[Bug 1304657] [NEW] world writable files in /var/lib/apt/lists

Tue, 08 Apr 2014 13:41:44 -0700 

*** This bug is a security vulnerability ***

Public security bug reported:

When performing installation audits, I noticed on the image from
2014-04-07 the following after a livecd install:

$ ls -l /var/lib/apt/lists|grep 'rw\-rw\-rw'
-rw-rw-rw- 1 root root    29759 Apr  8 09:10 
Ubuntu%2014.04%20LTS%20%5fTrusty%20Tahr%5f%20-%20Daily%20amd64%20(20140407)_dists_trusty_main_binary-amd64_Packages
-rw-rw-rw- 1 root root        0 Apr  8 09:10 
Ubuntu%2014.04%20LTS%20%5fTrusty%20Tahr%5f%20-%20Daily%20amd64%20(20140407)_dists_trusty_main_binary-i386_Packages
-rw-rw-rw- 1 root root     1199 Apr  8 09:10 
Ubuntu%2014.04%20LTS%20%5fTrusty%20Tahr%5f%20-%20Daily%20amd64%20(20140407)_dists_trusty_restricted_binary-amd64_Packages
-rw-rw-rw- 1 root root        0 Apr  8 09:10 
Ubuntu%2014.04%20LTS%20%5fTrusty%20Tahr%5f%20-%20Daily%20amd64%20(20140407)_dists_trusty_restricted_binary-i386_Packages

This also happens on the server install from the same date:
$ ls -l /var/lib/apt/lists|grep 'rw\-rw\-rw'
-rw-rw-rw- 1 root root  1702199 Apr  8 09:09 
Ubuntu-Server%2014.04%20LTS%20%5fTrusty%20Tahr%5f%20-%20Daily%20amd64%20(20140407)_dists_trusty_main_binary-amd64_Packages
-rw-rw-rw- 1 root root        0 Apr  8 09:09 
Ubuntu-Server%2014.04%20LTS%20%5fTrusty%20Tahr%5f%20-%20Daily%20amd64%20(20140407)_dists_trusty_main_binary-i386_Packages
-rw-rw-rw- 1 root root        0 Apr  8 09:09 
Ubuntu-Server%2014.04%20LTS%20%5fTrusty%20Tahr%5f%20-%20Daily%20amd64%20(20140407)_dists_trusty_restricted_binary-amd64_Packages
-rw-rw-rw- 1 root root        0 Apr  8 09:09 
Ubuntu-Server%2014.04%20LTS%20%5fTrusty%20Tahr%5f%20-%20Daily%20amd64%20(20140407)_dists_trusty_restricted_binary-i386_Packages

I installed the image from 2014-04-07, installed today and noticed the
above.

** Affects: apt (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: rls-t-incoming

** Tags added: rls-t-incoming

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1304657

Title:
  world writable files in /var/lib/apt/lists

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1304657/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to