Message-ID: <20140912095556.GA1850@alf.mars>
Date: Fri, 12 Sep 2014 11:55:56 +0200
From: Helmut Grohne <helmut@...divi.de>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request: /tmp file vulnerability in ace

On Thu, Sep 11, 2014 at 03:33:17AM -0400, cve-assign@...re.org wrote:
> Use CVE-2014-6311.

Thanks.

> > An interesting find is bin/g++-dep line 63:
> > > TMP=/tmp/g++dep$$
> > This path is also used for writing.
> 
> As far as we can tell, there is no bin/g++-dep in the
> download.dre.vanderbilt.edu upstream distribution. The bin/g++-dep
> issue, if confirmed, would not be within the scope of CVE-2014-6311.

I point out that said bin/g++-dep file can be found within
http://download.dre.vanderbilt.edu/previous_versions/ACE-6.2.7.tar.bz2.

Nevertheless, this is not a CVE request, because it is not clear to me
in what ways this file is intended for user consumption (if at all). The
issue covered by CVE-2014-6311, on the other hand, can be reproduced by
executing Debian's dpkg-buildpackage or following upstream's
documentation.

Helmut
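The line quoted above, TMP=/tmp/g++dep$$, is the classic predictable temporary file name: the PID suffix is small and visible to every local user, so the path may already exist (as a symlink or as another user's file) by the time the script writes through it. The script below is an added example for this list archive, not code from ACE, Debian or anyone in the thread. It places the quoted pattern next to the mktemp(1) replacement a maintainer would use, plus a small POSIX-only check that refuses to write through a path that is a symlink, not a regular file, or not mode 0600. It assumes mktemp(1) is available (GNU coreutils or BSD); the function names are the editor's own.

```shell
#!/bin/sh
# Added example, not code from ACE or from the oss-security thread.
# Contrasts the quoted pattern (TMP=/tmp/g++dep$$) with a mktemp-based fix.

# Mirrors the quoted line. "$$" is the shell's PID: small, sequential and
# visible to every local user, so the name is guessable and the path can
# already exist by the time the script opens it for writing.
predictable_tmp_name() {
    printf '/tmp/g++dep%s\n' "$$"
}

# Fixed version: mktemp(1) chooses an unpredictable suffix and creates the
# file itself with O_CREAT|O_EXCL and mode 0600, so there is no window
# between picking the name and owning the file. TMPDIR is honoured.
safe_tmp_file() {
    mktemp "${TMPDIR:-/tmp}/g++dep.XXXXXX"
}

# Defensive check before writing to a pre-chosen temp path: refuse symlinks,
# non-regular files and anything whose mode is not exactly 0600.
# Returns 0 only if all conditions hold. Uses only POSIX test(1), ls(1) and
# cut(1) so it behaves the same under dash and bash.
tmp_path_is_safe() {
    p=$1
    [ ! -L "$p" ] || return 1           # symlink: writes would land elsewhere
    [ -f "$p" ] || return 1             # must be a regular file
    mode=$(ls -ld "$p" | cut -c1-10)    # e.g. "-rw-------"
    [ "$mode" = "-rw-------" ] || return 1
    return 0
}

# Usage: create the temp file safely, verify it, write through it, clean up.
main() {
    out=$(safe_tmp_file) || exit 1
    tmp_path_is_safe "$out" || { rm -f "$out"; exit 1; }
    printf 'dependency output\n' > "$out"
    echo "wrote $(wc -l < "$out") line(s) via $out"
    rm -f "$out"
}

main "$@"
```

The check in tmp_path_is_safe is a belt-and-braces step for scripts that cannot switch to mktemp immediately; the real fix is to let mktemp create the file, because a stat-then-open sequence in shell can never close the race completely.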
