[Secure-testing-team] Bug#526409: evolution: permissions on mailbox folders are set wrong
Tim Connors
tconnors at rather.puzzling.org
Fri May 1 01:25:24 UTC 2009
Package: evolution
Version: 2.24.5-3
Severity: grave
Tags: security
Justification: user security hole
tconnors at denman:~$ l /home/maree/.evolution/mail/local/Sent
-rw-r--r-- 1 maree maree 118474734 2009-05-01 08:16 /home/maree/.evolution/mail/local/Sent
Hmmm. Would it be a good idea to set ~/.evolution to 700 perhaps? Or
just adopt a restrictive umask for the whole of evolution (mail being
a rather more sensitive application than most)?
Many site policies are for home directories to be world or group
readable, and trusting users not to be stupid with their permissions.
Unfortunately this breaks down when the applications themselves are
stupid.
This affects upstream as well, as verified by several installations of
deadrat and the like installed over many years at work.
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (710, 'testing'), (700, 'stable'), (600, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages evolution depends on:
ii dbus 1.2.12-1 simple interprocess messaging syst
ii debconf [debconf 1.5.26 Debian configuration management sy
ii evolution-common 2.24.5-3 architecture independent files for
ii evolution-data-s 2.24.5-4+b1 evolution database backend server
ii gconf2 2.24.0-7 GNOME configuration database syste
ii gnome-icon-theme 2.24.0-4 GNOME Desktop icon theme
ii libart-2.0-2 2.3.20-2 Library of functions for 2D graphi
ii libatk1.0-0 1.24.0-2 The ATK accessibility toolkit
ii libbluetooth2 3.36-1 Library to use the BlueZ Linux Blu
ii libbonobo2-0 2.24.1-1 Bonobo CORBA interfaces library
ii libbonoboui2-0 2.24.1-1 The Bonobo UI library
ii libc6 2.9-6 GNU C Library: Shared libraries
ii libcairo2 1.8.6-2+b1 The Cairo 2D vector graphics libra
ii libcamel1.2-14 2.24.5-4+b1 The Evolution MIME message handlin
ii libdbus-1-3 1.2.12-1 simple interprocess messaging syst
ii libdbus-glib-1-2 0.80-3 simple interprocess messaging syst
ii libebackend1.2-0 2.24.5-4+b1 Utility library for evolution data
ii libebook1.2-9 2.24.5-4+b1 Client library for evolution addre
ii libecal1.2-7 2.24.5-4+b1 Client library for evolution calen
ii libedataserver1. 2.24.5-4+b1 Utility library for evolution data
ii libedataserverui 2.24.5-4+b1 GUI utility library for evolution
ii libegroupwise1.2 2.24.5-4+b1 Client library for accessing group
ii libenchant1c2a 1.4.2-3.3 a wrapper library for various spel
ii libexchange-stor 2.24.5-4+b1 Client library for accessing Excha
ii libfontconfig1 2.6.0-3 generic font configuration library
ii libfreetype6 2.3.9-4 FreeType 2 font engine, shared lib
ii libgconf2-4 2.24.0-7 GNOME configuration database syste
ii libgdata-google1 2.24.5-4+b1 Client library for accessing Googl
ii libgdata1.2-1 2.24.5-4+b1 Client library for accessing Googl
ii libglade2-0 1:2.6.3-1 library to load .glade files at ru
ii libglib2.0-0 2.20.0-2 The GLib library of C routines
ii libgnome-pilot2 2.0.15-2.4 Support libraries for gnome-pilot
ii libgnome2-0 2.24.1-2 The GNOME 2 library - runtime file
ii libgnomecanvas2- 2.20.1.1-1 A powerful object-oriented display
ii libgnomeui-0 2.24.1-1 The GNOME 2 libraries (User Interf
ii libgnomevfs2-0 1:2.24.1-1 GNOME Virtual File System (runtime
ii libgtk2.0-0 2.14.7-5 The GTK+ graphical user interface
ii libgtkhtml-edito 3.24.5-2 HTML rendering/editing library - e
ii libgtkhtml3.14-1 3.24.5-2 HTML rendering/editing library - r
ii libhal1 0.5.11-8 Hardware Abstraction Layer - share
ii libice6 2:1.0.5-1 X11 Inter-Client Exchange library
ii libldap-2.4-2 2.4.15-1 OpenLDAP libraries
ii libnm-glib0 0.7.0.100-1 network management framework (GLib
ii libnotify1 [libn 0.4.5-1 sends desktop notifications to a n
ii libnspr4-0d 4.7.1-4 NetScape Portable Runtime Library
ii libnss3-1d 3.12.2.with.ckbi.1.73-1 Network Security Service libraries
ii liborbit2 1:2.14.17-0.1 libraries for ORBit2 - a CORBA ORB
ii libpango1.0-0 1.24.0-3 Layout and rendering of internatio
ii libpisock9 0.12.3-10 library for communicating with a P
ii libpisync1 0.12.3-10 synchronization library for PalmOS
ii libpopt0 1.14-4 lib for parsing cmdline parameters
ii libsm6 2:1.1.0-2 X11 Session Management library
ii libsoup2.4-1 2.24.3-2 an HTTP library implementation in
ii libsqlite3-0 3.6.12-1 SQLite 3 shared library
ii libusb-0.1-4 2:0.1.12-13 userspace USB programming library
ii libx11-6 2:1.2-1 X11 client-side library
ii libxml2 2.7.3.dfsg-1 GNOME XML library
ii zlib1g 1:1.2.3.3.dfsg-13 compression library - runtime
Versions of packages evolution recommends:
ii evolution-plugins 2.24.5-3 standard plugins for Evolution
ii evolution-webcal 2.21.92-1+b1 webcal: URL handler for GNOME and
ii gnome-desktop-data 2.22.3-2 Common files for GNOME 2 desktop a
pn gnome-pilot-conduits <none> (no description available)
ii spamassassin 3.2.5-4 Perl-based spam filter using text
ii yelp 2.24.0-2 Help browser for GNOME 2
Versions of packages evolution suggests:
pn bug-buddy <none> (no description available)
pn evolution-dbg <none> (no description available)
ii evolution-exchange 2.24.5-1 Exchange plugin for the Evolution
pn evolution-plugins-experimenta <none> (no description available)
ii gnome-spell 1.0.7-1 GNOME/Bonobo component for spell c
ii gnupg 1.4.9-4 GNU privacy guard - a free PGP rep
pn network-manager <none> (no description available)
-- debconf information:
evolution/needs_shutdown: