CVE-2009-4235

Name	CVE-2009-4235
Description	acpid 1.0.4 sets an unrestrictive umask, which might allow local users to leverage weak permissions on /var/log/acpid, and obtain sensitive information by reading this file or cause a denial of service by overwriting this file, a different vulnerability than CVE-2009-4033.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References	DSA-1960-1
NVD severity	medium (attack range: local)
Debian Bugs	560771

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
acpid (PTS)	wheezy	1:2.0.16-1+deb7u1	fixed
	jessie	1:2.0.23-2	fixed
	buster, sid, stretch	1:2.0.28-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
acpid	source	(unstable)	1.0.6	low		560771
acpid	source	etch	1.0.4-5etch2	medium	DSA-1960-1
acpid	source	lenny	1.0.8-1lenny2	medium	DSA-1960-1

all versions set umask(0), might be worth double-checking what it opens