Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: nullmailer world readable /etc/nullmailer/remotes
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 09 Aug 2013 13:39:06 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/09/2013 12:42 PM, William Pitcock wrote:
Hello,

/etc/nullmailer/remotes may contain SMTP authentication information
as arguments provided to the requested nullmailer sending module,
e.g.:

smtp.gmail.com smtp --username=foo --password=bar --starttls
--port=587

William

Please use CVE-2013-4223 for this issue.

On Fri, Aug 9, 2013 at 12:16 PM, Christey, Steven M.
<coley () mitre org> wrote:
Agostino,

Out of curiosity, what types of sensitive information are
contained in this file that cause world-readable permissions to
pose a vulnerability?

- Steve


-----Original Message----- From: Agostino Sarubbo
[mailto:ago () gentoo org] Sent: Friday, August 09, 2013 1:15 PM 
To: oss-security () lists openwall com Subject: [oss-security] CVE
request: nullmailer world readable /etc/nullmailer/remotes

Hello,

On Gentoo, the file /etc/nullmailer/remotes is installed with
wrong permissions:

~ # ls -la /etc/nullmailer/remotes -rw-r--r-- 1 root root 971
Aug  9 18:58 /etc/nullmailer/remotes

Nullmailer-1.11-r2 contains the fix, all prior versions are
affected.

Please assign a CVE. -- Agostino Sarubbo Gentoo Linux
Developer


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJSBUVaAAoJEBYNRVNeJnmTnwEP/A5+fNAe5nZqLFSlGcmWHB0Q
u2ia91QQn0F7wh7+ibriXHCeCXWV6G+JyAlJuZzitFaq4e6nCevoZYmTpvlE8cmc
qL5LigFUf16el8+t1r7YRZByed8yrO+HKMMOtIUpB4GwFcaK8EMzUeOMXMqyCtRI
FThjMI7jeRwUmNDLLow+omKjVlK4+DhYQu/B3GJBWxhAXPfy2fx24jm4pbs2yESj
BvlElev2mYD9AFTbNsz4E8zv1wngsTPi7ymAwzlfHniMqNlKjKzxr736xIeDk435
Tm9k8OjHb+exbInK+vrSfedAi2BwSHU+wQH6j2fAPP26PQpXqO8eST0JIxf7lnvX
UnWbNAEK5kvo9/SgAEzCI95LXSxScojph6RkbSSc5s0jJHECoXA0YeZE/jUHIiju
Ko4eaC3Wt2nDrWd8cjV7eMuR6RQ11LM0yIHI7M/5PN3vxnsSNwR1AhLbLlV25beF
8qA1Edhkxvg7u5JvuxGhUVonq7cZ0SCxX1F6jd5sOEnZ3UoPP7UCT2L+I7U/6nQg
Lhl4TogFPGMr1PGwU/MG7Cj5t6SKqB2yPe5YiZwv7bYdtziGrRhe100qYmQxNAut
2cSqvoxFQ5lVqExv/OKfbYNQ1CQcVqqXFJMz87zD3pPgHk+rLr3Q0hKL8a+q9GzY
6mHNVpTzLMvLUM75SH8L
=A9Lm
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]