Date: Fri, 12 Sep 2014 11:55:56 +0200
From: Helmut Grohne <helmut@...divi.de>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request: /tmp file vulnerability in ace

On Thu, Sep 11, 2014 at 03:33:17AM -0400, cve-assign@...re.org wrote:
> Use CVE-2014-6311.

Thanks.

> > An interesting find is bin/g++-dep line 63:
> > > TMP=/tmp/g++dep$$
> > This path is also used for writing.
> 
> As far as we can tell, there is no bin/g++-dep in the
> download.dre.vanderbilt.edu upstream distribution. The bin/g++-dep
> issue, if confirmed, would not be within the scope of CVE-2014-6311.

I point out that said bin/g++-dep file can be found within
http://download.dre.vanderbilt.edu/previous_versions/ACE-6.2.7.tar.bz2.

Nevertheless, this is not a CVE request, because it is not clear to me
in what ways this file is intended for user consumption (if at all). The
issue covered by CVE-2014-6311, on the other hand, can be reproduced by
executing Debian's dpkg-buildpackage or following upstream's
documentation.

Helmut
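
The `TMP=/tmp/g++dep$$` line quoted above names its temporary file after the shell's PID. As an added example (not part of the original message and not code from ACE), the script below flags that pattern in shell scripts and shows the `mktemp` form that replaces it. The helper names `find_pid_tmp` and `safe_tmp` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example; find_pid_tmp and safe_tmp are hypothetical helper names.

# find_pid_tmp FILE...
# Print "file:line:text" for every line that builds a path under /tmp
# (this also matches /var/tmp) from the shell PID, written $$ or ${$}.
# A PID is guessable, so another local user can create the name first.
# Exit status is grep's: 0 if a line was flagged, 1 if none was.
find_pid_tmp() {
    grep -nHE '/tmp/[^[:space:];|&]*\$(\$|\{\$\})' "$@"
}

# safe_tmp PREFIX
# Create a private temporary file and print its path. mktemp picks a
# random suffix and creates the file exclusively with mode 0600, so a
# file or symlink planted at that name makes creation fail instead of
# being written through.
safe_tmp() {
    mktemp "${TMPDIR:-/tmp}/$1.XXXXXXXXXX"
}

# demo: audit a constructed three-line script.
demo() {
    sample=$(safe_tmp sample) || return 1
    # Constructed input: line 1 is the assignment quoted in the thread,
    # line 2 writes through it, line 3 is the safe form (not flagged).
    printf '%s\n' 'TMP=/tmp/g++dep$$' 'echo data > $TMP' 'OK=$(mktemp)' > "$sample"
    find_pid_tmp "$sample" && rc=0 || rc=$?
    rm -f "$sample"
    return "$rc"
}

demo
```

In a script that adopts `safe_tmp`, pair it with `trap 'rm -f "$TMP"' EXIT` so the file is removed on every exit path.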
