Bug 476529 (CVE-2008-6755) - CVE-2008-6755 zoneminder: default permissions of zm.conf
Summary: CVE-2008-6755 zoneminder: default permissions of zm.conf
Keywords:
Status: CLOSED NEXTRELEASE
Alias: CVE-2008-6755
Product: Fedora
Classification: Fedora
Component: zoneminder
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Martin Ebourne
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-12-15 13:22 UTC by Tomas Hoger
Modified: 2009-04-27 22:08 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-01-07 09:26:37 UTC


Attachments (Terms of Use)

Description Tomas Hoger 2008-12-15 13:22:38 UTC
While checking Gentoo bug:

  http://bugs.gentoo.org/show_bug.cgi?id=250715

I noticed that zoneminder in Fedora defaults to apache:apache 600 for /etc/zm.conf.  Therefore, Fedora defaults does now allow reading the config file directly using cat or vim.  chmod o-r is probably not much of a fix in setups where local users can run own php or cgi scripts with web server privileges.

However, in such setups, Fedora default seems even worse, as any php or cgi can actually modify the config (and at least break DB connectivity).

In similar cases, where some daemon user needs read access to certain config file, root:<daemon_group> 640 is more common.  Please check if changing:

%config(noreplace) %attr(600,%{zmuid_final},%{zmgid_final}) %{_sysconfdir}/zm.conf

to

%config(noreplace) %attr(640,root,%{zmgid_final}) %{_sysconfdir}/zm.conf

makes sense for ZM.

Comment 1 Fedora Update System 2008-12-15 21:47:40 UTC
zoneminder-1.23.3-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/zoneminder-1.23.3-2.fc10

Comment 2 Fedora Update System 2008-12-21 08:46:57 UTC
zoneminder-1.23.3-2.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update zoneminder'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2008-11484

Comment 3 Fedora Update System 2009-01-07 09:26:35 UTC
zoneminder-1.23.3-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Vincent Danen 2009-04-27 22:08:33 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-6755 to
the following vulnerability:

Name: CVE-2008-6755
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6755
Assigned: 20090427
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=476529
Reference: FEDORA:FEDORA-2008-11484
Reference: URL: https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00204.html

ZoneMinder 1.23.3 on Fedora 10 sets the ownership of /etc/zm.conf to
the apache user account, and sets the permissions to 0600, which makes
it easier for remote attackers to modify this file by accessing it
through a (1) PHP or (2) CGI script.


Note You need to log in before you can comment on or make changes to this bug.