Date: Wed, 05 Feb 2014 18:55:13 +1100
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
CC: cve-assign@...re.org, 737385@...s.debian.org
Subject: Re: Re: CVE request: a2ps insecure temporary file use

On 02/05/2014 01:40 AM, cve-assign@...re.org wrote:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1060630#c5
>>
>> * Fri Jan 05 2001 Preston Brown <pbrown@...hat.com>
>> - security patch for tmpfile creation from Olaf Kirch <okir@....de>
>>
>> followed the next month by a fix to that patch:
>>
>> * Mon Feb 12 2001 Tim Waugh <twaugh@...hat.com>
>> - Fix tmpfile security patch so that it actually _works_ (bug #27155).
>
> Does anyone have information indicating that two CVE-2001-#### IDs are
> needed to cover the discoveries by Olaf Kirch and Tim Waugh 13 years
> ago? This would be the case if, for example, there was a January 2001
> a2ps package that fixed part of the problem with temporary files.
> Admittedly, the practical value of two CVE-2001-#### IDs at present
> may be extremely small.
>
> The information does not seem to be in a2ps.git because data before
> 2004 is unavailable, e.g.,
>
>    http://pkgs.fedoraproject.org/cgit/a2ps.git/log/?ofs=100
>
> Also:
>
>    https://bugzilla.redhat.com/show_bug.cgi?id=27155
>    You are not authorized to access bug #27155.
>
> If (as we would expect) nobody is interested in checking that, we will
> assign one CVE-2001-#### ID.

Hello,

I spent a little time looking but could not determine if a release was 
made to fix only part of the problem. So one ID is fine by us.

Bug #27155 just contains some gdb output. Therefore I assumed it was
public and didn't check before sending it here.

Thanks for looking at this.

--
Murray McAllister / Red Hat Security Response Team
