Bug#756432: CVE request: Gummi

2015-10-08 Thread cve-assign

> release is 0.6.5.
> 
> The program uses predictable filenames for files in /tmp, which produces a
> race condition
> 
> I'm Debian maintainer for this software.
> 
> https://bugs.debian.org/756432

Use CVE-2015-7758.

Note that the discussion referenced by the bug report suggests that
Linux exploitability depends on the /proc/sys/fs/protected_symlinks
file.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#782561: Buffer overruns in Linux kernel RFC4106 implementation using AESNI

2015-04-17 Thread cve-assign

> Linux kernel commit ccfe8c3f7e52 (crypto: aesni - fix memory usage in
> GCM decryption) fixes two bugs in pointer arithmetic that lead to
> buffer overruns (even with valid parameters!):
>
> https://git.kernel.org/linus/ccfe8c3f7e52ae83155cb038753f4c75b774ca8a
> https://bugs.debian.org/782561
>
> These are described as resulting in DoS (local or remote), but are
> presumably also exploitable for privilege escalation.

> As the destination buffer for decryption only needs to hold the
> plaintext memory but cryptlen references the input buffer holding
> (ciphertext || authentication tag), the assumption of the destination
> buffer length in RFC4106 GCM operation leads to a too large size. ...
> In addition, ... cryptlen already includes the size of the tag. Thus,
> the tag does not need to be added.

Use CVE-2015-3331.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#782515: TCP Fast Open local DoS in some Linux stable branches - Linux kernel

2015-04-17 Thread cve-assign

> There is a local DoS triggered by use of the TCP Fast Open option,
> specific to Linux stable branches, as a result of an incompletely
> backported bug fix:
>
> https://bugs.debian.org/782515
> http://thread.gmane.org/gmane.linux.network/359588

> The BUG() at the top of
> tcp_transmit_skb() fires as tcp_skb_pcount(skb) == 0.
>
> tcp_send_syn_data() does:
>
> memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
>
> Since commit cd7d8498c9a5 (tcp: change tcp_skb_pcount() location) this
> is sufficient to set the GSO segment count correctly. But in older
> branches (< 3.18) the GSO segment count in skb_shared_info is used and
> is no longer copied by tcp_send_syn_data().

Use CVE-2015-3332.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#772008: CVE request: mpfr: buffer overflow in mpfr_strtofr

2015-01-03 Thread cve-assign


On Tue, 30 Dec 2014, Moritz Muehlenhoff wrote:


On Mon, Dec 08, 2014 at 01:45:12PM +0100, Vasyl Kaigorodov wrote:

Hello,

A buffer overflow was reported [1] in mpfr.
This is due to incorrect GMP documentation for mpn_set_str about the
size of a buffer (discussion is at [1]; first fix in the GMP
documentation is at [2]). This bug is present in the MPFR versions
from 2.1.0 (adding mpfr_strtofr) to this one, and can be detected by
running make check in a 32-bit ABI under GNU/Linux with alloca
disabled (this is currently possible by using the --with-gmp-build
configure option where alloca has been disabled in the GMP build). It
is fixed by the strtofr patch [3].
Corresponding changeset in the 3.1 branch: 9110 [4].

[1]: https://gmplib.org/list-archives/gmp-bugs/2013-December/003267.html
[2]: https://gmplib.org/repo/gmp-5.1/raw-rev/d19172622a74
[3]: http://www.mpfr.org/mpfr-3.1.2/patch11
[4]: https://gforge.inria.fr/scm/viewvc.php?view=rev&root=mpfr&revision=9110

References:
- https://bugzilla.redhat.com/show_bug.cgi?id=1171701
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772008

Can a CVE be assigned to this please?


Use CVE-2014-9474.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]





Bug#768369: Stack smashing in libjpeg-turbo

2014-11-26 Thread cve-assign

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768369#114
>
> I created a minimal test case in around 200 lines.
>
> It uses a file with the intercepted scanlines of the calls to
> jpeg_write_scanlines.
>
> Also the Exif marker is read from such a file.
> (And without this Exif marker the stack smash does not happen...)

Use CVE-2014-9092.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#771125: CVE request: mutt: heap-based buffer overflow in mutt_substrdup()

2014-11-26 Thread cve-assign

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771125

> mutt segfaults when trying to show the attached message. (You might need
> to disable header weeding to trigger the crash.)

Use CVE-2014-9116.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#770222: CVE request: icecast: possible leak of on-connect scripts

2014-11-20 Thread cve-assign

> It was reported that Icecast could possibly leak the contents of
> on-connect scripts to clients, which may contain sensitive information.
> This issue has been fixed in the 2.4.1 release:

> Fix on-connect and on-disconnect script STDIN/STDOUT/STDERR corruption
> due to shared file descriptors.

> Information contained can include passwords

> http://icecast.org/news/icecast-release-2_4_1/
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770222
> https://trac.xiph.org/ticket/2089
> https://trac.xiph.org/ticket/2087
> https://trac.xiph.org/changeset/19308

Use CVE-2014-9018.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#767227: CVE request: lsyncd command injection

2014-11-19 Thread cve-assign

> There is a command injection flaw in lsyncd, a file change monitoring
> and synchronization daemon:
>
> https://github.com/axkibe/lsyncd/issues/220
>
> https://github.com/creshal/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227

Use CVE-2014-8990. The scope of this CVE ID includes both:

  1. code execution with ` characters or other characters that are
 special to a shell
  2. denial of service scenarios in which a user with write access
 to a local directory uses special characters to make
 synchronization fail (might have security relevance in some
 scenarios)

The MITRE CVE team does not have a Lua expert. The code change adds:

  local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
  local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')

This does not seem to be the typical fix approach for unsafe input to
a shell. Has anyone concluded that this is an incomplete fix that ought
to be modified before the 2.1.6 release?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#725847: Requesting a CVE for pip - Local DoS with predictable temp directory names

2014-11-19 Thread cve-assign

> because the build directory is predictable a local DoS is possible
> simply by creating a /tmp/pip-build-username/ directory owned by
> someone other than the defined user
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725847
> https://github.com/pypa/pip/pull/2122

Use CVE-2014-8991.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#759282: CVE request: php-pear, pear's insecure /tmp/ use for cache data

2014-08-26 Thread cve-assign

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759282

Use CVE-2014-5459.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#756566: CVE Request: XML-DT: Insecure use of temporary files

2014-08-15 Thread cve-assign

> mkdtskel and mkxmltype using insecurely temporary files using the pid
> of the process in the temporary file name.
>
> /tmp/_xml_$$
>
> https://bugs.debian.org/756566

Use CVE-2014-5260.


> fixed in XML-DT 0.65 upstream, see
>
> https://metacpan.org/diff/file?target=AMBS/XML-DT-0.65/&source=AMBS/XML-DT-0.63/

This actually doesn't seem to be fixed. However, we don't immediately
see a security problem in version 0.65 (only a usability problem), so
a second CVE ID isn't assigned at this point.

Specifically, the latest version has:

  https://metacpan.org/source/AMBS/XML-DT-0.65/mkxmltype

  system("head -$lines $fname | xmllint --recover - > $fname");

which looks unintended (maybe $fname will always end up as a
zero-length file?). 

This apparently also affects libxml-dt-perl (0.65-1) from the
https://packages.debian.org/sid/libxml-dt-perl page.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#754899: CVE request: rawstudio: Insecure use of temporary file

2014-07-16 Thread cve-assign

> rs_filter_graph in librawstudio/rs-filter.c
>
> /tmp/rs-filter-graph
> /tmp/rs-filter-graph.png
>
> This allows the truncation of arbitrary files

Use CVE-2014-4978.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#752395: CVE request: python: _json module is vulnerable to arbitrary process memory read

2014-06-24 Thread cve-assign

> The bug is caused by allowing the user to supply a negative index
> value.

> http://bugs.python.org/issue21529
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395
> https://bugzilla.redhat.com/show_bug.cgi?id=1112285
> https://hackerone.com/reports/12297

Use CVE-2014-4616.

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395#5
> Package: python2.7

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395#19
> It affects Python 3.x in a similar way

The same CVE ID applies to affected Python 2.x and 3.x versions.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#751417: (Linux kernel) Bug#751417: linux-image-3.2.0-4-5kc-malta: no SIGKILL after prctl(PR_SET_SECCOMP, 1, ...) on MIPS

2014-06-17 Thread cve-assign

> According to the manual page, after calling it with 1 as a second
> argument, any consecutive system calls other than read(), write(),
> _exit() and sigreturn() should result in the delivery of SIGKILL.
> However, under MIPS any consecutive system call behaves as if
> prctl(PR_SET_SECCOMP, 1, ...) was never called.

> I see no check for seccomp on the MIPS syscall 'fast path'. The
> seccomp check appears to be done on the 'slow path' which is used only
> if tracing or audit is also enabled for the task. If I run the above
> program under strace, it is killed as expected.

Use CVE-2014-4157.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#736066: A number of EncFS issues

2014-05-14 Thread cve-assign

> https://defuse.ca/audits/encfs.htm
> the last one sounds CVE worthy

Use CVE-2014-3462 for that issue, i.e., 'The purpose of MAC headers is
to prevent an attacker with read/write access to the ciphertext from
being able to make changes without being detected. Unfortunately, this
feature provides little security, since it is controlled by an option
in the .encfs6.xml configuration file (part of the ciphertext), so the
attacker can just disable it by setting blockMACBytes to 0 and
adding 8 to blockMACRandBytes (so that the MAC is not interpreted as
data).'

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#746322: CVE request: Python Bottle JSON content-type not restrictive enough

2014-05-01 Thread cve-assign

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746322 and
> https://github.com/defnull/bottle/issues/616 report an issue where
> Bottle treated text/plain;application/json as JSON, allowing security
> mechanisms to be bypassed.

Use CVE-2014-3137.

The scope of this CVE does not include any behavior of Chrome that
could be interpreted as a Chrome vulnerability, e.g., "can make a
request with the content-type of text/plain;application/json (IMO this
is a bug in Chrome)" in 616. A later comment in 616 says "The original
reporter mentioned filing Chrome bugs." As suggested by the
http://www.google.com/about/appsecurity/ page, Chrome bugs are the
mechanism for getting CVE assignments from the Google CNA.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
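
Added example, not part of the message above and not Bottle's code: a substring test on Content-Type next to an exact media-type comparison, run over the header value quoted in the report. The function names are made up for illustration, and loose_is_json only models the behaviour the report describes.

```python
import re

# RFC 7230 "token" characters, used for the type and subtype of a media type.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_MEDIA_TYPE = re.compile(rf"^\s*({_TOKEN})/({_TOKEN})\s*(?:;.*)?$", re.DOTALL)


def loose_is_json(content_type):
    """Model of the reported behaviour: 'application/json' anywhere in the header."""
    return "application/json" in content_type.lower()


def strict_is_json(content_type):
    """Accept only a header whose media type itself is application/json.

    Parameters after the first ';' (charset and so on) are ignored, and a
    header that does not start with a well-formed type/subtype is rejected.
    """
    match = _MEDIA_TYPE.match(content_type or "")
    if match is None:
        return False
    media_type = f"{match.group(1)}/{match.group(2)}".lower()
    return media_type == "application/json"


# Constructed sample headers; the second is the value quoted in the report.
SAMPLES = [
    "application/json",
    "text/plain;application/json",
    "Application/JSON; charset=utf-8",
    "text/plain",
    "application/json-seq",
    "",
]


def classify(samples=SAMPLES):
    """Return (header, loose result, strict result) for each sample."""
    return [(h, loose_is_json(h), strict_is_json(h)) for h in samples]


if __name__ == "__main__":
    for header, loose, strict in classify():
        print(f"{header!r:40} loose={loose!s:5} strict={strict}")
```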



Bug#744817: CVE request: insecure temporary file handling in clang's scan-build utility

2014-04-18 Thread cve-assign

> Jakub Wilk discovered that clang's scan-build utility insecurely handled
> temporary files.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744817

> The GetHTMLRunDir subroutine ...
>
> 3) The function doesn't fail if the directory already exists, even if
> it's owned by another user.

Use CVE-2014-2893.


[ other notes:

> 1) The directory name is easily predictable

This doesn't seem to be independently exploitable.

> 2) The directory is created with default permissions (instead of 0700).

Using default permissions is not necessarily wrong, from a CVE
perspective, in all development environments. See the
http://openwall.com/lists/oss-security/2014/03/09/1 post. In any case,
we're not currently making a separate CVE assignment for the
permissions issue. ]

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#741659: CVE request: kdirstat, insufficient quote escaping leading to arbitrary command execution

2014-03-18 Thread cve-assign

> The Debian report is about single quotes. On Fedora
> (https://bugzilla.redhat.com/show_bug.cgi?id=1077059) double quotes were
> needed.

The recent upstream patch:

  https://bitbucket.org/jeromerobert/k4dirstat/commits/1ad2e96d73fa06cd9be0f3749b337c03575016aa#chg-src/kcleanup.cpp

addressed the ' issue using the '\\'' approach.

http://dl.fedoraproject.org/pub/fedora/linux/releases/19/Everything/source/SRPMS/k/k4dirstat-2.7.0-0.9.20101010git6c0a9e6.fc19.src.rpm
has:

expanded.replace( QRegExp( "%p" ),
  "\"" + QString::fromLocal8Bit( item->url() )  + "\"" );
expanded.replace( QRegExp( "%n" ),
  "\"" + QString::fromLocal8Bit( item->name() ) + "\"" );

As mentioned in the
http://openwall.com/lists/oss-security/2014/02/09/1 post, attempted
use of " for this type of quoting is a conceptually different problem
than attempted use of ' for this type of quoting, even if both
attempts are ultimately incorrect.

(We did not try to check whether the upstream version made a change
from incorrect use of " to incorrect use of ' at some point. This
could be considered an incomplete fix.)

Use CVE-2014-2527 for the vulnerability involving use of " (as shown
in the above calls to expanded.replace). This CVE assignment applies
to any upstream code or any Fedora-specific code that has this
specific issue.

Use CVE-2014-2528 for the vulnerability involving use of ' (as shown
in the above https://bitbucket.org commit).

If anyone happens to identify a version of the code that does not
attempt any type of quoting, a third CVE assignment may be possible.

> (And maybe it should be escaping ';' too if not already?)

This would typically not be addressed as a separate fix.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
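
Added example, not part of the messages above and not code from lsyncd or k4dirstat: the '\'' single-quote approach named in this message, plus passing the filename as a positional parameter so it is never parsed as shell text, which is the usual alternative to the character-by-character escaping questioned in the lsyncd message (CVE-2014-8990). The function names and the sample filenames are constructed for illustration; a POSIX sh on PATH is assumed.

```python
import subprocess


def sh_single_quote(arg):
    """Quote one argument for a POSIX shell.

    Everything goes inside '...', where the shell treats every character
    literally. A single quote cannot appear inside '...', so each one is
    written as '\'' (close the quote, an escaped quote, reopen the quote).
    """
    if "\x00" in arg:
        raise ValueError("NUL byte cannot be passed on a command line")
    return "'" + arg.replace("'", "'\\''") + "'"


def via_shell(name):
    """Echo `name` back through sh -c after quoting it into the command string."""
    cmd = "printf %s " + sh_single_quote(name)
    return subprocess.run(["sh", "-c", cmd], capture_output=True,
                          text=True, check=True).stdout


def via_positional(name):
    """Echo `name` back with a fixed script; the name is data in "$1", never code."""
    return subprocess.run(["sh", "-c", 'printf %s "$1"', "sh", name],
                          capture_output=True, text=True, check=True).stdout


# Constructed filenames using the characters named in the two messages
# (' " ` $ ;) plus a space, a backslash, a newline and the empty string.
SAMPLE_NAMES = [
    "plain.txt",
    "it's here.txt",
    'say "hi".txt',
    "cost $HOME.txt",
    "back`tick`.txt",
    "a;b.txt",
    "trailing\\",
    "two\nlines",
    "",
]


def roundtrip_failures(names=SAMPLE_NAMES):
    """Names that come back changed from either path (expected: none)."""
    return [n for n in names if via_shell(n) != n or via_positional(n) != n]


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n!r:20} -> {sh_single_quote(n)}")
    print("round-trip failures:", roundtrip_failures())
```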



Bug#740670: possible CVE requests: perltidy insecure temporary file usage

2014-03-08 Thread cve-assign

Use CVE-2014-2277 for the issue in which, on all platforms, the
filename string returned by make_temporary_filename might be used for
an attacker's symlink before that filename is used by the perltidy
code to write lines into a file.

> $^O =~ /win32|dos/i || $^O eq 'VMS' || $^O eq 'MacOs'
> Would this be a separate issue on those platforms

We typically don't assign separate CVE IDs in cases where, for the
same version of the software, the vulnerability details are similar
but non-identical on different operating systems.


> Regarding the use of tmpnam, is it safe/not an issue if you open the
> resulting filename with O_CREAT and O_EXCL (as perltidy does)?

Possibly it depends on the version of Perl or the operating system's
libraries. Maybe someone else knows the precise details. The
http://archives.neohapsis.com/archives/bugtraq/2000-02/0018.html post
claims 'because a symlink can point to nowhere, the O_EXCL|O_CREAT
test does not suffice: you might still end up making a new file,
even one that you own, that's somewhere else than you think it is.' On
at least some recent Linux platforms, that behavior apparently does
not occur. Specifically, if the first argument to IO::File->new is a
symlink, and the target of the symlink is a nonexistent file like
/home/victim/.forward, and O_EXCL|O_CREAT is used, then
/home/victim/.forward is not created.

This question might be relatively unimportant because O_EXCL|O_CREAT
was only used in the IO::File->new call for choosing a filename.
O_EXCL|O_CREAT wasn't used in IO::File->new call that came immediately
after the make_temporary_filename call. This, for example, doesn't
cover the case of a mode 0777 current working directory.

> 1) perltidy creating a temporary file with default permissions instead of 0600

We're not sure that this should be a vulnerability with a CVE
assignment, even though it is a violation of development standards in
some parts of the community. For example:

  http://cwe.mitre.org/data/definitions/378.html

says "Potential Mitigations ... Temporary files should be writable and
readable only by the process which own the file."

(Obviously, "own" is a typo of "owns" there. MITRE will probably fix
that later.)

It looks like the most common use case is for perltidy to read a .pl
file in the current working directory, and then create a
corresponding .pl.tdy output file in the current working directory,
with the default permissions. In this specific scenario, using default
permissions for the temporary file in the current working directory
might not be considered a security problem. Apparently there are other
use cases in which an attacker might have read access to the temporary
file but lack read access to the .tdy file. It's not clear whether
addressing that had been a perltidy design goal.

(The general counterargument to the "always mode 600" principle is
that it had been historically common to have a multi-person
development effort with a strict policy that all files must always be
group-readable. If something goes wrong when one developer is working,
and it's the responsibility of a second developer to clean up at a
time when the first developer isn't available, then one might really
want all relevant information -- including any possible left-over
temporary files -- to be accessible to the second developer.)

> Is the POSIX module a core part of Perl, as in, the return $name part
> will never be called?

It's conceivable that that depends on the version of Perl, but in any
case the answer doesn't affect how many CVE IDs are needed.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
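
Added example, not part of the messages above and not code from perltidy, scan-build or pip: the O_CREAT|O_EXCL behaviour discussed in this message checked against a dangling symlink, together with the directory checks whose absence the scan-build (CVE-2014-2893) and pip (CVE-2014-8991) messages describe. All function names and paths are constructed for illustration; a POSIX system is assumed.

```python
import os
import shutil
import stat
import tempfile


def create_exclusive(path, mode=0o600):
    """Create `path` as a brand-new file, or raise OSError.

    With O_CREAT|O_EXCL, open() fails if the name exists in any form; POSIX
    requires that failure for a symlink as well, whether or not it dangles.
    O_NOFOLLOW is added where the platform has it.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, mode)


def claim_private_dir(path):
    """Create `path` with mode 0700, or accept an existing one only if it is safe."""
    try:
        os.mkdir(path, 0o700)
        return path
    except FileExistsError:
        pass
    st = os.lstat(path)  # lstat looks at the name itself, not a symlink target
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path}: not a real directory")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path}: owned by uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{path}: writable by group or others")
    return path


def private_build_dir(preferred, prefix="build-"):
    """Use the predictable `preferred` path when it is safe, else a random one.

    Falling back to mkdtemp() means a directory planted under the predictable
    name cannot stop the caller from working.
    """
    try:
        return claim_private_dir(preferred)
    except PermissionError:
        return tempfile.mkdtemp(prefix=prefix)


def demo():
    """Exercise the three helpers in a scratch directory (constructed scenario)."""
    base = tempfile.mkdtemp(prefix="tmpdemo-")
    fallback = None
    try:
        # 1. A dangling symlink already sits under the name we want to create.
        target = os.path.join(base, "elsewhere")
        link = os.path.join(base, "predictable-name")
        os.symlink(target, link)
        try:
            os.close(create_exclusive(link))
            refused = False
        except OSError:
            refused = True

        # 2. Our own 0700 directory is accepted again on a second call.
        own = os.path.join(base, "own")
        reused = claim_private_dir(own) == claim_private_dir(own)

        # 3. A directory others can write to is rejected; a random one is used.
        loose = os.path.join(base, "loose")
        os.mkdir(loose)
        os.chmod(loose, 0o777)
        fallback = private_build_dir(loose, prefix="tmpdemo-")
        return {
            "symlink_refused": refused,
            "target_created": os.path.lexists(target),
            "own_dir_reused": reused,
            "fell_back": fallback != loose,
            "fallback_mode": stat.S_IMODE(os.stat(fallback).st_mode),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)
        if fallback and fallback != loose:
            shutil.rmtree(fallback, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```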



Bug#739536: xfe: directory masks ignored when creating new files on Samba and NFS

2014-02-24 Thread cve-assign

 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739536

 From brief testing on Fedora with Samba and the create mask smb.conf 
 option, this issue only presented when running xfe as the root user. The 
 intended mask was used when running xfe as an unprivileged user.

This seems to be an implementation error. It seems extremely unlikely
that this type of product would want to provide weaker than normal
file restrictions only in the special case of files created by root.

Use CVE-2014-2079.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#736969: (possible) CVE request: suPHP 0.7.2 release fixed a possible arbitrary code execution

2014-02-09 Thread cve-assign

 suPHP 0.7.2 has been released.
 This release fixes a security issue that was introduced with the 0.7.0
 release. This issue affected the source-highlighting feature and could
 only be exploited, if the suPHP_PHPPath option was set. In this case
 local users which could create or edit .htaccess files could possibly
 execute arbitrary code with the privileges of the user the webserver
 was running as.

Use CVE-2014-1867. A commit reference isn't strictly necessary, but
without one we sometimes wait a short time for further information
before sending a CVE assignment, in case the issue (for example)
actually had multiple vulnerability types.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#737778: CVE request: f2py insecure temporary file use

2014-02-07 Thread cve-assign

 Jakub Wilk reported insecure temporary file use in f2py.
 
 numpy/f2py/__init__.py contains this code:
 
   fname = os.path.join(tempfile.mktemp()+'.f')
 
   f = open(fname,'w')
 
 Can a CVE please be assigned if one hasn't been already?
 
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737778
 https://bugzilla.redhat.com/show_bug.cgi?id=1062009

Use CVE-2014-1858 only for the issue in the __init__.py file.

Use CVE-2014-1859 for the other temporary-file issues fixed by the
vendor in the
https://github.com/numpy/numpy/commit/0bb46c1448b0d3f5453d5182a17ea7ac5854ee15
commit.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
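
The difference between the quoted `tempfile.mktemp()` plus `open(fname,'w')` pattern and exclusive creation, as an added example that is not from numpy or from this thread. The helper names, the scratch directory and the file names are constructed for the demonstration.

```python
import os
import stat
import tempfile


def create_like_report(path):
    """open(path, 'w') is O_CREAT|O_TRUNC without O_EXCL: it follows an existing symlink."""
    return open(path, "w")


def create_exclusive(path):
    """O_EXCL makes creation fail if anything, a symlink included, already has the name."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    return os.fdopen(fd, "w")


def create_with_mkstemp(directory):
    """mkstemp picks the name and creates the file in one exclusive step, mode 0600."""
    fd, path = tempfile.mkstemp(suffix=".f", dir=directory)
    return os.fdopen(fd, "w"), path


def run_demo():
    """Run all three creation styles against a name that is already a symlink."""
    out = {}
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim.txt")       # constructed file
        guessed = os.path.join(scratch, "tmpGUESSED.f")    # constructed temp name
        with open(victim, "w") as f:
            f.write("keep me")
        os.symlink(victim, guessed)   # the name is taken before the program runs

        with create_like_report(guessed) as f:
            f.write("      program x\n")
        with open(victim) as f:
            out["plain_open_clobbered_victim"] = f.read() != "keep me"

        with open(victim, "w") as f:   # restore, then try exclusive creation
            f.write("keep me")
        try:
            create_exclusive(guessed).close()
            out["exclusive_refused"] = False
        except FileExistsError:
            out["exclusive_refused"] = True
        with open(victim) as f:
            out["victim_intact_after_exclusive"] = f.read() == "keep me"

        handle, path = create_with_mkstemp(scratch)
        handle.close()
        out["mkstemp_mode"] = stat.S_IMODE(os.lstat(path).st_mode)
        out["mkstemp_is_regular_file"] = stat.S_ISREG(os.lstat(path).st_mode)
    return out


if __name__ == "__main__":
    print(run_demo())
```
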



Bug#737835: CVE Request: Capture::Tiny: insecure use of /tmp

2014-02-06 Thread cve-assign

 open(/tmp/5KKGPDNyy0, O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE,

Use CVE-2014-1875.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#737385: CVE request: a2ps insecure temporary file use

2014-02-05 Thread cve-assign

 https://bugzilla.redhat.com/show_bug.cgi?id=1060630#c5

 * Mon Feb 12 2001 Tim Waugh twa...@redhat.com
 - Fix tmpfile security patch so that it actually _works_ (bug #27155).

 And notes 
 http://pkgs.fedoraproject.org/cgit/a2ps.git/plain/a2ps-4.13-security.patch 
 is the patch.

 I spent a little time looking but could not determine if a release was 
 made to fix only part of the problem. So one ID is fine by us.

Use CVE-2001-1593.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#737385: CVE request: a2ps insecure temporary file use

2014-02-04 Thread cve-assign

 https://bugzilla.redhat.com/show_bug.cgi?id=1060630#c5
 
 * Fri Jan 05 2001 Preston Brown pbr...@redhat.com
 - security patch for tmpfile creation from Olaf Kirch o...@lst.de
 
 followed the next month by a fix to that patch:
 
 * Mon Feb 12 2001 Tim Waugh twa...@redhat.com
 - Fix tmpfile security patch so that it actually _works_ (bug #27155).

Does anyone have information indicating that two CVE-2001- IDs are
needed to cover the discoveries by Olaf Kirch and Tim Waugh 13 years
ago? This would be the case if, for example, there was a January 2001
a2ps package that fixed part of the problem with temporary files.
Admittedly, the practical value of two CVE-2001- IDs at present
may be extremely small.

The information does not seem to be in a2ps.git because data before
2004 is unavailable, e.g.,

  http://pkgs.fedoraproject.org/cgit/a2ps.git/log/?ofs=100

Also:

  https://bugzilla.redhat.com/show_bug.cgi?id=27155
  You are not authorized to access bug #27155.

If (as we would expect) nobody is interested in checking that, we will
assign one CVE-2001- ID.

Finally, the earlier abstraction question is no longer relevant
because Jakub Wilk is apparently not the original discoverer of any
part of the problem. Specifically, this question:

  The original report notes there are calls to tempname_ensure(). If any
  of those are found to be vulnerable, would they use the same CVE number,
  or require a different one?

would only apply to a situation in which the spyname problem was a new
discovery in 2014.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#736958: CVE request: temporary file issue in Passenger rubygem

2014-01-30 Thread cve-assign

 If a local attacker can predict this filename, and precreates a
 symlink with the same filename that points to an arbitrary directory
 with mode 755, owner root and group root, then the attacker will
 succeed in making Phusion Passenger write files and create
 subdirectories inside that target directory.
 
 It is fixed in upstream version 4.0.33.
 
 https://github.com/phusion/passenger/commit/34b1087870c2bf85ebfd72c30b78577e10ab9744

 One thing to notice, however, is that there's a race condition between
 the stat check introduced in 34b1087870c2.
 The following sequence still triggers the bogus behaviour:
 
 user mkdir $dir
 phusion lstat() (getFileTypeNoFollowSymlinks)
 user rmdir $dir
 user ln -s /target $dir
 phusion stat() (from verifyDirectoryPermissions)

 Upstream has now fixed this with the following commit (basically using
 the structure from lstat() for the two checks):
 https://github.com/phusion/passenger/commit/94428057c602da3d6d34ef75c78091066ecac5c0

Use CVE-2014-1831 for the vulnerability with the before 4.0.33
affected versions.

Use CVE-2014-1832 for the vulnerability with the 4.0.33 and earlier
affected versions.

This is an unusual situation because it depends on a decision about
whether the fix in version 4.0.33 solves part of the problem or
addresses one of the threat models. It also depends on whether two
CVEs should be used to cover a set of reports that are only relevant
to symlink attacks, but arguably have different flaw types.

CVE-2014-1831 requires the ability to create a symlink but apparently
does not require the ability to conduct the described race-condition
attack. The attacker could lack direct shell access, but have some
type of slow or limited access to the system. This could potentially
involve the ability to upload and run scripts that can create symlinks
but can't execute arbitrary commands or code. Alternatively, the
attacker could have access to a file manager with the same
constraints.

Also, in some cases, multiple CVEs are used in the case of a single
original report of a symlink-handling problem, e.g., CVE-2008-1569 and
CVE-2008-1570.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
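
The lstat()/stat() interleaving quoted above, replayed in a private scratch directory next to the single-lstat() form the follow-up commit is described as using; this is an added Python sketch, not Phusion Passenger's code. The function names, the `between` hook that stands in for the second process, and the use of mode bits in place of root ownership are assumptions.

```python
import os
import stat
import tempfile


def _acceptable(st, uid):
    """A directory, owned by uid, not writable by group or others."""
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == uid
            and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def verify_two_calls(path, uid, between=lambda: None):
    """Reported pattern: lstat() for the file type, then stat() for permissions."""
    if not stat.S_ISDIR(os.lstat(path).st_mode):   # check 1: not a symlink
        return False
    between()                                      # window between the two calls
    return _acceptable(os.stat(path), uid)         # check 2: follows symlinks


def verify_one_call(path, uid, between=lambda: None):
    """Both checks read one lstat() structure, so they describe one object."""
    st = os.lstat(path)
    between()                                      # a swap here cannot alter st
    return _acceptable(st, uid)


def run_demo():
    """Replay the quoted sequence against each verifier; returns their verdicts."""
    results = {}
    for name, verify in (("two_calls", verify_two_calls),
                         ("one_call", verify_one_call)):
        with tempfile.TemporaryDirectory() as root:
            target = os.path.join(root, "target")  # stands in for the protected dir
            staged = os.path.join(root, "staged")  # the predictable name
            os.mkdir(target)
            os.chmod(target, 0o755)
            os.mkdir(staged)
            os.chmod(staged, 0o777)                # must fail the permission check

            def swap():                            # rmdir + ln -s from the quoted sequence
                os.rmdir(staged)
                os.symlink(target, staged)

            results[name] = verify(staged, os.getuid(), between=swap)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Reading one structure removes the disagreement between the two checks, not the gap between the check and the later use of the path. Opening the directory with `O_DIRECTORY | O_NOFOLLOW` and calling `fstat()` on the descriptor addresses that gap as well.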



Bug#736247: Fwd: [Python-modules-team] Bug#736247: python-xdg: get_runtime_dir(strict=False): insecure use of /tmp

2014-01-21 Thread cve-assign

 as reported by Jakub Wilk in http://bugs.debian.org/736247, there is a
 TOCTOU failure in python's xdg module
 
 1) Create symlink /tmp/pyxdg-runtime-dir-fallback-victim, pointing to a 
 directory owned by the victim

Use CVE-2014-1624.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#683338: CVE request: lightdm-gtk-greeter - local DOS due to NULL pointer dereference

2014-01-07 Thread cve-assign

 http://www.openwall.com/lists/oss-security/2014/01/07/10

 gdm3 needs one also

 Basically, when gdm3 is configured to not show a list of users (but
 instead shows a blank box for the login prompt), if the user clicks
 cancel or hits the escape key, then the greeter gets put into a mode
 without any way to log in (no prompts available).

Use CVE-2013-7273.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#732283: CVE Request: Proc::Daemon writes pidfile with mode 666

2013-12-17 Thread cve-assign

 christian mock c...@coretec.at has reported[1] that Proc::Daemon, when
 instructed to write a pid file, does that with a umask set to 0, so
 the pid file ends up with world-writable permissions.
 
 Upstream bugreport is at [2].
 
  [1] http://bugs.debian.org/732283
  [2] https://rt.cpan.org/Ticket/Display.html?id=91450
  
 Axel Beckert has committed a patch to the Debian packaging[3] and
 forwarded it to upstream.
 
  [3] 
 http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libproc-daemon-perl.git;a=blob;f=debian/patches/pid.patch
 
 Could a CVE be assigned for this issue?

Use CVE-2013-7135.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Bug#731848: CVE Request: ack-grep: potential remote code execution via per-project .ackrc files

2013-12-11 Thread cve-assign

 This version of ack prevents the --pager, --regex and --output
 options from being used from project-level ackrc files.  It is
 possible to execute malicious code with these options

Use CVE-2013-7069.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]