Message-Id: <201209242350.45147.geissert@debian.org>
Date: Mon, 24 Sep 2012 23:50:44 -0500
From: Raphael Geissert <geissert@...ian.org>
To: Tomas Hoger <thoger@...hat.com>, oss-security@...ts.openwall.com
Subject: Re: CVE request: opencryptoki insecure lock files handling

On Thursday 20 September 2012 09:10:14 Tomas Hoger wrote:
> Ok, so I think we need 1 CVE for the two insecure temporary file uses,
> unless we want to split each temporary file issue under a separate
> CVE. I don't believe there's a real need to assign CVE for 2.4.1
> (which did not improve things on systems with world writable /var/lock)
> or 2.4.2 (which re-opens the attack for pkcs11 group members on systems
> with restricted /var/lock, but improves things on systems with world
> writable /var/lock).

I think two ids are more appropriate given that the issue isn't fixed in
2.4.1 for systems with world writable /var/lock. 2.4.2, on the other
hand, covers both scenarios (given that pkcs11 group membership is
already considered root-equivalent.)

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
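The thread turns on one precondition: whether the lock directory (/var/lock here) is world-writable, and whether the lock file is created in a way that a pre-planted entry can hijack. The following C program is an added example written for this page, not opencryptoki's code; the function names `dir_world_writable_unsticky`, `open_lock_file_safely` and `lockdir_demo` are my own, and the demo works in a constructed temporary directory rather than the real /var/lock. It shows the directory check a packager or auditor would run, and a lock-file open that uses O_CREAT|O_EXCL|O_NOFOLLOW and an fstat post-check so that an existing file or symlink at the lock path is refused rather than reused.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if `dir` is world-writable without the sticky bit (any local
 * user can create or pre-plant entries in it), 0 if not, -1 on error.
 * This is the condition under which an unsafe lock-file open is exposed. */
int dir_world_writable_unsticky(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return ((st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX)) ? 1 : 0;
}

/* Create the lock file atomically. O_EXCL makes the open fail if any entry
 * (regular file or symlink) already exists at the path, O_NOFOLLOW refuses
 * to traverse a symlink, and mode 0600 leaves no group/other write bits.
 * Returns a descriptor, or -1 with errno set. */
int open_lock_file_safely(const char *dir, const char *name)
{
    char path[PATH_MAX];
    struct stat st;
    int fd;

    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    /* Post-check on the open descriptor: a regular file we own. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-contained demonstration in a constructed temporary directory.
 * Returns 0 when every step behaves as expected, otherwise the number of
 * the first failing step. */
int lockdir_demo(void)
{
    char tmpl[] = "/tmp/lockdemo.XXXXXX";
    char *dir = mkdtemp(tmpl);
    char lockpath[PATH_MAX];
    int fd, rc = 0;

    if (!dir)
        return 1;
    snprintf(lockpath, sizeof lockpath, "%s/demo.lock", dir);

    if (chmod(dir, 0755) != 0 || dir_world_writable_unsticky(dir) != 0)
        rc = 2;   /* restricted directory is not flagged */
    else if (chmod(dir, 0777) != 0 || dir_world_writable_unsticky(dir) != 1)
        rc = 3;   /* world-writable without sticky bit is flagged */
    else if (chmod(dir, 01777) != 0 || dir_world_writable_unsticky(dir) != 0)
        rc = 4;   /* world-writable with sticky bit (like /tmp) is not flagged */
    else if ((fd = open_lock_file_safely(dir, "demo.lock")) < 0)
        rc = 5;   /* first creation succeeds */
    else {
        close(fd);
        /* second creation must fail with EEXIST: an existing file is never reused */
        fd = open_lock_file_safely(dir, "demo.lock");
        if (fd >= 0 || errno != EEXIST) {
            if (fd >= 0) close(fd);
            rc = 6;
        } else {
            /* replace the lock path by a (dangling) symlink, as a planted entry
             * in a world-writable directory would be; the open must still fail */
            unlink(lockpath);
            if (symlink("planted-target", lockpath) != 0)
                rc = 7;
            else if ((fd = open_lock_file_safely(dir, "demo.lock")) >= 0) {
                close(fd);
                rc = 8;
            }
        }
    }
    unlink(lockpath);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = lockdir_demo();
    printf("lockdir_demo: %s (step %d)\n", rc == 0 ? "all checks passed" : "FAILED", rc);
    return rc;
}
```

The directory check is what distinguishes the two scenarios in the thread: on a system where the lock directory is restricted, only members of the group that may write there (pkcs11 in this case) can plant entries, whereas on a world-writable directory without the sticky bit any local user can. The exclusive-create open is the fix that holds in both cases, which is why a version that merely moves or renames the lock file does not close the issue on the world-writable layout.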