oss-sec mailing list archives
Re: CVE request: opencryptoki insecure lock files handling
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 27 Sep 2012 00:58:59 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/24/2012 10:50 PM, Raphael Geissert wrote:
On Thursday 20 September 2012 09:10:14 Tomas Hoger wrote:Ok, so I think we need 1 CVE for the two insecure temporary file uses, unless we want to split each temporary file issue under a separate CVE. I don't believe there's a real need to assign CVE for 2.4.1 (which did not improve things on systems with world writable /var/lock) or 2.4.2 (which re-opens the attack for pkcs11 group members on systems with restricted /var/lock, but improves things on systems with world writable /var/lock).I think two ids is more appropriate given that the issue isn't fixed in 2.4.1 for systems with world writable /var/lock. 2.4.2, on the other hand, covers boths scenarios (given that pkcs11 group membership is already considered root-equivalent.) Regards,
Apologies for the late reply. I'm going to assign 2 CVE's: Please use CVE-2012-4454 for opencryptoki insecure lock files handling in /tmp in 2.4.0 Please use CVE-2012-4455 for opencryptoki insecure lock files handling in /var/tmp in 2.4.1 - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQIcBAEBAgAGBQJQY/kzAAoJEBYNRVNeJnmT4OQQAKii/9ecdhbj1nYL2hLo8Wd/ SW1Ss8yKRmo6MiwjHjguQ/gaGz2e09zZ5lMgyFNd5eOSNV6kqf+9W3ISXGufMOOx H/cJaI9WnagH/p0C2B4laLUUN3JN3UMjPPipnjMq/lGSGhT+YR1FzLlMXakmS9GX e+0D8SUiI6UHlkbrLf+gOibujWl8xjYyvxWdpokf4OATertAEEYvZPWkyCEfJ7re F4ffgA7VdgZk8XjHlNuTjRNdJtDmZIbY/KvqMEic6xBwLvwymMUWYIiJcHAIEUZ9 XlG7gEnmKx6IwSFr4WDfRwHCXRDTf21KD10yXa1iJgign+tsnKmvSgj9Ny4HezTi gj/J9oKphTW/SKyStf70mAsLXS3IWiuhx+jwSQwzwQIV5IaDoklj/EpEiCeOxb52 UXulCPDl5PnveaKeQ3s6/IWSd7VgskXExdO3D8hz1Ka0A+5oaXHXwuGJo/niY/kL u3ljlqJ6XUUDSk9r+3eZaPL6szh8AFUrLNuALgVAYJTIoSh3xhgXwD1+ccLKt6et 8oY/2GeTrsK1fMSp2X0C42WXc62NGfG1ecSEcXpU/6DuoBUxYYEPdppsTEK1tzdc JIDcVV9ZIF0AcQvuhUpNpVlV+nnHtBuLkOWgvoNsy9Z9A61ZJkhpIJtxns09zc4E oMWWJjtWa+MN86VVKvfj =UaY/ -----END PGP SIGNATURE-----
Current thread:
- CVE request: opencryptoki insecure lock files handling Raphael Geissert (Sep 06)
- Re: CVE request: opencryptoki insecure lock files handling Tomas Hoger (Sep 07)
- Re: CVE request: opencryptoki insecure lock files handling Raphael Geissert (Sep 07)
- Re: CVE request: opencryptoki insecure lock files handling Tomas Hoger (Sep 09)
- Re: CVE request: opencryptoki insecure lock files handling Raphael Geissert (Sep 12)
- Re: CVE request: opencryptoki insecure lock files handling Tomas Hoger (Sep 20)
- Re: CVE request: opencryptoki insecure lock files handling Raphael Geissert (Sep 24)
- Re: CVE request: opencryptoki insecure lock files handling Kurt Seifried (Sep 26)
- Re: CVE request: opencryptoki insecure lock files handling Raphael Geissert (Sep 07)
- Re: CVE request: opencryptoki insecure lock files handling Tomas Hoger (Sep 07)