Message-ID: <Pine.GSO.4.51.0906061340570.28142@faron.mitre.org>
Date: Sat, 6 Jun 2009 13:41:43 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id rquest: xfig insecure tmp files

Not sure of the version because it's not stated in the original request
and the Xfig changelog doesn't list any security issues.

======================================================
Name: CVE-2009-1962
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1962
Reference: MLIST:[oss-security] 20090401 CVE id rquest: xfig insecure tmp files
Reference: URL:http://www.openwall.com/lists/oss-security/2009/04/01/6
Reference: BID:34328
Reference: URL:http://www.securityfocus.com/bid/34328
Reference: XF:xfig-temp-symlink(49600)
Reference: URL:http://xforce.iss.net/xforce/xfdb/49600

Xfig in Debian GNU/Linux, possibly 3.2.5, allows local users to read
and write arbitrary files via a symlink attack on the (1)
xfig-eps[PID], (2) xfig-pic[PID].pix, (3) xfig-pic[PID].err, (4)
xfig-pcx[PID].pix, (5) xfig-xfigrc[PID], (6) xfig[PID], (7)
xfig-print[PID], (8) xfig-export[PID].err, (9) xfig-batch[PID], (10)
xfig-exp[PID], or (11) xfig-spell.[PID] temporary files, where [PID]
is a process ID.
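The failure mode in the CVE description above, and the usual fix, as an added C example that is not Xfig's code and not part of the original message. It assumes a POSIX system with a writable /tmp; the file name is modeled on item (8), and the function names, scratch directory and target file are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: no O_EXCL, so a pre-existing symlink at `path` is followed and
 * O_TRUNC empties whatever it points to. */
int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened, same name: O_EXCL fails with EEXIST if anything, a symlink
 * included, already occupies the path. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and creates the file
 * exclusively. `path` receives the generated name. */
int open_mkstemp(const char *dir, char *path, size_t n) {
    snprintf(path, n, "%s/xfig-export.XXXXXX", dir);
    return mkstemp(path);
}

/* Constructed scenario inside a private scratch directory: a symlink to
 * `target` already sits at the PID-derived name. Returns 1 if the open
 * truncated target, 0 if target is intact, -1 on setup failure. */
int target_clobbered(int exclusive) {
    char dir[] = "/tmp/symdemo.XXXXXX", target[128], path[128];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(path, sizeof path, "%s/xfig-export%ld.err", dir, (long)getpid());
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4 || symlink(target, path)) return -1;
    close(fd);
    fd = exclusive ? open_exclusive(path) : open_predictable(path);
    if (fd >= 0) close(fd);
    int rc = (stat(target, &st) == 0) ? (st.st_size != 4) : -1;
    unlink(path); unlink(target); rmdir(dir);
    return rc;
}

int main(void) {
    printf("plain open: %d  O_EXCL: %d\n", target_clobbered(0), target_clobbered(1));
    return 0;
}
```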