Package: openvswitch-pki
Version: 1.4.2+git20120612-7
Severity: grave
Tags: security
User: [email protected]
Usertags: piuparts

Hi,

openvswitch-pki creates the following world-writable directories during
installation:

  drwx-wx-wx 2 root root 40 Aug 1 05:32 /var/lib/openvswitch/pki/controllerca/incoming
  drwx-wx-wx 2 root root 40 Aug 1 05:32 /var/lib/openvswitch/pki/switchca/incoming

Even if an ordinary local user cannot list the contents of the
directory, he may correctly derive/guess filenames (unless they are
exclusively $(mktemp)) and delete and replace files in there.

I don't know how openvswitch-pki works, how it uses this directory, or
what problems could possibly arise out of this.

Andreas
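
An audit check for the condition reported above, added here as an example (it is not part of the original report or of openvswitch): it lists directories that are world-writable but lack the sticky bit, which is what mode `drwx-wx-wx` means. The function name `find_unsafe_dirs` is hypothetical and the default path is the one quoted in the report.

```shell
#!/bin/sh
# Added example, not from the original bug report.
# A directory with the "other" write bit set and no sticky bit lets any
# local user unlink or rename entries owned by someone else, even when
# the directory cannot be listed (no read bit, as with mode 0733).

find_unsafe_dirs() {
    # $1: root of the tree to audit; defaults to the path from the report.
    root=${1:-/var/lib/openvswitch/pki}

    # -perm -0002   : world-writable
    # ! -perm -1000 : sticky bit NOT set (so /tmp-style 1777 dirs are skipped)
    # -xdev         : stay on one filesystem
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

report_unsafe_dirs() {
    # Print mode, owner and path for each finding; return 1 if any exist,
    # so the function can gate a package test or a CI step.
    found=0
    for d in $(find_unsafe_dirs "$1"); do
        ls -ld "$d"
        found=1
    done
    return "$found"
}

# Run the report only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    report_unsafe_dirs "$1"
fi
```

The `for` loop in `report_unsafe_dirs` splits on whitespace, so it assumes directory names without spaces, which holds for the paths in the report.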