Otkriven nedostatak paketa uzbl

Otkriven je sigurnosni nedostatak u radu programskog paketa uzbl, za operacijske sustave Fedora 15 i 16. Lokalni ga napadači mogu iskoristiti za krađu kolačića (eng. cookies).

Paket:	uzbl 0.x
Operacijski sustavi:	Fedora 15, Fedora 16
Kritičnost:	1
Problem:	neodgovarajuće rukovanje datotekama
Iskorištavanje:	lokalno
Posljedica:	neovlašteni pristup sustavu
Rješenje:	programska zakrpa proizvođača
CVE:	CVE-2012-0843
Izvorni ID preporuke:	FEDORA-2012-2364
Izvor:	Fedora

Problem:
Nedostatak je posljedica toga što spomenuti paket stvara datoteke za pohranu kolačića s dopuštenjima da svima mogu biti čitljive.
Posljedica:
Zlonamjernim korisnicima omogućuje krađu kolačića.
Rješenje:
Korisnicima se preporuča instalacija nadogradnje.

Izvorni tekst preporuke

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-2364
2012-02-25 07:52:37
--------------------------------------------------------------------------------

Name        : uzbl
Product     : Fedora 15
Version     : 0
Release     : 0.26.20110402gite7578e27c.fc15
URL         : http://www.uzbl.org
Summary     : Lightweight WebKit browser following the UNIX philosophy
Description :
Uzbl is a lightweight web browser based on WebKit/Gtk+.  Uzbl follows
the UNIX philosophy - "Write programs that do one thing and do it
well. Write programs to work together. Write programs to handle text
streams, because that is a universal interface."

--------------------------------------------------------------------------------
Update Information:

Lock down cookie file permissions to not be world-readable.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb 23 2012 Ben Boeckel <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 0-0.26.20110402gite7578e27c
- Lock down permissions on cookie files (CVE-2012-0843)
- Clean up vim subpackage
* Mon Apr  4 2011 Daiki Ueno <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 0-0.25.20110402gite7578e27c
- New upstream snapshot
- Don't install removed uzbl-cookie-manager and related files.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #789645 - CVE-2012-0843 uzbl: world-readable cookie file
        https://bugzilla.redhat.com/show_bug.cgi?id=789645
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update uzbl' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-2384
2012-02-25 07:53:41
--------------------------------------------------------------------------------

Name        : uzbl
Product     : Fedora 16
Version     : 0
Release     : 0.28.20111001git9576f59f05.fc16
URL         : http://www.uzbl.org
Summary     : Lightweight WebKit browser following the UNIX philosophy
Description :
Uzbl is a lightweight web browser based on WebKit/Gtk+.  Uzbl follows
the UNIX philosophy - "Write programs that do one thing and do it
well. Write programs to work together. Write programs to handle text
streams, because that is a universal interface."

--------------------------------------------------------------------------------
Update Information:

Lock down cookie file permissions to not be world-readable.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb 23 2012 Ben Boeckel <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> -
0-0.28.20111001git9576f59f05
- Lock down permissions on cookie files (CVE-2012-0843)
- Clean up vim subpackage
* Sat Jan 14 2012 Fedora Release Engineering <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> -
0-0.27.20111001git9576f59f05
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Tue Oct 25 2011 Ben Boeckel <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> -
0-0.26.20111001git9576f59f05
- New upstream snapshot
- Add conditional support for webkitgtk3
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #789645 - CVE-2012-0843 uzbl: world-readable cookie file
        https://bugzilla.redhat.com/show_bug.cgi?id=789645
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update uzbl' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce

Otkriven nedostatak paketa uzbl

Tražilica portala

Aktivnosti

O CIS-u

Posljednje vijesti

Posljednji dokumenti

Otkriven nedostatak paketa uzbl

Tražilica portala

Aktivnosti

O CIS-u

Posljednje sigurnosne preporuke

Posljednje vijesti

Popularni članci

Posljednji dokumenti