Full Disclosure mailing list archives
Re: Secunia published adviso without respecting release date !
From: "Jerome Athias" <jerome.athias () free fr>
Date: Sat, 16 Jul 2005 03:59:05 +0200
2 things I remind myself...
1) http://seclists.org/lists/vulndiscuss/2004/Dec/0006.html
2) This is an answer from Thomas before a disclosure of some vuln that Secunia found "at the same time":
10/09/2004 19:40
Re: OpenOffice World-Readable Temporary Files Disclose Files to Local Users

Hi Jérôme,

This issue was originally discovered by Secunia on 16th August and reported to the vendors. Please do not forward to anyone else. The various vendors will release updates on Wednesday in a co-ordinated disclosure.

Kind regards,
Thomas

On Fri, 2004-09-10 at 17:31, jerome.athias () caramail com wrote:
Date: Thu, 9 Sep 2004 23:52:18 -0400
Subject: http://www.openoffice.org/issues/show_bug.cgi?id=33357
Reporter: pmladek
OS: Linux
Version: OOo 1.1.2
Summary: Insecure permissions on temporary files at runtime

When OOo is started, a directory /tmp/sv<RAND>.tmp is created, where RAND is a 3 character random string. The permissions of this directory allow other users (depending on the user's umask) to 'cd' to this directory and list the contents. Once a file is saved, a zipped file is created in /tmp/sv<RAND>.tmp and the name of the file follows the same convention. The permissions of the file allow others (depending on the user's umask) to read the content. Due to this any user can grab sensitive information of some other user.

Steps to reproduce the problem:
1. Launch OpenOffice.
2. List /tmp contents. Locate the directory 'sv*.tmp'.
3. Type in some contents in the document and save it.
4. List the contents of the directory /tmp/sv*.tmp/.
5. Do not close OpenOffice. 'su' to a different user.
6. Copy the file under /tmp/sv*.tmp/ to home directory.
7. Use 'unzip' to unzip the files.
8. The file content.xml holds the data the user had just saved.

The workaround is to set a more secure umask. The problem is that the user does not know about it. Why should they need to set a stricter umask if they save their data in a directory which has the correct permissions? They do not expect that there are any world-readable temporary data available somewhere on the system.

Regards,
Jérôme ATHIAS
-------------------
--
Kind regards,
Thomas Kristensen
CTO Secunia
Toldbodgade 37B
1253 Copenhagen K
Denmark
Tlf.: +45 7020 5144
Fax: +45 7020 5145

So, express your opinion, but either they want exclusivity, or they respect the "full-disclosure policy" the majority of the time.
My 0,000001€
/JA
******************
http://www.secunia.fr

----- Original Message -----
From: "Xavier Beaudouin" <kiwi () oav net>
To: <ad () class101 org>
Cc: <full-disclosure () lists grok org uk>
Sent: Thursday, July 14, 2005 12:59 PM
Subject: Re: [Full-disclosure] Secunia published adviso without respecting release date !
This is usual with Secunia. I had a "bug" in a beta version of software and they "released" a vulnerability for *all* versions of this software without even informing the maintainer (me) of this "pseudo advisory". My thoughts on these guys are now: don't even trust them... They push advisories without testing and without respecting the usual way to inform developers, as it should be.

My 0,02€
/xavier

On 13 Jul 05 at 23:45, <ad () class101 org> wrote:
Then don't send to Secunia b4 the rls date ! HUH

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On behalf of Eric Romang
Sent: Tuesday, 12 July 2005 21:09
To: support () secunia com
Cc: full-disclosure () lists grok org uk; Eric Romang
Subject: [Full-disclosure] Secunia published adviso without respecting release date !

Hello,

These advisories are published on your website, but the patches are not yet OK. I contacted upstream today, before you released the advisories, so they could react. As you can see in the advisories, the release date was not given !!!!

http://secunia.com/advisories/16040/
http://secunia.com/advisories/16038/

You release advisories without respecting the normal process to publish advisories. This guy is monitoring my /adviso/ folder: 80.161.200.182. I think this guy is working for you. So please tell him to respect the normal process in a security process.

Regards.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
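An added example, not code from this thread or from OpenOffice, that recreates in Python the permission pattern the quoted bug report describes: a plain mkdir whose mode depends only on the process umask, beside tempfile.mkdtemp which is umask-independent, followed by the read-permission audit a local admin could run over /tmp. The directory name 'sv-example.tmp' and the content.xml text are constructed stand-ins; demo() runs under a typical 022 umask, and demo(umask=0o077) shows the stricter-umask workaround the report mentions.

```python
import os
import stat
import tempfile
import zipfile

# Added example, not thread or OpenOffice code; 'sv-example.tmp' is a
# constructed stand-in for the /tmp/sv<RAND>.tmp directory of the report.
OTHER_READ = stat.S_IRGRP | stat.S_IROTH  # readable by group/others
OTHER_EXEC = stat.S_IXGRP | stat.S_IXOTH  # traversable by group/others

def umask_dependent_tmpdir(parent):
    """Plain mkdir, as the report describes: final mode is 0777 & ~umask."""
    path = os.path.join(parent, "sv-example.tmp")
    os.mkdir(path)
    return path

def safe_tmpdir(parent):
    """tempfile.mkdtemp creates the directory 0700 regardless of umask."""
    return tempfile.mkdtemp(prefix="sv", suffix=".tmp", dir=parent)

def audit_tmp(parent):
    """List entries another local user could read, not descending into
    directories that others cannot traverse (their contents are unreachable)."""
    findings = []
    for root, dirs, files in os.walk(parent):
        for d in list(dirs):
            mode = os.stat(os.path.join(root, d)).st_mode
            if mode & OTHER_READ:
                findings.append(os.path.relpath(os.path.join(root, d), parent))
            if not mode & OTHER_EXEC:
                dirs.remove(d)  # unreachable for others: skip the subtree
        for f in files:
            if os.stat(os.path.join(root, f)).st_mode & OTHER_READ:
                findings.append(os.path.relpath(os.path.join(root, f), parent))
    return sorted(findings)

def demo(umask=0o022, parent=None):
    """Create both directory kinds under the given umask, save into each, audit."""
    parent = parent or tempfile.mkdtemp()
    old = os.umask(umask)
    try:
        for d in (umask_dependent_tmpdir(parent), safe_tmpdir(parent)):
            # Mimic a save: a zip holding content.xml (step 8 of the report)
            with zipfile.ZipFile(os.path.join(d, "doc.zip"), "w") as z:
                z.writestr("content.xml", "<text>constructed secret</text>")
    finally:
        os.umask(old)
    return audit_tmp(parent)
```

Under umask 022 the audit reports the mkdir'd directory and the saved zip inside it, while the mkdtemp directory never appears; under umask 077 it reports nothing, which is exactly the workaround the report describes.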