RE: CVE request: surf

[Daniel Suarez <daniel () sefisasecure com>]

-----Mensaje original-----
De: Florian Weimer [mailto:fw () deneb enyo de] 
Enviado el: viernes, 10 de febrero de 2012 16:11
Para: oss-security () lists openwall com
Asunto: Re: [oss-security] CVE request: surf

* Kurt Seifried:

> On 02/09/2012 05:24 PM, Florian Weimer wrote:
> > surf does not protect its cookie jar against access read access from
> > other local users, as reported by Jakub Wilk in this Debian bug:
> >
> > <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659296>
> >
> > Could someone please assign a CVE for this?
>
> So for surf suckless (http://surf.suckless.org/) please use CVE-2012-0842

Oops.  I mistook this for the HTTP client library.  Your reference is
correct, and it appears I consistently wrote "surf" (the correct
spelling).

> > uzbl <http://uzbl.org/> (in the uzbl-browser wrapper script) and
> > netsurf <http://www.netsurf-browser.org/> (the nsgtk_check_homedir
> > function creates the dot directory with world-readable settings) have
> > a similar issue, but are from different code bases.  I think those
> > should get distinct CVEs, too.
>
> I'll need advisories or code commits, or links to the vuln code to
> assign CVE's (I need more information). Thanks!

Jakub has filed bugs:

uzbl: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659379
netsurf: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659376


This message has been scanned for malware by Websense. www.websense.com