Bug 192076 (CVE-2006-2427)
| Summary: | CVE-2006-2427 clamav freshclam information disclosure | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Josh Bressers <bressers> |
| Component: | clamav | Assignee: | Enrico Scholz <rh-bugzilla> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 5 | CC: | extras-qa |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.securityfocus.com/archive/1/archive/1/434008/100/0/threaded | ||
| Whiteboard: | impact=moderate,source=cve,reported=20060517,public=2006050515 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Last Closed: | 2006-05-18 09:45:50 UTC | Type: | --- |
Description
Josh Bressers
2006-05-17 13:14:07 UTC
Not a bug;
1. 'freshclam' is not shipped with SUID, nor is a 'sudo' setup enabled in the FE
package
2. the whole issue is bogus:
a) when an administrator enables a 'sudo' setup, he has to make sure that
only trustworthy cmdline params are possible. A '--config' option is
definitively not such a trustworthy cmdline option; e.g. a user could
configure
| DatabaseOwner root
| UpdateLogFile /etc/nologin
there.
b) the username which shall be used for the effective operations of
'freshclam' will be read from the configuration file. I do not see how
'freshclam' can setuid(2) to somebody before it reads the configuration
file which tells the uid.
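
An added example (not part of the bug report or the clamav package): a small audit of sudoers-style rules for the misconfiguration point 2a describes, where a sudo rule for freshclam leaves the arguments, and so the configuration file, to the caller. The sample rules, user names and paths are constructed; only simple one-line rules are parsed (no aliases, includes or line continuations), and matching on the `--config` prefix is an assumption that covers both the option as named above and freshclam's `--config-file`.

```python
import os
import re

# Constructed sample rules (not from the bug report); users and paths are assumptions.
SAMPLE_SUDOERS = '''\
alice ALL = (root) /usr/bin/freshclam
bob   ALL = (root) /usr/bin/freshclam ""
carol ALL = (root) /usr/bin/freshclam --quiet
dave  ALL = (root) /usr/bin/freshclam *
erin  ALL = (root) NOPASSWD: /usr/bin/freshclam --config-file=*
frank ALL = (root) /usr/bin/clamscan, /usr/bin/freshclam
'''

# user, host, '=', then the command list
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(.+)$")

def classify(args):
    """Return why an argument spec lets the caller choose the config file, or None."""
    if not args:
        return "any-arguments"   # bare path: sudoers accepts every argument
    if args == ['""']:
        return None              # "" in sudoers: command may only run without arguments
    if any(a.startswith("--config") for a in args):
        return "config-option"   # rule explicitly permits a caller-chosen config
    if any(ch in a for a in args for ch in "*?["):
        return "wildcard"        # wildcard arguments can match a config option
    return None                  # fixed argument list

def audit(text, program="freshclam"):
    """Return (line number, user, reason) for each risky rule naming `program`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        m = RULE.match(line)
        if not m or line.startswith(("#", "Defaults")) or m.group(1).endswith("_Alias"):
            continue
        for cmd in re.split(r"(?<!\\),", m.group(2)):   # commas separate commands
            # drop a leading (runas) spec and tags such as NOPASSWD:
            cmd = re.sub(r"^\s*(\([^)]*\)\s*)?([A-Z_]+:\s*)*", "", cmd)
            tokens = cmd.split()
            if not tokens or os.path.basename(tokens[0]) != program:
                continue
            reason = classify(tokens[1:])
            if reason:
                findings.append((lineno, m.group(1), reason))
    return findings

if __name__ == "__main__":
    for lineno, user, reason in audit(SAMPLE_SUDOERS):
        print(f"line {lineno}: {user}: {reason}")
```

Rules like bob's and carol's pin the command line, so the configuration file stays the one the administrator controls.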