Date: Fri, 12 Sep 2014 11:55:56 +0200
From: Helmut Grohne <helmut@...divi.de>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request: /tmp file vulnerability in ace

On Thu, Sep 11, 2014 at 03:33:17AM -0400, cve-assign@...re.org wrote:
> Use CVE-2014-6311.

Thanks.

> > An interesting find is bin/g++-dep line 63:
> > > TMP=/tmp/g++dep$$
> > This path is also used for writing.
>
> As far as we can tell, there is no bin/g++-dep in the
> download.dre.vanderbilt.edu upstream distribution. The bin/g++-dep
> issue, if confirmed, would not be within the scope of CVE-2014-6311.

I point out that said bin/g++-dep file can be found within
http://download.dre.vanderbilt.edu/previous_versions/ACE-6.2.7.tar.bz2.
Nevertheless, this is not a CVE request, because it is not clear to me
in what ways this file is intended for user consumption (if at all). The
issue covered by CVE-2014-6311, on the other hand, can be reproduced by
executing Debian's dpkg-buildpackage or following upstream's
documentation.

Helmut
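
The `TMP=/tmp/g++dep$$` pattern quoted in the message above, as an added example that is not part of the original post or of ACE: a shell audit that flags PID-derived paths under /tmp, plus a mktemp-based replacement. The function names (`find_predictable_tmp`, `make_private_tmp`) and the two sample scripts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post or from ACE); function names are hypothetical.

# Print "file:line:text" for every line that builds a path under /tmp or
# /var/tmp from $$ (the shell's PID), which any local user can predict.
# /dev/null is passed as an extra file so grep always prints the file name.
find_predictable_tmp() {
    grep -nE '(/var)?/tmp/[^[:space:]]*\$\$' "$@" /dev/null
}

# Replacement for TMP=/tmp/<name>$$: mktemp chooses an unpredictable suffix
# and creates the file exclusively with mode 0600, so a file or symlink
# planted at the path in advance makes creation fail instead of being
# written through.
make_private_tmp() {
    mktemp "${TMPDIR:-/tmp}/$1.XXXXXXXXXX"
}

demo() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/tmpaudit.XXXXXXXXXX") || return 1
    # Constructed sample input: line 2 of old.sh is the assignment quoted
    # in the message; new.sh is the same script using mktemp.
    printf '%s\n' '#!/bin/sh' 'TMP=/tmp/g++dep$$' \
        'echo deps > "$TMP"' > "$work/old.sh"
    printf '%s\n' '#!/bin/sh' 'TMP=$(mktemp) || exit 1' \
        'echo deps > "$TMP"' > "$work/new.sh"

    echo "Predictable temp paths found:"
    find_predictable_tmp "$work/old.sh" "$work/new.sh"

    # Hardened form in use: create, write, clean up.
    f=$(make_private_tmp g++dep) || return 1
    echo deps > "$f"
    echo "Private temp file created: $f"
    rm -f "$f"
    rm -rf "$work"
}

demo
```
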