Bug 360641 (CVE-2007-5751)

Summary: CVE-2007-5751 liferea weak permissions for the feedlist.opml backup file
Product: [Fedora] Fedora Reporter: Tomas Hoger <thoger>
Component: lifereaAssignee: Brian Pepple <bdpepple>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 8Keywords: Reopened, Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: source=cve,reported=20071031,public=20071021,impact=low
Fixed In Version: 1.2.23-5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-11-06 16:28:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2007-10-31 17:29:25 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5751 to the
following vulnerability:

Liferea before 1.4.6 uses weak permissions (0644) for the
feedlist.opml backup file, which allows local users to obtain
credentials.

References:
http://sourceforge.net/project/shownotes.php?release_id=550468
http://secunia.com/advisories/27438


Issue is reported to be fixed in version 1.4.6.  Current version in Fedora is
from 1.2.x branch, however affected code also seems to exist there.

This seems to be a relevant upstream SVN commit:

http://liferea.svn.sourceforge.net/viewvc/liferea?view=rev&revision=3512

Comment 1 Fedora Update System 2007-11-01 21:21:01 UTC
liferea-1.2.23-4.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 2 Lubomir Kundrak 2007-11-01 23:26:21 UTC
Reopening this for F8, so we don't forget an update once Werewolf is Gold.

Comment 3 Brian Pepple 2007-11-01 23:44:58 UTC
It's already been built & pushed to stable for F8 (which are being held until F8
is out the door).

https://admin.fedoraproject.org/updates/F8/pending/liferea-1.2.23-5.fc8

Comment 4 Fedora Update System 2007-11-06 16:10:55 UTC
liferea-1.2.23-5.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.