Re: CVE request: jhead

["Steven M. Christey" <coley () linus mitre org>]

On Fri, 6 Feb 2009, Tomas Hoger wrote:

> Looks like -latest tarball was updated again and now mentions 2.86
> inside.  In that, usage of mkstemp was replaced with mktemp (previous
> version failed to close file descriptors opened by mkstemp, probably
> causing issues when trying to use command on large pile of images at
> once).  Those the temp file seem to be created user-specified
> destination directory, probably not too likely to be /tmp (and hence
> prone to races).
>
> Anyway, can anyone help me understand what was CVE-2008-4639 assigned
> to?  I tried looking at the diff between 2.7 and 2.84 and fail to see
> any relevant change...

I anchored on this:

  http://www.openwall.com/lists/oss-security/2008/10/16/3

which is John Dong's answer to an inquiry I had for how many CVEs to
create:

> > = Steve
> = John
> > 1 - long -cmd
> > 2 - unsafe temp file creation
> > 3 - "more unchecked buffers" and "unsafe buffer sized strcat's in
> >    ModifyDescriptComment"  [this assumes that upstream only fixed
> >    issue 1)
> > 4 - shell escapes
> ...
>
>
> So, bottom line is I think 2.84 fixes 1 and 3 acceptably, while 2 and 4
> are still unresolved.

So CVE-2008-4641 was assigned to issue 4, and CVE-2008-4639 was assigned
to issue 2.  However, I made a mistake in CVE-2008-4639 and said "before
2.84" instead of "2.84 and earlier."  I've since fixed the CVE-2008-4639
description to say ""2.84 and earlier."

Now what's this about 2.86?... Sounds like it may be a regression.

- Steve