oss-sec mailing list archives

Re: CVE Request -- rpcbind -- Insecure (predictable) temporary file use


From: Josh Bressers <bressers () redhat com>
Date: Tue, 8 Jun 2010 15:43:09 -0400 (EDT)


----- "Steven M. Christey" <coley () linus mitre org> wrote:

On Fri, 4 Jun 2010, Josh Bressers wrote:

Please use CVE-2010-2061 for this.

My read of Guillem's report at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583435#5 suggests that we
might have two distinct issues here:

- "*any* user can craft those two files before the daemon
has started for the first time, which the daemon will parse."  Nothing
to do with symlinks.

Let's use CVE-2010-2061 for this one.


- symlinks are followed on creation of those files

Let's use CVE-2010-2064 for this one.

Thanks.

-- 
    JB
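
Added example, not part of the message above and not rpcbind's code or its actual fix: one way a daemon can defend against both issues split out in the thread, by refusing to parse a state file it cannot show it owns and by refusing to create one through a symlink. The file names (`state`, `link`, `dangling`, `absent`) and function names are hypothetical, and the scenario is constructed in a scratch directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a state file for parsing; checks use the opened fd, so no check/use race. */
int open_trusted_state(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;         /* includes a symlink at path (ELOOP) */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);                 /* planted or tamperable: do not parse */
        return -1;
    }
    return fd;
}

/* Create the state file; O_EXCL fails if a file or symlink already exists. */
int create_state(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a scratch directory; one bit per defended case. */
int run_demo(void)
{
    char dir[] = "/tmp/state-demo-XXXXXX";
    int ok = 0, fd;
    if (!mkdtemp(dir) || chdir(dir) != 0)
        return -1;
    if ((fd = create_state("state")) >= 0 && close(fd) == 0 &&
        (fd = open_trusted_state("state", geteuid())) >= 0 && close(fd) == 0)
        ok |= 1;                   /* own fresh file is accepted */
    if (open_trusted_state("state", geteuid() + 1) < 0)
        ok |= 2;                   /* file owned by a different uid */
    if (symlink("state", "link") == 0 && open_trusted_state("link", geteuid()) < 0)
        ok |= 4;                   /* symlink to a real file, read side */
    if (symlink("absent", "dangling") == 0 && create_state("dangling") < 0 &&
        access("absent", F_OK) != 0)
        ok |= 8;                   /* dangling symlink, create side */
    if (chmod("state", 0666) == 0 && open_trusted_state("state", geteuid()) < 0)
        ok |= 16;                  /* writable by group/other */
    unlink("state"); unlink("link"); unlink("dangling");
    if (chdir("/") == 0) rmdir(dir);
    return ok;
}
int main(void) { printf("defended cases mask: %d (expect 31)\n", run_demo()); return 0; }
```

The ownership check addresses the pre-created file case and `O_NOFOLLOW` with `O_EXCL` addresses the symlink case; keeping the files in a directory only the daemon can write to removes the need for either check.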


