Bug 924857 (CVE-2013-0348)

Summary:	CVE-2013-0348 thttpd: World-readable log file
Product:	[Other] Security Response	Reporter:	Jan Lieskovsky <jlieskov>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED UPSTREAM	QA Contact:
Severity:	low	Docs Contact:
Priority:	low
Version:	unspecified	CC:	matthias
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2019-06-10 11:00:23 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	924858, 924859
Bug Blocks:

Description Jan Lieskovsky 2013-03-22 16:17:36 UTC

Agostino Sarubbo reported on the oss-security mailing list [1] that, on Gentoo, thttpd log file is world-readable. This could allow an unprivileged user to read the log file.

References:
[1] http://www.openwall.com/lists/oss-security/2013/02/22/18
[2] https://bugs.gentoo.org/show_bug.cgi?id=458896
[3] http://www.openwall.com/lists/oss-security/2013/02/23/7

Relevant (sthttpd) upstream patch:
[4] http://opensource.dyc.edu/gitweb/?p=sthttpd.git;a=commit;h=d2e186dbd58d274a0dea9b59357edc8498b5388d

Comment 1 Jan Lieskovsky 2013-03-22 16:19:48 UTC

This issue affects the versions of the thttpd package, as shipped with Fedora release of 17, 18, Fedora EPEL-5, and Fedora EPEL-6. Please schedule an update.

Comment 2 Jan Lieskovsky 2013-03-22 16:20:56 UTC

Created thttpd tracking bugs for this issue

Affects: fedora-all [bug 924858]
Affects: epel-all [bug 924859]

Comment 3 Product Security DevOps Team 2019-06-10 11:00:23 UTC

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.