thr3ads.net - Secure testing team - [Secure-testing-team] Bug#683320: CVE-2012-3441: insecure permissions in DB creation scripts [Jul 2012]

If this information is useful, please help other people find it:
Share via:

Yves-Alexis Perez

2012-Jul-30 18:56 UTC

[Secure-testing-team] Bug#683320: CVE-2012-3441: insecure permissions in DB creation scripts

Source: icinga
Severity: grave
Tags: security
Justification: user security hole

Hi,

DB creation scripts shipped in icinga-idoutils are insecure (they grant
privileges for all users). See
https://bugzilla.novell.com/show_bug.cgi?id=767319 and:

https://git.icinga.org/?p=icinga-doc.git;a=commitdiff;h=619a08ca1178144b8a3a5caafff32a2d3918edab
https://git.icinga.org/?p=icinga-core.git;a=commitdiff;h=712813d3118a5b9e5a496179cab81dbe91f69d63

As far as I can tell the bug in stable is only in documentation, but in
Wheezy it affects the scripts too. Please backport the changes and only
upload a targeted fix.

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, ''unstable''), (500,
''testing''), (500, ''stable''), (1,
''experimental'')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Secure testing team - Jul 2012 - Bug#683320: CVE-2012-3441: insecure permissions in DB creation scripts

[Secure-testing-team] Bug#683320: CVE-2012-3441: insecure permissions in DB creation scripts