Re: CVE request: mumble local information disclosure

[Ludwig Nussel <ludwig.nussel () suse de>]

Vincent Danen wrote:
> It was discovered that mumble created its database file
> (~/.local/share/data/Mumble/.mumble.sqlite) with insecure world-readable
> permissions.  If the user had (non-default) permissions on their home
> directory, another local user could obtain password and configuration
> settings from the database file.

It certainly makes sense for cautios applications to make sure sensitive
settings have restricted access permissions. Question is whether it is
actually a vulnerability if they don't. Quoting the XDG spec¹

| If, when attempting to write a file, the destination directory is
| non-existant an attempt should be made to create it with permission
| 0700. If the destination directory exists already the permissions should
| not be changed.

So it could be argued that mumble just relied on the specification that
already mandates restrictive permissions on ~/.config.

The program that is supposed to create ~/.config on login had a bug that
made the dir 755 in violation of the spec². Fixing the permissions is
not allowed according to the spec though ...

cu
Ludwig

[1] http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
[2] https://bugs.freedesktop.org/show_bug.cgi?id=36773

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)