Debian Bug report logs - #711172
phpbb3: creates world writable /var/cache/phpbb3/cache/phpbb3/data_hooks.php

Package: phpbb3; Maintainer for phpbb3 is phpBB packaging team <phpbb-l@lists.a-eskwadraat.nl>; Source for phpbb3 is src:phpbb3.

Reported by: Andreas Beckmann <anbe@debian.org>

Date: Wed, 5 Jun 2013 08:21:02 UTC

Severity: serious

Tags: security

Found in version phpbb3/3.0.11-3

Fixed in version phpbb3/3.0.11-4

Done: David Prévot <taffit@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#711172; Package phpbb3. (Wed, 05 Jun 2013 08:21:07 GMT)

Acknowledgement sent to Andreas Beckmann <anbe@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. (Wed, 05 Jun 2013 08:21:07 GMT)

Message #5 received at submit@bugs.debian.org:

From: Andreas Beckmann <anbe@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: phpbb3: creates world writable /var/cache/phpbb3/cache/phpbb3/data_hooks.php
Date: Wed, 05 Jun 2013 10:18:46 +0200
Package: phpbb3
Version: 3.0.11-3
Severity: serious
Tags: security
User: debian-qa@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package creates a world
writable file:
  
    -rw-rw-rw- 1 root www-data 34 May 29 14:47 /var/cache/phpbb3/cache/phpbb3/data_hooks.php

This was observed on upgrades from sid to experimental.
So far I didn't notice it in any other install or upgrade path.


Andreas
[phpbb3_3.0.11-3.log.gz (application/x-gzip, attachment)]
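
A check for the condition reported above, as an added example that is not part of the bug report or the phpbb3 package. It flags world-writable files and non-sticky world-writable directories under a tree; the function names and the sample tree are assumptions made for illustration, and GNU find is assumed.

```shell
#!/bin/sh
# Added example, not from the bug report or the phpbb3 package.
# Requires GNU find (-printf), as shipped on Debian.

# Print "octal-mode path" for every world-writable regular file and every
# world-writable directory without the sticky bit under $1. Symlinks are
# skipped: their own mode bits carry no meaning.
find_world_writable() {
    find "$1" -xdev \
        \( -type f -o \( -type d ! -perm -1000 \) \) \
        -perm -0002 -printf '%m %p\n' | LC_ALL=C sort
}

# Return 0 when the tree is clean, 1 (with findings on stderr) otherwise,
# so the function can gate a package test or a cron check.
audit_tree() {
    findings=$(find_world_writable "$1")
    if [ -z "$findings" ]; then
        return 0
    fi
    printf 'world-writable entries under %s:\n%s\n' "$1" "$findings" >&2
    return 1
}

# Constructed sample tree; only data_hooks.php and its 0666 mode come from
# the report, the other entries are made up for contrast.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/cache/phpbb3" "$root/tmp"
    : > "$root/cache/phpbb3/data_hooks.php"
    : > "$root/cache/phpbb3/sample.php"
    chmod 0666 "$root/cache/phpbb3/data_hooks.php"  # reported: -rw-rw-rw-
    chmod 0640 "$root/cache/phpbb3/sample.php"      # not flagged
    chmod 0750 "$root/cache/phpbb3"                 # not flagged
    chmod 0777 "$root/cache"                        # flagged: no sticky bit
    chmod 1777 "$root/tmp"                          # not flagged: sticky
    printf '%s\n' "$root"
}

# With an argument, audit that tree; without one, run on the sample.
if [ $# -gt 0 ]; then
    audit_tree "$1"
else
    demo=$(make_sample_tree) && { audit_tree "$demo" || true; rm -rf "$demo"; }
fi
```

Run as `sh check.sh /var/cache/phpbb3` (script name assumed) to audit an installed tree; the exit status is non-zero when anything is flagged.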

Added tag(s) pending. Request was from www-data <www-data@wolffelaar.nl> to control@bugs.debian.org. (Thu, 13 Jun 2013 03:27:04 GMT)

Message sent on to Andreas Beckmann <anbe@debian.org>:
Bug#711172. (Thu, 13 Jun 2013 03:27:08 GMT)

Message #10 received at 711172-submitter@bugs.debian.org:

From: www-data <www-data@wolffelaar.nl>
To: control@bugs.debian.org, 711172-submitter@bugs.debian.org
Subject: phpBB bugs fixed in revision r687
Date: Thu, 13 Jun 2013 05:18:54 +0200
# Fixed in r687 by taffit
tag 711172 + pending
thanks

These bugs are fixed in revision 687 by taffit
Log message:
Fix chown in cache, closes: #711172





Reply sent to David Prévot <taffit@debian.org>:
You have taken responsibility. (Thu, 13 Jun 2013 21:24:05 GMT)

Notification sent to Andreas Beckmann <anbe@debian.org>:
Bug acknowledged by developer. (Thu, 13 Jun 2013 21:24:05 GMT)

Message #15 received at 711172-close@bugs.debian.org:

From: David Prévot <taffit@debian.org>
To: 711172-close@bugs.debian.org
Subject: Bug#711172: fixed in phpbb3 3.0.11-4
Date: Thu, 13 Jun 2013 21:21:52 +0000
Source: phpbb3
Source-Version: 3.0.11-4

We believe that the bug you reported is fixed in the latest version of
phpbb3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 711172@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated phpbb3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 13 Jun 2013 15:35:45 -0400
Source: phpbb3
Binary: phpbb3 phpbb3-l10n
Architecture: source all
Version: 3.0.11-4
Distribution: unstable
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: David Prévot <taffit@debian.org>
Description: 
 phpbb3     - full-featured, skinnable non-threaded web forum
 phpbb3-l10n - additional language files for phpBB
Closes: 711172
Changes: 
 phpbb3 (3.0.11-4) unstable; urgency=high
 .
   * Fix chown in cache (closes: #711172)
   * Fix world-writable directories




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 12 Jul 2013 07:31:53 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 11:15:05 2014; Machine Name: beach.debian.org