Date: Sat, 13 Sep 2008 19:55:52 +0200 From: Robert Buchholz <rbu@...too.org> To: oss-security@...ts.openwall.com Cc: "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE Request (gpicview) On Tuesday 26 August 2008, Steven M. Christey wrote: > > http://sourceforge.net/tracker/index.php?func=detail&aid=2019481&gr > >oup_id=180858&atid=894869 > > > > Possible symlink attack via the temporary created "/tmp/rot.jpg" > > file used for image rotation. > > Use CVE-2008-3791 This issue (and CVE-2008-3904) have been resolved by r845, and released as 0.1.10: http://lxde.svn.sourceforge.net/viewvc/lxde?view=rev&sortby=date&revision=845 Interestingly, upstream also fixed a bug in the open_url() function where invoking the browser would allow for code execution via shell metacharacters in the URL. However, from what I see the function is only called with URLs in the "about" box. Unfortunately, upstream calls this non-issue CVE-2008-3904. Patch here: http://lxde.svn.sourceforge.net/viewvc/lxde?view=rev&sortby=date&revision=847 Regards, Robert Download attachment "signature.asc " of type "application/pgp-signature" (836 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.