On Wed, January 11, 2012 19:46, Jonathan Wiltshire wrote: > On Wed, Jan 11, 2012 at 12:37:05PM -0500, Jim Paris wrote: >> Package: as31 >> Version: 2.3.1-4 >> Severity: important >> Tags: security >> >> as31 creates a temporary file during assembly. It uses the UID and >> random() in the filename, but the random number generator is never >> seeded, and so the filename is predictably the same every time, >> introducing a security hole: > > Thank you for the report. Does this issue have a CVE identifier yet? > Security team, if not can we allocate from the Debian pool (I forget > the rules)?
Afraid not, because our pool can only be used for not-yet-public issues. This is to prevent duplication. An ID should be requested on oss-security or from Mitre. > Maintainer: I doubt this will get a DSA (security team will advise) so > in that event please fix this in unstable and then follow > http://deb.li/prsc Indeed I don't think this merits a DSA. The assembler will usually be run as a normal user which severely limits the impect of a temp file race; this combined with the limited scope of the program I consider this an issue best fixed through spu. Thijs -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

