oss-security - Re: CVE id request: checkinstall

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Message-ID: <Pine.GSO.4.51.0807011733370.19497@faron.mitre.org>
Date: Tue, 1 Jul 2008 17:33:43 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id request: checkinstall

======================================================
Name: CVE-2008-2958
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2958
Reference: MISC:http://lists.alioth.debian.org/pipermail/secure-testing-team/2008-June/001672.html
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488140
Reference: SECUNIA:30873
Reference: URL:http://secunia.com/advisories/30873
Reference: XF:checkinstall-multiple-symlink(43440)
Reference: URL:http://xforce.iss.net/xforce/xfdb/43440

Race condition in (1) checkinstall 1.6.1 and (2) installwatch allows
local users to overwrite arbitrary files and have other impacts via
symlink and possibly other attacks on temporary working directories.

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.