Date: Mon, 24 Sep 2012 23:50:44 -0500
From: Raphael Geissert <geissert@...ian.org>
To: Tomas Hoger <thoger@...hat.com>,
 oss-security@...ts.openwall.com
Subject: Re: CVE request: opencryptoki insecure lock files handling

On Thursday 20 September 2012 09:10:14 Tomas Hoger wrote:
> Ok, so I think we need 1 CVE for the two insecure temporary file uses,
> unless we want to split each temporary file issue under a separate
> CVE.  I don't believe there's a real need to assign CVE for 2.4.1
> (which did not improve things on systems with world writable /var/lock)
> or 2.4.2 (which re-opens the attack for pkcs11 group members on systems
> with restricted /var/lock, but improves things on systems with world
> writable /var/lock).

I think two ids is more appropriate given that the issue isn't fixed in 2.4.1
for systems with world writable /var/lock. 2.4.2, on the other hand, covers
both scenarios (given that pkcs11 group membership is already considered
root-equivalent.)

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
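Editor's added example, not code from opencryptoki and not posted by either participant in the thread: it shows the failure mode the discussion is about (a lock file created with a plain open(O_CREAT) in a world-writable directory such as /var/lock, where anyone can pre-plant a symlink under the lock file's name) next to the hardened open pattern (O_NOFOLLOW plus an fstat() check on the opened descriptor). The directory, the victim file and the lock file name are constructed under a mkdtemp() directory in /tmp so the demo runs self-contained; the function names are the editor's own and nothing here is claimed to match the 2.4.x fixes.

```c
/* Added example (not opencryptoki's code): insecure vs. hardened lock-file
 * open in a directory the attacker can write to. All paths are constructed
 * under a mkdtemp() directory; nothing touches /var/lock. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure pattern: follows symlinks, so whoever can create entries in the
 * lock directory can redirect the open (and any later write/chmod/chown)
 * to a file of their choosing. */
int open_lock_naive(const char *path)
{
    return open(path, O_RDWR | O_CREAT, 0666);
}

/* Hardened pattern: refuse to follow a symlink at the final component, then
 * verify via fstat() that what was actually opened is a regular file owned
 * by us with a single hard link. O_EXCL is deliberately not used: a lock
 * file shared by several processes is expected to already exist. */
int open_lock_safely(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;                 /* errno == ELOOP: a symlink was planted */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Simulate the attack: a "victim" file plus a symlink carrying the lock
 * file's name that points at it. Returns a bitmask:
 *   bit 0: the naive open landed on the victim's inode (attack worked)
 *   bit 1: the hardened open refused the symlink with ELOOP
 *   bit 2: once the symlink is gone, the hardened open creates a normal
 *          lock file (the legitimate path still works)
 * Expected value on a correct implementation is 7; -1 means setup failed. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";            /* constructed sandbox */
    if (!mkdtemp(dir))
        return -1;
    char victim[256], lock[256];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lock, sizeof lock, "%s/opencryptoki.lock", dir);

    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (vfd < 0)
        return -1;
    close(vfd);
    if (symlink(victim, lock) < 0)                  /* the attacker's step */
        return -1;

    int result = 0;
    struct stat vst, lst;
    int nfd = open_lock_naive(lock);
    if (nfd >= 0 && stat(victim, &vst) == 0 && fstat(nfd, &lst) == 0 &&
        vst.st_ino == lst.st_ino && vst.st_dev == lst.st_dev)
        result |= 1;
    if (nfd >= 0)
        close(nfd);

    int sfd = open_lock_safely(lock);
    if (sfd < 0 && errno == ELOOP)
        result |= 2;
    if (sfd >= 0)
        close(sfd);

    unlink(lock);                                   /* remove the planted link */
    sfd = open_lock_safely(lock);
    if (sfd >= 0) {
        result |= 4;
        close(sfd);
    }

    unlink(lock);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_symlink_attack();
    printf("naive open followed the symlink: %s; hardened open refused it: %s; "
           "hardened open works without it: %s\n",
           (r & 1) ? "yes" : "no", (r & 2) ? "yes" : "no", (r & 4) ? "yes" : "no");
    return r == 7 ? 0 : 1;
}
```

The fstat() step matters as much as O_NOFOLLOW: O_NOFOLLOW only stops a symlink at the last path component, so the ownership and S_ISREG checks are what catch a pre-created regular file or device node left there by another user. As the thread notes, this only helps against users who are not already in a group considered root-equivalent; restricting who can write the lock directory is the other half of the fix.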
