Date: Fri, 28 Nov 2008 16:29:10 +0100
From: Jan Lieskovsky <>
Cc: "Steven M. Christey" <>
Subject: Re: CVE Request - cups, dovecot-managesieve, perl,


> perl -- perl-File-Path rmtree race condition (CVE-2005-0448 was assigned to address this)
>      -- from below posted proposed fix: "This vulnerability was fixed in 5.8.4-7 but re-introduced in 5.8.8-1.
>                                          It's also present in File::Path 2.xx, up to and including 2.07 which
>                                          has only a partial fix."
>      -- affects all upstream 5.8.8-1 based perl releases (have checked perl-5.8.8-1+ is reaffected, perl-5.8.10 already contains the fix)
>      -- needs a new CVE id
>      -- references:
>           ;filename=etch_03_fix_file_path;att=1;bug=286905
>           ;filename=sid_fix_file_path;att=2;bug=286905
> ------------------------------------------------------------

One more point -- this is a perl-5.8.8-1+ specific issue (different than
CVE-2004-0452, CVE-2005-0448 and even different than the recently fixed
CVE-2008-2827). It seems that upstream forgot to apply the fix for
CVE-2005-0448 to 5.8 perl after the rebase. This newly reported issue
is already fixed in perl-5.10.

CVE-2008-2827 affects only perl-5.10 (and it already applies an additional
fix to CVE-2005-0448, which has been properly applied in perl-5.10).

Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
