Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CA+eU_aZ6jicr1rCberqc1kGefnepJV_U1gPSdG6cD21v6h48xg@mail.gmail.com>
Date: Sun, 6 Apr 2014 20:32:35 -0700
From: Tim Heckman <tim+sec@...erduty.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE request: Icecast world readable log/logdir

On Sun, Apr 6, 2014 at 10:32 AM, Agostino Sarubbo <ago@...too.org> wrote:

> I just noticed that (at least on gentoo), the following package produces a
> world readable log:
>
> Icecast (http://www.icecast.org):
> # ls -la /var/log/icecast
> total 18648
> drwxrw-r--  2 icecast nogroup     4096 Apr  6 12:23 .
> drwxr-xr-x 15 root    root        4096 Apr  5 04:20 ..
> -rw-r--r--  1 icecast nogroup  5646894 Apr  6 19:27 access.log
> -rw-r--r--  1 icecast nogroup  3181987 Apr  6 19:27 error.log
> --
> Agostino Sarubbo
> Gentoo Linux Developer
>

Hello Agostino,

I agree that world-readable log files is a problem and should be fixed.
However, should this be given a CVE?

Do those log files contain any information that would be considered a
security risk? It's been quite a few years, admittedly, since I've worked
with Icecast so I don't remember if those files contain any information
that could be considered a problem.

Cheers!
-Tim

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.