oss-sec mailing list archives

Re: CVE-request: pithos symlink vulnerability CWE-61

From: Josh Bressers <bressers () redhat com>
Date: Fri, 19 Aug 2011 14:55:08 -0400 (EDT)



----- Original Message -----

Can I get 2010 CVE-ID for Pithos symlink attack vulnerability:
https://bugs.launchpad.net/pithos/+bug/667896

Software web-page: https://launchpad.net/pithos
Found by: lfaraone <https://launchpad.net/~lfaraone>
Found at: 2010-10-30 (fix released same day)
"Predictable file- or directory-names in /tmp/-directory can lead to
symlink attack."

Fixed in Debian:

http://packages.debian.org/changelogs/pool/main/p/pithos/current/changelog
says:
pithos (0.3.5-1) unstable; urgency=high

* New upstream version.
- SECURITY UPDATE: fixes overwriting of arbitrary file via symlinks
(LP: #667896)
Can be still found from DST:
http://security-tracker.debian.org/tracker/TEMP-0000000-14D1F9

And in Ubuntu:
http://changelogs.ubuntu.com/changelogs/pool/universe/p/pithos/pithos_0.3.8-1/changelog


Please use CVE-2010-4817.

Thanks.

-- 
    JB

Current thread:

CVE-request: pithos symlink vulnerability CWE-61 Henri Salo (Aug 04)
- Re: CVE-request: pithos symlink vulnerability CWE-61 Josh Bressers (Aug 19)