quassel-core creates world-readable directories

Bug #846922 reported by Felix Geyer on 2011-09-11
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Lucid Backports | | Undecided | Unassigned |
maverick-backports | Fix Released | Undecided | Unassigned |
quassel (Ubuntu) | | Undecided | Unassigned |
Lucid | | Undecided | Tyler Hicks |
Maverick | | Undecided | Tyler Hicks |
Natty | | Undecided | Tyler Hicks |
Oneiric | | Undecided | Unassigned |

Bug Description

quassel-core creates /var/lib/quassel (/var/cache/quassel in older versions) and /var/log/quassel as world-readable directories.
The auto-generated SSL certificate+key file /var/lib/quasselCert.pem is also world-readable. This is especially dangerous when the administrator replaces it with a real certificate and doesn't change the permissions.

Felix Geyer (debfx) on 2011-09-11
visibility: private → public
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 0.7.3-0ubuntu2

---------------
quassel (0.7.3-0ubuntu2) oneiric; urgency=low

  * Set permissions of /var/lib/quassel and /var/log/quassel to 750.
    (LP: #846922)
  * Set permissions of /var/lib/quassel/quasselCert.pem to 640.
  * Update home dir of quasselcore user and stop the daemon before doing so.
  * Drop quasselcore-makecert script since it's completely broken since at
    least lucid and there is no need to update the self-signed certificate.
  * Drop README.source since the package has been converted to the 3.0 (quilt)
    format.
  * Update watch file so it only matches real version numbers.
  * Bump Standards-Version to 3.9.2, no changes needed.
  * Use kde debhelper buildsystem instead of calling the kubuntu l10n scripts
    manually.
  * Fix typo in quasselcore init script so it waits 5 seconds before checking
    if quasselcore started successfully. (LP: #777191)
 -- Felix Geyer <email address hidden> Mon, 12 Sep 2011 00:06:01 +0200
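
An added example, not part of the bug report or the quassel package: a permission audit for the three paths named in the changelog above, run against a constructed temporary tree that reproduces the pre-fix modes. It assumes GNU `stat`; the function names are hypothetical, and only mode bits are checked, not owner or group.

```shell
# Added example (not from the quassel package). Assumes GNU stat (coreutils).

# Paths and maximum modes taken from the changelog entry above.
TARGETS="var/lib/quassel:750 var/log/quassel:750 var/lib/quassel/quasselCert.pem:640"

# mode_exceeds PATH MAX -> true when PATH grants any bit that MAX does not.
mode_exceeds() {
    actual=$(stat -c '%a' "$1") || return 2
    [ $(( 0$actual & ~0$2 & 07777 )) -ne 0 ]
}

# audit_tree ROOT -> prints one line per over-permissive path; status 1 if any.
audit_tree() {
    bad=0
    for t in $TARGETS; do
        p="$1/${t%:*}"; max=${t#*:}
        [ -e "$p" ] || continue
        if mode_exceeds "$p" "$max"; then
            echo "$p: mode $(stat -c '%a' "$p"), expected at most $max"
            bad=1
        fi
    done
    return $bad
}

# apply_fix ROOT -> sets the modes named in the changelog.
apply_fix() {
    for t in $TARGETS; do
        p="$1/${t%:*}"
        [ -e "$p" ] && chmod "${t#*:}" "$p"
    done
    return 0
}

# make_sample_tree -> constructed tree reproducing the pre-fix modes.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/var/lib/quassel" "$d/var/log/quassel"
    : > "$d/var/lib/quassel/quasselCert.pem"
    chmod 755 "$d/var/lib/quassel" "$d/var/log/quassel"
    chmod 644 "$d/var/lib/quassel/quasselCert.pem"
    echo "$d"
}

root=$(make_sample_tree)
audit_tree "$root" || true    # reports all three paths
apply_fix "$root"
audit_tree "$root" && echo "no over-permissive paths after fix"
rm -rf "$root"
```

Because the check looks only at the mode, it flags the certificate file whether it holds the auto-generated key or one an administrator installed later. Passing `/` as ROOT audits the live paths.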

Changed in quassel (Ubuntu Oneiric):
status: New → Fix Released
Felix Geyer (debfx) wrote :

Attaching a fix for natty. I can generate debdiffs for lucid and maverick if this one is okay.

quassel (0.7.2-0ubuntu2.3) natty-security; urgency=low

  * SECURITY UPDATE: data and log dir are world-readable (LP: #846922)
    - Set permissions of /var/lib/quassel and /var/log/quassel to 750.
    - Set permissions of /var/lib/quassel/quasselCert.pem to 640.

 -- Felix Geyer <email address hidden> Mon, 26 Sep 2011 18:41:25 +0200

Tyler Hicks (tyhicks) wrote :

Thanks for the debdiff, Felix! It has my ack.

Once you get a chance to generate the lucid and maverick debdiffs, I'll upload them all for building.

Felix Geyer (debfx) wrote :

maverick debdiff

Felix Geyer (debfx) wrote :

lucid debdiff

Felix Geyer (debfx) wrote :

Thanks for reviewing it.
I've attached the remaining debdiffs.

Tyler Hicks (tyhicks) on 2011-10-13
Changed in quassel (Ubuntu Natty):
assignee: nobody → Tyler Hicks (tyhicks)
status: New → In Progress
Changed in quassel (Ubuntu Maverick):
assignee: nobody → Tyler Hicks (tyhicks)
status: New → In Progress
Changed in quassel (Ubuntu Lucid):
status: New → In Progress
assignee: nobody → Tyler Hicks (tyhicks)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 0.7.2-0ubuntu2.3

---------------
quassel (0.7.2-0ubuntu2.3) natty-security; urgency=low

  * SECURITY UPDATE: data and log dir are world-readable (LP: #846922)
    - Set permissions of /var/lib/quassel and /var/log/quassel to 750.
    - Set permissions of /var/lib/quassel/quasselCert.pem to 640.
 -- Felix Geyer <email address hidden> Mon, 26 Sep 2011 18:41:25 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 0.7.1-0ubuntu1.2

---------------
quassel (0.7.1-0ubuntu1.2) maverick-security; urgency=low

  * SECURITY UPDATE: data and log dir are world-readable (LP: #846922)
    - Set permissions of /var/lib/quassel and /var/log/quassel to 750.
    - Set permissions of /var/lib/quassel/quasselCert.pem to 640.
 -- Felix Geyer <email address hidden> Wed, 12 Oct 2011 23:48:38 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 0.6.1-0ubuntu1.3

---------------
quassel (0.6.1-0ubuntu1.3) lucid-security; urgency=low

  * SECURITY UPDATE: data and log dir are world-readable (LP: #846922)
    - Set permissions of /var/lib/quassel and /var/log/quassel to 750.
    - Set permissions of /var/lib/quassel/quasselCert.pem to 640.
 -- Felix Geyer <email address hidden> Wed, 12 Oct 2011 23:50:47 +0200

Changed in quassel (Ubuntu Lucid):
status: In Progress → Fix Released
Changed in quassel (Ubuntu Maverick):
status: In Progress → Fix Released
Changed in quassel (Ubuntu Natty):
status: In Progress → Fix Released
Felix Geyer (debfx) wrote :

Please backport quassel 0.7.2-0ubuntu2.3 (natty-security) to maverick and lucid.
This fixes the security issue in the existing backports.

Iain Lane (laney) wrote :

Have you checked it works (builds, installs and runs)?

Felix Geyer (debfx) wrote :

Yes, I have tested it on both releases.

Iain Lane (laney) wrote :

ok, cheers, ack from ubuntu-backporters

please backport quassel from natty-security to maverick, lucid

Changed in maverick-backports:
status: New → In Progress
Changed in lucid-backports:
status: New → In Progress
Tyler Hicks (tyhicks) wrote :

Unsubscribing ubuntu-security-sponsors since all packages going into the security pocket have been released.

Colin Watson (cjwatson) wrote :

I: Extracting quassel_0.7.2-0ubuntu2.3.dsc ... done.
I: Building backport of quassel as 0.7.2-0ubuntu2.3~maverick1 ... done.

Changed in maverick-backports:
status: In Progress → Fix Released
Colin Watson (cjwatson) wrote :

I: Extracting quassel_0.7.2-0ubuntu2.3.dsc ... done.
I: Building backport of quassel as 0.7.2-0ubuntu2.3~lucid1 ... done.

Changed in lucid-backports:
status: In Progress → Fix Released
This report contains Public Security information
Everyone can see this security related information.