Message-ID: <20041222171236.GG4647@tivano.de>
Date: Wed, 22 Dec 2004 18:12:36 +0100
From: Peter Conrad <conrad@...ano.de>
To: bugtraq@...urityfocus.com
Subject: Permission problem in Skype BETA for linux


Date: December 2004

Product: Skype (http://skype.com/)

"Skype is free Internet telephony that just works.
 Skype is for calling other people on their computers or phones.
 Download Skype and start calling for free all over the world."

Affected versions:

Linux RPMs version 0.92.0.12, possibly others.
(Linux versions are marked as "BETA")

Problem Description:

During installation a world-writable directory "/usr/share/skype/lang" is
created.

Impact:

The directory (presumably) contains various language files used by the
skype application. An attacker could modify these files. It is unknown if
this could be used for attacking local users running the skype application.

Solution:

The problem seems to be fixed in version 0.93.0.3, which is currently
available for download from the skype website.

History:

 - Vendor notified on 19-Nov-2004
 - Vendor acknowledged problem within 40 minutes
 - Fixed version available since 21-Dec-2004

-- 
Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18                      http://www.tivano.de/
63263 Neu-Isenburg

Germany
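
A check for the condition reported above, as an added example that is not part of the original message or of Skype's packaging. It lists directories that are writable by "other" without the sticky bit, and world-writable regular files. The function names, the temporary sample tree and the file "notes.txt" are constructed for illustration; only the path "usr/share/skype/lang" comes from the advisory.

```shell
#!/bin/sh
# Added example: audit an installed tree for world-writable entries.

# audit_world_writable ROOT
# Prints "DIR <path>" for each directory writable by "other" that lacks the
# sticky bit (any local user can create, rename or replace entries in it),
# and "FILE <path>" for each world-writable regular file.
audit_world_writable() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # -perm -0002: the "other" write bit is set; ! -perm -1000: no sticky bit.
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 -print | sed 's/^/DIR /'
    # -type f skips symlinks, whose own mode bits carry no meaning.
    find "$root" -xdev -type f -perm -0002 -print | sed 's/^/FILE /'
}

# build_sample_tree
# Creates constructed sample data in a fresh temp directory and prints its
# path. Runs in a subshell so the umask change does not leak to the caller.
build_sample_tree() (
    umask 022
    t=$(mktemp -d) || exit 1
    mkdir -p "$t/usr/share/skype/lang" "$t/tmp"
    : > "$t/usr/share/skype/notes.txt"      # hypothetical file name
    chmod 0777 "$t/usr/share/skype/lang"    # the mode the advisory describes
    chmod 0666 "$t/usr/share/skype/notes.txt"
    chmod 1777 "$t/tmp"                     # sticky, so not reported
    echo "$t"
)

# Audit a real tree when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_world_writable "$1"
fi
```

Run it as "sh audit.sh /usr/share/skype" after installing a package; no output means nothing under that tree is world-writable.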

