Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 10 Feb 2014 22:11:09 -0500 (EST)
From: cve-assign@...re.org
To: jwilk@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE requests: Pacemaker, Python Imaging Library, eyeD3, 9base, rc, Gamera, RPLY - insecure use of /tmp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> * Pacemaker:
> https://bugs.debian.org/633964
> This needs a CVE-2011-#### id.

Use CVE-2011-5271.


> * Python Imaging Library:
> https://bugs.debian.org/737059

> Note that we have two slightly different kinds of problems here:
> 1) in IptcImagePlugin.py and Image.py there's tempfile.mktemp() followed 
> by open() in the same subprocess;

> 2) in JpegImagePlugin.py and EpsImagePlugin.py, temporary file name 
> generated by tempfile.mktemp()

Use CVE-2014-1932 for the issue of using mktemp in all of these .py
files.


> 2) ... temporary file name ... is passed to an external process.
> The latter kind is much easier to exploit, at least on some systems, 
> because commandlines are not secret.

Use CVE-2014-1933 for the issue of including sensitive filename
information on a command line that is visible by using ps or a similar
approach.


> * eyeD3:
> https://bugs.debian.org/737062

Use CVE-2014-1934.


> * Tom Duff's rc (part of 9base):
> https://bugs.debian.org/737206

Use CVE-2014-1935.


> * Byron Rakitzis's rc:
> https://bugs.debian.org/737125

Use CVE-2014-1936.


> * Gamera:
> https://bugs.debian.org/737324

Use CVE-2014-1937.


> * RPLY (follow-up for CVE-2014-1604):
> https://bugs.debian.org/737627

Use CVE-2014-1938.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJS+ZOnAAoJEKllVAevmvmsmGgH/2pKXzhtYjqTnz9/KvGeDqRH
af5obLEN/SB7p/aCpMQtIQ2sRSw7bKYGQ6R+niEfw2+5ZrRuYhbiQLikd1qH4kMX
OTfPYhDJUJwq5t7JdoNSc0CD1/aNg3FDvJ/cfNs80Tln97zRd7kgpp3xUPOdwsKn
/cU2WIelFMGIXCuXDRpKpqep7grP3bfAZRHzo03hg0NxY/6Ah/0eJHV02/8b3ta/
CX9I1a/+4yi6TeBXnez4VhBT5Cs+2Ft1QE5nMSnHEQzf0U6USfRKK7MSWgug5mVK
zEEzHwY24gEDWumv6eGhrgU+/AySN9M6d+m7QjhNV3txgZgJ6adgx4qumHSTbkg=
=umjH
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.