Date: Mon, 10 Feb 2014 22:11:09 -0500 (EST)
From: cve-assign@...re.org
To: jwilk@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE requests: Pacemaker, Python Imaging Library, eyeD3, 9base, rc, Gamera, RPLY - insecure use of /tmp

> * Pacemaker:
> https://bugs.debian.org/633964
> This needs a CVE-2011-#### id.

Use CVE-2011-5271.


> * Python Imaging Library:
> https://bugs.debian.org/737059

> Note that we have two slightly different kinds of problems here:
> 1) in IptcImagePlugin.py and Image.py there's tempfile.mktemp() followed 
> by open() in the same subprocess;

> 2) in JpegImagePlugin.py and EpsImagePlugin.py, temporary file name 
> generated by tempfile.mktemp()

Use CVE-2014-1932 for the issue of using mktemp in all of these .py
files.


> 2) ... temporary file name ... is passed to an external process.
> The latter kind is much easier to exploit, at least on some systems, 
> because commandlines are not secret.

Use CVE-2014-1933 for the issue of including sensitive filename
information on a command line that is visible by using ps or a similar
approach.


> * eyeD3:
> https://bugs.debian.org/737062

Use CVE-2014-1934.


> * Tom Duff's rc (part of 9base):
> https://bugs.debian.org/737206

Use CVE-2014-1935.


> * Byron Rakitzis's rc:
> https://bugs.debian.org/737125

Use CVE-2014-1936.


> * Gamera:
> https://bugs.debian.org/737324

Use CVE-2014-1937.


> * RPLY (follow-up for CVE-2014-1604):
> https://bugs.debian.org/737627

Use CVE-2014-1938.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
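The two mktemp() patterns distinguished above, next to the hardened forms a maintainer would substitute, as an added illustration (not code from PIL or from this thread; the function names are my own):

```python
import os
import tempfile

def insecure_tmp_write(data: bytes) -> str:
    """Pattern reported for IptcImagePlugin.py / Image.py (shown only for
    contrast): mktemp() merely picks a name, and open() then creates it with
    O_CREAT but without O_EXCL, so a path planted in between is followed."""
    name = tempfile.mktemp()
    with open(name, "wb") as f:
        f.write(data)
    return name

def secure_tmp_write(data: bytes) -> str:
    """Hardened form: mkstemp() creates the file atomically (O_CREAT|O_EXCL,
    mode 0600) and returns the open descriptor, so there is no race window."""
    fd, name = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return name

def secure_tmp_for_subprocess(data: bytes) -> str:
    """For the JpegImagePlugin.py / EpsImagePlugin.py case, where the name must
    be handed to an external program and is therefore visible in ps: put the
    file inside a mkdtemp() directory (mode 0700), so knowing the name is useless."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "input.dat")
    # O_EXCL makes open() fail (rather than follow) if anything, including
    # a symlink, already sits at that path; 0o600 keeps the file private.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def check_private(path: str) -> bool:
    """Defensive check: not a symlink, owned by us, no group/other access."""
    st = os.lstat(path)
    return (not os.path.islink(path) and st.st_uid == os.getuid()
            and (st.st_mode & 0o077) == 0)

def read_and_remove(path: str) -> bytes:
    """Read a temp file back, delete it, and drop an empty mkdtemp() parent."""
    with open(path, "rb") as f:
        data = f.read()
    os.unlink(path)
    parent = os.path.dirname(path)
    if parent != tempfile.gettempdir():
        os.rmdir(parent)
    return data
```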
