Your message dated Tue, 07 Aug 2012 18:52:24 +0200
with message-id <502147c8.40...@abeckmann.de>
and subject line Re: Bug#682824: hylafax-server: creates world writable
directory without sticky bit set
has caused the Debian Bug report #682824,
regarding hylafax-server: creates world writable directory without sticky bit
set
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
682824: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=682824
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: hylafax-server
Version: 2:6.0.5-4.1
Severity: grave
Tags: security
Justification: user security hole
User: debian...@lists.debian.org
Usertags: piuparts
Hi,
hylafax-server (all versions in squeeze, wheezy, sid) creates the
following directory:
drwsrwxrwx 2 uucp uucp 40 Dec 12 2010 /var/spool/hylafax/tmp
that is world writable and does not have the sticky bit set.
This allows arbitrary users to delete (and replace) files there that
were not created by them.
I do not know how this directory is used by hylafax-server and what the
impact of this problem is, but it does not seem right to have such a
possible hole.
I do not use hylafax-server, I just noticed this while analyzing a
piuparts log for a different problem.
Andreas
--- End Message ---
--- Begin Message ---
Version: 3:6.0.6-4
On 2012-08-01 01:18, Giuseppe Sacco wrote:
> Would you please check 3:6.0.6-4 and eventually close this bug report?
Seems to work, piuparts no longer complains on upgrades to the sid
version :-)
Andreas
--- End Message ---
