mailing list archives
Re: Permission problem in Skype BETA for linux
From: Peter Conrad <conrad () tivano de>
Date: Wed, 16 Feb 2005 09:53:16 +0100
Update (February 2005):
The issue described below has re-appeared in the official (non-BETA)
version released on Feb 1, 2005. Skype were notified on Feb 10, and a
fixed version was released on Feb 14.
Vulnerable: skype-184.108.40.206-suse.i586.rpm (but see below)
NB: it seems that a fixed version skype-220.127.116.11-suse.i586.rpm was
made available on Feb 11, but without modifying the version number.
The difference can only be seen with "rpm -qi ..." - :
conrad () adams:~> rpm -qip skype-18.104.22.168-suse.i586.rpm | grep Release
Release : suse Build Date: Mon Jan 31 19:00:45 2005
conrad () adams:~> rpm -qip skype-22.214.171.124b-suse.i586.rpm | grep Release
Release : suse.hotfix1 Build Date: Fri Feb 11 14:18:39 2005
Am Mittwoch, 22. Dezember 2004 18:12 schrieb Peter Conrad:
Date: December 2004
Product: Skype (http://skype.com/)
"Skype is free Internet telephony that just works.
Skype is for calling other people on their computers or phones.
Download Skype and start calling for free all over the world."
Linux RPM's version 0.92.0.12, possibly others.
(Linux versions are marked as "BETA")
During installation a world-writable directory "/usr/share/skype/lang" is
The directory (presumably) contains various language files used by the
skype application. An attacker could modify these files. It is unknown if
this could be used for attacking local users running the skype application.
The problem seems to be fixed in version 0.93.0.3, which is currently
available for download from the skype website.
- Vendor notified on 19-Nov-2004
- Vendor acknowledged problem within 40 minutes
- Fixed version available since 21-Dec-2004
Peter Conrad Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH Fax: +49 6102 / 80 99 071
Bahnhofstr. 18 http://www.tivano.de/
- Re: Permission problem in Skype BETA for linux Peter Conrad (Feb 18)