A Debian bug report [1] indicated that surf would create the cookies storage file with world readable permissions. This could allow other local users to steal cookies if the user had non-default permissions on their home directory (by default, home directories are mode 0700 but may be 0755 in some cases, like for Apache user directories). $ ls -al ~/.surf/ total 12 drwxr-xr-x. 2 parallels parallels 4096 Feb 9 21:14 . drwx------. 22 parallels parallels 4096 Feb 9 21:14 .. -rw-rw-r--. 1 parallels parallels 312 Feb 9 21:14 cookies.txt [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659296
Created surf tracking bugs for this issue Affects: fedora-all [bug 789197]
This was assigned the name CVE-2012-0842: http://seclists.org/oss-sec/2012/q1/407
fixed in surf 0.5 http://git.suckless.org/surf/commit/?id=a0e269b6bd9d7a70148f4ccbc733df35f071ba74 -- surf is now 0.5-1 in fedora Updated by François Cami Available in rawhide and fedora-18-updates https://admin.fedoraproject.org/updates/FEDORA-2013-0674/surf-0.5-1.fc18 -- !!!Thank you for this bug report!!!
Thank you for the heads-up, Simon.