daemonize in src/momd calls os.umask(0) when creating the daemon process. As a result, the PID file is world-writable. This dates back to incorrect example code in APUE. It's probably best to just drop the umask call.
This is indeed a security concern. I'll be filing a CVE bug for this. Adam, am I correct in assuming that you are upstream for mom? I don't believe this will require much of an embargo; it's quite trivial to fix (removing os.umask() is sufficient to fix it). I will, however, file our CVE bug as an embargoed bug for the time being, until we've heard back from you as to how you would to handle it.
Hi. Yes, I am upstream for MOM. I can remove the umask call upstream. How should we propagate the fix into Fedora? I can just release a new upstream version which I had been planning to do soon anyway. Is that okay?
Fix comitted: http://gerrit.ovirt.org/#/c/8366/
Thanks, Adam. Can you reference the CVE in any changelogs (maybe change the git commit)? The CVE assigned is CVE-2012-4480.
(In reply to comment #2) > Hi. Yes, I am upstream for MOM. I can remove the umask call upstream. How > should we propagate the fix into Fedora? I can just release a new upstream > version which I had been planning to do soon anyway. Is that okay? A new upstream version with the fix would be a fine way to resolve this.
I'm making this bug public and into a tracking bug now that the commit is already public. Adam, please note that we would desire the fix in all supported versions of Fedora; it also seems that EPEL6 provides mom as well (although that will get a separate tracking bug).
mom-0.3.0-1.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/mom-0.3.0-1.fc17
mom-0.3.0-1.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/mom-0.3.0-1.fc18
mom-0.3.0-1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/mom-0.3.0-1.el6
Package mom-0.3.0-1.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing mom-0.3.0-1.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-15496/mom-0.3.0-1.fc17 then log in and leave karma (feedback).
mom-0.3.0-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.