oss-sec mailing list archives
Re: CVE request: surf
From: Florian Weimer <fw () deneb enyo de>
Date: Fri, 10 Feb 2012 23:11:00 +0100
* Kurt Seifried:
> On 02/09/2012 05:24 PM, Florian Weimer wrote:
>> surf does not protect its cookie jar against read access from other local users, as reported by Jakub Wilk in this Debian bug:
>>
>> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659296>
>>
>> Could someone please assign a CVE for this?
>
> So for surf suckless (http://surf.suckless.org/) please use CVE-2012-0842

Oops. I mistook this for the HTTP client library. Your reference is correct, and it appears I consistently wrote "surf" (the correct spelling).

>> uzbl <http://uzbl.org/> (in the uzbl-browser wrapper script) and netsurf <http://www.netsurf-browser.org/> (the nsgtk_check_homedir function creates the dot directory with world-readable settings) have a similar issue, but are from different code bases. I think those should get distinct CVEs, too.
>
> I'll need advisories or code commits, or links to the vuln code to assign CVEs (I need more information). Thanks!

Jakub has filed bugs:

uzbl: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659379
netsurf: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659376
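
The permission problem discussed in this thread (a cookie jar or dot directory left readable by other local users) is sketched below as an added example; it is not part of the original message and not code from surf, uzbl or netsurf. The function names, the `.browser` directory and the `cookies.txt` file are hypothetical, and the demo works in a scratch directory under `/tmp`.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if group or other hold any permission bit on path, 0 if owner-only, -1 on error. */
int exposed_to_others(const char *path) {
    struct stat st;
    return lstat(path, &st) != 0 ? -1 : (st.st_mode & (S_IRWXG | S_IRWXO)) != 0;
}

/* Weak pattern: permissive modes, so the umask alone decides (022 gives 0755/0644). */
int create_weak(const char *dir, const char *jar) {
    int fd = mkdir(dir, 0777) == 0 ? open(jar, O_WRONLY | O_CREAT, 0666) : -1;
    return fd < 0 ? -1 : close(fd);
}

/* Hardened pattern: owner-only modes, and tighten anything an older run left behind. */
int make_private(const char *dir, const char *jar) {
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    if (chmod(dir, 0700) != 0) return -1;        /* fixes a pre-existing 0755 directory */
    int fd = open(jar, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    int rc = fchmod(fd, 0600);                   /* fixes a pre-existing 0644 jar */
    close(fd);
    return rc;
}

/* Constructed scenario: r[0..1] = dir/jar exposure after create_weak, r[2..3] after make_private. */
int demo(int r[4]) {
    char base[] = "/tmp/jar-demo-XXXXXX", dir[64], jar[96];
    if (!mkdtemp(base)) return -1;
    mode_t old = umask(022);                     /* common default umask */
    snprintf(dir, sizeof dir, "%s/.browser", base);
    snprintf(jar, sizeof jar, "%s/cookies.txt", dir);
    int rc = create_weak(dir, jar);
    r[0] = exposed_to_others(dir); r[1] = exposed_to_others(jar);
    if (rc == 0) rc = make_private(dir, jar);    /* upgrade case: paths already exist */
    r[2] = exposed_to_others(dir); r[3] = exposed_to_others(jar);
    umask(old); unlink(jar); rmdir(dir); rmdir(base);
    return rc;
}

int main(void) {
    int r[4];
    return demo(r) != 0 || printf("weak %d %d, hardened %d %d\n", r[0], r[1], r[2], r[3]) < 0;
}
```

Passing 0700 and 0600 at creation time is sufficient for new paths, because the umask can only clear bits; the explicit `chmod`/`fchmod` calls matter for directories and files that an earlier, weaker version already created.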