Date: Fri, 12 Sep 2014 11:55:56 +0200
From: Helmut Grohne <>
Subject: Re: CVE request: /tmp file vulnerability in ace

On Thu, Sep 11, 2014 at 03:33:17AM -0400, wrote:
> Use CVE-2014-6311.


> > An interesting find is bin/g++-dep line 63:
> > > TMP=/tmp/g++dep$$
> > This path is also used for writing.
> As far as we can tell, there is no bin/g++-dep in the
> upstream distribution. The bin/g++-dep
> issue, if confirmed, would not be within the scope of CVE-2014-6311.

I point out that said bin/g++-dep file can be found within

Nevertheless, this is not a CVE request, because it is not clear to me
in what ways this file is intended for user consumption (if at all). The
issue covered by CVE-2014-6311, on the other hand, can be reproduced by
executing Debian's dpkg-buildpackage or following upstream's
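
Added example, not part of the original message and not code from ACE: the TMP=/tmp/g++dep$$ assignment quoted above derives the file name from the shell's PID, so the sketch below flags that pattern in a script and creates the scratch file with mktemp instead. The function names find_pid_tmp and private_tmp and the sample script are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit shell scripts for PID-based names under /tmp and
# create the scratch file privately instead. Function names are hypothetical.

# find_pid_tmp FILE...
# Prints "file:line:text" for each line that builds a /tmp (or /var/tmp) path
# from $$, the shell's PID, which other local users can predict.
# Exit status is grep's: 0 if something was found, 1 if not.
find_pid_tmp() {
    # /dev/null as an extra operand makes grep always print the file name.
    grep -nE '/tmp/[^[:space:]]*\$\$' "$@" /dev/null
}

# private_tmp PREFIX
# Creates an empty mode-0600 file with a random suffix and prints its path.
# mktemp creates the file exclusively, so a file or symlink planted earlier
# under the same name is never opened.
private_tmp() {
    mktemp "${TMPDIR:-/tmp}/$1.XXXXXXXXXX"
}

# Constructed sample input: the assignment quoted in the thread, followed by
# a write through that variable.
work=$(mktemp -d) || exit 1
cat > "$work/sample.sh" <<'EOF'
#!/bin/sh
TMP=/tmp/g++dep$$
echo data > "$TMP"
EOF

if find_pid_tmp "$work/sample.sh"; then
    safe=$(private_tmp 'g++dep') || exit 1
    echo "predictable name flagged above; private replacement: $safe"
    rm -f "$safe"
fi
rm -rf "$work"
```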

