This repository has been archived by the owner on Jun 26, 2020. It is now read-only.
Set more restrictive permission on .nylas-mail #181
Comments
I guess I'm not sure what the impact of filing a CVE is? Just to alert people of security issues? If so, then I think it would be applicable here.
For devs looking into this, Mailspring has the same issue: Foundry376/Mailspring#375. The dev probably could kill two birds with one stone by applying the fix to both repos.
nirmit added a commit to nirmit/nylas-mail that referenced this issue Dec 13, 2017
Fixes the directory permissions for the user directory to a more restrictive 700. Fixes nylas-mail-lives#181 Source Foundry376/Mailspring/pull/418
mikeseese pushed a commit that referenced this issue Dec 14, 2017
Fixes the directory permissions for the user directory to a more restrictive 700. Fixes #181 Source Foundry376/Mailspring/pull/418
This issue was assigned CVE-2017-1000485.
@l2dy - This is part of the alpha release 2.2.2-4alpha. Can you please help test it?
Thanks, the fix works on macOS.
On macOS, by default the `$HOME/.nylas-mail` directory has 755 permission, so other users can use `sqlite3 ~victim/.nylas-mail/shared.sqlite` and `select * from accounts;` to retrieve my credentials.

A CVE was assigned for a similar vulnerability in Telegram Desktop, should I request a CVE for this issue?
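
A check for the condition described in the issue, as an added example that is not part of the original thread or the project's own fix: it reports whether group or other users can reach the data directory and sets it to 700. The function names are hypothetical; the directory and database names are the ones quoted in the issue.

```shell
#!/bin/sh
# Added example (not project code): audit and tighten a per-user mail data
# directory such as $HOME/.nylas-mail. Function names are hypothetical.

# Print the octal permission bits of a path.
# GNU stat is tried first, then the BSD/macOS form.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 when group or other have any permission bit set on the path,
# 1 when they have none, 2 when the path cannot be examined.
is_exposed() {
    m=$(mode_of "$1") || return 2
    # Mask the group and other bits (octal 077) out of the mode.
    [ $(( 0$m & 077 )) -ne 0 ]
}

# Report exposure on stderr, set the directory to 700, and print the
# resulting mode on stdout.
harden_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    if is_exposed "$dir"; then
        echo "exposed: $dir (mode $(mode_of "$dir"))" >&2
        # Files other users could read while the directory was traversable,
        # for example shared.sqlite.
        find "$dir" -type f -perm -004 -print | sed 's/^/  world-readable: /' >&2
        chmod 700 "$dir" || return 1
    fi
    mode_of "$dir"
}

# Usage: harden_dir "$HOME/.nylas-mail"
```

With the directory at 700, other local users cannot traverse it, so files inside are unreachable by path even if their own modes are still 644.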