Date: Tue, 1 Jun 2010 14:55:56 -0400 From: Michael Gilbert <michael.s.gilbert@...il.com> To: oss-security@...ts.openwall.com Cc: Josh Bressers <bressers@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE request: ghostscript and gv On Tue, 1 Jun 2010 14:41:41 -0400 (EDT), Josh Bressers wrote: > Please use CVE-2010-2055 for this. > [...] > > In the Debian bug report Paul also mentiones that gv creates a > > temporary file in an insecure way: > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583316#10 should the insecure temp file get its own id since it is rather different than the original problem? | I slightly wonder about the writing of the tmp file | open("/tmp/gv_random_some.pdf.tmp", O_WRONLY|O_CREAT|O_TRUNC, 0666) | from within gs (no O_EXCL so would follow a symlink allowing clobber). mike
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.