Date: Mon, 16 May 2011 15:39:30 -0400 (EDT) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Cc: Matej Vela <vela@...ian.org>, Jakub Jelinek <jakub@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE Request -- pmake -- Use of insecure temporary file for 'depend' target Please use CVE-2011-1920 Thanks. -- JB ----- Original Message ----- > Hello Josh, Steve, vendors, > > it was found that pmake (BSD 4.4 version of make) used insecure > temporary file for 'depend' target when building libraries (/usr/share > /mk/bsd.lib.mk) and executables (/usr/share/mk/bsd.prog.mk). A local > attacker could use this flaw to conduct symlink attacks possibly > leading to their ability to replace content of arbitrary files, > belonging to user running the pmake tool or ability to modify the > integrity of .depend file in the home directory of the victim. > > References: >  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626673 >  https://bugzilla.redhat.com/show_bug.cgi?id=705090 > > Could you allocate a CVE id for this? > > Thank you & Regards, Jan. > -- > Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ