Bug 828447 - CVE-2012-5605 Cloudforms grinder: /var/lib/pulp/cache/grinder directory is world-writeable.
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Configuration Management
Version: 6.0.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Assigned To: Pradeep Kilambi
QA Contact: Garik Khachikyan
Keywords: SecurityTracking, Triaged
Blocks: CVE-2012-5605
Reported: 2012-06-04 14:19 EDT by james labocki
Modified: 2015-01-04 16:59 EST
Doc Type: Release Note
Last Closed: 2012-12-04 14:46:28 EST
Type: Bug
Description james labocki 2012-06-04 14:19:23 EDT
Description of problem:
The /var/lib/pulp/cache/grinder directory is world-writeable
Comment 1 Justin Sherrill 2012-06-04 16:23:56 EDT
This might be a blocker of https://bugzilla.redhat.com/show_bug.cgi?id=813571. At a minimum it provides more information.
Comment 2 Justin Sherrill 2012-06-04 16:35:07 EDT
Errr, I meant dupe, not blocker.
Comment 3 Mike McCune 2012-06-13 11:31:49 EDT
gofer != grinder so I'd say this isn't a dupe.
Comment 5 Lukas Zapletal 2012-06-26 04:23:42 EDT
We are able to fix this in our installer, but I guess it's better to change this in the RPM itself.
Comment 6 Pradeep Kilambi 2012-07-05 09:12:21 EDT
fixed in grinder in commit 41ae9d47c4e3db84b5637cc6b6bdd001a7bdc47e

after fix:

# ls -ld /var/lib/pulp/cache/grinder/
drwxr-x---. 3 apache apache 4096 Jul  5 09:12 /var/lib/pulp/cache/grinder/
Comment 8 Garik Khachikyan 2012-09-19 07:48:56 EDT
# REOPEN

I have got the grinder version of: grinder-0.0.149-1.el6cf.noarch and it is _not_ fixed.

One can see: 
drwxrwxrwx. 3 apache apache 4096 Sep 19 07:46 /var/lib/pulp/cache/grinder/
Comment 13 Garik Khachikyan 2012-10-03 11:15:50 EDT
# VERIFIED

... and grinder-0.0.150-1.el6cf.noarch has the fix!

now one can see:
---
drwxr-x---. 3 apache apache 4096 Oct  3 11:02 /var/lib/pulp/cache/grinder/
---

checked on:
katello-1.1.12-12.el6cf.noarch
katello-cli-1.1.8-6.el6cf.noarch
grinder-0.0.150-1.el6cf.noarch
Comment 20 errata-xmlrpc 2012-12-04 14:46:28 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1543.html
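
The manual `ls -ld` verification done in the comments above can be scripted as a regression check. The following is an added example, not part of the bug report or of grinder itself; the function names and exit codes are assumptions made for illustration, and it relies on GNU `stat` as shipped on RHEL.

```shell
#!/bin/sh
# Added example: regression check for a world-writable cache directory.
# Exit codes (chosen for this example):
#   0 = no world-writable directory found
#   1 = the directory or one of its subdirectories is world-writable
#   2 = the directory does not exist

# Print every directory at or below $1 that has the "other write" bit set.
# The sticky bit is deliberately not treated as an excuse: a package cache
# served by apache has no reason to be writable by other users at all.
world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
}

# Print the octal permission bits of $1 (GNU stat).
dir_mode() {
    stat -c '%a' "$1"
}

# Check one cache directory and print one result line per finding.
check_cache_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }

    hits=$(world_writable_dirs "$dir")
    if [ -n "$hits" ]; then
        echo "$hits" | while IFS= read -r d; do
            echo "WORLD-WRITABLE $(dir_mode "$d") $d"
        done
        return 1
    fi

    echo "OK $(dir_mode "$dir") $dir"
    return 0
}

# When a path is given on the command line, check it, for example:
#   sh check_cache_dir.sh /var/lib/pulp/cache/grinder
if [ "$#" -gt 0 ]; then
    check_cache_dir "$1"
fi
```

Run against the directory from this bug, the fixed package should report `OK 750`, matching the `drwxr-x---` listing in Comment 13, while the unfixed one reports `WORLD-WRITABLE 777`.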
