xsane overwrites user's umask

Bug #611950 reported by Adrien Thebo
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
xsane | Fix Released | Unknown | |
xsane (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

Binary package hint: xsane

xsane overwrites the user's umask to 0007, and creates ~/.sane and other files with the according 770 permissions on directories and 660 on files containing the printer description. This is dangerous in a multiuser environment.

The umask is set on line in xsane.h
 107 #define XSANE_DEFAULT_UMASK 0007

This is used throughout the codebase.
> grep XSANE_DEFAULT_UMASK *
xsane.c: umask(XSANE_DEFAULT_UMASK); /* define new file permissions */
xsane.c: umask(XSANE_DEFAULT_UMASK); /* define new file permissions */
xsane.c: umask(XSANE_DEFAULT_UMASK); /* define permissions of new files */
xsane-device-preferences.c: umask(XSANE_DEFAULT_UMASK); /* define new file permissions */
xsane-email-project.c: umask(XSANE_DEFAULT_UMASK); /* define new file permissions */
xsane-fax-project.c: umask(XSANE_DEFAULT_UMASK); /* define new file permissions */
xsane-fax-project.c: umask(XSANE_DEFAULT_UMASK); /* define new file permissions */
xsane-fax-project.c: umask(XSANE_DEFAULT_UMASK); /* define new file permissions */
xsane-front-gtk.c: umask(XSANE_DEFAULT_UMASK); /* define new file permissions */
xsane.h:#define XSANE_DEFAULT_UMASK 0007
xsane-multipage-project.c: umask(XSANE_DEFAULT_UMASK); /* define new file permissions */
xsane-save.c: umask(XSANE_DEFAULT_UMASK); /* define new file permissions */
xsane-viewer.c: umask(XSANE_DEFAULT_UMASK); /* define new file permissions */
xsane-viewer.c: umask(XSANE_DEFAULT_UMASK); /* define new file permissions */

Steps to reproduce:
1. rm -r ~/.sane
2. xsane
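
The effect described in the report, as an added example that is not xsane's code or the attached patch: it creates a file while a given umask is in force and returns the resulting mode, so the forced 0007 value can be compared with a restrictive inherited umask. `mode_created_under`, `tightened_umask` and the `/tmp/umask-demo-*` path are hypothetical names, and the `| 0077` policy is an assumption about one safer alternative, not a statement of what the patch does.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define FORCED_UMASK 0007 /* the XSANE_DEFAULT_UMASK value quoted in the report */

/* Hypothetical policy: only ever add restrictions to the inherited umask. */
static mode_t tightened_umask(mode_t inherited)
{
    return inherited | 0077;
}

/* Create a file requesting 0666 while `mask` is the process umask and
 * return the permission bits it ends up with, or -1 on error. */
static int mode_created_under(mode_t mask)
{
    char dir[] = "/tmp/umask-demo-XXXXXX";
    char path[64];
    struct stat st;
    int fd, mode = -1;
    mode_t saved;

    if (mkdtemp(dir) == NULL)          /* private 0700 scratch directory */
        return -1;
    snprintf(path, sizeof path, "%s/prefs", dir);
    saved = umask(mask);               /* replace the umask, as the report describes */
    fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0666);
    umask(saved);                      /* restore the caller's umask */
    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            mode = (int)(st.st_mode & 0777);
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return mode;
}

int main(void)
{
    mode_t user = 0077; /* constructed: a user who chose a private umask */
    printf("inherited 0077 -> %04o\n", (unsigned)mode_created_under(user));
    printf("forced 0007    -> %04o\n", (unsigned)mode_created_under(FORCED_UMASK));
    printf("0022 | 0077    -> %04o\n", (unsigned)mode_created_under(tightened_umask(0022)));
    return 0;
}
```

To check an existing installation, `stat -c '%a %n' ~/.sane` shows whether the directory was created with group access.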

Adrien Thebo (adrien-thebo) wrote :
visibility: private → public
Adrien Thebo (adrien-thebo) wrote :

Patch that should set the default umask to something more secure.

tags: added: patch
tags: added: patch-forwarded-debian
removed: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xsane - 0.997-2ubuntu3

---------------
xsane (0.997-2ubuntu3) maverick; urgency=low

  [Adrien Thebo]
  * Fix umask permitions (LP: #611950)
    - debian/patches/fix_umask_permitions.patch
 -- chilicuil <chilicuil@i.am> Sat, 14 Aug 2010 02:38:18 -0500

Changed in xsane (Ubuntu):
status: New → Fix Released
Changed in xsane:
status: Unknown → New
Changed in xsane:
status: New → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
