FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

newsgrab -- insecure file and directory creation

Affected packages
newsgrab <= 0.4.0

Details

VuXML ID cd7e260a-6bff-11d9-a5df-00065be4b5b6
Discovery 2005-01-18
Entry 2005-02-01

The newsgrab script uses insecure permissions during the creation of the local output directory and downloaded files.

After a file is created, its permissions are set using the mode value of the newsgroup posting. This can potentially be a problem when that mode is not restrictive enough. In addition, the output directory is created with world-writable permissions, allowing other users to drop symlinks or other files at that location.
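The two weaknesses described above have a common fix pattern, sketched here as an added example (not newsgrab's own code, which is a separate script): create the output directory owner-only and vet it before use, refuse to write through a pre-existing name or symlink, and clamp the mode carried by the posting. The function names and the `MAX_FILE_MODE` policy are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Assumption: a downloaded file never needs more than owner read/write.
MAX_FILE_MODE = 0o600


def clamp_posting_mode(untrusted_mode: int) -> int:
    """Reduce a mode taken from a posting to at most owner read/write."""
    return stat.S_IMODE(untrusted_mode) & MAX_FILE_MODE


def prepare_output_dir(path: str) -> None:
    """Create the output directory as 0700, or vet one that already exists."""
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass
    st = os.lstat(path)  # lstat: a symlink planted at `path` is not followed
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path} is not a real directory")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path} is owned by another user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{path} is group- or world-writable")


def write_download(out_dir: str, name: str, data: bytes, posting_mode: int) -> str:
    """Write one file; `name` is assumed to be a plain file name already."""
    target = os.path.join(out_dir, name)
    # O_EXCL fails if the name exists, including a symlink dropped by another user.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
        os.fchmod(fh.fileno(), clamp_posting_mode(posting_mode))
    return target


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:  # constructed sample run
        out = os.path.join(base, "out")
        prepare_output_dir(out)
        saved = write_download(out, "part1.bin", b"data", 0o4777)
        print(oct(stat.S_IMODE(os.stat(saved).st_mode)))
```
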

References

CVE Name CVE-2005-0154
URL http://people.freebsd.org/~niels/issues/newsgrab-20050114.txt
URL http://sourceforge.net/project/shownotes.php?release_id=300562