oss-sec mailing list archives

Re: CVE Request -- rpcbind -- Insecure (predictable) temporary file use


From: "Steven M. Christey" <coley () linus mitre org>
Date: Mon, 7 Jun 2010 10:46:10 -0400 (EDT)


On Fri, 4 Jun 2010, Josh Bressers wrote:

> Please use CVE-2010-2061 for this.

My read of Guillem's report at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583435#5 suggests that we might have two distinct issues here:

- "*any* user can craft those two files before the daemon has started for the first time, which the daemon will parse." Nothing to do with symlinks.

- symlinks are followed on creation of those files


So we may need two CVEs here.

- Steve
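
The two issues separated in the message above call for two different checks. The following C sketch is an added example, not code from this thread or from rpcbind; the function names, the `trusted_uid` parameter and the scratch paths are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a saved state file for parsing. Returns an fd, or -1 if the file
 * cannot be trusted. trusted_uid is the account the daemon writes as. */
int open_state_for_read(const char *path, uid_t trusted_uid)
{
    struct stat st;
    /* O_NOFOLLOW: fail if the last path component is a symlink. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat the descriptor, not the path, so the checks cannot be raced. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != trusted_uid ||            /* crafted by another user */
        (st.st_mode & (S_IWGRP | S_IWOTH)) ||  /* editable by others */
        st.st_nlink != 1) {                    /* hard-linked elsewhere */
        close(fd);
        return -1;
    }
    return fd;
}

/* Create a fresh state file. O_CREAT|O_EXCL fails if anything already
 * exists at path, including a symlink (dangling or not). */
int create_state(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

int main(void)
{
    char dir[] = "/tmp/state-demo-XXXXXX";   /* constructed scratch directory */
    char file[64], lnk[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(file, sizeof file, "%s/state", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    printf("create fresh:         %d\n", create_state(file) >= 0);
    printf("create over existing: %d\n", create_state(file) >= 0);
    printf("read own file:        %d\n", open_state_for_read(file, geteuid()) >= 0);
    if (symlink(file, lnk) != 0) return 1;
    printf("read via symlink:     %d\n", open_state_for_read(lnk, geteuid()) >= 0);
    printf("create via symlink:   %d\n", create_state(lnk) >= 0);
    return 0;
}
```

Keeping the state files in a directory that only the daemon's account can write to removes both conditions at the source; the per-file checks are defence in depth.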

