oss-sec mailing list archives
Re: CVE Request: IPTables-Parse: Use of predictable names for temporary files
From: cve-assign () mitre org
Date: Tue, 24 Nov 2015 12:16:55 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

https://github.com/mtrmac/IPTables-Parse/commit/b400b976d81140f6971132e94eb7657b5b0a2b87
https://metacpan.org/source/MRASH/IPTables-Parse-1.6/Changes
- _iptout => $args{'iptout'} || '/tmp/ipt.out' . $$, - _ipterr => $args{'ipterr'} || '/tmp/ipt.err' . $$, + _iptout => $args{'iptout'} || mktemp('/tmp/ipt.out.XXXXXX'), + _ipterr => $args{'ipterr'} || mktemp('/tmp/ipt.err.XXXXXX'),
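Review bot: mktemp() in the two '+' lines only generates a name; it does not create the file, so the object still holds a path that nothing has claimed, and whatever later opens $self->{_iptout} / $self->{_ipterr} (not in this hunk) does so after a window in which the name exists but the file does not. The random XXXXXX suffix makes guess-and-plant impractical rather than impossible; if the code reopens these paths by name later, consider File::Temp's tempfile() or File::Temp->new, which create the file with O_EXCL and mode 0600 at the moment the name is chosen, and hold the returned path. Also confirm that the matching `use File::Temp qw(mktemp);` import is present, since the hunk does not show it.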
Use CVE-2015-8326 for the vulnerability with the above fix.
If a user manually overrides the temporary file locations with the 'iptout' and 'ipterr' hash keys, it is recommended to not use predictable names either.
- 'iptout' => '/tmp/iptables.out', - 'ipterr' => '/tmp/iptables.err',
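Review bot: deleting the two sample override lines removes the unsafe example without telling users what to do instead when they do set 'iptout' / 'ipterr'; a one-line note beside those keys saying that any override must be an unpredictable, caller-owned path (for instance one produced by File::Temp) would keep the guidance the deletion implies rather than leaving the keys undocumented.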
The deletion of the /tmp/iptables.out and /tmp/iptables.err lines is a documentation change. In some cases, there can be a CVE ID when documentation indicates an unsafe way to use a product, and a CVE ID for documentation would typically be separate from a CVE ID for code. Here, however, there is no CVE ID for the documentation change. We feel that a reader's most likely interpretation of those lines was simply that configuration was possible, not that it was a good configuration for a multi-user system. In general, it seems that a CVE ID for documentation would be more useful if a documented usage example were dangerous in an unexpected or subtle way.

- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWVJsVAAoJEL54rhJi8gl5v4EQAMsL6bSZx9YHmeP1V/Mg1+Bl
+/4JD0hoPGHzpnCWBge9It2yjz0Qyg9VdqLHPQhyuZbO84l56bq4KrznhS9BjvwS
bRi7toqCZ5VUqyCKDR67KU23enz2peNRuUkcTBHcen2YIsbLdUhpbkLgfhxgFWDV
zAeTjpf7QEEiiG/kKchq0kOp5/zC0INy7AuhOOaxrv+qfrqFZhcpA4Jx+aiMHbFh
/I+QkEDoarnV9lLQh0/3LePvfZ4RZm4TrqAT/NMlhJrM762iQ6qMsasgnR3Q3Yf6
y61uYuTZZfRcRPsykQQTNOV8VQYSsR1gRoJqalD2S0pMehQEOcckstUVxcfAqjQc
lXn4lLd7y7OWd4ZYDfHl4UDXXvDt8urxt0OCh1J/skdsQwK6QvrUEJLiqD6++iVC
DQ4j2zyGIAS+Aqtjk0xSZCPZiSdNkF8GtouQVWIrv6hOJiuWG2LiRSoic8sdFeK3
5Kta/FF/bp3YCPHlTnBHxLEzs4UgcmO/bG42v4cySBrmaeqA4hyJUWsKGxFPfPab
8q9eAj+bWJA5fPw/YQ4mpwSkPbs8ut2DoZ1z3gXQBwlTFayJxx36sqh8NH0kZVts
GdL46xuiHlpEnAzFOhI5nDq6uqHPU4Swi+Jj7QWrwHpD2Vb/5qxXccKEH1c5GVwC
yWF6xKDli3IDwDGl+pbr
=Nw8v
-----END PGP SIGNATURE-----
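The following Perl script is an added example, not code from IPTables-Parse, from the patch, or from the MITRE reply above. It shows why the '/tmp/ipt.out' . $$ pattern that CVE-2015-8326 covers is exploitable by a local user, why a name returned by mktemp() still leaves a gap, and how to produce 'iptout' / 'ipterr' override paths with File::Temp's tempfile(), which creates the file with O_EXCL and mode 0600 in the same step that picks the random name. Assumptions: a scratch directory from tempdir() stands in for /tmp, a constructed "victim" file stands in for whatever a local attacker would want overwritten, and the helpers predictable_path, plant_symlink, naive_write, open_exclusive and safe_temp_paths are hypothetical names chosen for this demo.

```perl
#!/usr/bin/perl
# Added example; not code from IPTables-Parse or from the patch above.
# Assumptions for the demo: a tempdir() scratch directory stands in for /tmp,
# and a constructed "victim" file stands in for an attacker's real target.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Temp qw(tempfile tempdir mktemp);

# Vulnerable pattern ('/tmp/ipt.out' . $$): the only entropy is the PID,
# which `ps` reveals and which a local user can also pre-create for every
# plausible value in advance.
sub predictable_path {
    my ($tmpdir, $stem) = @_;
    return "$tmpdir/$stem" . $$;
}

# What a local attacker does with a predictable name: plant a symlink at it
# before the victim process opens it.
sub plant_symlink {
    my ($predicted, $target) = @_;
    symlink($target, $predicted) or die "symlink $predicted: $!";
}

# Naive consumer: open the chosen path for writing, as a shell redirect or a
# plain '>' open would. This follows the planted symlink.
sub naive_write {
    my ($path, $data) = @_;
    open(my $fh, '>', $path) or die "open $path: $!";
    print $fh $data;
    close $fh;
}

# Defensive open for a caller-chosen path: O_CREAT|O_EXCL refuses anything
# already present at the path (a symlink included), and O_NOFOLLOW is a
# second guard. Returns a filehandle, or undef with $! set.
sub open_exclusive {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or return undef;
    return $fh;
}

# Recommended pattern: tempfile() picks the random suffix AND creates the
# file with O_EXCL and mode 0600 in one step, so there is no window in which
# the name is known but the file does not yet exist. mktemp() by contrast
# returns only a name and leaves that window open.
sub safe_temp_paths {
    my ($tmpdir) = @_;
    my ($out_fh, $out) = tempfile('ipt.out.XXXXXX', DIR => $tmpdir);
    my ($err_fh, $err) = tempfile('ipt.err.XXXXXX', DIR => $tmpdir);
    close $out_fh;
    close $err_fh;   # files persist, owned by us, mode 0600
    return ($out, $err);
}

my $tmpdir = tempdir(CLEANUP => 1);     # constructed stand-in for /tmp
my $victim = "$tmpdir/victim";          # constructed stand-in target
naive_write($victim, "original contents\n");

# 1. Predictable name plus naive open: the victim file is overwritten
#    because the open follows the attacker's symlink.
my $guess = predictable_path($tmpdir, 'ipt.out');
plant_symlink($guess, $victim);
naive_write($guess, "iptables -L output\n");
open(my $check, '<', $victim) or die "open $victim: $!";
print "victim file now reads: ", scalar <$check>;
close $check;

# 2. Same planted symlink, exclusive open: refused instead of followed.
my $fh = open_exclusive($guess);
print defined $fh ? "unexpected: exclusive open succeeded\n"
                  : "exclusive open refused: $!\n";

# 3. mktemp() only names a file; nothing exists at that path yet, so a
#    later open by name still has to be an exclusive one.
my $named_only = mktemp("$tmpdir/ipt.err.XXXXXX");
print "mktemp returned $named_only; exists on disk: ",
      (-e $named_only ? "yes" : "no"), "\n";

# 4. tempfile()-backed paths, ready to pass as the 'iptout' / 'ipterr'
#    override keys the reply above mentions.
my ($iptout, $ipterr) = safe_temp_paths($tmpdir);
my %args = (iptout => $iptout, ipterr => $ipterr);
printf "override args: iptout=%s ipterr=%s (mode %04o)\n",
    $args{iptout}, $args{ipterr}, (stat $iptout)[2] & 07777;
# my $ipt = IPTables::Parse->new(%args);   # module deliberately not loaded here
```

Because tempfile() has already created each file, owned by the caller with mode 0600 and a random name inside a sticky /tmp, a consumer that later reopens the same path by name (as a shell redirect does) is no longer racing an attacker for creation; the attacker can neither predict the name nor replace a file they do not own. If the consumer code instead only holds a mktemp()-style name, every subsequent open of that name should go through the O_CREAT|O_EXCL|O_NOFOLLOW form shown in open_exclusive, and a failure with "File exists" should be treated as hostile rather than retried on the same name.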
Current thread:
- CVE Request: IPTables-Parse: Use of predictable names for temporary files Salvatore Bonaccorso (Nov 24)
- Re: CVE Request: IPTables-Parse: Use of predictable names for temporary files cve-assign (Nov 24)