[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list]
Date: Thu, 19 Mar 2009 20:01:51 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: jhead
On Fri, 6 Feb 2009, Tomas Hoger wrote:
> Looks like -latest tarball was updated again and now mentions 2.86
> inside. In that, usage of mkstemp was replaced with mktemp (previous
> version failed to close file descriptors opened by mkstemp, probably
> causing issues when trying to use command on large pile of images at
> once). Those the temp file seem to be created user-specified
> destination directory, probably not too likely to be /tmp (and hence
> prone to races).
>
> Anyway, can anyone help me understand what was CVE-2008-4639 assigned
> to? I tried looking at the diff between 2.7 and 2.84 and fail to see
> any relevant change...
I anchored on this:
http://www.openwall.com/lists/oss-security/2008/10/16/3
which is John Dong's answer to an inquiry I had for how many CVEs to
create:
>> = Steve
> = John
>>
>> 1 - long -cmd
>> 2 - unsafe temp file creation
>> 3 - "more unchecked buffers" and "unsafe buffer sized strcat's in
>> ModifyDescriptComment" [this assumes that upstream only fixed
>> issue 1)
>> 4 - shell escapes
>...
>
>
>So, bottom line is I think 2.84 fixes 1 and 3 acceptably, while 2 and 4
>are still unresolved.
So CVE-2008-4641 was assigned to issue 4, and CVE-2008-4639 was assigned
to issue 2. However, I made a mistake in CVE-2008-4639 and said "before
2.84" instead of "2.84 and earlier." I've since fixed the CVE-2008-4639
description to say ""2.84 and earlier."
Now what's this about 2.86?... Sounds like it may be a regression.
- Steve
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux