Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 28 Nov 2008 16:29:10 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request - cups, dovecot-managesieve, perl,
	wireshark

Steve,

  ------------------------------------------------------------
> 
> perl -- perl-File-Path rmtree race condition (CVE-2005-0448 was assigned to address this)
>      -- from below posted proposed fix: "This vulnerability was fixed in 5.8.4-7 but re-introduced in 5.8.8-1.
>                                          It's also present in File::Path 2.xx, up to and including 2.07 which
>                                          has only a partial fix."
>      -- affects all upstream 5.8.8-1 based perl releases (have checked perl-5.8.8-1+ is reaffected, perl-5.8.10 already contains the fix)
>      -- needs a new CVE id
>      -- references: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286922
>                     http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286922
>                     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0448
>                     http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=85;filename=etch_03_fix_file_path;att=1;bug=286905
>                     http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=85;filename=sid_fix_file_path;att=2;bug=286905
> 
> ------------------------------------------------------------

One point yet -- this is perl-5.8.8-1+ specific issue (different than
CVE-2004-0452, CVE-2005-0448 and even different than recently fixed
CVE-2008-2827). Seems that upstream forgot to apply the fix for
CVE-2005-0448 to 5.8 perl after rebase. This newly reported issue
already fixed in perl-5.10.

CVE-2008-2827 affects only perl-5.10 (and it already applies additional
fix to CVE-2005-0448, which has been properly applied in perl-5.10).

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ