Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 6 Jun 2014 07:53:43 -0400 (EDT)
From: cve-assign@...re.org
To: mmcallis@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: PHP configure script and Lynis tool /tmp/ issues reported on full disclosure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://seclists.org/fulldisclosure/2014/Jun/21
> https://bugzilla.redhat.com/show_bug.cgi?id=1104978

Use CVE-2014-3981 for this issue in PHP.


> The second issue is Lynis ...
> 2 runs on Fedora 20 revealed the following file being used each time:
> 
> /tmp/ffiYFc1nZ
> 
> I cannot find that in the source. I do not know if lynsis exec()'s any
> other scripts or programs.

We probably can't make a CVE assignment for this because the primary
affected product is unknown, and this /tmp/ffiYFc1nZ observation might
already be covered by a previous CVE. Lynis apparently runs many other
scripts and programs; for example, there are hundreds of

  FIND=`

lines.

> The full disclosure report might be referring to the following in
> include/tests_webservers:
> 
>   39     if [ "${OS}" = "AIX" ]; then
>   40         TMPFILE=/tmp/lynis.$$

We can make a CVE assignment corresponding to your disclosure of this
lynis.$$ issue on oss-security. Use CVE-2014-3982. A CVE for this most
likely won't (or shouldn't) have a
http://seclists.org/fulldisclosure/2014/Jun/21 reference unless the
original fulldisclosure author confirms the association.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTkat2AAoJEKllVAevmvmsYoYIAISk5kSEkjIDI0d1Ky3udkJm
/gzIpiKm4gWudGac9z4D0rhxJmCy6JaGIN87n46CxgWUDCJoTCdgNx4HOs4czC7b
CsLagZfSdcFH4rkKxfWMsoB4Kyc3kMNK2sVc+TgKY8Vbk2oY7S54to/mAcmMxN9I
pT4KtMTK6w+XKIcMszD3reIgoxG35tRhvpqh8C/fZMY2H7XQgzn1Us2GqNV8emDG
ckkZJgLvlgLIGn+NArogzd2noBhpR4MqhDfLNL7y5LV0mXbV7b0MSwYLB5Da8qU1
tkODpivVlr49oDU50jznAVV/1Eg/KWqswY2ldTOy9k3jN4hw/1mp7wTBE4nTvCA=
=Ltzt
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.