Date: Fri, 12 Sep 2014 11:55:56 +0200 From: Helmut Grohne <helmut@...divi.de> To: cve-assign@...re.org Cc: oss-security@...ts.openwall.com Subject: Re: CVE request: /tmp file vulnerability in ace On Thu, Sep 11, 2014 at 03:33:17AM -0400, cve-assign@...re.org wrote: > Use CVE-2014-6311. Thanks. > > An interesting find is bin/g++-dep line 63: > > > TMP=/tmp/g++dep$$ > > This path is also used for writing. > > As far as we can tell, there is no bin/g++-dep in the > download.dre.vanderbilt.edu upstream distribution. The bin/g++-dep > issue, if confirmed, would not be within the scope of CVE-2014-6311. I point out that said bin/g++-dep file can be found within http://download.dre.vanderbilt.edu/previous_versions/ACE-6.2.7.tar.bz2. Nevertheless, this is not a CVE request, because it is not clear to me in what ways this file is intended for user consumption (if at all). The issue covered by CVE-2014-6311, on the other hand, can be reproduced by executing Debian's dpkg-buildpackage or following upstream's documentation. Helmut
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.