oss-sec mailing list archives

Re: CVE request: oping allows the disclosure of arbitrary file contents


From: "Steven M. Christey" <coley () linus mitre org>
Date: Mon, 9 Nov 2009 20:49:33 -0500 (EST)


On Mon, 9 Nov 2009, Josh Bressers wrote:

> That issue has a CVE id. I gave it CVE-2009-3614 quite some time ago.
> http://marc.info/?l=oss-security&m=125561742729846&w=2

A "feature" in our oss-security list monitor prevented me from noticing
this post.  Apologies.

> The discussion then branched out into if an unchecked call to setuid to
> drop permissions is a security flaw (as a user could cause it to fail,
> preventing oping from dropping privs). I saw nothing in the code that
> showed it to be anything but a bug, as oping doesn't do anything
> exciting after the call could fail.

OK, in this context I would agree (just to be consistent with my Oct 16
post.)

- Steve

