
(Fri, 10 Feb 2012 19:57:03 GMT) (full text, mbox, link).
Notification sent
to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer.
(Fri, 10 Feb 2012 19:57:03 GMT) (full text, mbox, link).
Message #13 received at 659296-close@bugs.debian.org (full text, mbox, reply):
Source: surf
Source-Version: 0.4.1-6
We believe that the bug you reported is fixed in the latest version of
surf, which is due to be installed in the Debian FTP archive:
surf_0.4.1-6.debian.tar.gz
to main/s/surf/surf_0.4.1-6.debian.tar.gz
surf_0.4.1-6.dsc
to main/s/surf/surf_0.4.1-6.dsc
surf_0.4.1-6_i386.deb
to main/s/surf/surf_0.4.1-6_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 659296@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Vasudev Kamath <kamathvasudev@gmail.com> (supplier of updated surf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 11 Feb 2012 00:01:08 +0530
Source: surf
Binary: surf
Architecture: source i386
Version: 0.4.1-6
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Vasudev Kamath <kamathvasudev@gmail.com>
Description:
surf - simple web browser
Closes: 659296
Changes:
surf (0.4.1-6) unstable; urgency=high
.
* QA upload.
* debian/patches:
+ Added fix-insecure-permissions.patch to fix world readable cookie jar
vulnerability CVE-2012-0842. (Closes: #659296)
Checksums-Sha1:
c372b6ba750a605cb6bc9e7fb02a6a73e5dbfdea 1865 surf_0.4.1-6.dsc
29ae3decd5c4a1e949f2debed376e99019c1eb31 5493 surf_0.4.1-6.debian.tar.gz
08120b72914928288419d6e1069af7e688a33cf0 17142 surf_0.4.1-6_i386.deb
Checksums-Sha256:
71eea67330450b0fa6b0d333eff7f422917acd9df4dd43cd54bc20ade7406361 1865 surf_0.4.1-6.dsc
7aea612298a88d794f96e3cd05f93a59b41c8a35a7d894926d898a5650e3aca0 5493 surf_0.4.1-6.debian.tar.gz
a1b3ace2176919524e0680d7dd9f00177b54e913c292760bd598f8aa5eb85175 17142 surf_0.4.1-6_i386.deb
Files:
279e6d93c41d429588a60b8b923a294b 1865 web optional surf_0.4.1-6.dsc
7020fd99ef37a42142e986e88f68fb6c 5493 web optional surf_0.4.1-6.debian.tar.gz
ea364b04ade303a9c451e4a7b2906932 17142 web optional surf_0.4.1-6_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAEBCAAGBQJPNXIuAAoJEC1Os6YBVHX1zmoP/1OSyHELw6cCYOA8CNOXQleV
zFTf7ozd7vv0KtMLgYvbWAqmzvgvCW58aMyw/YlWPrOTSUh4IR7ad9yE5lZfwh6k
oA85WEAErgPqjTthvz3tCwFfwWYhQH9nlYRUeVXuCa+a2KUHpzqvbEikAHkqx/G5
K6kUUI3ZBRdNqFNENSq6tuvV3S8nb5uVkx4NEXN5RAEEo43ADOEqTGI+p14IllIR
lUUBqnIGBYZL//AcilnveLih/jWJkabbGdTRvitLpN3xHnMWsqueaVpGgZPdhSsj
/SBLbJJy7xJPHd5a6Km8a540oDyt0pksr0uQjrrw+6o1unHzp6CPs63h+rtboRXV
uUwavisKoXyLRiZUoTyXTly38LqHrqbpYTaw/aeInw4Q4p3PCkxCVqnCZA+QCwpK
Fe50CFIwuFJANPuHLdy9LDB+nA0DWTK15UiWZ8kAepdthsjtzQzrScd7lqKVdOh8
Mj4pJeWslF8EiSJKifUl/Xwo5XTWY/2+vdMznmqpu/+Ih7ZFXnDfcp3J9XEs7YaE
yAyFLcbFJ4ZV/qhCZl4SgVTZMQu/mEmEBLhw+vVPYaPv0QtVof3vsW1bOvOwXU8R
Ko00xpk6AdLdBGpVcmYub0ba0HKFDtBXf4LS9+s/YN8m/6ZPqmEjiE0t9Nlsw3+g
hmHFrO6q86LGXRrIwdAj
=rkF/
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#659296; Package surf.
(Mon, 13 Feb 2012 15:36:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>.
(Mon, 13 Feb 2012 15:36:08 GMT) (full text, mbox, link).
Message #18 received at 659296@bugs.debian.org (full text, mbox, reply):
Vasudev Kamath asked me to include this information in the bug report.
From: Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Accepted surf 0.4.1-6 (source i386)
To: Vasudev Kamath <kamathvasudev@gmail.com>
Date: Fri, 10 Feb 2012 23:18:36 +0100
Message-ID: <87vcnemiwz.fsf@mid.deneb.enyo.de>
* Vasudev Kamath:
> surf (0.4.1-6) unstable; urgency=high
> .
> * QA upload.
> * debian/patches:
> + Added fix-insecure-permissions.patch to fix world readable cookie jar
> vulnerability CVE-2012-0842. (Closes: #659296)
- g_mkdir_with_parents(apath, 0755);
+ g_mkdir_with_parents(apath, 0700);
I think you should also downgrade the permissions from 0755 if the
directory exists (in case we want to keep the package alive, which I doubt).
[Addendum: It is sufficient to do this with just one component of the
path.]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#659296; Package surf.
(Mon, 13 Feb 2012 16:45:07 GMT) (full text, mbox, link).
Message #21 received at 659296@bugs.debian.org (full text, mbox, reply):
* Florian Weimer <fw@deneb.enyo.de>, 2012-02-13, 16:32:
>> surf (0.4.1-6) unstable; urgency=high
>> .
>> * QA upload.
>> * debian/patches:
>> + Added fix-insecure-permissions.patch to fix world readable cookie jar
>> vulnerability CVE-2012-0842. (Closes: #659296)
>
>- g_mkdir_with_parents(apath, 0755);
>+ g_mkdir_with_parents(apath, 0700);
>
>I think you should also downgrade the permissions from 0755 if the
>directory exists (in case we want to keep the package alive, which I
>doubt).
I'm not a fan of software changing permissions of existing files (after
all it might be user who decided to make them more liberal that usual).
As the sponsor of this upload I didn't insist on chmod'ing
automatically; instead we limited ourselves to add a NEWS note asking to
change permissions manually.
That said, following the upstream changes, the next version _will_
fix existing permissions.
>[Addendum: It is sufficient to do this with just one component of the
>path.]
If we decided to revoke existing permissions, then we should not confine
ourselves to the directory, but also chmod the files. This is because an
attacker could have made hardlinks to the files when they were still
accessible.
However, even chmod'ing files won't help if the attacker is keeping (one
of) them open. You'd have to truncate the files and unlink them.
Implementing this would be probably overkill, though.
--
Jakub Wilk
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 13 Mar 2012 07:36:36 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:55:10 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon