Bug#737385: CVE request: a2ps insecure temporary file use

2014-02-05 Thread cve-assign 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 https://bugzilla.redhat.com/show_bug.cgi?id=1060630#c5

 * Mon Feb 12 2001 Tim Waugh twa...@redhat.com
 - Fix tmpfile security patch so that it actually _works_ (bug #27155).

 And notes 
 http://pkgs.fedoraproject.org/cgit/a2ps.git/plain/a2ps-4.13-security.patch 
 is the patch.

 I spent a little time looking but could not determine if a release was 
 made to fix only part of the problem. So one ID is fine by us.

Use CVE-2001-1593.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJS8jCQAAoJEKllVAevmvmsYOsH/ip2JAUT4e/oQ9/TjFuOtR7E
QbmXDrv18am2/MCQ8phfXIelF8CAByXdvbdj1KNwyTSxqTcs+6HZDNNsTt66wIsI
H6Yajsc3HPdAITKOvL6oiS1kl0d/Ndbk36+KBrCmwCqp09tHKIU3UoN5jiZXMQIr
A3RaQ6/MdWyd9QQ9MsgwclLwvkzBzlbgc76N/TCaIv/hEf+gKkeOF6S+el1pJdQ4
XTZ9FDlaRv6kRUO+fePLCU0CANmZj5vJNDA1JicElUly/lFTpTxB8ZB/1JAyeEC9
eD8KQ7RjUrUiwXKDTbm33ekGLPY6wpNfSEtM9e7N26omhnCeENwxMU2ePoVA7ws=
=LDwH
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#737385: CVE request: a2ps insecure temporary file use

2014-02-04 Thread cve-assign 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 https://bugzilla.redhat.com/show_bug.cgi?id=1060630#c5
 
 * Fri Jan 05 2001 Preston Brown pbr...@redhat.com
 - security patch for tmpfile creation from Olaf Kirch o...@lst.de
 
 followed the next month by a fix to that patch:
 
 * Mon Feb 12 2001 Tim Waugh twa...@redhat.com
 - Fix tmpfile security patch so that it actually _works_ (bug #27155).

Does anyone have information indicating that two CVE-2001- IDs are
needed to cover the discoveries by Olaf Kirch and Tim Waugh 13 years
ago? This would be the case if, for example, there was a January 2001
a2ps package that fixed part of the problem with temporary files.
Admittedly, the practical value of two CVE-2001- IDs at present
may be extremely small.

The information does not seem to be in a2ps.git because data before
2004 is unavailable, e.g.,

  http://pkgs.fedoraproject.org/cgit/a2ps.git/log/?ofs=100

Also:

  https://bugzilla.redhat.com/show_bug.cgi?id=27155
  You are not authorized to access bug #27155.

If (as we would expect) nobody is interested in checking that, we will
assign one CVE-2001- ID.

Finally, the earlier abstraction question is no longer relevant
because Jakub Wilk is apparently not the original discoverer of any
part of the problem. Specifically, this question:

  The original report notes there are calls to tempname_ensure(). If any
  of those are found to be vulnerable, would they use the same CVE number,
  or require a different one?

would only apply to a situation in which the spyname problem was a new
discovery in 2014.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJS8PuRAAoJEKllVAevmvmsavAH/35erOpFeVh3fjUXXGdlJBVN
XzXwdKV6e+joCBJ2hYQ8+os5c19zFNdYcoAz8ay4DKdD9wEHUUiDjZDAhG1rWmDW
ji3I8Bbi3aMmZwaKqJwv3GYWVAOr6QzTuvKJoPVl835jF7Od1FUWeEaMPPqZmI9s
mwPp4eC4CjlVz8ldCgZdU+tiUZojJjl5wFBn/lnYsdfLisJ5mCi1YScMt3p5zZVE
FkXNu5MhFLEtfeQF2BUe3HLsk/UtNEq8T0cMsaNdIbckkFGKxiNiRfK8QGBHGRIp
KuFEoEufFAT0BNRMvHix4MFbYT+a2SKuC5lbrRa7jbyMWh9meRxze/s9UePtEno=
=cx5F
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#737385: CVE request: a2ps insecure temporary file use

2014-02-02 Thread Murray McAllister 
Hello,

Jakub Wilk found that a2ps, a tool to convert text and other types of
files to PostScript, insecurely used a temporary file in spy_user(). A
local attacker could use this flaw to perform a symbolic link attack to
modify an arbitrary file accessible to the user running a2ps:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737385

The original report notes there are calls to tempname_ensure(). If any
of those are found to be vulnerable, would they use the same CVE number,
or require a different one?

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737385
https://bugzilla.redhat.com/show_bug.cgi?id=1060630

Thanks,

--
Murray McAllister / Red Hat Security Response Team


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org