Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 24 Nov 2015 12:57:11 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: CVE Request: IPTables-Parse: Use of predictable names for temporary
 files

Hi

IPTables-Parse up to 1.6 used temporary files in insecure way, since
it used predictable filenames. This issue was fixed in 1.6 with the
following commit:

https://github.com/mtrmac/IPTables-Parse/commit/b400b976d81140f6971132e94eb7657b5b0a2b87

Upstream Changelog:
https://metacpan.org/source/MRASH/IPTables-Parse-1.6/Changes
> (Miloslav Trma─Ź) Fixed a vulnerability to not use predictable names
> for temporary files. This vulnerability would allow an attacker on a
> multi- user system to set up symlinks to overwrite any file the
> current user has write access to. If a user manually overrides the
> temporary file locations with the 'iptout' and 'ipterr' hash keys,
> it is recommended to not use predictable names either.

Can a CVE be assigned for this issue?

Regards,
Salvatore

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.