[Secure-testing-team] Bug#523476: pptp-linux: pptpsetup permissions
Ola Lundqvist
opal at debian.org
Sun Apr 12 16:56:34 UTC 2009
Hi Michael
Thanks a lot for your report!
On Fri, Apr 10, 2009 at 10:34:17AM -0400, Michael S. Gilbert wrote:
> package: pptp-linux
> severity: important
> tags: security
>
> Hello,
>
> Fedora issued the following update for pptp-linux, which they have
> tagged as security-related:
>
> This update corrects the behaviour of pptpsetup when its --delete
> option is used, retaining the permissions of /etc/ppp/chap-secrets
> rather than creating a new file that is likely to be world-readable.
> If you have previously used the --delete option of pptpsetup, you
> should reset the permissions of /etc/ppp/chap-secrets to their
> default value of 0600 unless you have good reasons to use another
> value: # chmod 600 /etc/ppp/chap-secrets
>
> Is this problem present in debian, and should it be of concern to the
> security team? From my perspective, the problem seems rather
> insignificant, but I will defer to your opinion as the maintainer.
It is a problem on Debian. I have successfully reproduced the problem.
The fix was very easy, just to add a chmod 600 /etc/ppp/chap-secrets.
I have uploaded a fixed package to unstable now.
I agree that it is not a critical bug but I think it is worth a DSA for this,
so I'm cc:ing the security team about this.
The corrected package is pptp-linux_1.7.2-2 and this is the only fix in
that package compared to stable.
Best regards,
// Ola
> See the Fedora security announcement for more details [1].
>
> Thanks for your assistance on this issue.
>
> [1] http://lwn.net/Articles/328042/
>
>
>
--
--------------------- Ola Lundqvist ---------------------------
/ opal at debian.org Annebergsslingan 37 \
| ola at inguza.com 654 65 KARLSTAD |
| http://inguza.com/ +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------
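
The failure mode discussed in this thread, shown as an added example that is not part of the original messages and is not pptpsetup's own code: rewriting a secrets file by creating a fresh copy loses the 0600 mode, while recording the mode and writing through `mktemp` retains it. The function names, the sample entries and the assumption that the tunnel name sits in the second (server) field are constructed for illustration; `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example, not pptpsetup's code. Assumed entry layout:
#   client server secret IP    (tunnel name in the server field)

# Vulnerable pattern: the replacement file is created fresh, so its mode comes
# from the umask (0644 under umask 022), not from the original file.
delete_entry_naive() {
    file=$1; tunnel=$2
    awk -v t="$tunnel" '$2 != t' "$file" > "$file.new" && mv -f "$file.new" "$file"
}

# Hardened pattern: record the original mode, write to a mktemp file (created
# 0600, so the secrets are never readable mid-rewrite), restore the mode, rename.
delete_entry() {
    file=$1; tunnel=$2
    mode=$(stat -c '%a' "$file") || return 1    # GNU stat; prints e.g. 600
    tmp=$(mktemp "$file.XXXXXX") || return 1
    if awk -v t="$tunnel" '$2 != t' "$file" > "$tmp" && chmod "$mode" "$tmp"; then
        mv -f "$tmp" "$file"
    else
        rm -f "$tmp"; return 1
    fi
}

# Audit check: succeeds only if group and other have no access at all.
is_private() {
    case $(stat -c '%a' "$1") in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Demo on constructed data in a scratch directory; prints the resulting modes.
demo() (
    umask 022
    d=$(mktemp -d) || exit 1
    printf '%s\n' 'alice office "s3cret" *' 'bob lab "hunter2" *' > "$d/naive"
    cp "$d/naive" "$d/hardened"
    chmod 600 "$d/naive" "$d/hardened"
    delete_entry_naive "$d/naive" lab
    delete_entry "$d/hardened" lab
    echo "naive=$(stat -c '%a' "$d/naive") hardened=$(stat -c '%a' "$d/hardened")"
    rm -rf "$d"
)

demo
```

Running `is_private /etc/ppp/chap-secrets` as root gives a quick check for hosts where the `--delete` option was used before the fixed package was installed.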