Tim Connors
2009-May-01 01:25 UTC
[Secure-testing-team] Bug#526409: evolution: permissions on mailbox folders are set wrong
Package: evolution
Version: 2.24.5-3
Severity: grave
Tags: security
Justification: user security hole

    tconnors@denman:~$ l /home/maree/.evolution/mail/local/Sent
    -rw-r--r-- 1 maree maree 118474734 2009-05-01 08:16 /home/maree/.evolution/mail/local/Sent

Hmmm. Would it be a good idea to set ~/.evolution to 700 perhaps? Or just adopt a restrictive umask for the whole of evolution (mail being a rather more sensitive application than most)?

Many site policies are for home directories to be world or group readable, and trusting users not to be stupid with their permissions. Unfortunately this breaks down when the applications themselves are stupid.

This affects upstream as well, as verified by several installations of deadrat and the like installed over many years at work.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (710, 'testing'), (700, 'stable'), (600, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages evolution depends on:
ii dbus 1.2.12-1 simple interprocess messaging syst
ii debconf [debconf 1.5.26 Debian configuration management sy
ii evolution-common 2.24.5-3 architecture independent files for
ii evolution-data-s 2.24.5-4+b1 evolution database backend server
ii gconf2 2.24.0-7 GNOME configuration database syste
ii gnome-icon-theme 2.24.0-4 GNOME Desktop icon theme
ii libart-2.0-2 2.3.20-2 Library of functions for 2D graphi
ii libatk1.0-0 1.24.0-2 The ATK accessibility toolkit
ii libbluetooth2 3.36-1 Library to use the BlueZ Linux Blu
ii libbonobo2-0 2.24.1-1 Bonobo CORBA interfaces library
ii libbonoboui2-0 2.24.1-1 The Bonobo UI library
ii libc6 2.9-6 GNU C Library: Shared libraries
ii libcairo2 1.8.6-2+b1 The Cairo 2D vector graphics libra
ii libcamel1.2-14 2.24.5-4+b1 The Evolution MIME message handlin
ii libdbus-1-3 1.2.12-1 simple interprocess messaging syst
ii libdbus-glib-1-2 0.80-3 simple interprocess messaging syst
ii libebackend1.2-0 2.24.5-4+b1 Utility library for evolution data
ii libebook1.2-9 2.24.5-4+b1 Client library for evolution addre
ii libecal1.2-7 2.24.5-4+b1 Client library for evolution calen
ii libedataserver1. 2.24.5-4+b1 Utility library for evolution data
ii libedataserverui 2.24.5-4+b1 GUI utility library for evolution
ii libegroupwise1.2 2.24.5-4+b1 Client library for accessing group
ii libenchant1c2a 1.4.2-3.3 a wrapper library for various spel
ii libexchange-stor 2.24.5-4+b1 Client library for accessing Excha
ii libfontconfig1 2.6.0-3 generic font configuration library
ii libfreetype6 2.3.9-4 FreeType 2 font engine, shared lib
ii libgconf2-4 2.24.0-7 GNOME configuration database syste
ii libgdata-google1 2.24.5-4+b1 Client library for accessing Googl
ii libgdata1.2-1 2.24.5-4+b1 Client library for accessing Googl
ii libglade2-0 1:2.6.3-1 library to load .glade files at ru
ii libglib2.0-0 2.20.0-2 The GLib library of C routines
ii libgnome-pilot2 2.0.15-2.4 Support libraries for gnome-pilot
ii libgnome2-0 2.24.1-2 The GNOME 2 library - runtime file
ii libgnomecanvas2- 2.20.1.1-1 A powerful object-oriented display
ii libgnomeui-0 2.24.1-1 The GNOME 2 libraries (User Interf
ii libgnomevfs2-0 1:2.24.1-1 GNOME Virtual File System (runtime
ii libgtk2.0-0 2.14.7-5 The GTK+ graphical user interface
ii libgtkhtml-edito 3.24.5-2 HTML rendering/editing library - e
ii libgtkhtml3.14-1 3.24.5-2 HTML rendering/editing library - r
ii libhal1 0.5.11-8 Hardware Abstraction Layer - share
ii libice6 2:1.0.5-1 X11 Inter-Client Exchange library
ii libldap-2.4-2 2.4.15-1 OpenLDAP libraries
ii libnm-glib0 0.7.0.100-1 network management framework (GLib
ii libnotify1 [libn 0.4.5-1 sends desktop notifications to a n
ii libnspr4-0d 4.7.1-4 NetScape Portable Runtime Library
ii libnss3-1d 3.12.2.with.ckbi.1.73-1 Network Security Service libraries
ii liborbit2 1:2.14.17-0.1 libraries for ORBit2 - a CORBA ORB
ii libpango1.0-0 1.24.0-3 Layout and rendering of internatio
ii libpisock9 0.12.3-10 library for communicating with a P
ii libpisync1 0.12.3-10 synchronization library for PalmOS
ii libpopt0 1.14-4 lib for parsing cmdline parameters
ii libsm6 2:1.1.0-2 X11 Session Management library
ii libsoup2.4-1 2.24.3-2 an HTTP library implementation in
ii libsqlite3-0 3.6.12-1 SQLite 3 shared library
ii libusb-0.1-4 2:0.1.12-13 userspace USB programming library
ii libx11-6 2:1.2-1 X11 client-side library
ii libxml2 2.7.3.dfsg-1 GNOME XML library
ii zlib1g 1:1.2.3.3.dfsg-13 compression library - runtime

Versions of packages evolution recommends:
ii evolution-plugins 2.24.5-3 standard plugins for Evolution
ii evolution-webcal 2.21.92-1+b1 webcal: URL handler for GNOME and
ii gnome-desktop-data 2.22.3-2 Common files for GNOME 2 desktop a
pn gnome-pilot-conduits <none> (no description available)
ii spamassassin 3.2.5-4 Perl-based spam filter using text
ii yelp 2.24.0-2 Help browser for GNOME 2

Versions of packages evolution suggests:
pn bug-buddy <none> (no description available)
pn evolution-dbg <none> (no description available)
ii evolution-exchange 2.24.5-1 Exchange plugin for the Evolution
pn evolution-plugins-experimenta <none> (no description available)
ii gnome-spell 1.0.7-1 GNOME/Bonobo component for spell c
ii gnupg 1.4.9-4 GNU privacy guard - a free PGP rep
pn network-manager <none> (no description available)

-- debconf information:
  evolution/needs_shutdown:
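An added example, not part of the bug report or of Evolution's own code: a shell script (GNU find/stat) that audits a mail tree for entries readable by group or others, reproduces the 0644 Sent file under the usual 022 umask, shows that the restrictive umask the reporter suggests yields 0600 instead, and tightens an existing tree the way "set ~/.evolution to 700" would when applied recursively. All paths are constructed under a temporary directory.

```shell
#!/bin/sh
# Audit/mitigation helpers for an Evolution-style local mail tree.
# Requires GNU find and GNU stat (Linux); paths are constructed by the caller.

# List every file or directory under $1 whose group/other bits grant any
# access (mode & 077 != 0). Prints "octal-mode path", one per line.
audit_mail_perms() {
    find "$1" \( -type f -o -type d \) -perm /077 \
        -exec stat -c '%a %n' {} + 2>/dev/null | sort
}

# Create a mailbox file under a typical session umask of 022, reproducing
# the world-readable 0644 Sent file from the report. Prints the octal mode.
create_mbox_default() {
    ( umask 022; : > "$1" )
    stat -c '%a' "$1"
}

# Same operation, but with umask 077 set in a subshell, which is what an
# application handling mail should do itself: the file comes out 0600
# regardless of how permissive the user's login umask is.
create_mbox_restricted() {
    ( umask 077; : > "$1" )
    stat -c '%a' "$1"
}

# Tighten an existing tree: directories to 0700, files to 0600. Prints the
# number of entries that were group/other-accessible before the fix.
fix_mail_perms() {
    count=$(audit_mail_perms "$1" | wc -l)
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
    echo "$count"
}

# Stand-alone demonstration on a constructed ~/.evolution/mail/local tree.
demo() {
    home=$(mktemp -d)
    mkdir -p "$home/.evolution/mail/local"
    echo "Sent  (umask 022): $(create_mbox_default   "$home/.evolution/mail/local/Sent")"
    echo "Inbox (umask 077): $(create_mbox_restricted "$home/.evolution/mail/local/Inbox")"
    echo "Exposed before fix:"; audit_mail_perms "$home/.evolution"
    echo "Entries fixed: $(fix_mail_perms "$home/.evolution")"
    echo "Exposed after fix: $(audit_mail_perms "$home/.evolution" | wc -l)"
    rm -rf "$home"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh script.sh demo` to see the before/after listing; the functions can also be sourced and pointed at a real ~/.evolution to audit only (skip fix_mail_perms) before deciding to change anything.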