oss-sec mailing list archives
Re: CVE Request -- rpcbind -- Insecure (predictable) temporary file use
From: "Steven M. Christey" <coley () linus mitre org>
Date: Mon, 7 Jun 2010 10:46:10 -0400 (EDT)
On Fri, 4 Jun 2010, Josh Bressers wrote:
> Please use CVE-2010-2061 for this.

My read of Guillem's report at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583435#5 suggests that we might have two distinct issues here:
- "*any* user can craft those two files before the daemon has started for the first time, which the daemon will parse." Nothing to do with symlinks.
- symlinks are followed on creation of those files

So we may need two CVEs here.

- Steve