[37890] in bugtraq
Permission problem in Skype BETA for linux
daemon@ATHENA.MIT.EDU (Peter Conrad)
Wed Dec 22 14:57:35 2004
Date: Wed, 22 Dec 2004 18:12:36 +0100
From: Peter Conrad <conrad@tivano.de>
To: bugtraq@securityfocus.com
Message-ID: <20041222171236.GG4647@tivano.de>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Date: December 2004
Product: Skype (http://skype.com/)
"Skype is free Internet telephony that just works.
Skype is for calling other people on their computers or phones.
Download Skype and start calling for free all over the world."
Affected versions:
Linux RPM's version 0.92.0.12, possibly others.
(Linux versions are marked as "BETA")
Problem Description:
During installation a world-writable directory "/usr/share/skype/lang" is
created.
Impact:
The directory (presumably) contains various language files used by the
skype application. An attacker could modify these files. It is unknown if
this could be used for attacking local users running the skype application.
Solution:
The problem seems to be fixed in version 0.93.0.3, which is currently
available for download from the skype website.
History:
- Vendor notified on 19-Nov-2004
- Vendor acknowledged problem within 40 minutes
- Fixed version available since 21-Dec-2004
--
Peter Conrad Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH Fax: +49 6102 / 80 99 071
Bahnhofstr. 18 http://www.tivano.de/
63263 Neu-Isenburg
Germany
