oss-sec mailing list archives
Re: CVE request: PHP configure script and Lynis tool /tmp/ issues reported on full disclosure
From: cve-assign () mitre org
Date: Fri, 6 Jun 2014 07:53:43 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
http://seclists.org/fulldisclosure/2014/Jun/21 https://bugzilla.redhat.com/show_bug.cgi?id=1104978
Use CVE-2014-3981 for this issue in PHP.
The second issue is Lynis ... 2 runs on Fedora 20 revealed the following file being used each time: /tmp/ffiYFc1nZ I cannot find that in the source. I do not know if lynsis exec()'s any other scripts or programs.
We probably can't make a CVE assignment for this because the primary affected product is unknown, and this /tmp/ffiYFc1nZ observation might already be covered by a previous CVE. Lynis apparently runs many other scripts and programs; for example, there are hundreds of FIND=` lines.
The full disclosure report might be referring to the following in include/tests_webservers: 39 if [ "${OS}" = "AIX" ]; then 40 TMPFILE=/tmp/lynis.$$
We can make a CVE assignment corresponding to your disclosure of this lynis.$$ issue on oss-security. Use CVE-2014-3982. A CVE for this most likely won't (or shouldn't) have a http://seclists.org/fulldisclosure/2014/Jun/21 reference unless the original fulldisclosure author confirms the association. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTkat2AAoJEKllVAevmvmsYoYIAISk5kSEkjIDI0d1Ky3udkJm /gzIpiKm4gWudGac9z4D0rhxJmCy6JaGIN87n46CxgWUDCJoTCdgNx4HOs4czC7b CsLagZfSdcFH4rkKxfWMsoB4Kyc3kMNK2sVc+TgKY8Vbk2oY7S54to/mAcmMxN9I pT4KtMTK6w+XKIcMszD3reIgoxG35tRhvpqh8C/fZMY2H7XQgzn1Us2GqNV8emDG ckkZJgLvlgLIGn+NArogzd2noBhpR4MqhDfLNL7y5LV0mXbV7b0MSwYLB5Da8qU1 tkODpivVlr49oDU50jznAVV/1Eg/KWqswY2ldTOy9k3jN4hw/1mp7wTBE4nTvCA= =Ltzt -----END PGP SIGNATURE-----
Current thread:
- CVE request: PHP configure script and Lynis tool /tmp/ issues reported on full disclosure Murray McAllister (Jun 05)
- Re: CVE request: PHP configure script and Lynis tool /tmp/ issues reported on full disclosure cve-assign (Jun 06)
- Re: CVE request: PHP configure script and Lynis tool /tmp/ issues reported on full disclosure cve-assign (Jun 06)