Date: Tue, 27 Oct 2015 10:44:49 +0100
From: Michael Scherer <misc@...b.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request - open-vm-tools using predictable filename in /tmp

On Mon, Oct 26, 2015 at 07:51:17PM +0100, Florian Weimer wrote:
> On 10/26/2015 07:23 PM, Michael Scherer wrote:
>
> > It seems that vm-support, from open-vm-tools, uses /tmp to
> > store output of diagnostic software.
> >
> > See
> > https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/scripts/common/vm-support#L200
> >
> > Can a CVE be assigned?
>
> I don't think this is a vulnerability anymore because runcmd prepends
> $OUTPUT_DIR to the path.

Damn, indeed, should have spent more time looking at the bash code :(

--
Michael Scherer