Package: diffmon
Version: 20020222-2
Severity: critical
Justification: root security hole

diffmon explicitly sets umask to '000', thus creating all files in /tmp with
world-readable attributes. This may allow local users to read files that they
normally don't have access to.

The attached patch makes diffmon use a more reasonable umask.


Lothar Wassmann

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (50, 'unstable'), (50, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8.1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages diffmon depends on:
ii  bash                        2.05b-26     The GNU Bourne Again SHell
ii  debconf                     1.4.30.13    Debian configuration management sy
ii  exim4-daemon-light [mail-tr 4.50-8sarge2 lightweight exim MTA (v4) daemon

-- debconf information:
* diffmon/configwarning:
--- usr/bin/diffmon.org 2002-02-26 15:06:49.000000000 +0100
+++ usr/bin/diffmon     2006-08-09 08:59:21.389223825 +0200
@@ -170,7 +170,7 @@
     # Make sure PATH includes location of sendmail and gzip.
     PATH="/usr/local/gnubin:/usr/local/bin:${PATH}:/usr/lib:/usr/sbin"
 
-    umask 000
+    umask 077
 
     TRAP_SIGNALS="EXIT SIGHUP SIGINT SIGQUIT SIGTERM"
     trap 'cleanup_and_exit' ${TRAP_SIGNALS}
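Review bot: `umask 077` only governs files created after this point in the script, so the fix holds only if nothing opens a file in /tmp before line 170 and nothing later resets the mode with an explicit chmod; both are worth checking before closing the bug. Note also that 077 is stricter than the report strictly requires (it drops group read as well as world read), which is the right default for scratch files in /tmp but should be called out in the changelog in case any of the generated files are meant to be shared. A more robust companion change would be to create the /tmp files with `mktemp`, which yields mode 0600 regardless of the umask in effect.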

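The report above turns on how umask interacts with the way a file is created. The following is an added example, not part of the bug report or of the diffmon package: it measures the mode a file gets when created by shell redirection (the pattern a script like diffmon uses when writing into /tmp) under umask 000 and 077, and contrasts it with `mktemp`, which creates files at 0600 regardless of umask. The function names and the use of GNU/busybox `stat -c '%a'` are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the diffmon package): show the resulting file mode
# for files created under a given umask, by redirection and by mktemp.

# mode_of_redirect UMASK
#   Create a file with shell redirection (mode request 0666) inside a private
#   scratch directory while UMASK is in effect, and print its octal mode.
mode_of_redirect() {
    dir=$(mktemp -d) || return 1
    # The umask change is confined to a subshell so it does not leak out.
    ( umask "$1"; : > "$dir/report" ) || { rm -rf "$dir"; return 1; }
    stat -c '%a' "$dir/report"
    rm -rf "$dir"
}

# mode_of_mktemp UMASK
#   Create a file with mktemp (which requests 0600) while UMASK is in effect,
#   and print its octal mode. Because umask can only clear bits, 0600 survives
#   even under umask 000.
mode_of_mktemp() {
    dir=$(mktemp -d) || return 1
    f=$( umask "$1"; mktemp "$dir/report.XXXXXX" ) || { rm -rf "$dir"; return 1; }
    stat -c '%a' "$f"
    rm -rf "$dir"
}

# Demonstration when run directly: the first line reproduces the reported
# problem (umask 000 -> 666, world-readable and world-writable), the second
# the patched behaviour (umask 077 -> 600), the third that mktemp is 600
# under either umask.
echo "redirect, umask 000: $(mode_of_redirect 000)"
echo "redirect, umask 077: $(mode_of_redirect 077)"
echo "mktemp,   umask 000: $(mode_of_mktemp 000)"
```

Run it as an ordinary user on a Linux box; the first line shows why the original `umask 000` was a problem (the file is world-writable as well as world-readable), and the third line shows why switching /tmp file creation to `mktemp` would be a useful belt-and-braces change alongside the umask fix.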