On Wed, January 11, 2012 19:46, Jonathan Wiltshire wrote:
> On Wed, Jan 11, 2012 at 12:37:05PM -0500, Jim Paris wrote:
>> Package: as31
>> Version: 2.3.1-4
>> Severity: important
>> Tags: security
>>
>> as31 creates a temporary file during assembly.  It uses the UID and
>> random() in the filename, but the random number generator is never
>> seeded, and so the filename is predictably the same every time,
>> introducing a security hole:
>
> Thank you for the report. Does this issue have a CVE identifier yet?
> Security team, if not can we allocate from the Debian pool (I forget
> the rules)?

Afraid not, because our pool can only be used for not-yet-public issues.
This is to prevent duplication. An ID should be requested on oss-security
or from Mitre.

> Maintainer: I doubt this will get a DSA (security team will advise) so
> in that event please fix this in unstable and then follow
> http://deb.li/prsc

Indeed I don't think this merits a DSA. The assembler will usually be run
as a normal user which severely limits the impect of a temp file race;
this combined with the limited scope of the program I consider this an
issue best fixed through spu.


Thijs



--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to