oss-security - Re: CVE Request -- fabric -- Use of insecure temporary file by uploading templates and projects to remote hosts

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Mon, 6 Jun 2011 13:24:43 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Steve Kemp <steve@...ve.org.uk>, Silas Sewell <silas@...ell.ch>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request -- fabric -- Use of insecure
 temporary file by uploading templates and projects to remote hosts



----- Original Message -----
> Hello, Josh, Steve, vendors,
> 
> It was found that fabric, a simple Pythonic remote deployment tool,
> used insecure way for creation of temporary files, when uploading
> template text files and project files to a remote system. A local
> attacker could use this flaw to conduct symlink attacks to upload
> sensitive information to remote host or to overwrite certain local
> system files.
> 
> References:
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629003
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=710462
> 

Please use CVE-2011-2185.

Thanks.

-- 
    JB

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.