oss-sec mailing list archives
Re: CVE request -- zsh, XFree86-xfs/xorg-x11-xfs, screen
From: Tomas Hoger <thoger () redhat com>
Date: Thu, 2 Apr 2009 16:54:01 +0200
On Tue, 31 Mar 2009 21:12:25 -0400 (EDT) "Steven M. Christey" <coley () linus mitre org> wrote:
> 3, screen: Unsafe usage of temporary file
> References:
> https://bugs.launchpad.net/ubuntu/+source/screen/+bug/315993
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521123
> https://bugzilla.redhat.com/show_bug.cgi?id=492104
Based on the additional comments in the upstream bug: https://savannah.gnu.org/bugs/index.php?25296
CVE-2009-1214 - world-readable permissions
This should be expected and intended behavior.
CVE-2009-1215 - symlink following
There should be no real symlink issue for /tmp/screen-exchange in the upstream version. The Debian screen version seems to have a patch that introduces a symlink flaw, but it does not depend on any race condition. The description for this one may need to be updated.

-- 
Tomas Hoger / Red Hat Security Response Team
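The symlink-following class of bug discussed above is about a process opening a fixed path such as /tmp/screen-exchange and writing wherever a planted link points. As an added illustration, not code from GNU screen, the Debian patch, or any distribution, the block below contrasts a naive open with one that refuses to follow a symlink at the final path component and additionally verifies ownership and file type on the resulting descriptor. The helper names, the temporary directory layout, and the 0644 mode are assumptions for this example; the self-check runs entirely inside a private mkdtemp() directory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive open of an exchange-style file: follows a symlink at the path,
 * so a link planted in a shared directory redirects the write. */
int open_exchange_naive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT, 0644);
}

/* Hardened variant (hypothetical helper, not screen's code): O_NOFOLLOW makes
 * the open fail instead of following a symlink at the final component, and an
 * fstat() on the descriptor rejects anything that is not a regular file owned by
 * the caller. Returns an fd >= 0 on success, -1 with errno set otherwise. */
int open_exchange_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check in a private directory (constructed sample layout):
 *   <dir>/exchange       regular file, must open with both variants
 *   <dir>/victim         some other file the link points at
 *   <dir>/exchange-link  symlink -> victim, must be followed by the naive
 *                        open and refused by the hardened one
 * Returns 1 when every expectation holds, 0 otherwise. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/exchange-demo-XXXXXX";
    if (!mkdtemp(dir))
        return 0;
    char regular[256], link[256], target[256];
    snprintf(regular, sizeof regular, "%s/exchange", dir);
    snprintf(link, sizeof link, "%s/exchange-link", dir);
    snprintf(target, sizeof target, "%s/victim", dir);

    int ok = 1;
    int fd = open_exchange_nofollow(regular);
    if (fd < 0) ok = 0; else close(fd);

    int tfd = open(target, O_WRONLY | O_CREAT, 0600);
    if (tfd >= 0) close(tfd);
    if (symlink(target, link) != 0) ok = 0;

    /* The naive open silently follows the link. */
    fd = open_exchange_naive(link);
    if (fd < 0) ok = 0; else close(fd);

    /* The hardened open refuses it (ELOOP on Linux, EMLINK on some BSDs). */
    fd = open_exchange_nofollow(link);
    if (fd >= 0) { close(fd); ok = 0; }
    else if (errno != ELOOP && errno != EMLINK) ok = 0;

    unlink(link); unlink(target); unlink(regular); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink refused by hardened open: %s\n",
           demo_symlink_refused() ? "yes" : "NO");
    return 0;
}
```

O_NOFOLLOW only covers the last path component; a symlinked parent directory is still followed, which is why shared world-writable locations such as /tmp are better avoided entirely or combined with a per-user directory created with restrictive permissions.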